In an era where cyber threats loom larger and evolve faster than ever, fintech organizations stand at a critical juncture. What does it take to not only weather a cyber storm but emerge stronger? This exclusive interview dives into the crucial, yet often overlooked, motivations of threat actors. It outlines the ideal crisis response framework for fintechs, identifies common blindspots in incident response plans, and explores the hallmarks of effective leadership during high-stakes security incidents.
In an exclusive interview with Bobsguide, Sarah Armstrong-Smith, Chief Security Advisor for Europe at Microsoft, shared critical insights on crisis management, the cyber attacker mindset, and future-proofing fintech organizations against evolving threats.
With over 25 years of experience spanning business continuity, disaster recovery, crisis management, and cybersecurity, Armstrong-Smith offers a wealth of knowledge for financial institutions navigating an increasingly complex digital landscape.
Her journey, which began with tackling the Millennium bug, has consistently focused on the “business side of cyber,” emphasizing the protection of people and data. This perspective is more critical than ever as fintech companies, often “born in the cloud” and operating in fast-paced, agile environments, face a barrage of sophisticated cyber threats.
Watch the full interview on YouTube
Understanding the attacker mindset
A key theme from Armstrong-Smith’s book, “Understand the Cyber Attacker Mindset,” is the imperative for organizations to look beyond the method of attack and delve into the motivation of threat actors. “Often cybersecurity is thought about from a technology perspective… but quite often we don’t talk about the motivation of the threat actors and why they do what they do,” she explained.
For fintechs, this means understanding the motivations of various actors – from nation-states and organized crime to hacktivists, opportunists, and even insiders. Armstrong-Smith highlighted two critical areas often overlooked:
Identity as the Holy Grail
As technical controls get better at blocking anomalous activity, attackers increasingly target people through social engineering, and the credentials they harvest are the prize. “Cloud identity, in particular, is like the Holy Grail [for attackers],” Armstrong-Smith warned. “If I can control cloud identity, I can control everything.” Fintechs must rigorously assess how their organizations are built, how identities and privileges are granted, and how easily an attacker could gain access.
Data as the Ultimate Target
Ultimately, threat actors seek a return on investment, which usually means accessing valuable data. Fintechs need a holistic, end-to-end understanding of their data: where it resides, who and what can access it, how it is managed and secured, and crucially, how it will be protected during a crisis. This extends beyond external attacks to include accidental data breaches and insider threats.
The ideal crisis response framework: proactivity, resilience and testing
“It’s not a case of if something will happen, it’s a case of when,” Armstrong-Smith stated, underscoring the need for a robust crisis response framework. For rapidly growing fintech companies, this involves a dual approach:
Proactive Preparedness
This means pre-empting and predicting major incidents by understanding stakeholder expectations (regulators, consumers, partners), regulatory requirements, and the organization’s risk profile.
Reactive Resilience
Recognizing that not all incidents can be avoided, the focus shifts to rapid response and recovery. “While we have an incident, it’s all about how quickly we respond and recover,” she noted.
A cornerstone of this framework is a well-defined, well-communicated, and regularly tested incident response plan. Armstrong-Smith lamented a common failing: “I’ve not really seen that many companies who truly understand what their worst-case scenario is. Have they planned it? Have they exercised? Have they tested it?” She strongly advises fintechs to identify their worst-case scenarios, assess their preparedness, and actively work to bridge any gaps.
Common blindspots in fintech incident response plans
Building on the theme of preparedness, Armstrong-Smith identified several common blindspots in fintech incident response plans:
Lack of True Risk Understanding
A failure to genuinely understand the organization’s risk exposure and vulnerabilities, particularly those introduced by third-party services and supply chains. Fintechs, typically dependent on cloud platforms and other third-party applications, need a holistic, maintained view of these dependencies and the failure modes they bring with them.
Insufficient Transparency with Leadership
Boards and C-suite executives must have a clear, unvarnished understanding of the company’s capabilities and vulnerabilities to avoid making incorrect assumptions during a crisis.
Overlooking Supply Chain Dependencies
A critical blindspot is not fully considering the impact of an incident affecting a third-party supplier. Fintechs must understand the cybersecurity posture of their partners and have contingency plans for such events. “If an incident happens to someone else in that supply chain… what does that mean for your organization?” Armstrong-Smith questioned.
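The question “if a supplier fails, what does that mean for us?” only has a usable answer once the dependencies are written down and followed transitively. The following Python is an added illustration, not part of the interview and not Microsoft or Bobsguide code: it models a hypothetical fintech’s services and the third-party suppliers they depend on (all component names are constructed), computes the full outage scope of a supplier failure, ranks suppliers by the critical services they would take down, and hunts for the hidden worst case described above, where two suppliers are harmless individually but fatal together because they back each other up.

```python
from itertools import combinations

# Constructed dependency map for a hypothetical fintech (not a real organization).
# Each component lists what it needs to stay up. A plain string is a hard dependency;
# a tuple means "any one of these is enough" (redundant suppliers).
DEPENDENCIES = {
    "mobile-app":   ["payments-api", "onboarding", "push-provider"],
    "payments-api": ["auth-service", "ledger-db", ("card-processor-A", "card-processor-B")],
    "onboarding":   ["auth-service", "kyc-provider"],
    "auth-service": ["cloud-identity"],
    "ledger-db":    ["cloud-region-eu"],
    # Third-party suppliers are modelled as leaves: we cannot see inside them.
    "card-processor-A": [], "card-processor-B": [], "kyc-provider": [],
    "push-provider": [], "cloud-identity": [], "cloud-region-eu": [],
}
SUPPLIERS = {"card-processor-A", "card-processor-B", "kyc-provider",
             "push-provider", "cloud-identity", "cloud-region-eu"}
# Customer-facing services whose loss counts as a critical impact.
CRITICAL = {"mobile-app", "payments-api"}


def outage_scope(deps, failed):
    """Return every component that is down once `failed` components are unavailable.

    Iterates to a fixpoint: a component goes down when a hard dependency is down,
    or when *all* alternatives of a redundant dependency are down.
    """
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for component, requirements in deps.items():
            if component in down:
                continue
            for req in requirements:
                alternatives = req if isinstance(req, tuple) else (req,)
                if all(alt in down for alt in alternatives):
                    down.add(component)
                    changed = True
                    break
    return down


def rank_suppliers(deps, suppliers, critical):
    """Rank suppliers by how many critical services their sole failure takes down."""
    rows = [(s, sorted(outage_scope(deps, {s}) & critical)) for s in sorted(suppliers)]
    rows.sort(key=lambda row: (-len(row[1]), row[0]))
    return rows


def single_points_of_failure(deps, suppliers, critical):
    """Suppliers whose individual failure already impacts a critical service."""
    return [s for s, hits in rank_suppliers(deps, suppliers, critical) if hits]


def hidden_pair_failures(deps, suppliers, critical):
    """Supplier pairs that are harmless alone but critical together.

    These are the scenarios a per-supplier review misses: shared redundancy that
    collapses only when both providers fail at once.
    """
    solo = {s: outage_scope(deps, {s}) & critical for s in suppliers}
    pairs = []
    for a, b in combinations(sorted(suppliers), 2):
        if solo[a] or solo[b]:
            continue  # already caught as a single point of failure
        joint = outage_scope(deps, {a, b}) & critical
        if joint:
            pairs.append(((a, b), sorted(joint)))
    return pairs


if __name__ == "__main__":
    print("Supplier ranking (critical services lost if that supplier fails):")
    for supplier, hits in rank_suppliers(DEPENDENCIES, SUPPLIERS, CRITICAL):
        print(f"  {supplier:18} -> {hits or 'none'}")
    print("Single points of failure:", single_points_of_failure(DEPENDENCIES, SUPPLIERS, CRITICAL))
    print("Hidden pair failures:", hidden_pair_failures(DEPENDENCIES, SUPPLIERS, CRITICAL))
```

In this constructed map the identity provider ranks first, mirroring the “Holy Grail” point above: losing cloud-identity takes down authentication and, with it, both customer-facing services. The two card processors never appear as single points of failure, which is exactly why a supplier-by-supplier review would miss them; only the pairwise check shows that their combined outage stops payments. The same model is a natural input to a tabletop exercise: pick the top-ranked supplier or the worst pair and walk through the response plan for that scenario.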
Effective crisis leadership: action, communication, and empathy
In the heat of a crisis, effective leadership is paramount. Armstrong-Smith, drawing from her first book on effective crisis management, highlighted key differentiators:
Learning from Past Incidents
Reflecting on major incidents, even those affecting other companies or countries (public inquiry reports are valuable resources), can provide crucial lessons and foresight.
Taking Affirmative Action
A well-tested incident response plan provides a guideline, but leaders must be prepared to make critical decisions and adapt if unexpected events occur. Understanding the critical path – actions that must happen sequentially – is vital.
Clear, Honest, and Empathetic Communication
Transparency is key, even when delivering bad news. “What you’re going to be remembered for is not necessarily the incident itself, but it’s how you handled it,” Armstrong-Smith emphasized. This involves empathetic communication tailored to different stakeholders (customers, regulators, investors, employees), understanding their expectations and information needs.
Putting People First
Irrespective of the nature of the crisis, the well-being of people – employees and customers alike – should be the primary concern. This fosters the right mindset for navigating the incident.
Preparing for the future
Looking ahead, Armstrong-Smith advised fintech companies to “expect the unexpected.” The proactive steps to prepare for future crises include:
Learning from Hindsight
Analyse the events of the past 3-5 years. Were they anticipated? Did they align with previous planning?
Embracing Agility
The threat landscape, technology (like generative AI and quantum computing), and regulations are evolving at an accelerated pace. Rigid plans are insufficient; companies must be able to pivot.
Holistic Risk Understanding
Maintain a clear view of the current risk profile and appetite, considering industry-specific trends, geopolitical shifts, and evolving business models. “Whatever is going on in the external world has a direct bearing on what’s happening inside our operation,” she noted.
Dynamic Evaluation
Continuously assess if the organization is on the right path, if its risk profile or appetite has changed, and if stakeholder expectations have shifted.
The Human Element in Crisis
Reflecting on human behavior during crises, Armstrong-Smith shared a valuable lesson: “Humans tend to rally together… They tend to want to be able to do everything that they can at their disposal to recover.” She encourages organizations to leverage this collaborative spirit and not hesitate to ask for help.
However, she also cautioned about the risk of burnout during prolonged incidents. “We’ve also got to make sure that we’re thinking about people’s well-being in a major incident.” This involves fostering a supportive culture, ensuring good leadership, implementing well-being practices, and providing appropriate breaks.
“When we’re thinking about our organization, we think about the most valuable assets that we have is our people,” Armstrong-Smith concluded. “And when we look after them, they’re going to look after you.”
This interview underscores the multifaceted nature of cybersecurity and crisis management in the fintech sector. It’s a continuous journey of understanding threats, preparing diligently, leading with empathy, and prioritizing both technological resilience and human well-being. As the digital financial landscape continues its rapid evolution, these insights from a seasoned expert provide a crucial roadmap for navigating the inevitable storms ahead.