The Security Detail Download: Cyber Threats to the Financial Sector

Note: This is an auto-generated transcript, which may contain errors. 

Kirsty Paine (00:01.577) If we could start by you telling me about your background. How did you get to MasterCard and your current role today? And what does your role entail?

Paul Trueman (00:15.062) Someone recently asked me to kind of draw it out in a line. It just looked like a squiggle path through a word. I started engineering. I went through FMCG. I had my own company for a while. I worked in electronics, then I ended up at MasterCard. So every journey has a little path, and you kind of follow it along, and it a ll kind of makes sense in the end.

Kirsty Paine (00:37.293) You end up where you're supposed to be exactly where you're supposed to be. So Mastercard is a very interesting company. I'm sure we've all heard of it. We probably have those cards in our wallets today. What are the differences and the similarities between Mastercard and what we might think of as a more traditional financial institution, those large banks, for example?

Paul Trueman (00:39.711) I think so. Yeah, we play in the same territory. I mean, the idea of commerce globally is something that involves financial institutions, acquirers, merchants, everybody plays in moving money around or moving the interchange of commerce around for goods and services. So that's what we do. And particularly, that's what we do. So we don't hold money, we don't do anything with it. We just basically make sure that each party gets exactly what it should be. 

We are a large interoperable global network and we make sure the payment flows across the globe in 210 countries. And I think we see around about 125 billion transactions a year. So our job is just to keep the commerce flowing, keep everybody happy and make sure everything's moving the right way and the right people get the right compensation for the right goods.

Kirsty Paine (02:08.561) You make it sound so easy with 210 countries and that many billions of transactions, that's a pretty sizeable challenge.

Paul Trueman (02:17.038) You know, it is a big number, but it  doesn't come overnight. It comes to just consistent, consistent use of how we've done our job really well and we keep on doing our job and being aware of what's coming next as well. Being aware of how payments are moving, how people are thinking about enabling new forms of choice, whether it be, you know, from it be a contactless payment choice to, to now. paying on a phone or tapping on a phone to take a payment or moving into cryptocurrencies. All of these things have got to be accounted for and all of them have got to work in the real world As we start thinking about new systems, we've got to make sure that at the end of the day, people get paid for the goods that they get.

Kirsty Paine (03:18.033) Yeah, it's absolutely true that the industry has shifted perhaps more in the last decade than it has done in the previous 50 years. It's really a lot of new challenges coming down the way and a lot of new threats, of course, as well. FX, ISACS navigating cyber 2023 report found that the most significant impact on financial services, everything going on in that landscape, all of the shifts you've mentioned.

But the most significant impact for the last year was actually the Russia-Ukraine war. Does that align with what you've seen in your industry or is it something else?

Paul Trueman (03:57.058) I mean, supply chain has fundamentally been impacted and nothing more true than the Russian-Ukraine war when you look at how the supply of, you know, cereal goods and most of the food that came out of Ukraine, but also the recognition that wars are now fought on a number of fronts and one of them is cyber.

And so we can't account that it's not just a physical war at land, at sea and air, but cyber is a critical part of that now. And nation states are using that. And whether you might talk about Russia, you might talk about North Korea. We've seen enough of things like the Lazarus Project talking about how North Korea may be involved. Even the rise in social activism, we're seeing that being used in some ways that can impact security. They may not be looking to steal money, but they may be looking to affect reputations of companies. So we're seeing security fraud and risk just changing. And what we need to do is always be at the foresight of understanding how is that changing and what do we need to do to make sure it doesn't impact, I said, the idea of trust.

Kirsty Paine (05:18.121) Yeah. And fraud is one of the things people think of first when they think of threats for the financial services. And this same report also found the most common forms of BEC for financial services are payroll division requests or those kind of fraud requests as well. You know, impersonation scam or vendor fraud. How concerned are you about BEC as a threat vector? And how do you recommend that organizations can defend against this?

