
Finding DORA-Strengthening IT Operational Resilience in Finance - Device42


Notes

The latest episode of “The Hitchhiker’s Guide to IT” podcast focuses on the Digital Operational Resilience Act (DORA) and its significance in strengthening IT operational resilience in the finance sector. Hosted by Michelle Dawn Mooney, this episode features Joerg Hesselink, CEO of DC Smarter, who provides expert insights into DORA and its implementation.

Hesselink explains the essentials of DORA, a European Union regulation designed to enhance the operational resilience of financial institutions against technology disruptions and cyber threats. With DORA set to take effect on January 17, 2025, he emphasizes the urgency for financial entities and their IT service providers to manage IT and telecommunication risks effectively.

The discussion covers the critical challenges posed by cyber attacks, data breaches, and technology errors, highlighting the importance of IT Asset Management (ITAM) in maintaining a comprehensive technology landscape. Hesselink draws an analogy with the movie “Finding Dory” to explain the necessity of discovering and protecting IT assets within an organization.

Transcript

Finding DORA:

(Host: Michelle Dawn Mooney)

Hello and welcome to the Hitchhiker’s Guide to IT, a podcast brought to you by Device42. I’m your host, Michelle Dawn Mooney. Today we’re talking about strengthening IT operational resilience in finance with DORA. What is DORA, you may ask? We’re going to talk about that and much more with a great guest that I am pleased to bring on today. Joerg Hesselink is the CEO with DC Smarter. Joerg, thank you so much for being with me today.

(Guest: Joerg Hesselink)

Thank you, Michelle, for having me. Looking forward to getting into this conversation.

(Host: Michelle Dawn Mooney)

Before we do, can I ask you to give us a brief bio, please?

(Guest: Joerg Hesselink)

Absolutely. Yeah. So Joerg Hesselink, CEO of DC Smarter, after almost spending 30 years in IT and telecom operations in multinational companies, I decided to create my own company. And together with my co-founder, we created DC Smarter to share our experiences with other companies.

(Host: Michelle Dawn Mooney)

And we are definitely going to share some great information today in this podcast. So at the top of the podcast, I referred to DORA and how it’s going to help us in a variety of different ways, which you are going to get into as we go on with this conversation. But let’s start off here. What is DORA for people who are not familiar with it?

(Guest: Joerg Hesselink)

Yeah, that’s a great question. So DORA actually stands for Digital Operational Resilience Act. And we are a German headquartered company. So this is a European Union regulation, which allows us to strengthen the operational resilience of the financial institutions. And this is mainly to do when it comes to technology disruptions or cyber threats. So in simple terms, it requires the management of IT and telecommunication risk. And if you look at DORA, it applies actually to all authorized European financial entities, including credit institutions, investment firms, insurances. But it also applies to ICT, IT and telecommunication third-party service providers who serve that industry. And I think what is most important is DORA within the European Union as a regulation starts on January 17, 2025. So it’s around the corner and there is a very strong call to action.

(Host: Michelle Dawn Mooney)

Let’s talk about something that we hear in the news, unfortunately, too much, but it’s not going anywhere anytime soon, cyber attacks, data breaches. How does DORA come into play there?

(Guest: Joerg Hesselink)

Yes, so absolutely. So when you look into 2023 and based on a very recent report from the Global Technology Industry Risk Study, we have identified basically the top three critical risks here. The first is data security and privacy. So this involves protecting sensitive data from unauthorized access and breaches. So this will ensure privacy of personal data, but also it helps us to comply with data protection regulations. The second part is digital business interruption. So this typically refers to the risk of disruption or even a loss of digital services due to incidents like you mentioned, cyber attacks. But it could also be because of a system failure or a data breach. And the third, which is often forgotten, is technology errors. So this risk involves potential mistakes or oversights in the technology services or products which are provided by those companies, which could lead to financial loss or even damage to its reputation.

(Host: Michelle Dawn Mooney)

Let’s talk about the importance of ITAM. How important is it and why?

(Guest: Joerg Hesselink)

Yeah, another acronym, right? So ITAM stands for IT Asset Management and in IT and telecommunication, this is really the heart. This is the heartbeat. So this is the center of your repository. It contains all the assets in your inventory. Now it is super important for DORA as a regulatory framework because it enables this comprehensive visibility into the enterprise technology landscape. So it is mission critical for managing cybersecurity risk and ensuring rapid discovery or recovery from disruptions. And I keep on saying that all the time. You want to protect or improve something that you don’t know you have. And without IT Asset Management, there is no point. You wouldn’t even know how to start.

