In the fast-paced realm of fintech, the pursuit of seamless user experiences harmonised with stringent security measures stands as a paramount challenge. Jim Newman, CICO of Capco, shares his experience in cybersecurity while keeping an eye on future challenges.
In an era defined by rapid digitalisation and technological advancement, the importance of cybersecurity stands as an ever-growing imperative. From personal data to critical infrastructure, the virtual realm is a treasure trove of invaluable assets vulnerable to cyber threats. We had a great opportunity to speak with Jim Newman, who is deeply entrenched in this domain, gaining valuable insights into security approaches to navigate through various challenges.
With more than 16 years of experience in creating and implementing information security strategies and programmes, security processes and controls, and security policies and standards, Jim Newman offers valuable and unique expertise both to fintech experts and to those who have just started their journey. Let’s dig deeper together.
Fintech security 2.0
“Users expect to use their apps quickly and with as little friction or effort as possible,” Jim emphasised, capturing one of the central challenges faced in fintech—harmonising stringent security measures with a seamless user journey. He believes, “Usability vs security is a challenge, but the two are not mutually exclusive.” This points to a sound approach: pragmatic, robust security measures that still leave the user experience smooth.
So how to approach balancing this need for security with the need for user experience in fintech applications?
“In fintech, identity and authentication pose a serious challenge because we need to deploy robust customer authentication mechanisms to protect customers from fraud,” Jim stressed. How? Leveraging techniques like biometric authentication not only enhances security but also makes the login experience seamless for users.
“By taking a pragmatic approach to delivering security in products, we can avoid the trap of creating unnecessary controls or complicating the process for the user,” he pointed out. The key lies in meticulous threat modelling before development, enabling proactive identification of security requirements that enhance both platform resilience and user experience.
That is not an easy task. What challenges may you face in implementing secure fintech solutions, and how can you overcome them?
“One of the biggest hurdles in delivering a secure fintech solution is the complexity of integrating multiple diverse systems while maintaining a strong security posture,” our guest highlighted. To navigate this challenge, you should consider adopting a DevSecOps approach, empowering infrastructure and software development teams to embed security seamlessly into their workloads.
While working at Jaja as Head of Security, Jim Newman faced an intriguing challenge in consumer finance: “Customers would pay off credit card balances using debit cards,” he shared. This called for a nuanced solution – acting as a merchant while keeping clear of the regulatory complexity of PCI-DSS compliance. How did they resolve it? “Our solutions architect and head of infrastructure delivered an elegant solution that relied on some third-party services and employed tokenisation so that customer debit card details were not stored or processed on our systems.”
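The tokenisation pattern Jim describes, shown here as an added example rather than Jaja's actual implementation: a stand-in card vault plays the role of the third-party service and hands the merchant application an opaque token; the application stores only the token and the last four digits; and a small Luhn-based scan over the application's own records and log lines acts as a detection control for card numbers that should never have landed there. The card number is a constructed, Luhn-valid test value, and every class and function name below is an assumption of this example.

```python
"""Tokenisation flow (added example, not Jaja's or Capco's code).

CardVault stands in for the third-party tokenisation provider; MerchantApp is
the fintech's own system and never stores a primary account number (PAN).
All card numbers used here are constructed test values, not real accounts.
"""
from __future__ import annotations

import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """The tokenisation provider: the only component that ever holds a PAN."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
            raise ValueError("not a well-formed card number")
        # Random, non-reversible token: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._tokens[token] = digits
        return token

    def charge(self, token: str, amount_pence: int) -> bool:
        """Stand-in for the provider submitting the payment on the merchant's behalf."""
        return token in self._tokens and amount_pence > 0


class MerchantApp:
    """The fintech's own system: keeps tokens and last-four digits only."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.records: list[dict] = []

    def repay_balance(self, customer_id: str, pan: str, amount_pence: int) -> bool:
        token = self.vault.tokenise(pan)          # the PAN goes straight to the vault
        self.records.append({"customer": customer_id, "token": token,
                             "last4": pan.replace(" ", "")[-4:], "amount": amount_pence})
        return self.vault.charge(token, amount_pence)


PAN_PATTERN = re.compile(r"\d{13,19}")


def pan_leakage(records: list[dict]) -> list[str]:
    """Detection control: flag any stored field that contains a Luhn-valid PAN."""
    hits = []
    for rec in records:
        for key, value in rec.items():
            for m in PAN_PATTERN.finditer(str(value)):
                if luhn_valid(m.group()):
                    hits.append(f"{key}={m.group()}")
    return hits


TEST_PAN = "4111 1111 1111 1111"   # constructed, Luhn-valid test number


def demo() -> dict:
    app = MerchantApp(CardVault())
    charged = app.repay_balance("cust-001", TEST_PAN, 1250)
    # A constructed log line that mistakenly carried the raw card number.
    leaky_log = [{"message": "repayment failed for card 4111111111111111, retrying"}]
    return {"charged": charged,
            "app_store_leaks": pan_leakage(app.records),
            "log_leaks": pan_leakage(leaky_log)}
```

The point of the scan is not that the token vault is clever but that the merchant's storage and logs can be checked mechanically for the one thing tokenisation is meant to keep out of them.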
What about sensitive data? How can it be handled in fintech applications, and what measures should be taken to prevent data breaches?
“Sensitive customer data requires a multi-layered security control approach. It needs to be protected on the user’s device, in files, databases, logs, the third parties we exchange it with, and in transit as we transfer that data from one system to another.” Jim emphasised the importance of data classification and encryption, with keys securely stored and regularly rotated. Access control policies play a crucial role, ensuring only authorised users have access to relevant data. Additionally, logging, monitoring, and immediate response to anomalies are integral parts of the strategy.
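The layered controls Jim lists (classification, encryption with rotated keys, access control, and logging of every access) fit together as shown in this added example, which is not Capco's or any vendor's implementation: one master key wraps a per-record data key, each data key encrypts that record's restricted fields, rotating the master key re-wraps only the data keys, and reads are gated by a role check and recorded in an audit trail. The cipher is an encrypt-then-MAC construction from HMAC-SHA256 in counter mode purely so the example runs on the standard library; the roles, the field names and the sample customer are constructed.

```python
"""Envelope encryption with key rotation, field-level protection, role-gated
access and an audit trail (added example; not Capco's or any vendor's code).
The cipher is encrypt-then-MAC built from HMAC-SHA256 in counter mode so the
example runs on the standard library; real systems should use AES-GCM from a
vetted library and keep the master key in an HSM or cloud KMS.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; separate sub-keys for keystream and MAC."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(_prf(key, b"mac"), nonce + ct), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))


@dataclass
class Record:
    customer_id: str             # classified "internal": kept in clear for lookups
    key_version: int             # which master key wraps this record's data key
    wrapped_key: bytes
    protected: dict[str, bytes]  # classified "restricted": encrypted field by field


class SensitiveStore:
    ALLOWED_ROLES = {"customer-support", "fraud-ops"}   # hypothetical role names

    def __init__(self) -> None:
        self.masters: dict[int, bytes] = {1: secrets.token_bytes(32)}   # version -> master key
        self.records: dict[str, Record] = {}
        self.audit: list[dict[str, str]] = []

    @property
    def current_version(self) -> int:
        return max(self.masters)

    def put(self, customer_id: str, sensitive: dict[str, str]) -> None:
        data_key = secrets.token_bytes(32)
        protected = {k: encrypt(data_key, v.encode()) for k, v in sensitive.items()}
        wrapped = encrypt(self.masters[self.current_version], data_key)
        self.records[customer_id] = Record(customer_id, self.current_version, wrapped, protected)

    def get(self, actor: str, role: str, customer_id: str, field_name: str) -> str:
        allowed = role in self.ALLOWED_ROLES
        # Every attempt is logged, denials included, so anomalous access can be spotted.
        self.audit.append({"actor": actor, "customer": customer_id,
                           "field": field_name, "outcome": "allow" if allowed else "deny"})
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {field_name}")
        rec = self.records[customer_id]
        data_key = decrypt(self.masters[rec.key_version], rec.wrapped_key)
        return decrypt(data_key, rec.protected[field_name]).decode()

    def rotate_master_key(self) -> int:
        """Re-wrap every data key under a fresh master; field ciphertexts are untouched."""
        old, new = self.current_version, self.current_version + 1
        self.masters[new] = secrets.token_bytes(32)
        for rec in self.records.values():
            data_key = decrypt(self.masters[rec.key_version], rec.wrapped_key)
            rec.wrapped_key, rec.key_version = encrypt(self.masters[new], data_key), new
        del self.masters[old]   # retire the old master once nothing is wrapped under it
        return new


def demo() -> dict[str, object]:
    store = SensitiveStore()
    store.put("cust-001", {"sort_code": "12-34-56", "account_number": "12345678"})  # constructed
    before = store.records["cust-001"].protected["account_number"]
    new_version = store.rotate_master_key()
    after = store.records["cust-001"].protected["account_number"]
    value = store.get("alice", "fraud-ops", "cust-001", "account_number")
    try:
        store.get("bob", "marketing", "cust-001", "account_number")
        denied = False
    except PermissionError:
        denied = True
    return {"value": value, "rotated_to": new_version, "bulk_untouched": before == after,
            "denied": denied, "audit_entries": len(store.audit)}
```

Two design choices carry the weight here: wrapping a per-record data key means a master-key rotation touches a few dozen bytes per record instead of every ciphertext, and logging the denied read alongside the allowed one is what gives the monitoring team something to alert on.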
“We vet our third parties, vendors, and software to identify risks and ensure they meet our standards,” he continued. Beyond technical controls, the expert stressed the significance of ongoing staff training and security awareness to foster a security-first mindset and culture.
While continuing to reflect on partnerships in fintech security, Jim Newman also highlighted the collaborative efforts within the industry: “There are several working groups and industry organisations that bring together companies across fintech, banking, and payments to share threat intelligence and best practices”. He emphasised the significance of industry events and the Open Source community’s contributions in disseminating information, advice, and tools vital for information security professionals.
Shaping Tomorrow’s Defence
As fintech keeps evolving and adopting new technologies, we’ll keep facing the changes and challenges that come with them. Let’s find out how Jim Newman views the future of security in fintech.
Quantum Computing:
“Quantum computing poses a threat to encryption algorithms. Datasets encrypted using current algorithms that are currently considered secure would be easily decrypted using quantum computing. The industry needs to react and adapt quickly to advancements in technology and be ready to adopt quantum-resistant algorithms as and when they become available.”
Open Banking, APIs, and Financial Systems:
“Open banking increases the attack surface for financial systems as we have to open up our systems for third parties to interact with our data. At the same time, PSD2 introduced mandatory security requirements for initiating or processing electronic payments and increased regulation for access to accounts. As fintech firms, we can mitigate the risks of the increased attack surface through secure API design, strong authentication and authorisation mechanisms, and the implementation of API runtime security tools.”
Digital Assets and Financial Security:
Regarding the growth of digital assets, such as NFTs and digital collectables, Jim outlined the uncertain landscape: “They introduce a new paradigm for value storage, ownership, and transfer that doesn’t fit traditional investment approaches.” While offering diversification for portfolios, the long-term viability of these assets remains uncertain, posing challenges for investment strategies.
Cryptocurrencies and Decentralised Finance (DeFi):
“We’ve already seen a number of successful and very lucrative targeted attacks on Crypto companies and exchanges,” our expert highlighted. The relative anonymity of blockchain transactions and the lack of regulation make cryptocurrencies an appealing target for criminals. “DeFi applications have vulnerabilities that can be exploited by attackers: manipulating smart contracts or token prices, and exploiting logic errors and bugs. Compounding the risks and attacks against the technologies, there is a growing user base and a lack of knowledge and awareness of the risks.”
AI and ML:
Expanding on the impact of AI and ML on financial fraud, Jim foresaw significant advancements in fraud detection capabilities: “In the future, I see these systems becoming more adaptive and delivering better predictive analytics. From a security perspective, the ability to leverage AI and machine learning enables us to monitor systems and detect security events at a speed and scale that simply isn’t possible with traditional Security Operations approaches and SIEM tools.” However, he also cautioned that criminals would probably explore new avenues using AI-driven fraud methods, such as deep fake voice calls and sentiment analysis manipulation, highlighting the need for continued evolution in counter-fraud detection strategies.