Published on: 27th Aug 2025

When ATMs Fail: Banking Outages, Black Swans & Digital Risk

In this episode of the Disaster.Stream Podcast, host Bill Alderson sits down with Bill Genovese, CIO Executive Advisor at Kyndryl, to explore one of the most high-stakes failures in modern banking: a nationwide ATM outage during a holiday weekend.

Drawing from decades of global experience with IBM, Kyndryl, and Big Four consulting, Genovese shares how banking systems can unravel in moments — and why recovery often requires more than just technology. Together, they examine how black swan events (rare, catastrophic failures) and gray swan events (compounding, foreseeable risks) threaten not just banks but entire national economies.

🔑 What you’ll learn in this episode:

  • The true impact of a bank losing all ATMs before a holiday
  • Black swan vs. gray swan risks — and why multiple gray swans can be worse
  • Lessons from IBM’s global SWAT teams on crisis response and remediation
  • How banking regulations, international oversight, and resilience standards shape recovery strategies
  • Why digital transformation and multi-cloud dependencies increase complexity
  • Practical lessons financial institutions can adopt to build resilience

👥 Featured voices:

  • Bill Genovese (Kyndryl) — global expert on financial services architecture, resiliency, and risk advisory
  • Nick Leghorn (New York Times) — application security leader, on how to write cybersecurity policies people will actually follow
  • ISSA (Information Systems Security Association) — professional community strengthening global cybersecurity practices

💡 Key Takeaway:

There is no cookie-cutter solution for disaster recovery. Each bank and enterprise has a unique “technology fingerprint” that requires holistic analysis across people, process, and technology. True resilience means planning for the compounding risks of our interconnected world.

Transcript
Hello, and thank you for joining me. I'm Bill Alderson with Disaster Stream. This is where we talk about data disasters that are extraordinary, and the responders who have experience dealing with these types of disasters. We look into the lessons learned, and on this particular occasion, we're gonna talk with Bill Genovese. He's with Kyndryl. And he's gonna talk about a situation sometime back where a major bank lost all of its ATMs on a holiday weekend, not a good time.

He's also going to discuss some concepts that may or may not be new to you, but he talks about a gray swan and a black swan. Now a black swan is like a zero day attack. No one's ever seen it before. Unanticipated risk. And then a gray swan is something just a little bit less. But his discussion will talk about how multiple of these type of things can equal a much larger situation and event.

Each week we talk about various disaster responder stories. I'd like to tell your story. No doubt you have some lesson learned that can be turned into a best practice to help a major institution either recover faster or obviate some sort of a problem that they have been having. I invite you to contact and let us know that you're interested.

Now this is Bill and he has a huge resume of solving a lot of various problems with his critical problem resolution teams flying in all around the world, solving problems when he was at IBM and other locations. Bill is at Kyndryl and he advises leaders of large institutions. You can read a little bit of his resume and he's gonna introduce himself in just a couple of minutes.

I like to introduce you to organizations and/or people who are consequential and helpful to all of us. And one of those organizations is ISSA, the Information System Security Association International. I happen to be a board member of our local Austin chapter. I take and make sure that we record those sessions, and so they're out there publicly and I will introduce one of them to you. I'm gonna give you just a little bit of a teaser about one or two minutes during this session.

And also introduce you to Nick Leghorn who's with the New York Times. Nick takes care of application security at the New York Times, and he is going to take us through an insightful ability to learn how to write cyber policies that aren't miserable for everyone. And he takes into a lot of experienced consider. How to go about reviewing your policies and then how to write good ones that are not just click the box, good but truly working cyber policies. I'll break in during our session and I'll introduce you to Nick, and he'll pop in and give you about a one or two minute talk, and then you can decide in the show notes, I'll give you links to Nick's entire session.

Now these are some of the slides that we're gonna go through. I just wanna make sure that you see what you're getting into here. This is what Bill Genovese is gonna talk about a little bit, and he goes through and explains these multidimensional events and issue. And risks and market risks and operational risks. He also shows us the top global risk because Bill is a global perspective person, and so you're gonna enjoy hearing his perspective on these different things. And he's gonna talk about the Basel Committee on international banking, you're gonna really enjoy this. He also talks about the governance and readiness. And these are international standards and supervisory agencies, some of which are US agencies, but many of these are international banking agencies that are the regulators of the world's banking systems. He'll go through that with you.

The purpose of our broadcast is to take the best practices that we glean out of the responder stories in other. What did they learn? What were the lessons learned during the disaster recovery that we can take and turn into best practices, and then we can input those best practices into your organization so that you can either obviate problems or reduce the impact of problems in your organization. Thank you so much. Now we're gonna get right into it and Bill Genovese will. And introduce himself. I will go back and forth with him a little bit, but he's got some great stories that you're really gonna love to hear. So thank you so much. And here comes the interview with Bill Genovese.

Hello, I'm Bill Alderson and we're talking here with a leader at Kyndryl, and he's going to introduce himself. Bill.

Hi. Thanks, Bill. My name is Bill Genovese. I live in St. Augustine, Florida, but I've lived and worked all over the world. In terms of full stack architecture and technology at the intersection of primarily one major vertical, which I would say financial services in that umbrella, banking, capital markets, securities, investment banking and insurance, and diversified healthcare to a second extent, and then telco. And mainly from the provider side. So I'm a second generation IBMer. I worked in four divisions in IBM on five continents. I've been all over the world with Big Blue, ex Big4 consultant. So I was with KPMG, two tours of duty with KPMG as a senior consultant and then a director on a contract basis in their technology M&A group. Doing due diligence for acquisitions for clients. So I've worked in a number of areas and I've never really escaped risk. And everything that comes under that umbrella.

I've worked in a number of business units in IBM, high availability center of competency as part of a lab services executive consulting firm all over the world to their technology in major Fortune 50 banks in enterprises. So this is a topic near and dear to my heart. Look forward to the discussion and seeing where this kind of takes us over the next few minutes, an hour or so.

Bill, it's really a pleasure to have met you and started to engage hearing some of the incredible high visibility, high stakes stories of response and problem resolution for yourself and your organizations. Really looking forward to some of these stories. Now, I'm not really exactly sure how much we're gonna be able to get done in the next hour or so, because you have a prolific career. If you go and look at your LinkedIn profile. It's just littered with large organizations with critical problems. Let's get right into it.

Bill, what do you think are some of the stories, and we can go into more detail, but just give me a synopsis of some of the type of issues that you've dealt with in the area of critical problem resolution, disaster recovery, unanticipated risks that have become actual risks today. So help me understand some of the things that you might be able to help us with in this particular area.

Yeah, my, my experience and what I've encountered throughout my career, primarily, contextually this is mostly relevant to my work with IBM. And Kyndryl is a division of IBM or was a division of IBM Global Technology Services, where I worked for almost six years in two countries. So I know this space quite well and I am a CIO executive advisor as part of our advisory services practice in Kyndryl now working with CXOs. So resiliency is still very much top in mind. It's part of implementing digital transformation. But when I was with IBM Global Technology Services, GTS, which is now Kyndryl, a lot of the content in where my career took off was in the result of outages and stability issues.

So I followed the career path from consultant and I moved more towards the technology engineering side of the house in IBM and architecture and number of profession certifications. And as you cover more and more architecture and technology from an enterprise perspective, obviously you're working in different camps, different layers of that architecture. So what may have started earlier career as an application or software architecture engineer move more into infrastructure and data center. And up and down the platform.