Paul Trueman (05:41.742) Scams are very much the hot topic at the moment, whether we're talking about business scams as you're talking in B.E.C. or personal, people being impacted by SMS, emails, even we've seen recently this idea of, you know, calls using fake voice impersonations of your family. What's happening now is, technology is enabling us to extend those scams beyond borders. So you're seeing a lot more attacks coming through in different ways. A few years ago, it almost seemed like happy times when you said, well, you'll be able to recognise a scammer because there's always a misspelling in it. Well, you know, they were always going to solve that. But what they've done is they've started using quite smart technology.

And that is impacting. And therefore what you thought was, they're not going to do that. They are. That's where we're going to see a big rise in new technology helping us augment how we deal with those sort of things.

Kirsty Paine (07:14.669) I've heard you use this phrase before about raising all the boats in the harbor and this kind of ecosystem. You mentioned that, you know, the cross border nature of these attacks. So is it really a cross border response that you're trying to put together?

Paul Trueman (07:29.922) For that I think we're looking at attacks no matter where they come from and how they come. I think what you've got to consider is that we've all benefited across all sectors from the arrival of digitalization. The idea that we can digitize supply chains, the idea we can digitize money, the idea we can digitize anything. And that's brought major, major benefits.So digitization has been a massive benefit to society. Unfortunately, criminals have worked out that digitization is a way that they are gonna evolve as well. You think about the criminals in the old days from the Italian job or, you know, baby driver, the idea that you plan an attack and you...

you build those cardboard models that they always had to do and you pull a team together and you train, you train, you train and then one day you go out and you do a bank robbery with a shotgun and a balaclava and then you have to retire because they're going to be after you. So you've got to go somewhere and live out the rest of your life and the proceeds. That does not happen anymore, not only on Hollywood. More people are entering, and that's why it's a $6 trillion industry, the criminal activity, and we've got to do everything we can to stop it because they're taking less margin on each of these pieces, but they're taking less risk. And once they've done it once, they can repeat it. 

Kirsty Paine (09:38.521) I think the comparison with real life bank robbies is a great one because it shows just how much that model has shifted, like you say, in terms of risk, in terms of number of times you can attack and the repeatability of it. And you did mention supply chain. So obviously I've got to ask you with so much exposure in the supply chain and MasterCard as a supplier yourself as well, how do you evaluate third party risks to your business?

What do you think needs to be done to improve, improve supply chain security in the financial services sector? It's such a hot topic with every sector we talk to. 

Paul Trueman (10:11.97) We used to talk 10 years ago about securing the transaction, and securing the interaction, thinking about identity, how it plays with the transaction. We've been for years now talking about securing the ecosystem, because it's no good just thinking about it in isolation of the transaction.We do it with all of our bags now. We run them through process we have that we offer to everybody in industry, saying, come and talk to us, we'll run an assessment of you independently before we've stepped through the door. We don't need a data agreement. We can look how your website's behaving and we can kind of work out where your potential threat is. 
We can do that right now so everyone, anybody that works with us can approach us and we'll help them do that because our view is you raise all the boats in the harbour, they improve their standard and from there we can help them not only assess third party but now people are interested in fourth party and nth party so if my suppliers are doing the right thing from a commercial perspective, even from an ethical perspective, an ESG perspective for example,what about their suppliers and what about their suppliers? 

Kirsty Paine (12:35.537) And that's fantastic when you have the power and the size that MasterCard does, and you can use that to create a real ecosystem shift. I think that's a fantastic use of that. 

Paul Trueman But boards and C-suite, they're all about managing risk. The question is, do they understand the level of risk? Do they understand how to assess risk? Do they understand how to even create the first measurement on that? And that's where we've really taken a lot of that technology now. You've got to think about where are your suppliers, how are your suppliers, what's happening in terms of geopolitical changes, what's happening in terms of climate changes where we're seeing the floods in Bangladesh or major fires taking place. And you go, how do we make sure that our supply chain isn't too connected to one place where our business will stop because that stops. And I think that's, we're going to see a lot more effort in that area where more boards, more C-suites are saying, help me really. quantify and understand the level of risk we've got in our business.