(Host: Michelle Dawn Mooney)

So we’re all familiar with the movie, probably Finding Dory, which I thought was really interesting in Europe. It’s actually Finding Dora, which is a perfect segue to my next question with this. Because if people have seen the movie or if they haven’t, Dory or Dora in Europe is looking for her parents and she doesn’t know where they are. So can you tell me, Joerg, how does one protect something when we’re talking about Dora? And it’s unknown where the thing we’re trying to protect actually resides.

(Guest: Joerg Hesselink)

Yeah, perfect, perfect question. And it’s a great similarity. When you think about this movie, you think about Dora and finding home and along the way identifying or finding things. It is very similar when you think about IT Asset Management, because the question is where do you really start? And in IT and telecom terminology, usually you tend to start with what we call software discovery. So network discovery basically is another term we use. So we go out in the network, we discover things like Dora. And as we discover things, then the question still remains, where do we store this data? Do we understand the relationship in between these things which we discover? But also more important, where do they reside? Where are they exactly at that point of time? So this is exactly where we come in. We basically help companies not just to logically find things and help them to make sense and build these relationships and correlation. We even tell them where exactly at. And again, that at the end of the day helps you to find home.

(Host: Michelle Dawn Mooney)

Why is that so important though? And then maybe can you go into the next step? So we’ve located what we’re trying to protect, but then where do things go from there?

(Guest: Joerg Hesselink)

Yeah. So first of all, I’d like to talk a little bit about the challenges, if you don’t mind, to get there. Why is it so hard? And I would say there are four things which I would like to call out. First, it’s what we call visibility gaps. As we just discussed, finding DORA along the way, we deal with incomplete data on hardware and software assets across organizations. And that makes it very difficult to maintain an accurate inventory. But the second part is siloed processes. So we have fragmented and disjointed IT asset management practices across different departments. And they’re hindering a holistic view of this technology landscape. Third, rapid technology change. So the fast-paced evolution of IT and telecom systems and devices, they require constant updates to asset inventory management strategies. And then last but not least, we’re talking about the regulatory framework, compliance and complexity. So how can you navigate the web of regulations such as DORA and ensure this comprehensive compliance across all the organizations? So these are mainly the four challenges to introduce IT asset management and get ultimately to compliance.

(Host: Michelle Dawn Mooney)

So we know what DORA does now. Perhaps the bigger question at this point is, how do we use it?

(Guest: Joerg Hesselink)

Yes. So in fact, the way we go after that is we basically, once we know what we need to do, basically now we find a way to help the customer to get to the how. How I’m going to implement that. And what we’re doing basically with the customers, we’re integrating IT asset management and physical inventory management. We combine the two. And how do we do it? First, it is because we provide this unified visibility. So we integrate IT asset management and what we call physical inventory management. And this then allows us to provide this comprehensive view. Secondly, we synchronize processes. So we align and streamline these workflows and procedures in between the digital world, but also the physical world, which ultimately then can be used by multiple departments. And I keep on saying that when we talk to customers, oftentimes we have IT on one end and we have facilities or manufacturing on the other hand, but they don’t come together. So we synchronize the processes so that they talk the same language, and they get together. And finally, and this is very relevant for information security in particular, DORA is the risk-based approach. So as we have the data, we understand what we got and where at. We now need to ask ourselves the question, what’s the risk for the business and prioritize based on this security risk, and then take this proactive approach to mitigate any threats.

(Host: Michelle Dawn Mooney)

We’ve learned a lot here. Well, I’ve learned a lot, Joerg, in this conversation. We are almost out of time, but I know people out there will probably have questions or they want to learn more about DORA and what we’re talking about here today. So do you have any resources you can share, places they can go to learn more about what we’re talking about today?

(Guest: Joerg Hesselink)

Yeah, absolutely. I mean, first of all, I’d like to invite everybody to join us in an upcoming webinar, which we are hosting early July. Here we’re going to really talk about, again, how to implement it. And we will even go straight down to the tools, which can help the customer to fast track. Because remember, it’s around the corner, January 2025, there is a call for action. But other than that, you can find me either via LinkedIn, Joerg Hesselink, through our website, dc-smarter.com, or through email, anytime, so we can stay in touch.

(Host: Michelle Dawn Mooney)

Jörg, thank you for your time and helping us to find DORA, what DORA does, how we can use it and how it will make things better for a lot of companies out there. So appreciate you being here today.

(Guest: Joerg Hesselink)

Thank you, Michelle.

(Host: Michelle Dawn Mooney)

And I want to thank all of you for tuning in and listening to the Hitchhiker’s Guide to IT, a podcast brought to you by Device42. If you’d like to hear more engaging conversations like the one you heard today, we encourage you to subscribe to the podcast. Thanks again for joining us. And of course, you can go to Device42’s website for more information there, if you’d like to learn more about the company as well. I’m your host, Michelle Dawn Mooney. Thanks again for joining us. We hope to connect with you on another podcast soon. Bye.