So invariably when there is an outage in a major enterprise, where does it occur first? It's usually a cross-platform service or it's unknown to the firefighters. Is it the application? Is it the database? Is it the infrastructure? Usually the investigative discovery process starts at the infrastructure in the data center. And that's where a lot of the focus is in terms of remediation teams and support teams. Which is fine if it was 15, 20, 25 years ago where one application sat on one platform, but in digital transformation in a major enterprise in a major industry, vertical and international bank, internet banking, or ATMs don't all sit on one hardware platform. So it creates required correlation across support teams to see exactly where the issue is.

In my career in IBM, as I became more and more of a senior architect and chief engineer, chief architect client technical leader, so these were the folks that were actually advising CIOs and banks. And, I was the most senior technical leader on the account for selected Fortune 20 accounts. If there was a major issue like an outage, we would get called in and work with the teams over the contract period to remediate what that is. I've seen a number of situations and issues, ATMs going down right before a holiday weekend. Performance degradation issues. It could be as rudimentary as annual or biannual disaster recovery testing. That goes fine in terms of flipping over to the DR site, but the client or customer can't come back. And it's good to see that your DR is working in the event of a smoke hole in the ground situation. But how do you come back to restore everything? And if that can't be done, that's a challenge as well. So everything in between.

Another highlight in my career after I left GTS Global Technology Services and IBM, I moved to systems and technology groups, high availability center of competency. So with that team of experts. The best of the best. We were a very elite SWAT team that would parachute into anywhere in the country, world, I should say, on a moment's notice to remediate outages and have week long discovery sessions to get to the real root cause of what was going on. And more often than not, there's a familiar pie chart that is always in burned in my mind in memory. Outages are not caused primarily by infrastructure problem. It's usually service process management. Or applications first and foremost. Then infrastructure. So these workshops and the remediation efforts that we would get into would be carved into technology days and then service or process management days, because we would want to see exactly what's going on that's contributing to the outage in future remediation.

I think that gives you a good cross composite. In more recent years in between working for big IT providers, I've done work in the M&A space. I've worked with smaller companies and startups and tier two, tier three companies. And my knowledge and expertise has helped me do due diligence in terms of acquisitions. So if a private equity firm was going to buy a company, a smaller company for their portfolio, what types of things should they look for in terms of a risky investment in terms of stability in the infrastructure and cloud provider, as an example. Yep, I'm very lucky, honored and humbled to be here and I've had a very good career, I think and hope to keep contributing.

Very nice, Bill. It's really interesting to, to hear some of those stories, especially on the international level, that it wasn't merely in one market, but a myriad of markets across the globe. So in, in our initial discussions in talking, I remember a few different scenarios that you spoke of in detail. Are there some of those that you'd like to highlight today?

Yeah, one, one long-term contract that I was involved with IBM, it was a very important account for us. It was very high up in terms of account focus, our relationship with the customer and the client. We had a 10 year managed service strategic outsource deal. It was a bank in Southeast Asia. I had finished up another engagement in the same division in IBM for another bank in Europe. And I was in between assignments and I was due to return back to my home country, the United States. But then I found out, I was contacted about this other opportunity and actually there were two banks that were experiencing some level of stability issues, both in Southeast Asia. And both were managed service accounts. And it turns out I was supposed to go to Thailand but I got rerouted to a higher situation, crit sit, for a bank that experienced island wide ATM network outage the day before major holiday weekend, public holiday weekend.

Now Bill, when ATMs go out, whether it's a weekend or not, but in particular holidays, what happens to the community? And then how is that high visibility, high stakes kind of issue, how does that get pushed back onto a system provider or somebody who's providing assistance or services? How does that affect the company who's experiencing the problem, and then yourself on the other end trying to help.

Yeah. So to frame that a bit, it's good to time box it in terms of when this happened. Because that should give some context in terms of where we are in the industry and overall as a planet in that timeframe. The question I would throw out was mobile banking. And the ability to consume digital financial services from a payment. Payment transfer, moving money around between accounts, paying from your phone, paying from your face, ordering stuff remotely, whatever you want to do. Was it the same as it is now post pandemic? I think we all know the answer to that. No. It wasn't. So if you experience a mainframe outage, with the lack of mobile banking and mobile financial services, that's widely pervasive and used almost as a default mechanism as it is today, there's gonna be an impact to a society. People need to get money out of their ATMs. Before holiday weekend before they travel somewhere. Or I can think of a myriad of situations why you need to get to the ATM. And so very highly impactful situation. In terms of the core livelihood of a banking institution.

I can only imagine if, like today a lot of us have reduced the size of our physical wallet and we put one bank card inside a sleeve of our cell phone to take with us. And that's the only one that we have. And now, if that were the chosen bank for our a hundred percent dependency and we're on a motor trip from one location to another location, the ability to get petrol, the ability to get food, the ability to stay in a hotel is now highly impacted. So no doubt customers of the bank are screaming bloody murder at this point.

Yeah, exactly. And, you hit the nail on the head in: wallet and essentially living from a digital financial services consumption model from the perspective of the brick in your hand, didn't exist. Or it was just starting. So you were tied to that ATM, you're tied to that debit card more so than you are now. 13. 13 years later. Yeah.

You can't just add another card to your Apple Pay or your Google Pay wallet and change cards easily. Right on, on the run, you're pretty much stuck with a physical card that it either works or it doesn't work, and when it doesn't work it's essentially catastrophic. It's a catastrophic disaster for that person in that situation out of town. So did the companies that you were working with, the level of urgency that their customers were pressing them with?

Absolutely. Once again this was a very successful account up to that point, with IBM. Who I was working with at the time and it was year eight of the first 10 year contract. So we were entering, when you go into a renewal for a managed service outsource contract, you're not waiting until year 10 or year four. You're starting the discussions year seven and eight, and you're positioning what's gonna be in that renewal. So for this to happen in year eight, is catastrophic potentially. So very high visibility from the provider perspective.

The other perspective is, I'm not gonna get into naming any clients or customers here, but in smaller countries, in Southeast Asia, other parts of the world, the most successful banks are the poster children in terms of their visibility with the regulatory bodies. So the smaller institutions can be a little bit waffly, they can be unstable. They don't have the wallet share of the population, they don't have the visibility. They're not the media darlings. So if one of the big anchor banks goes down, that is the wallet share of the country. That's a major ordeal.

So it's no longer just the customer of a particular brand of bank, but now it has national significance within the geopolitical organization that they're a part of. And of course that goes on the nightly news, yeah, you can continue that thread of thinking. This is a representative pillar of industry representing where that country is going in terms of technology innovation, and it has a failure. That's not a good thing.

So that's proverbial the black eye that we talk about in industry, right?

Exactly. Exactly. So you get a pretty clear picture of the back backdrop and the context of what I was facing.

So how did that end up coming to, to closure? How did you navigate your way through that critical problem?

It was a holistic approach. All roads led me to that as an enterprise architect in my career developing. So I didn't go into that situation being a web architect or an Oracle application architect or a DB2 database architect. At that point, I had worked across all layers of the architecture in a number of banks globally. And then also I have a patent in terms of automation and provisioning and cloud environments with IBM. I am certified as a technology consultant and architect in terms of systems management and service management. So when I went into that context and why I think I was brought in, I know why I was brought in. It was that full comprehensive diagnostic that I would need to do. People, process and technology in terms of, going into that dark room and flipping on the light. Where is everybody scattering from? And it's not one, one situation. We've gotta look at everything. And rebuild the estate, the culture, the people, the process, the organization, the technology, the infrastructure of the data center, and raise it from three nines, availability to six nines. And it was a complete, that's all I did for two years to help my company and the client and the regulator. I was involved in discussions with the regulator. How do we turn this situation around and in a preventative sense, make sure it never happens again.