Kirsty Paine (14:24.269) Yeah, and that's crucial that communication piece and speaking a language they understand. And I know that often regulation talks and it wouldn't be a conversation about FSI if we didn't talk about a bit of regulation here. After the 2008 crisis, there's also a lot to comply with. New pieces from the EU, the Digital Operational Resilience Act or DORA, as that's commonly known. We have the UK FCA, Financial Conduct Authority. How does legislation affect your sector and security in your industry and the way that you're working and the way you're thinking?

Paul Trueman (15:00.414) You've got to embrace regulation for the most part regulation is designed to keep us safe and everybody else safe so by applying that well in a thoughtful manner that's great. I think a key part also is that we work on everything from EMV to PCI DSS. We're working on regulation. In fact, quite often we're creating the standards that then get adopted. And then if they get adopted, so recently the work we did around changing contactless payments and making it more secure. The good thing about that is if you're developing standards that everybody can apply to, and those standards mean that you improve security and you improve consumer convenience, it'll get adopted. Make it more difficult for the consumer, they won't do it. 

Kirsty Paine (16:24.441) I’m sure I speak for a lot of listeners when I say thank you for contactless payments, both the convenience and the security. We've spoken a bit about resilience in the supply chain and the need to make sure that you have some leeway there and some sort of cushion for continuing operations when you need to, but what's your take on resilience more broadly? How does that impact MasterCard in the way that you operate?

Paul Trueman (16:52.618) Resilience is at the center of everything you do. If you're handling 125 billion transactions and you're expecting a kind of five nines up time, you just can't be down. So resilience is center. If the type of attacks we're getting, if the type of threats we're getting are changing, resilience needs to change.

We've talked for a long time about the gap between the fraud people, the risk people, the cyber people and going, look, you've got to understand the threats going to come in from the right hand side, not where it used to always come in through the front door. And so understanding the resilience model as in how it operates across your business is a critically important part of how we move forward. And just like, as I said, you know, boards going, I didn't really, not really understanding that was going to happen is not an excuse.

So being more on the front foot and thinking how it's going to change and how it might impact. And if you don't know how it's impact, ask someone  And there's a massive amount of expertise because keeping money safe has required a lot of effort over time. And we're very successful at it as an industry. 

Kirsty Paine (18:54.301) Yeah, I know that many see financial services as the leading sector when it comes to resilience and that kind of capacity to bounce back and recover. Lots of those services are incredibly crucial for the average citizen, but for businesses, just your day-to-day life. So as we move into this new world where we have cryptocurrency and more digital assets in the financial system, how do you see that affecting not just the cyber threat landscape, but also the regulatory environment?

Paul Trueman (19:37.87) Change will always happen. So let's accept that that's going to happen. The next point is how do you then embrace understanding what that could be and make sure truthfully, a lot of the technologies that are within our power are able to see. We're trying to make sure that by the time they come to available to the public that we've already worked out the protocols and made sure everything's safe. But things moved quite quickly. When you think about cryptocurrency, there was a big spread there. Embracing that allowed us to kind of be able to look at all the exchanges and go, who's operating to the better standard. But equally, people are talking about Gen AI regulation. And the general view is you don't want different regulation, you want to expand what already works to be able to encompass a new world. Because if not, you end up with different regulations. So we need to do some good expansion and some quick expansion around how that will be used and how it can be misused. Cause the problem is never the opportunity people use. It's the unintended consequences of the technology we need to be considering.

Kirsty Paine (21:56.713) I think that's an interesting parallel to draw out that cryptocurrency in some ways is an extension of the financial system. And so continuing the regulation that makes sense will simplify things for everyone in terms of where they stand suppliers, vendors, and maybe the same approach for generative AI is key actually. It's great to hear that you're enthusiastic about its potential applications as well. 

Paul Trueman (22:21.986) We can control what we can do with it at various points. We can't control what someone who has nefarious views are going to do with it. What would good people use it for? How would you use it? And how would you protect against people misusing it?

