In an exclusive interaction with Express Computer, Naseem Halder, Head of Cybersecurity and Compliance, Slice, sheds light on the pressing cybersecurity challenges facing the fintech industry today. Halder discusses the multifaceted issues of network security, data and privacy breaches, fraud, regulatory compliance, and third-party risks, offering insights into how these challenges can be navigated. He also delves into the transformative role of AI/ML in enhancing business security measures and the critical need for robust AI governance, particularly in the Indian context. Through this conversation, Halder emphasises the importance of balancing technology with human elements and regulatory requirements to safeguard the fintech landscape.
How can a perimeter-less network and the integration of AI and ML drive future business growth while ensuring the security of such a complex environment?
As a technology executive, embracing a perimeter-less network and leveraging AI and ML is pivotal for driving future business growth and securing complex environments. AI and ML enhance threat detection and response capabilities, enabling real-time identification and mitigation of potential security breaches. The adoption of Zero Trust Architecture (ZTA) ensures that every access request is thoroughly vetted, regardless of its origin, effectively minimising internal and external threats. Implementing Secure Access Service Edge (SASE) with micro segmentation further strengthens security by converging network and security functions into a unified cloud-native service, ensuring secure access to applications and data from any location. Additionally, cloud-based infra, deploying advanced encryption protocols and continuous monitoring tools ensures data integrity and confidentiality. These technologies collectively create a robust, adaptive security framework that not only safeguards critical assets but also supports scalable, agile business operations in an increasingly digital landscape.
What are the most significant cybersecurity challenges facing the fintech industry, and how do you see them?
In the fintech sector, several critical cybersecurity challenges stand out. Foremost among these is data breach and privacy risk. Given that fintech relies heavily on data for its core operations, safeguarding this data is paramount. A breach not only jeopardises customer trust but can also have severe regulatory and financial repercussions.
Fraud is another pressing concern. While fraud has always been an issue, digital advancements have amplified both its frequency and sophistication. Modern fraud often involves intricate schemes and insider threats, necessitating robust integration of fraud prevention within the broader security framework.
Regulatory compliance is also a significant challenge. With evolving regulations that reflect emerging threats and industry developments, maintaining compliance is increasingly complex. Timely adaptation to new requirements is crucial yet demanding.
Moreover, third-party risk poses a substantial threat. The extensive network of partners and service providers in fintech introduces multiple vectors for potential breaches, particularly around data security.
Finally, the integration of blockchain and AI/ML technologies presents new vulnerabilities. These advanced systems, while revolutionary, attract sophisticated cyber threats, making them prime targets for exploitation. Addressing these challenges requires a proactive and multi-layered approach to cybersecurity.
How do you balance compliance requirements with frameworks and regulations?
Balancing compliance requirements with frameworks and regulations is critical, yet it represents just the foundation of our security posture. Compliance establishes minimum standards, but it’s imperative to go beyond these basics to effectively safeguard against sophisticated threats. Cyber adversaries continuously evolve, leveraging advanced techniques that can outpace conventional defence mechanisms.
In our role as a fintech company, adhering to compliance and regulatory standards is non-negotiable, but it must be complemented by proactive security measures. For instance, data residency requirements, such as storing data within specific jurisdictions, can present challenges, especially if our technology partners do not have local data centres. Addressing these challenges requires a strategic approach, ensuring our security architecture not only meets compliance but anticipates emerging threats. By integrating advanced security solutions and staying ahead of regulatory requirements, we can better protect our assets and maintain robust defences against evolving cyber risks.
How can AI/ML play a part in this?
AI/ML significantly enhances security by automating routine tasks and minimising human error. Predictive models can identify potential vulnerabilities and threats before they materialise, allowing security teams to address high-risk areas more effectively. While AI/ML should not be viewed as a panacea, its capability to analyse vast datasets and provide actionable insights is crucial in preempting incidents and ensuring system reliability. This integration of AI/ML is not just an enhancement but a necessity for advancing our security posture in a rapidly evolving threat landscape.
India has been slower in establishing comprehensive regulations for AI, unlike the EU and the US. How can industry and security leaders play a role in AI governance?