And looking back at that exact type of situation, what are some of the lessons learned that you brought forward to help the organization improve their resiliency?

Good. Very good question. And this is why I brought up this example, because, none of us is infallible. We're always learning, I don't care if I have 27 years of experience. You have 40, somebody else has 60. A couple of key points that have stuck with me in my career. Every single client situation that I've been in, any country all over the world, I could be in the same city, in the same state in the United States on the other side of this, and I'll come across a different situation. The context or the symptoms may be very similar, but the solution is never a hundred percent repeatable. There's always a wrinkle. There's always something new that pops up.

Bill, are you basically saying that there's no cookie cutter solution? So essentially if, let's just say, of course IBM has a lot of major clients around the world and almost that one time or another, almost every company, but taking the solution from bank A and simply applying it to bank B, that doesn't seem from what you're saying to be the way things work. Saying it another way, there's no silver bullet.

I will say even another way, if you have a 95% silver bullet that you implemented in the United States. And then you went to Europe and maybe in, in one or two countries it was a 92 or a 93% silver bullet due to other reasons. And then you said you based your assumption. I've lived and worked all over the United States in small, medium, large environments. It's worked everywhere here. It's worked in two or three countries with some differences. Minor. It's gonna work in any eight country in Asia. I learned the hard way. Culturally that's not the case. This is where I got slapped a bit in the face with cultural and people differences. In terms about technology and services are delivered. And in terms of risk appetite. And approach and thinking. Approaches to enterprise architecture, approaches to DevOps. Approaches to teams working together in terms of rigor and testing. I can go on and on. And I had to learn that certain ways, mindsets of thinking in the United States and the West and Europe. I had to jettison and adjust on the fly from my experiences in Asia.

So Bill, can it be said that regardless whether we're using the same technology, i.e. mainframe or certain types of systems, that almost every implementation of a company's architecture has a unique fingerprint that requires specialization and theorists who can really look at the true underlying technology architecture, that it's not simply the same fingerprint that company A has, and you can simply apply that to company B. I haven't found that to be the case in almost anything. You have three banks who have mergers and all three of them have completely different technology. Even if they're using the same IBM mainframes, their communications architectures, everything requires some type of specific planning to approach their architecture in the way that their architecture works and their fingerprint of technology, so to speak for that particular organization, which makes it a lot more complex problem. And like you said, you can't simply use a paint by the number or a cookie cutter plan to take disaster recovery for company A and apply it to company B.

Absolutely. So as architects, as engineers we're all familiar with reference architectures for industry. What does an internet banking reference architecture look like? What does a core banking deposit systems architecture look like? And its deployment patterns. But to your point, as everything around it has transformed those reference architectures are a point in time or a specific point in an organization from a pattern perspective. What we need to be more adept at is identifying outliers and anti-patterns as architects. Those anti-patterns that pop up right now in the next outage or tomorrow become inputs to the next reference architecture. And that's how I would best describe what you're framing up there. And that's what I've loved about my career. I've been exposed to not only looking for and being hung up on this is the reference architecture I know and how it should be, but I look for the anti-patterns.

Now first, can you explain to us a little bit about what you mean by those anti-patterns so that we can get our arms around that a little bit more?

Yeah, once again, going back in time you had basic client server architecture based technology. And, you had an application with a call to a database, a client, a thin, a thick client in a call back to a database, via client server. The application database could be on a mainframe, but it was a thick client on an application that was installed on a workstation, then you went into thin client. Then you started to get involved with internet banking, transforming in terms of an anti-pattern where you had front ends on web server x86 farms thin client. Then you had some type of compilation. Logic, computational logic, mid-tier engine, which could be on Unix RISC-based systems. And then you have, in terms of messaging and connectivity, MQ back to the mainframe database.

Yes. And yeah, the, all of those technologies can be used in a different pattern. The message queuing systems, of course, that IBM's famous for the database thin, thick clients and all those various architectures, even though they're the same technologies, they're implemented differently, perhaps different vendor interfaces, different vendor computers. So each one of those represents an institution that has their own fingerprint of technology that you have to, as a theoretical expert, you need to be able to look at holistically, like you said, and look at the exact problem situation that they have.

And, teams in a support mechanism, troubleshooting firefighter context have not necessarily changed along with those anti-patterns. In a holistic sense that says, I am the internet banking service support guru, and I'm gonna look across all three platforms. No, it's more often that they're broken out by infrastructure, platform and data centers, and you've got three separate individuals each looking at their monitor. Representing their tier of the service and them trying to figure out where's the bottleneck, where's the outage occurring? The front end's fine. It must be you in the middle. Yeah, exactly. Exactly.

Bill, one of the things that I was hoping that you might be able to share with us is some of the messaging that you find to be cogent and relative that you're presenting now inside of your advisory services, that you might wanna take a couple of those anecdotal places and show us a little bit or talk to us about some of the messaging you're helping large institutions understand from a particular experience viewpoint. Do you have anything to share with us that you'd like to discuss?

467

:

Yeah, I mean there's a, there's, this

whole concept of multidimensional risk,

468

:

and, catastrophic events, we've all

heard the term black swan, ? And that

469

:

more or less can, be framed up of a

smoking hole in the ground scenario,

470

:

that comes around once

every hundred years.

471

:

What if you have two or three of these

events that are not necessarily smoking

472

:

hole in the ground, lights out events,

but they're problematic enough to disrupt

473

:

operations, and if you have two or

three of them happening at the same time

474

:

in different areas of the world, the

475

:

combined aggregated result can

be even worse than a black swan.

476

:

And some of these are being

characterized or defined as gray swans.

477

:

So Covid and the pandemic, not

necessarily a black swan a transformative

478

:

enough to IT and the business that

major adjustments had to be made.

479

:

In terms of digital transformation I've

been speaking for a number of years

480

:

on what I call next generation digital

transformation with the advent, for

481

:

example, of mobile financial services.

482

:

This gray swan event of Covid,

483

:

the pandemic, with some environmental

hurricanes, typhoons, regional war,

484

:

may have kept us cooped

up in our houses more,

485

:

and may have directly and indirectly

fueled the focus in institutions

486

:

to move further and faster with

digital transformation, including

487

:

mobile financial services.

488

:

Obviously we had to do things

more from a mobile position.

489

:

Just a case in point, Bank of America

in my Austin community closed probably

490

:

a dozen bank branches, two of which are

quite near to my home that I used to

491

:

avail myself to, and they were gone.

492

:

I drive over there and

they're completely closed.

493

:

Now, they kept the ATMs open at those

locations, but subsequently, two of

494

:

those are now completely closed down.

495

:

They even removed the ATMs.

496

:

So vast changes.

497

:

I think when you talk about this gray

swan, which is an interesting concept

498

:

that I'm definitely gonna wanna study

and keep my ears to the ground on,

499

:

because you're right, exactly what

you just said has major repercussions.

500

:

But it wasn't a black swan

catastrophic zero day event

501

:

that brought everything down.

502

:

It was kinda like putting the lobster

in the pot and turning up the heat.

503

:

It changed a little bit by little bit and

fundamentally affected how we do business.

504

:

I'll share a couple of slides here

if I can, to frame up a bit

505

:

more than a bit more about what

I'm talking about further here.

506

:

Let me know when you can see my screen.

507

:

I can see it and I'm broadcasting it.

508

:

All right.

