Maria Dolores Perez: a brilliant and pragmatic mind to face cyber challenges

Maria Dolores Perez received the “CIO of the Year” award in 2017 a few months before becoming Data Protection Officer at KBL European Private Bankers, while the GDPR came into force.

With a great experience in different functions at the crossroads of business and IT, Ms. Perez masters the art of synthesis to perfection. Her background (both scientific and financial) as well as his dual culture (Belgo-Spanish) allow her to multiply the experiments and to put her career on an exponential curve.

We met her to talk about her journey and vision of cybersecurity. Sophisticated and resolutely optimistic, Maria Dolores Perez loves coffee and chocolate… and hates the grumpy who only see what does not work.

Her career began in audit: “For me, it is a major pillar of cybersecurity because it allows us to prove that the processes are in compliance, to demonstrate the existence of a risk”.

“Auditing allows us to restructure the way we speak, present the facts, evaluate them and connect with others … However there is one major drawback. When you do this job, by definition, you are not appreciated. So you have to learn to go beyond that. “ Maria Dolores Perez had to cultivate very early the sense of firmness with a smile.

The cultural dimension of cybersecurity has also played a major role in her journey. The KBL epb group is a banking network operating in 50 cities in Europe, piloted from Luxembourg.

“Everyone sometimes has different approaches. For example, in Luxembourg, we were not in favor of using remote access to access customer data outside the country. However, legal constraints and practices are not the same from one country to another. So we have to listen to the market and we try to challenge ourselves. In the same way, the need for tools varies considerably across countries. For example, the Web Banking is not necessarily the same in Spain, because the realities of the market and the expectations of the customers are different.”

How do you see the situation of cybersecurity in Luxembourg? And its future?
“I would first say Congratulations to all the initiatives like the Cybersecurity Week that are being taken here in Luxembourg. I have no problem taking my phone and calling who I want (or almost) … I will have an answer within 24 hours. In fact, we have a family of experts who are not numerous and who respect each other. There is no jealousy.”

But where does this efficiency come from? Is it the startup spirit?
“No, I think it’s mainly the education of people. When you have a scientific background, you are more in a logical search for efficiency and scientific accuracy. When we share this state of mind, in a large village like Luxembourg, it facilitates contacts. We call ourselves directly and we stay open… We also have to be humble about the threat. We are faced with an invisible army that is becoming ever more powerful. Our only advantage is to be able to exchange best practices and tips to better defend and resist”

The big evolution I see is that companies had IT security, with separate networks. Security has shifted, first to applications, then to connected devices … and today we focus on the data. Every industry has data to protect, secrets. Our secrets are the data of our customers. We also need to consider that our customers who want to log on to their account without having to go through tedious checks. They are impatient, their online bank must be available at all times. Space-time has been completely distorted.”

Does this mean that security must be ergonomic?
“Absolutely, the tools of Web Banking have strongly evolved in this direction to make the life of the users easier. It must be considered that these applications have become the main gateway to the bank for most of them. So, this is our brand. IIt must meet the expected safety and comfort standards. Comparisons are easy.”

Cybersecurity is evolving: how do you see its future?
“Before, it was the IT that was leading the maneuver. Today, it is the customer who pulls the evolution. Today there is a “risk assessment” approach, in which we place more emphasis on optimizing risk management, rather than focusing on tools. It is clear that we are in a phase of profound upheaval in the digital world and that there is a maturation in progress. Look at the aviation industry. How can one imagine that so many planes are in the sky at the same time, while there are so few accidents? This is because we have put in place a series of very strict standards in terms of physical security, air traffic control, and more and more computer security. When human life is at stake, we do not go into production until maximum security is guaranteed. In the future, this level of requirement must be in place for personal data.”

Security is also about the human and the organization. How do you do ?
“We have training, tools, internal phishing test campaigns. Indeed, people are trained. However, do not think it’s enough. You must have a real reflection on the tools deployed. If a solution that is 99% secure poses adoption problems and is bypassed by half of the users, in fact, it does not work. It is better to use an 80% safe solution that will be adopted by all. The remaining 20% ​​will be our job. It is also necessary to have an intelligent system: the artificial intelligene will be a major advantage as it will help us to detect potential risks more easily in order to provide a better protection to our customers.”

Physical security and logical security are therefore not totally different?
“No, and I even think there should be more analogies between the two: a firewall is a fire door. Encryption is a vault. Through this kind of analogy, everyone is allowed to visualize and understand concepts that are sometimes nebulous.”

As a DPO, do you think the banks have passed the GDPR?
“Surely, I think the banks were well prepared. Because cybersecurity has always been an issue. The security constraints have always been very strong for us, especially to preserve bank secrecy.”

In the end, Maria Dolores Perez fights for a pragmatic vision of cybersecurity. An approach that gives priority to the customer and the user. Because they are the real owners of their data.