Well, first of all, it has to be taken into account that the banking sector has been one of the most digitalized sector for a long time. While other sector are still in process of digitalization, the banking sector has almost 80 percent of their business based on IT. That means that banks have gone down a road that other companies still have to work through. This makes the financial sector one of the most mature sector, if not the most, with a lot of investment already done in employee training and in awareness and in cybersecurity measure for a long time ago. Another important driver that has to contribute to this cybersecurity maturity level in the banking sector is the regulation. There are different organizations like national regulations, European regulations, industry organizations, etc, that are chasing the compliance with the defined policies and directives. The policies in the most of the cases include cybersecurity topics and force the banking companies not only to deliver measures but also to have a specific organization model. In all the banking sector, there are three lines of defense: operative, risks, and audit, which is not useful in other sectors. As a result of these measures, the banking sector has nowadays one of the most robust status in terms of cybersecurity with measures not only to protect information properly, but also to detect when a security even happens and respond correctly to it. This is quite important since some companies are only focused on protection measures and not putting too much focus on detect and respond capabilities. Regarding the banking employees' experience, I can talk about my own experience. When I started working at Santander Group, it was quite a surprise for me in a positive way about the amount of measures implemented in the bank to protect information and also to increase the levels of awareness of the employees. Although sometimes, we can feel the measures could be uncomfortable. Once cybersecurity culture is in place, the effectiveness of their measures increase exponentially. As I see it, there are three main challenge that we can face as a security professional. The first one is provide cybersecurity according to the new ways of working and delivery services in IT. I'm talking about agile methodologies, Cloud computing, DevOps, etc, and this is an important because this is the arena in which the businesses play in today. The customer has changed the way they choose the products they would like to buy, and in many cases, the decision is based on immediacy. Big companies are fighting against its own processes in order to be more flexible and complete with the startups and digital companies, and cybersecurity cannot be [inaudible]. The second challenge is the [inaudible] of the perimeter. In traditional cybersecurity architecture, it is clear that the protection should be at the perimeter. The stronger the perimeter, the more secure the company could be. There are firewalls, endpoint protection, DLP measures, and proxies in the mail and so on, and nowadays, the [inaudible] required of most of the employees [inaudible] are more dynamic endpoint controlling the security through the end-to-end, but without taking into account infrastructure that is in the middle. Moreover, the personal use of professional devices and vice versa is becoming more common day by day, and last but not least, all the industry is suffering the lack of cybersecurity professional. There are different reports from entities over the world are acting in about this. The cybersecurity professional has to have a lot of skills to be able to understand when the risks in a holistic way and how to minimize them. They are always struggling because have to be in continuous learning and investigation. The lack of professional also carry some overload in the current staff that in place lot of difficulties for adequately facing their tasks and responsibilities. It's really a problem. I have seen a lot of good professional changing to other industries because of this saturation and this pressure. I think the most important trend is that sophistication of a task is increasing day by day. There are organized groups which are continuously investing money in investigation and developing new techniques to bypass the security measures implemented in their companies. Their objective is clear, to gain access to our systems and to carry out some kind of fraud. The power of the tools they are using is bigger and bigger this day, with for example, TenX based on artificial intelligence and we have to improve our protection continuously. What is more? They are sharing their knowledge between them, so now they are not the small enemies. In this way, one of the most important capabilities in cybersecurity is cyber intelligence. Know your enemy and anticipate to the attacks that they are coming. These sophisticated attacks tend to have one thing in common. They target our employees. Nowadays, it is still very easy to trick the employees and this is the reason of more or less 80 percent of the security incidents. So one of the main trends is to provide the way in which we can protect the user without increasing the complexity of the daily work. Finally, I think detection capabilities are as important as protection one. Taking into account that the way we have to detect incidents is mostly the same in all companies based on loss correlations and use cases and so on. We are experiencing new kind of attacks that are focused mainly in not being detected. This require a new way to detect these kind of attacks that couldn't be based on standard patterns. I'm talking about users and entity behaviors, analytics, and hunted activities. It's clear that the relationship is between banks and users keep changing. It's becoming more and more digital to the extent that it's one of the essential pieces in the citizen technology portal. Nowadays, almost every user has one or more banking apps in their mobile phones and after social network apps, the banking apps are used the most, but it's also fact that the cybersecurity awareness is not too high between the users. I think the people have a false sense of security, thinking that someone is going to care about them. It could be the bank, the e-commerce platform, the phone vendor or the telecom provider, but people are not aware about the risks and that it's important to have a continuous [inaudible] , just like they have in the non-digital life. We are very concerned about this because of that, the launch in different programs to increase this final user awareness. For example, we are sending little cybersecurity bills by e-mail alerting about some kind of attacks. The last one has been about SIM swapping, one of the most used techniques of identity spoofing that we are facing. The main objective is to grant, ensure the user is more [inaudible]. What is important also is to take into account that it's quite different the way in which technology is used by the different generations and we are very worried mainly about young people, the millennials, and the next generations. They are digital natives, very used to share information on social network. That means that there are a lot of information in the Cloud that it could be used to fool them. At Santander, we are carrying out awareness programs with the children of our employees. We show them how easy is to use the information they post on the Internet to elaborate attacks, not only for them but also for their parents. Consumer habits, location at a given time, friendships, habits, all information could be used, and it's important to be discreet online. In cybersecurity, there are two kinds of solutions that can be provided by the small and medium enterprises, products and services. From an innovation perspective, perhaps products are more suitable for innovation. In Spain, that is margin for providing small companies with more opportunities in this field. If we take a look to the Spanish cybersecurity product landscape, there are very few small companies compared with the other European countries like France or the UK. Although there are some great grants that are fighting at first level in the global landscape. CounterCraft, BlueLiv, or [inaudible] are good example of this. Big companies are a relevant role on advancing on these directions. In the opposite case, small companies used to be companies very attractive for young talents, people that has just finished their university studies or even without them want to work without the restricting tables and in work spaces that allow them to develop all their potential. It's a great [inaudible] ground for innovation and it's where the greatest contribution of the small companies to the cybersecurity sector are being generated. As a conclusion, I think that small companies could be a very great agent for innovation in cybersecurity, mainly because of what they can provide from a service perspective. There are a lot of talent in our young people and they think in the same way that the malicious agents that could carry out attacks, and this is a must when we think on protection. We need this talent, and small companies could provide them the real company to working.