509

:

From a kind of framing up exactly

what I'm I was saying here, you know

510

:

what the background and the problem,

and this is not only impacting

511

:

financial services, it's multiple

industries in terms of a trend.

512

:

So you have risk that's compounding,

due to multidimensional events.

513

:

Obviously as technologists we focus on

that middle pier pillar on the bottom

514

:

half of the diagram, operational risk,

but you also have a run on credit.

515

:

Based on the confluence of

multi-dimensional events, you

516

:

have a run on market risk of pay.

517

:

People are selling securities,

they need to become more liquid.

518

:

If you can't get into your broker

to make an appointment to sell

519

:

securities, and some still operate

that way, you wanna be able to sell

520

:

and liquidate your stock holdings or

options from the palm of your hand.

521

:

So there's other factors culturally

too that's further compounding this and

522

:

fueling from a consumer perspective the

need for the institution to be more agile.

523

:

If these events do come up

and they are compounding.

524

:

So interesting statistics across the top.

525

:

From a consumer experience perspective,

if these incidents and situations are

526

:

going to occur, 50% of customers will

give their bank only two chances to fail

527

:

before considering a change in banks.

528

:

That's somewhat dated as a statistic, a

few years ago at least. Right now, due

529

:

to everything that's been going on in

the world for a number of years, I don't

530

:

have all my money in one institution.

531

:

I don't invest with one institution.

A number of the institutions

532

:

that I invest with, I've never

had a discussion with a broker,

533

:

I do my trades via Robinhood or other

institutions like that, Acorns or Stash.

534

:

So I'm spreading my money around from a

risk avoidance perspective for the very

535

:

reason that a regulator or bank would

not go with one technology provider.

536

:

And the more that you have correlation

of risk events, the more that you're

537

:

exposed from a consumer experience

perspective, by being with one player.

538

:

So the traditional icons and titans

of the industry in terms of market

539

:

share, need to be aware of that.

540

:

And that's what's fueling investment

in adoption with fintechs and smaller

541

:

institutions with consumers, and

some of which, have a lower risk

542

:

appetite to get those consumers,

but those risks have not gone away.

543

:

So it's a double-edged sword there.

544

:

And then you see some other

statistics across the top.

545

:

Cybersecurity attacks, 93% still

focus mainly on the finance sector.

546

:

And then just the sheer volume in terms

of performance and capacity degradation.

547

:

Global trading systems

and transaction systems.

548

:

The constant discussions that I get

involved in: mainframe is costing

549

:

too much for us, Kyndryl or IBM.

550

:

How do we move to a

distributed environment?

551

:

Can that distributed environment

process like Visa, and what types of

552

:

technologies in terms of containerization

in cloud can compete with a mainframe

553

:

environment in terms of its stability?

554

:

Very complex picture,

very complex problem.

555

:

That tied back to what I said

earlier, there's no silver

556

:

bullet solution especially go.

557

:

And it looks like these type of

statistics and drawing our attention

558

:

to this type of a problem the type

of responses that customers have to

559

:

these type of problems and what people

do as a result of experiencing these

560

:

things are a key part of decision

making in these large institutions.

561

:

From a technology by Location or IBM.

562

:

In solution development it

usually falls into fiefdoms or

563

:

camps in terms of ownership.

564

:

Being a bit colloquial and colorful

and how I'm saying that, I just

565

:

heard a recent saying, if it's

not my pasture, it's not my BS!

566

:

If it's not my operational

platform, if it's not my mainframe,

567

:

it's x86 or somewhere else.

568

:

It's not my database, it's not

my P&L, it's not my problem.

569

:

So even within each of these pillars,

you've got silos. And all it takes

570

:

is two or three correlated gray swans,

some morphing to a once in a hundred

571

:

year black swan event that blows the

walls of those silos completely down.

572

:

Very interesting.

573

:

Thank you.

574

:

Thank you Bill for that.

575

:

So what are we what are we looking at

in, in some of these textual things?

576

:

I know that there's probably some key

components that you can talk to or

577

:

bullet points that you can talk to

about some of these materials that

578

:

you have created for your customers

that are using your advisory services.

579

:

What kind of things are you helping

industry trends and state of the industry

580

:

are you helping people understand so that

they can make the better decisions within

581

:

the environment that we're in today?

582

:

Very good point.

583

:

And we're always we've always been

a in a catch up mentality or mindset

584

:

as humans, regardless of what

country we're in, especially from a

585

:

reactionary regulatory perspective.

586

:

So if it's not broke, don't fix

it or how it was broke the past

587

:

becomes the road for the future.

588

:

What if we haven't encountered

new ways that things have gotten

589

:

broke or how they're even measured.

590

:

So in terms of, reserves for risk

protection and banks, and determining

591

:

its level of risk in terms of

society, traditionally all along

592

:

it's been the size of the bank is

based on, its in terms of assets.

593

:

So here is a little bit more about

Nick and the writing Cyber policies.

594

:

He knows that every organization

has to have these policies, and a

595

:

lot of times they're, they drone

on and they're not very relevant.

596

:

He's gonna help you figure out how

to make them relevant, effective and

597

:

something that everyone can live within.

598

:

So you'll enjoy hearing from from

Nick Leghorn on this particular topic.

599

:

So here we go.

600

:

We're gonna go talk about Nick.

601

:

This is an example of the information

security policy for the University

602

:

of California which is pretty

indicative of normally how they

603

:

look and how they come together.

604

:

Like it's a giant document.

605

:

There's a bunch of sections in it.

606

:

It's got all these different

components to it, like it is a

607

:

hot mess of a of a big document.

608

:

And generally makes it unreadable

and your eyes glaze over after

609

:

about the first two minutes, right?

610

:

And it's useful for some cases, like

it's useful to get the information

611

:

out there, but it's not useful for

actually getting people to follow it.

612

:

And that's not unique to the

University of California.

613

:

A little organization called The New

York Times did an investigation into

614

:

a bunch of privacy policies that

exist around the internet including

615

:

their own and figuring out like how

readable and comprehensible are they.

616

:

And it turns out that they're

617

:

pretty bad.

618

:

Like the majority of information security

policies and privacy policies and other

619

:

stuff are pretty much incomprehensible.

620

:

They're massive.

621

:

It takes a long time to read them over.

622

:

You need more than a college degree in

order to understand what's going on.

623

:

It is miserable to try and

understand what's going on in.

624

:

And that's a a situation that isn't

unique to the privacy policies.

625

:

That's also the way that we

write every other policy we

626

:

do at our companies, right?

627

:

Typically the reason why there are

just incomprehensible mass is because

628

:

we're focusing on the drivers that

we see commonly for InfoSec policy.

629

:

And that really boils down to the

lawyers, so legal obligations.

630

:

Compliance people meeting HIPAA, PCI,

GDPR, CCPA, SOC2, like all the word

631

:

salad stuff that you gotta get done.

632

:

And then HR wants some cover for

being able to terminate people for

633

:

if they do terrible things at work.

634

:

Those are typically the drivers

behind policies and the real

635

:

force behind how they look and

why they look a certain way, and

636

:

by nature, the policies reflect

the audience because these are

637

:

the drivers for for your policies.

638

:

So how much is it holding?

639

:

But that necessarily doesn't get

into how interconnected it is on a

640

:

world basis with other ecosystems.

641

:

So that needs to change to

reflect where we are going in

642

:

terms of multi factorization.

643

:

And assessing and

preparing for risk events.

644

:

So an alternative approach,

645

:

In global regulators such as the Basel

Committee are looking to tweak this

646

:

further, are carrying it past size of the

bank institution and asset holdings alone.