India’s approach to addressing industry challenges is commendable, drawing valuable lessons from the experiences of leading economies like the US and China. While these nations face distinct challenges, India’s ability to adapt and refine solutions based on their insights is remarkable. By leveraging the expertise of industry leaders—those closest to the grassroots problems—India can effectively address these issues on a broader scale. Though India often adopts strategies later, the result is frequently a refined and optimised version. The frugal and innovative mindset inherent in India’s approach will undoubtedly drive significant progress in tackling complex challenges.
You mentioned AI reducing manual work in risk mitigation. Could this have a negative impact on the human workforce?
Yes, absolutely. Every technology has its benefits and cons. For example, air travel saves time but involves significant risk if something goes wrong. Similarly, AI/ML can perform many tasks without human intervention, error, or bias. But it can also result in job losses for few repetitive skillsets and be misused if not properly governed. There have been incidents where misuse of technology has led to significant issues, like the Cambridge Analytica scandal. Proper governance mechanisms are crucial to control these risks.
As AI models become self-learning, can they reliably mitigate known threats if they are trained on them? Additionally, are these models advanced enough to predict and respond to new, unforeseen threats?
As the CISO of a fintech company, my perspective on AI models and their capabilities is nuanced. While self-learning AI has made significant strides, it remains limited in its ability to fully mitigate known threats and anticipate new ones across the industry. Current models can address specific, predefined scenarios effectively but often fall short in predicting and responding to novel, unforeseen threats.
Advanced models, such as those demonstrated by AlphaGo, excel in controlled environments, but their deployment in broader, less predictable contexts remains challenging. For instance, a study involving a robot navigating and predicting behaviour underscores AI’s potential but also highlights concerns about privacy and control. As these technologies evolve, they present both opportunities and risks, including the potential for misuse in tracking and surveillance.
It is crucial for our industry to establish robust safeguards and ethical guidelines to ensure AI advancements align with security and privacy standards, preventing potential misuse and ensuring responsible deployment.
As a security and tech leader, what do you find to be the most concerning limitation: technology constraints or employee skill gaps?
I would say technology is always a tool. The biggest challenge is human skill set and human psychology. Over the last 5-6 years, people have seen the value addition of cybersecurity and are accepting a lot of things. However, it’s a failure on our part as leaders if we cannot explain or showcase the ROI properly.
For example, leaving your luggage at a bus stop versus an airport. At a bus stop, you wouldn’t feel comfortable leaving your luggage unattended, but you might at an airport because of the security controls in place. The entry to a bus stop is easy, whereas an airport has stricter security.
So, the challenge is not the technology or the skills but our failure to effectively communicate the ROI and importance of cybersecurity to people.
Are people adequately skilled or improving their skills to address evolving threats?
The talent pool is improving day by day. Earlier, we had only one or two subjects on cybersecurity in B.Tech or M.Tech programs. Now, there are entire degrees of cybersecurity. Platforms like YouTube offer a lot of free materials to learn this subject. So, the talent crunch is improving, but new threats are also emerging. It’s like a cat-and-mouse game that continues infinitely. Compared to 10 years ago, today’s scenario is better in terms of talent availability.
There was a time when cybersecurity was not considered a threat to business growth but was perceived just a technological threat. Board members were not concerned about investing in security. Has that changed over the years, especially after COVID?
Yes, 100%. After COVID, there has been a boom in digitalisation, and with that, the importance of cybersecurity has increased. For example, there was a CroudStrike event a few days ago and systems saw significant downtime. Microsoft Azure also faced downtime. Board members now see cybersecurity as a business risk because any downtime impacts the business. Cybersecurity has become a board-level discussion. Digital fraud is linked to internal people or insiders, so appropriate barriers must be in place at every level.
According to you, how can organisations stay ahead of the curve?
There is no universal solution or silver bullet for leveraging AI in any business likewise cybersecurity; if anyone is offering a similar solution then the UPS is gone, but a tailored approach is essential. Organisations must thoroughly understand their unique business needs and risks to develop customised strategies. For example, the cybersecurity strategy for an insurtech company will differ significantly from that of a fintech firm due to their distinct operational and risk profiles. Effective AI implementation requires aligning technologies with specific business requirements, ensuring that the chosen solutions address relevant threats and vulnerabilities in a targeted manner. This bespoke approach is crucial for achieving optimal security outcomes and managing risks effectively.