Media 7: Can you share the highlights of your career path leading up to your current role as the Executive Head of Cybersecurity at M-PESA Africa?
TT: My interest in technology and cybersecurity began at a pretty early age when I was in primary school because I was always curious about technology. I was fascinated by the latest tech things. My passion for technology continued to grow during my undergraduate studies, where my interests in technology were refined, and I gained a sense of direction. For my undergraduate degree, I pursued software engineering as I always wanted to become a programmer, developer, or coder. However, coincidentally, I also completed my CPA (Certified Public Accountant) to have a balanced understanding of business and making money. After completing both of those degrees, I was fortunate enough to be selected for recruitment by Deloitte, where I began my career as a financial auditor before specializing in technology risk and data consulting. Following that, I transitioned to Safaricom, where I took on various roles, including audit, risk management, and technology. My big break came when I joined the M-PESA Africa family. As the Executive Head of Security, my role perfectly aligned with my interests in managing technology-related risks and contributing to financial inclusion for the African continent.
M7: Based on your experience as a systems and risk consultant, what do you think are the common IT risks faced by the fintech industry? How can those risks be mitigated?
TT: I think the first part, unfortunately, is the truth. Some common misconceptions are related to busy systems, security hygiene risks, and a perception that cybersecurity requires something complicated or advanced due to the exposure we have to security breaches, hackings, and advanced persistent threats affecting large companies. However, in my experience, most cases reveal a lack of basic security practices. Simple measures, such as regularly changing passwords, ensuring system activity is monitored, regularly reviewing user and system logs, and keeping systems up-to-date with patches, play a crucial role in cybersecurity. The fintech industry faces challenges similar to those of the technology industry in terms of basic security hygiene. However, the risk for any financial institution is significantly higher because customers trust them with their money and sensitive information. Failure to apply basic security practices can lead to breaches and erode that trust. Therefore, maintaining standard security hygiene is essential for both fintech and any technology industry to mitigate risks effectively.
One of the critical aspects of cybersecurity is knowing the asset inventory, as you cannot protect what you are unaware of. It's crucial to establish a schedule for patching systems and applying security updates, as well as having well-defined user governance processes and security policies in place. Raising awareness about these policies among all users helps reduce risks to a manageable level, though it's impossible to completely eliminate them. The adage holds that the only system that is 100% secure is one that is entirely shut down.
M7: M-PESA Africa processes a massive volume of transactions daily. How do you ensure the security and integrity of these transactions, and what measures do you take to protect customer data and privacy?
TT: One of our most basic processes for ensuring the integrity of customer transactions is the customer PIN—a simple four-digit number providing end-to-end security. This PIN is known only to the customers themselves. At M-PESA, we don't have access to the customer's PIN, which ensures that their transactions remain protected and can only be initiated by the customers. However, we acknowledge that there's a possibility of customers being compromised, as we hear reports of such incidents. To address this, we run an awareness program for our customers, encouraging them to safeguard their PIN and never share it with anyone. This approach ensures that all transactions are genuinely initiated from the customer's handset.
Moreover, we prioritize security along the entire connection, from the phone to the M-PESA systems. This connection is end-to-end encrypted, safeguarding against any potential eavesdropping or tampering. Even the SMS initiated from the M-PESA site is encrypted using SSL and validated within our core M-PESA systems. Our system architecture is designed with defense in depth, similar to the layered security measures you might have at home with gates and multiple locks. We implement perimeter security, security at the phone level, in the campus system, as well as in our applications and databases hosting customer data. Security is a fundamental aspect considered from the architecture stage and not added as an afterthought or bolted on later. This approach ensures that customer data and services are fully protected at all times.
M7: In your experience as an ISO lead internal auditor, what industry-specific challenges did you face when ensuring compliance with ISO standards? How are such challenges generally addressed?