647

:

So how interconnected is it?

648

:

There's a great chart, another chart

I have that shows all of the cloud

649

:

providers working with the major banks

and how interconnected this landscape is.

650

:

Between AWS, Azure, GCP,

651

:

and the foreign bank providers in

China, the foreign cloud providers.

652

:

And when you look at the

interconnectedness picture there, from

653

:

a potential risk issue perspective,

and if one, one piece goes down, how

654

:

it affects everybody that's connected.

655

:

That's critical.

656

:

So it's no longer independently how

much money each of those is holding.

657

:

Then you get into other factors

658

:

of suitability.

659

:

This is component, component failure,

but on a more macro sense, how

660

:

can things be swapped in and out?

661

:

So the ecosystem keeps going.

662

:

How complex is the interconnectedness?

663

:

Is there cross jurisdictional activity?

664

:

So it seems like, Bill, what you're

talking about and trying to help

665

:

us all understand is that there's

a high degree of dependence.

666

:

And what I just heard

you say is not only on

667

:

a particular mainframe technology or

a particular cloud technology or a

668

:

brand of cloud, but there are national

instances of cloud capabilities that

669

:

are not even AWS, Azure or Google.

670

:

They're another localities

type of cloud or different

671

:

institutions or nation state cloud.

672

:

My, my company works in

multi-cloud management.

673

:

We recognize this issue.

674

:

Many of our clients are not in one

country in terms of data centers.

675

:

And based on that, whoever they're working

with in terms of a cloud provider in

676

:

one country, they may not be able to, in

another country, the world where they're.

677

:

So how do from a risk management

perspective, get your arms and head around

678

:

that to see exactly what's going on?

679

:

The dependency matrix must be absolutely,

incredibly complex to consider.

680

:

Yeah.

681

:

And is that something that you help

people with, is to look at that complexity

682

:

and those dependencies and factor

that into the way that they have to

683

:

respond and what they have to manage?

684

:

Absolutely.

685

:

We have a number of

solutions and capabilities.

686

:

There's one we launched this year

called Kyndryl Bridge for IT operations

687

:

and multi-cloud management that we're

using internally in our managed service

688

:

context, but it's completely open in

terms of the architecture to work with

689

:

multi-cloud vendors for this purpose.

690

:

So we can gather that information

and provide better visibility into

691

:

a complete estate for those reasons.

692

:

Absolutely.

693

:

Getting into a bit of I'm showing a chart

now with, some terminology again in the

694

:

past, and based on how we approach things,

myopically, once in a hundred year storms.

695

:

The financial crisis of 2008.

696

:

But what happens if you have

Covid and then a major regional

697

:

war like Russia and Ukraine?

698

:

And the impact on commodity

and energy markets.

699

:

And supply chains that were

already crippled by Covid

700

:

that are even more so now.

701

:

With the regional war

in Russia and Ukraine.

702

:

So these are independent black swans that

are morphing into, they could be the

703

:

next generation black swan, but they're

gray swans right now that are boiling up.

704

:

And I'll explain more on what I

mean on that, on the next chart.

705

:

But there's also new types of black swans.

706

:

As digital transformation, decentralized

finance, the fueling of the everyday

707

:

layman getting into investing in trading

from the palm of his hand without

708

:

getting professional investor guidance.

709

:

So there's a great movie everybody should

go take a look at when you have time, if

710

:

you haven't seen it called Money Monster.

711

:

And this is all about hedge funds

jerry-rigging outcomes and commodity

712

:

markets to get a short position

and it benefits the hedge fund.

713

:

But everybody else that's invested

in that, and everybody that's

714

:

participating in those shells and

concentric circles in that hedge fund

715

:

gets screwed and loses everything.

716

:

What is there out there that

prevents something like that?

717

:

FTX is an example, in the crypto space.

718

:

That's what I was just gonna, I was just

gonna ask, talk about a current event.

719

:

We're talking exactly about that type

of occurrence and we've seen it in

720

:

the past with some of the other big

organizations that have been subject

721

:

to various scams both small and large.

722

:

How.

723

:

How does blockchain enter into

this equation to some degree?

724

:

What are you looking at solutions that

use blockchain technology and I'm making

725

:

the assumption that we can use blockchain

technology for more than simply crypto.

726

:

Yeah.

727

:

So a number of points before I get into

that a bit further, but that's part of

728

:

general trend in technology overall.

729

:

That the technologies are not

legacy technologies anymore born

730

:

and bred and developed in the

enterprise of the institution.

731

:

As the economy has moved more towards

a consumer economy out of necessity.

732

:

Less to a market economy in terms

of technology, people transacting

733

:

from their mobile devices.

734

:

Using digital wallets that

are supported by blockchain.

735

:

In a decentralized sense,

public blockchains Ethereum

736

:

outside the enterprise walls.

737

:

To move money around payment

transfers, remittances.

738

:

Via the blockchain Bitcoin transfer.

739

:

You can pay and PayPal

in cryptocurrency now.

740

:

As an example.

741

:

So a lot of disruption going on

there from a consumption base.

742

:

That, that is definitely occurring.

743

:

Let me stop sharing for a minute here.

744

:

Go back to the Sure.

745

:

While you're getting set up there, I'll

just talk a little bit about the fact that

746

:

our world is moving at a very rapid rate.

747

:

With technology and what you talked

about it with digital transformation and

748

:

disaster recovery because of Covid is

having to change and transform along with

749

:

all the various digital transformations.

750

:

And it seems that I hear people talking

about digital or digital transformation

751

:

and a disaster recovery, having to

keep up with those type of things and

752

:

make sure that their plans are

still relevant and meet the needs

753

:

of the new digital transformation.

754

:

And then you talked about

the nationalization, or the

755

:

internationalization or the globalization

of all of these things for so many of

756

:

the organizations that you are serving.

757

:

And of course, blockchain is a big issue

as well as some of these other things.

758

:

And so if you wanna queue up the

next slide there, you go ahead

759

:

and I'll bring it on board for us.

760

:

Yeah.

761

:

So the a as you bring up that point,

the individual institutions from

762

:

a regular regulator perspective,

and what I'm specifically talking

763

:

about are the central banks.

764

:

They're the ones in each country

and each of them across the world.

765

:

This chart is showing

766

:

supervisory agencies that have

the capability holistically to

767

:

look at black and gray swan events

and what needs to be in place to

768

:

remediate in a preventive sense, any

bad things from really happening.

769

:

Now, across the top you may

recognize some of those acronyms.

770

:

SEC obviously is the United States

Security Exchange Commission.

771

:

Monetary Authority Society

of Singapore, DNB,

772

:

so these are all big institutions.

773

:

Bank of India, BOI, in powerhouse

countries that are the policemen

774

:

of the banking institutions.

775

:

What you see here is on

the left side, supervisory.

776

:

And then you see color coding in

terms of if there's a solution in

777

:

development and experimental stage in

development or operational production.

778

:

Now this came from a report from the

Central Bank of Central Banks, the BIS.

779

:

Bank of International Settlement.

780

:

So that's the police dog watch

organization over the central banks.

781

:

And they took a look at

this a number of years ago.

782

:

There's white space all over this.

783

:

First of all, as we're moving

into blockchain, decentralized

784

:

finance, emerging tech, these

supervisory areas are not silos.

785

:

They're more and more correlated,

especially with interconnectivity

786

:

with big tech in the cloud providers.

787

:

You'll see

788

:

that even if you pick one of

the supervisory areas and go

789

:

horizontally across the chart,

not one is fully operational for

790

:

all of the big central banks.