Kirsty Paine (22:56.349) That's very sage advice and absolutely agree that it's not the time to turn a blind eye, it's the time to engage with the technology and try to use it 

Paul Trueman (23:08.63) To your point, if you think about everything that's ever happened from payment through your card to use of PIN to contactless to using your phone, digital wallets, all of these and then cryptocurrencies, it's all about enabling consumers with choice. And no one's going to fight against choice because choice is good. But what you want to know is that wherever you've got a choice, that your choice options that the person's got are safe.

Paul Trueman (23:38.442) But if they want to be able to enable new technologies, why wouldn't you try and help them make good choices, but do it well?

Kirsty Paine (23:46.409) So what resources would you recommend for organizations who are working in financial services or in the financial sector to try to improve their security maturity and just, you know, keep on top of the latest threats, in fact, not just FSI is all industries perhaps.

Paul Trueman (24:09.586) It's all industries, let's be clear. I think being able to get a third party assessment is a real, so from a risk perspective, being able to get a third party assessment of your risks on a cyber front is absolutely, is the absolute thing to do, I think the other area that people are really looking at now, and I think it's been around for years, but I think it's getting even more prominence is the whole world of identity.

I always think of trust being a combination of knowledge and recognition. I need to have some knowledge about you and I need to be able to recognize you. And then once I, if the knowledge changes about your behavior changes, I change how I recognize you. And now when we move digital, where we're really not in front of people, but actually the transaction happening, so I think identity and this idea of cyber risk assessment of the two areas, I think, are the hot topics at the moment.

Kirsty Paine (25:50.893) Identity and trust, this keeps coming up in our conversations, in fact, and I wonder, alongside that, perhaps, are there any initiatives that you're involved in or that you see as particularly leading in that area?

Paul Trueman (26:02.11) did a report called, you can find out Digital Planet, it's through the Fletcher School, it's called the Digital Intelligence Index, that looks at around about 80 countries across the world and worked out where they are on their digital trust journey and what their momentum and score is. It's used really a lot with governments, it's free resource. that led us to a lot more work, and I'm quite involved with the digital trust work being done at the World Economic Forum. Because they're trying to get their head around, well, what does digital trust look like? And in fact, we have created a framework. For me, the challenge is not how would I score myself, but how would someone score me? from a company perspective. And I think there'll be a lot more work done on that in the next couple of years, because the question of what and where we can trust is gonna be one of the most critical things going forward.

Kirsty Paine (27:13.205) It's great that you're not marking your own homework. We will link to all the resources at the end of the podcast as well. So thank you for sharing those. So as we look forw ard, what's your approach currently to promoting cybersecurity awareness in your organization today?

Paul Trueman (27:38.574) A lot of people talk about, are we training enough people? How are we keeping them constant on their training? And then how are we making sure that we are retaining them? The piece that's really interested in me is a little left field. I'm really interested in not being doing work with Oxford University. In fact, we create a program called Cybersecurity for Business Leaders. And the principle is, I'm trying to make sure that the next generation of senior leaders are actually going through some training where they start to understand how technology works, how it-
what can be used on the defense side and the CISO side, et cetera. They're not training to be CISOs, but they're training to be well-rounded senior managers. And I think that's a critical part 

Kirsty Paine (29:25.665) I think that's really critical. And we talk a lot about, you know, how CEOs often come up through marketing or finance or sales. Not many of them come up through the technical routes and by the time they're leading a business, they haven't got the vocabulary to challenge. And it's about making sure your CISO is empowered and they're delegated to. But also you need to have that accountability. You need to be able to challenge and know what's going on. So it sounds like a great program to intervene in that exact space that we're seeing that gap.

Paul Trueman I think the classic is before you click. And I use that, I use that phrase that all the time, which is I see an email and I go, I don't know that person, that person, that's not how that person would normally talk to me. Remember that knowledge and recognition. I think the idea, you know, just to think before you click, just kind of look at it and go, what? Just put it up into spam check.

Kirsty Paine (31:10.377) Think before you click is great advice. Very hard though when you're on holiday, you think it's been rejected. It's a very clever social engineering panic.

Paul Trueman (31:16.446) Second thing is never do it on a mobile. I always, every time I've been caught, I've done it on a mobile. I've been in a moment, I'm moving around, I do it. Now I think, I don't know, what's, look at that when I get back to the office on the PC.