TT: ISO standards are a set of practices that guide any company, industry, or organization in applying international best practices for their respective industries. From my experience in both Safaricom and M-PESA, I've encountered two significant challenges. The first challenge is having the specific knowledge required to apply these general standards and practices at the fintech level. It demands a dual skill set: in-depth knowledge of the financial industry and technical expertise. Additionally, understanding the actual ISO standards and their application on a general basis is crucial. Safaricom has gained considerable experience with ISO standards and holds the most certifications among Eastern and Central African companies. Leveraging this experience, we have developed a tribe of ISO-qualified auditors and implementers who are well-versed in ISO requirements and can implement these processes across the entire organization at all levels.
The goal is to ensure that ISO knowledge is not limited to a single individual or team. Instead, the entire organization, including champions and leads, acts as a knowledgeable source in ISO processes. This widespread understanding enables everyone to contribute to the successful implementation of ISO practices in Safaricom and M-PESA.
M7: According to you, what are the major cybersecurity threats faced by the financial and telecommunication industries today?
TT: The biggest threats faced by both industries today are also opportunities. Ever since COVID and the shift to work from home, the envelope of staff work has expanded. We now see remote work as a state of mind rather than being confined to a physical location. This seamless work-from-home setup has its benefits, but it also exposes us to increased cyber risks. Previously, cyber threats were primarily focused on staff while they were at their workplaces, but now, working from home has created a new set of risks. Home environments may lack the typical perimeter security measures found in offices, making them vulnerable to cyber threats.
We've had instances where staff accidentally downloaded malware while working from home, which could have been prevented if they were at the office. As a result, we had to rethink our approach to cyber protection and endpoint security to cover employees regardless of where they work. This led us to apply security measures to safeguard data wherever it flows. Cloud security plays a significant role in ensuring that whether employees work from home or office, they are equally protected without compromising security, portability, or their ability to work flexibly.
M7: How do entities in the fintech space across different countries navigate compliance requirements and ensure that cybersecurity practices align with relevant regulations in each market?
TT: Market regulations are crucial, but unfortunately, they are not yet standardized across Africa. While we have seen improvements in collaboration among market regulators, there is still a long way to go in establishing common continental or pan-African regulations governing the fintech space. The impact of this situation is that in each market we operate in, we prioritize establishing positive and mutual relationships with the respective regulators. This approach allows us to understand their objectives and compliance requirements while also educating them about our goals. It's a partnership where both parties work together to protect the users of our system. We view it positively as a collaborative effort.
This partnership enables us to not only meet the regulators' requirements but also strive to exceed them. We don't set our benchmarks based on each regulator's demands; instead, we aim to meet the strictest regulatory requirements across all markets. Whether it's about cybersecurity or resiliency, we ensure that our actions align with all the necessary requirements, regardless of the specific market. Our success lies in maintaining a strong partnership model with regulators and consistently striving to surpass even the strictest regulatory demands in the various markets we serve.
M7: How do you stay updated with the latest trends, emerging threats, and best practices in cybersecurity? How does that knowledge apply to financial and telecommunication industries?
TT: I struggle to stay updated on my site, but I ensure I stay informed through two main avenues. Firstly, I am an active member of both the ISACA and (ISC)² communities due to my CISSP certification. My passion for cybersecurity leads me to research and share insights on the subject. Attending conferences and engaging with cybersecurity communities helps me stay up-to-date on the latest threats in the field.
Secondly, from a group perspective, M-PESA Africa operates as a subsidiary of Safaricom and Vodacom, both being subsidiaries of the Vodafone Group. Within this network, we have a cybersecurity community where best practices from the Vodafone Group are shared and applied across different markets. This community exchange benefits both from the telecommunications and financial aspects of our operations, helping us develop and implement effective strategies against emerging threats. For instance, when it comes to areas like artificial intelligence and blockchain, specific conferences are attended to explore ways to leverage these technologies within our fintech and telecom industries. This proactive approach helps us keep abreast of new threats and adapt our practices accordingly.