791

:

That's illuminating.

792

:

Number two.

793

:

Going vertically down.

794

:

From a comprehensive, holistic correlated

perspective, from a supervisory risk

795

:

perspective for remediation, nobody's

got 'em fully operational either.

796

:

So those are the ones that are all

yellow in that second line there

797

:

where the realtime monitoring

and all the various efforts, and

798

:

some of 'em are not even yellow.

799

:

They're blank.

800

:

Yeah.

801

:

What does that say?

802

:

Haven't started.

803

:

So this is largely reflecting

too, if you trace back.

804

:

So like I said, this is a bit dated.

805

:

It it's at least three, four years old,

so there could be some improvements

806

:

on this, but for the most part

it, the picture is still the same.

807

:

But if you trace back in terms

of the big black swan events,

808

:

and I mentioned some of them,

809

:

in the past 10, 15 years, you'll

see that the color codes that are

810

:

operational that are put in place,

especially in certain jurisdictions.

811

:

Those are the red ones, I presume.

812

:

Yeah.

813

:

You'll see that those reflect

a reaction to the major event.

814

:

There's the pattern. Got it.

815

:

So if you went, so if you went back

and looked at a timeline of this, you

816

:

would basic a chronological timeline

of when these things started to

817

:

appear to be regulating or to work.

818

:

They would correspond to, for

instance, some of the big world events

819

:

of 2008 and other such situations.

820

:

And that they didn't really do that

for that kind of correlating regulation

821

:

until after those type of events.

822

:

Is that what you're saying?

823

:

Yeah.

824

:

And there's been some intentions,

for example, to modernize this view

825

:

based on how the world is changing.

826

:

So the best example I think I have

on this chart is macro financial

827

:

risks and emerging risk signaling.

828

:

So some of the major players of

joining forces and saying, look,

829

:

we need to be more holistic on an

international basis, on a, how we're

830

:

all interconnected on a macro level.

831

:

And start developing solutions in that

context instead of our own sandboxes.

832

:

So basically at this point, any of those

areas that are not yet operational are

833

:

pretty much wide open to black swan

events and to all sorts of disruption in

834

:

international commerce and banking that

might... Absolutely, Bill, let me just throw

835

:

a complete wild card scenario out at you.

836

:

Everybody right now, in the past 60

days or so, maybe a bit longer is all

837

:

excited about this OpenAI ChatGPT

initiative that was fueled by Microsoft

838

:

and natural language processing.

839

:

I've read now that and what it can do.

840

:

So you can ask it a question,

841

:

and the response accuracy it comes

back with is phenomenal in many cases.

842

:

In terms of how fast.

843

:

So let me add some almost

instantaneous feedback on that.

844

:

Over the weekend I was on chat and I was

exercising the system and I'm a computer

845

:

network analyst and so I asked it how

to write a computer network analyzer

846

:

called Wireshark, how to put in a

filter for a certain TCP application

847

:

port and if it would write that for me.

848

:

And sure enough it came right

back and it delivered the exact

849

:

appropriate syntax for that.

850

:

And then I started asking it some

questions about disaster recovery

851

:

plans or disaster recovery surveys,

and it was amazingly accurate.

852

:

Now it's not going to do a comprehensive

853

:

amount of work for us, but in a small

amount of work that you ask it to

854

:

do, write me a disaster recovery plan

for the major risks in Austin, Texas.

855

:

I actually asked it that, and it came

back and it told me the natural disaster

856

:

type specific problems that Austin

would have that others wouldn't have.

857

:

So it's an incredibly accurate, albeit

very specific and to compare the chat

858

:

AI with something like Google, Google

makes money when there's clicks.

859

:

So when you stop clicking,

Google stops making money.

860

:

Yeah.

861

:

So Google makes us click.

862

:

This technology, you ask it a question and

it gives you the exact specific answer.

863

:

With context that you're looking

for in almost pretty much every

864

:

area of technology or information

that I could quiz it with.

865

:

Amazing.

866

:

But that's based on a certain

context, like you said in dataset

867

:

that it's available and has access to.

868

:

And it's not gonna cover the unknowns.

869

:

How can it, what I'm saying is there is an

inherent risk there as it evolves further.

870

:

And how do we know that what

it provides as an answer

871

:

is the best solution in, in

terms of its input and output.

872

:

It's still binary to some degree, right?

873

:

Oh, absolutely.

874

:

It's very specific and it's also it warns

you that it's not accurate in all cases.

875

:

And it also says I haven't

really been taught anything

876

:

prior to 2001 or after 2001.

877

:

So my, it gives you these

pieces of information.

878

:

The other interesting anecdote

on this is that it remembers

879

:

everything that you asked.

880

:

So I asked it to create a Cisco router

configuration for five VLANs, and

881

:

then I asked it a second question,

which is a very technical thing.

882

:

It drew out and it gave me the exact

syntax for that Cisco router config.

883

:

And then I said, now put EtherChannel

connections between the various

884

:

switches, and it gave me the exact Cisco

syntax to do all of those sort of things.

885

:

So it's actually quite capable, but it,

like you said, it, it doesn't know or

886

:

understand or anticipate other things.

887

:

So it's very good for very specific

tasks with very specific outputs.

888

:

But like you said, it does not

know the future, but it is pretty

889

:

amazing to, to utilize the tool

and to get some experience with it.

890

:

I just did that this morning

and over the weekend.

891

:

So I wanted to let you know that

is something that's happening

892

:

today, although I could not imagine

anybody depending upon that for any

893

:

type of mission critical system.

894

:

Yeah, I bring this up as an example

because there's the row in this

895

:

chart here, and then I'll stop

sharing, machine readable regulations.

896

:

In this context, I can see how

that type of solution may want to

897

:

fill in some of that white space.

898

:

But it's still in its current way,

shape, and form is open to bias

899

:

in a limited dataset perspective.

900

:

So there, there's still some

inherent risk in that solution.

901

:

It's just very interesting as AI

develops and takes a life on its own.

902

:

I You've read about, AI being able

to program itself or code itself.

903

:

There's gotta be a base starting point.

904

:

For all of that.

905

:

So yes.

906

:

Now as we start to wind down, I'm

wondering if you could summarize for

907

:

us some of the lessons that we have

learned in today's session and prepare

908

:

us for some future sessions that we

might do on some of this very complex

909

:

global dependencies on technology.

910

:

And as digital transformation takes us

forward, what are some of the lessons

911

:

learned, you think that we have gained

and what things like you just mentioned,

912

:

do we need to take care of in the.

913

:

Yeah.

914

:

It goes back to basic hygiene

and should be baked into DNA.

915

:

So make your core solid, number one.

916

:

If you look at the picture of the

concentric circles when you cut

917

:

down a tree. And innermost circle

is the oldest part of the tree as

918

:

it, and then it, grows outward.

919

:

You get newer pieces of the bark and

the layers added into the tree trunk.

920

:

That's the liquid ecosystem. As

you're growing that tree outwards and

921

:

you add more circles around it. And

the way that I visualize that from

922

:

an analogy perspective, that's more

disruption to your core business.

923

:

So you've gotta make sure you've got a

solid core. And, in terms of frameworks

924

:

and methodologies that have further

evolved, zero trust architecture,

925

:

not only protecting you from

926

:

outside in threats,

but inside out threats.

927

:

Looking at your application

and service estate.

928

:

Not just applications, because

it's not applications anymore,

929

:

serving one function or one service.

930

:

There's interconnectedness.

931

:

So do you have a proper view and

inventory from a categorization in

932

:

terms of criticality perspective

along confidentiality, data

933

:

integrity and availability.