Kirsty Paine (31:29.077) Yeah, I've heard this is paraphrased as be ready to check your emails, which means you have the time, you have the patience, you be ready to check them, which is probably my personal advice. I think that's great advice. Think before you click. So on the theme of advice, what is the best advice that you have received from someone you've worked with, someone in the industry that really has helped you in your career today?

Paul Trueman (31:50.222) God. Years ago, I was given a recommendation to speak to someone. He was a retail director. I went to see him and the first thing he said is, he gave me two pieces of advice. First is find something that you like doing that others think you're good at. Just do that. And if you enjoy doing it and they think you're good at it, great. And then he followed up with them. I should be careful on this one. He said,

And then the next time you meet, come back and tell me what your long held ambition is. And if your ambition is to become CMO, he was then very rude, but he just said, don't bother coming back. Because what he was saying is, what are you after in your life and how is what you're doing going to help you get there? And if it isn't, then get yourself a new skill and then move towards a plan. And I think, you know, find something you like doing and others think you're good at. It's a great starter for anybody.
right here and I use it with my, when I'm using my mantra schemes with people, I tend to put that one up.

Kirsty Paine (32:49.369) Okay, and that nugget of wisdom as well about not aiming for a job title, but aiming for more what you want to be and the skills you're going to need to get there, I think is no offence to any CMO who might be listening, that's probably more the point that was meant to land. Super. And so because we like to end on a high note as well, we just want to ask, finally, what's the biggest failure that you have had that you've really learned from? Good to always end on a failure, but you think it's important to

Paul Trueman (33:02.175) It was. It was.

Kirsty Paine (33:15.733) I think people are aware that failure happens, it's a normal part of growing. Yeah, I know, I know, but I believe everyone's had a story like this, whether it's accidentally toppling your big computers or everyone's had something like this.

Paul Trueman (33:17.75) This is for security people, seriously. I think you need to know when, you need to know when to stop. So we admire that we're doing something and then we go a little, I'll put more effort in, I'll really push it, I'm really gonna go for it. And it's still not working. And then you realize things are not looking right and you keep on pushing. You've got to know when to step back from the edge, take a cold hard look at it and go, I've got to stop this or I've got to stop this project. I remember actually selling a project and.

I knew in the end the restrictions being put on me were so heavy that I just would never be able to deliver it. So I actually got it to the point where everybody went, this is great. And I went, right, and now I'm going to tell you why I'm going to kill it. But it needed to happen because no one wanted to face into the challenge that we were getting was insurmountable. And once they saw the evidence, they went, yeah, I get the point. So being able to kill your own things is a really important part of that process.

Kirsty Paine (34:25.937) It's a really interesting point because that psychology, that human psychology of sunk cost, once you feel like you've invested so much time and effort into something, just a little bit more, just a little bit more, but sunk cost is a very key principle, I think, in helping you to know when to stop. You kind of recognise what's happened has happened.

Paul Trueman (34:41.166) Well, yeah, I've also seen it thrown at CFOs, which you look at the other way, which is you regard sunk cost as lost cost until you get it back. And it's like, no, and sunk cost, the original cost was only to get you to the position to be able to see the wider view and make a decision once. But if you had never put that money in, you were never allowed to see the view. And that's a really important part too. And it's a

Our thing says that money is now against you. It's on your debt line until you get above it. The fact is no one else was allowed to see what you saw because you invested getting through the door in the first place. So there's quite a lot of things that we need to rethink on these. But again, it's all about being able to make the right call at the right time. And then again, knowing when to push on and knowing when to stop. And if you think about the biggest failures, I learned from that too. When you go too far and think, I'm gonna...

I'm going to make this happen and then you're going to go, you know what, in hindsight, no. Ha ha ha.

Kirsty Paine (35:38.733) Thank you so much for joining me today, Paul. It's been fantastic to talk to you. And it's, it's clear you have such a range of insights and wisdom from across the industry. Thank you so much for taking the time and sharing your expertise with us. Thank you.

Paul Trueman (35:54.006) Lovely to see you, Kirsty.