M7: M-PESA Africa is expanding into new markets, including Ethiopia. How do you adapt your cybersecurity strategy and practices to accommodate the unique challenges and regulatory requirements of each new market?
TT: At M-PESA Africa, our vision and mission revolve around applying comprehensive cybersecurity controls for all markets, regardless of whether they are new or well-established. We do not differentiate when it comes to cybersecurity; all markets receive equal attention. Our commitment is to ensure that all controls are uniformly applied across our vast estate, without any discrimination or differentiation.
To achieve this goal, we take into account the requirements of all regulators, implementing even the strictest regulatory demands consistently across all markets. This approach allows us to maintain a consistent and level playing field for cybersecurity controls, reducing our overall cybersecurity risk to the minimum possible. In today's globally connected world, cyber risks apply without discrimination to both new and old markets, whether they are within Africa or from outside the continent. Our approach to cybersecurity acknowledges this reality and ensures that all markets are equally protected from potential threats.
M7: We would like to know your opinions on thought leadership. According to you, how can thought leadership shape a company's brand identity?
TT: M-PESA Africa, being the largest and most significant mobile money service, has established its brand based on creative and innovative ideas. Our focus on developing leadership and prioritizing customer service with new and innovative products has strongly connected us with our customers. As a result, we are the largest mobile money service in all the markets where M-PESA operates. This sustainable growth enables us to achieve our mission of financial inclusion and empowering our customers. Moreover, our strong brand presence has helped us connect with customers globally, even in markets where we don't have a physical footprint. This means that if we were to expand to new markets, we would start on a positive note with a well-recognized mobile brand, M-PESA.
M7: Considering the dynamic nature of cybersecurity and the need to drive impactful information technology changes in enterprises, what strategies do you recommend for content creation and advertising to effectively communicate an organization's expertise and insights to your target audience?
TT: The dynamic nature of cybersecurity in the technology industry applies to enterprises involved in content creation and those seeking to build a brand image and connect with customers. In summary, they must understand their target audience and fulfill their needs to become successful companies. Passionately understanding and serving the customer is what differentiates leaders in this field. While there are numerous strategies that can be adopted, the key lies in building a staff culture that is dedicated to serving the customer with passion. This principle holds true for any enterprise, regardless of whether they are involved in cybersecurity technology or not.
M7: How do you foresee the future of cybersecurity in the fintech industry as it continues to embrace and adopt new innovations like digital wallets, blockchain, and open banking? What are the key cybersecurity considerations that will arise with these advancements, and how do you envision addressing them to ensure the security and trustworthiness of financial services in the evolving fintech landscape?
TT: Combining two of my passions, cyber security and blockchain security, I have given numerous talks on how these fields can be combined. From the fintech industry perspective, let me start with blockchain. As we all know, blockchain originated from a cybersecurity perspective, with Bitcoin being the first successful blockchain product. Over the past 12 years, the fintech industry has witnessed the continuous evolution of and experimentation with blockchain technology. We keep a close eye on these developments and explore how to leverage them securely, including innovations like open banking and trustless security.
Artificial intelligence is another aspect that has gained significant attention recently. However, as customers understand and utilize these technologies, they become intrinsic and essential, moving beyond just hype. As leaders in the fintech industry, we must embed these technologies and advancements to provide value to our customers. Regarding cyber security considerations, we consistently update ourselves on evolving cyber risks. Before rolling out any product to customers, we conduct a thorough security review to ensure it is secure from the customer side to the system side. We strive to eliminate any vulnerabilities or potential malicious uses. We are one of the first companies to have a public bug bounty program in collaboration with our partner, HackerOne. We engage white-hat hackers on the Internet, providing them access to some areas of our system. If they identify any vulnerabilities, we conduct a paid bug bounty and promptly address and fix those issues. Cyber security is deeply ingrained into our approach to new technologies and advancements.