934

:

So for example, A, B, C, 1, 2, 3.

935

:

So if an application or more

appropriately a function or service

936

:

is rated one for confidentiality,

integrity, and availability, that

937

:

is lifeblood to the enterprise.

938

:

That's like oxygen, right?

939

:

You can't live without it.

940

:

So that means from an outside in

perspective, strengthening the core,

941

:

you need high availability, six

nines and full DR for that service.

942

:

And most institutions don't

even do what I just described.

943

:

And as you go further out from that

core and add those additional concentric

944

:

rings, there's gonna be different

permutations of the 1, 2, 3 ratings.

945

:

You could get into 1.5,

946

:

2.5,

947

:

and don't you see don't, doesn't it

seem like we are also transforming

948

:

some of our technologies?

949

:

We're still moving additional

resources and systems to the cloud.

950

:

Those cloud systems are still

moving into microservices.

951

:

They're moving into various containers.

952

:

That, again, shift the paradigm in being

able to build those systems up and scale

953

:

them rapidly, but at the same time, it

increases the complexity and changes

954

:

the technology in those like you said,

it beautifully said is the concentric

955

:

rings on the outside that continue

to affect even though we have a good

956

:

core, we're still changing as we grow.

957

:

Yeah.

958

:

And to, to some extent, it goes

back to the piece of slogan

959

:

that I mentioned earlier.

960

:

It's not my pasture in the core ring.

961

:

It's not my BS. I'm shifting it off to

a container to, to an outside ring, but

962

:

that doesn't necessarily reduce the risk.

963

:

Exactly.

964

:

And then disaster recovery.

965

:

In some of the things that you

discuss with your customers are

966

:

you finding that the ability to have

disaster recovery is more synchronous

967

:

obviously than it is asynchronous?

968

:

In other words, it has to people cannot

tolerate any downtime or minimal downtime.

969

:

And do organizations who spend a lot

of energy, money, and budget building

970

:

out realtime capabilities, do they also

sit back and look at the potential for

971

:

catastrophic situations where they have

to accept that they may have to triage

972

:

for something that's unforeseeable?

973

:

My experience, it's usually been

reactionary, so there's been some type

974

:

of incident, there's been some type

of monetary loss, reputational loss.

975

:

And, the amount of focus that they go back

and look at this varies depending in some

976

:

correlated sense to what that loss was.

977

:

And it really depends.

978

:

Some of them still treat

it like a speed bump.

979

:

It was an annoyance.

980

:

We learn from it, they look at it

in context to the same or similar

981

:

things happening to their competitors

982

:

and they more or less chalk it

up to the cost of doing business.

983

:

And I don't necessarily agree

with that, especially with that

984

:

statistic I showed earlier.

985

:

50% of customers are gonna give the

bank two chances to get it right.

986

:

You can get it right now.

987

:

A hundred percent.

988

:

I'm still taking my money elsewhere

because in terms of consumer

989

:

experience, I won't name my bank,

but I used to work for them.

990

:

I've been in and out of them for

projects through two companies, and

991

:

I'm still with 'em over 20 years.

992

:

Do you think they send me unsolicited

offers to make my life better?

993

:

Hell no.

994

:

Meanwhile, I, meanwhile, I've

been with PayPal for two years,

995

:

two and a half, three years.

996

:

I've got credit lines with them.

997

:

I can buy crypto with

them every six months.

998

:

They're offering me some new

way to improve my financial

999

:

situation, unsolicited.

:

01:05:17,956 --> 01:05:21,629

And that's all it took for me to

move some of my business to PayPal.

:

01:05:22,229 --> 01:05:22,629

Yes.

:

01:05:22,644 --> 01:05:26,958

So it's interesting because today and

I know we've been talking about large

:

01:05:26,958 --> 01:05:32,459

corporate banking global and other such

things, but have you taken into account

:

01:05:32,471 --> 01:05:37,532

companies that are utilizing things

like Facebook for all their marketing.

:

01:05:37,592 --> 01:05:43,733

They get all of their sales from Facebook

marketing large companies who are

:

01:05:44,003 --> 01:05:47,032

utilizing that for all their new business.

:

01:05:47,332 --> 01:05:52,642

th,:

went down for six straight hours

:

01:05:52,706 --> 01:05:56,968

catastrophic outage, a black

swan, a zero day, so to speak.

:

01:05:57,388 --> 01:06:01,266

And, it's not so easy to just

say, I'm moving all my marketing

:

01:06:01,271 --> 01:06:07,608

for to my Twitter right folks, or I'm

moving everything over to some other

:

01:06:08,118 --> 01:06:09,778

LinkedIn or something of that nature.

:

01:06:09,778 --> 01:06:12,630

It, that requires not just

:

01:06:12,657 --> 01:06:17,606

a disaster recovery capability, but

something that has to be baked in for,

:

01:06:17,643 --> 01:06:23,133

many years to move all your marketing from

one social media platform to the other.

:

01:06:23,188 --> 01:06:27,126

And of course the lessons learned

that Facebook had that, that cost

:

01:06:27,126 --> 01:06:31,326

them 25 to 50 billion in that one day.

:

01:06:31,326 --> 01:06:35,646

And of course it went, this talk went

back up, but somebody on that day

:

01:06:36,096 --> 01:06:41,486

lost between 25 and 50 billion of

value and may have made decisions.

:

01:06:41,491 --> 01:06:44,538

Like you said, banks are not

very, forgiving of customers

:

01:06:44,544 --> 01:06:45,799

are not very forgiving.

:

01:06:45,866 --> 01:06:49,049

They see this happen once and

they say it might happen again.

:

01:06:49,049 --> 01:06:52,349

They'll give you that one, but they

probably wouldn't give you a second one.

:

01:06:52,408 --> 01:06:57,849

Is there any allegory to the banking

world and, revenue production or

:

01:06:57,849 --> 01:07:02,619

nonstop systems that we can take

away from that type of an event?

:

01:07:04,350 --> 01:07:08,176

The disruption of the traditional

industry, the traditional

:

01:07:08,176 --> 01:07:11,566

bank has not moved other to

other providers that quickly.

:

01:07:11,686 --> 01:07:15,856

For those reasons, they just

don't have the industrial strength

:

01:07:15,861 --> 01:07:20,326

capability in context with the

volume that they need to protect yet.

:

01:07:21,176 --> 01:07:23,576

And it's the not, it's

not the same type of data.

:

01:07:25,091 --> 01:07:25,541

As well.

:

01:07:25,541 --> 01:07:26,467

Which we all know.

:

01:07:26,467 --> 01:07:29,303

Even like your example using PayPal.

:

01:07:29,693 --> 01:07:29,783

Yeah.

:

01:07:29,783 --> 01:07:36,741

You can't move between Stripe and PayPal

and banking, traditional banking. Very

:

01:07:36,741 --> 01:07:41,621

rapidly, probably more rapidly than you

could move from Facebook to Twitter.

:

01:07:41,621 --> 01:07:47,640

But nevertheless it's a macroeconomic

change that and it's hierarchical based

:

01:07:47,640 --> 01:07:49,890

or tiered based in terms of risk appetite.

:

01:07:49,890 --> 01:07:54,174

So the consumption model that I look

at and use and present, in, in terms of

:

01:07:54,174 --> 01:07:59,034

the bastion of what's being disrupted,

payments has already left the building.

:

01:07:59,214 --> 01:08:01,494

That's fair game to a number of providers.

:

01:08:01,494 --> 01:08:02,884

The bank doesn't own that anymore.

:

01:08:02,884 --> 01:08:04,818

Anybody can do payments.

:

01:08:05,593 --> 01:08:05,958

these days.

:

01:08:05,958 --> 01:08:10,295

That's why Facebook and Apple and Google,

they've all gotten into this space.

:

01:08:10,356 --> 01:08:13,667

When you the next piece is

really lending and credit.

:

01:08:13,667 --> 01:08:16,846

And some of these other

alternative providers have

:

01:08:16,846 --> 01:08:18,767

moved into that PayPal credit.

:

01:08:19,057 --> 01:08:20,857

So they know what you're

spending your money on.

:

01:08:21,067 --> 01:08:24,817

It's a natural extension to offer

you credit vehicles in financing.

:

01:08:24,888 --> 01:08:26,448

Not much more risky.

:

01:08:26,497 --> 01:08:28,444

There's a credit risk scoring algorithm.

:

01:08:28,457 --> 01:08:30,947

You've gotta have reserves

in place to protect.

:

01:08:31,407 --> 01:08:34,667

But there's all kinds of buy

now pay later schemes as well.

:

01:08:34,977 --> 01:08:35,176

Yeah.

:

01:08:35,567 --> 01:08:37,410

So that's being disrupted.

:

01:08:37,429 --> 01:08:42,269

The key part that's staying away

from the disruptors has been really

:

01:08:42,269 --> 01:08:45,629

asset preservation, i.e., deposits.

:

01:08:46,089 --> 01:08:47,229

To a certain extent.

:

01:08:47,259 --> 01:08:49,029

And where there's more regulation.

:

01:08:49,779 --> 01:08:53,578

You need a more intense banking

charter to hold wallet share

:

01:08:53,578 --> 01:08:55,709

of a customer in your system.

:

01:08:56,368 --> 01:08:56,849

Got it.

:

01:08:57,429 --> 01:08:59,548

And same with investments or insurance.

:

01:09:00,457 --> 01:09:04,658

Because if there's a, if there's a total

disaster or loss and you're holding

:

01:09:04,658 --> 01:09:09,548

people's money when you're promising

some type of return, or you're insuring

:

01:09:09,548 --> 01:09:15,488

it, if they lose it, then your risk

quotient is much higher than if you're

:

01:09:15,493 --> 01:09:19,264

offering 'em the credit or just processing

payments from point A to point B.

:

01:09:19,304 --> 01:09:19,514

Yeah.

:

01:09:19,904 --> 01:09:20,203

Yeah.

:

01:09:20,252 --> 01:09:20,702

Good point.

:

01:09:21,122 --> 01:09:21,211

Yes.

:

01:09:21,211 --> 01:09:26,234

So in closing I wanna give you the last

word and let you just talk to our audience

:

01:09:26,313 --> 01:09:31,077

and discuss some of these lessons learned

and where you think things are going and

:

01:09:31,077 --> 01:09:36,344

how you and your organization might be

able to help people that are struggling

:

01:09:36,344 --> 01:09:38,113

with these exact type of issues.

:

01:09:38,948 --> 01:09:38,950

Yeah.

:

01:09:39,042 --> 01:09:41,743

Number one, this is a

holistic perspective.

:

01:09:41,743 --> 01:09:45,582

And it's number of analogies I

used in terms of peeling back

:

01:09:45,582 --> 01:09:49,813

the layers of the onion or the

concentric trees in the circle.

:

01:09:49,813 --> 01:09:53,157

And the other point is it's people

process, technology, not to use,

:

01:09:53,197 --> 01:09:57,513

a common term that's been bandied

about for decades, but it still

:

01:09:57,513 --> 01:09:59,283

is definitely all about that.

:

01:09:59,923 --> 01:10:02,683

Digital transformation

is not a technology play

:

01:10:03,193 --> 01:10:05,452

only. It covers your organization.

:

01:10:06,272 --> 01:10:10,426

It covers how you're interacting with

your target customer and who that

:

01:10:10,426 --> 01:10:12,736

really is to improve their experience.

:

01:10:13,346 --> 01:10:16,196

Whether you're B2C, B2B, or B2B2C.

:

01:10:16,207 --> 01:10:20,686

And we primarily plug ourselves in

terms of B2B and to a second extent

:

01:10:20,691 --> 01:10:23,626

B2B, B2C context to help clients.

:

01:10:24,106 --> 01:10:27,466

But our approach is really digital

transformation, not only from a

:

01:10:27,471 --> 01:10:32,776

technology perspective, but business

strategy enabled by technology as well.

:

01:10:32,791 --> 01:10:33,322

Very good.

:

01:10:33,322 --> 01:10:34,222

Thank you so much.

:

01:10:34,222 --> 01:10:40,417

We've been talking with Bill Genovese

and he is the CIO advisory partner

:

01:10:40,687 --> 01:10:44,155

and CTO of technology strategy.

:

01:10:44,155 --> 01:10:50,559

Kyndryl, a former IBM

technical services company.

:

01:10:50,860 --> 01:10:54,610

So I just want to say thank you so

much, Bill, for joining us today.

:

01:10:54,615 --> 01:10:58,960

We look forward to having you

on a future broadcast, and thank

:

01:10:58,965 --> 01:11:00,730

you so much for joining us.

:

01:11:01,059 --> 01:11:04,256

And folks, if you want to get in

contact with Bill, we'll give you

:

01:11:04,256 --> 01:11:10,912

his contact information in the down,

in the show notes so that you can

:

01:11:10,912 --> 01:11:16,740

contact Bill or ask him for some type

of a presentation to talk about your

:

01:11:16,740 --> 01:11:19,650

particular issues in your environment.

:

01:11:20,250 --> 01:11:22,080

So now thank you Bill.

:

01:11:22,110 --> 01:11:25,230

Really been a pleasure to talk

with you and to get to know you.

:

01:11:25,230 --> 01:11:31,050

Look forward to additional times

on Disaster Stream, disaster

:

01:11:31,540 --> 01:11:33,210

recovery responder stories.

:

01:11:33,510 --> 01:11:34,140

Thank you.

:

01:11:34,140 --> 01:11:34,220

Thank you.

:

01:11:34,530 --> 01:11:35,430

Thanks for having me, Bill.

:

01:11:35,970 --> 01:11:36,360

Thanks.


About the Podcast

Disaster.Stream
Disaster Stream is a podcast series that delves into the world of disaster recovery, cybersecurity incidents, and critical problem resolution in major organizations. Hosted by Bill Alderson, the podcast features expert insights, case studies, and interviews with leaders and pioneers in the technology and cybersecurity fields. Each episode shares lessons learned and best practices for crisis management, aiming to help organizations prepare for and respond to disasters effectively. Available in both audio and video formats, Disaster Stream is your go-to resource for understanding and navigating the complexities of disaster recovery and cybersecurity.

About your host

Bill Alderson

Bill Alderson is a historian at heart, a storyteller by nature, and a technologist by trade. For more than four decades, he has solved some of the toughest challenges in cybersecurity and networks — from helping restore communications at the Pentagon on 9/11 to training thousands of professionals worldwide.

But beyond technology, Bill is the proud grandson of Mabel and Ed Plaskett, California pioneers who passed down stories of resilience, family, and the rugged Big Sur coast. As the family historian, he has gathered photographs, journals, and documents to preserve the heritage of the Plaskett family for future generations.

Through this podcast, Bill shares those stories — weaving together history, heritage, and personal reflections — so that listeners, whether family or friends, can connect with the enduring spirit of the Monterey County coast.