Security Expert Interview Series: Philippe Lopez
We recently checked in with Philippe Lopez to learn about what makes information security challenging within the financial services field and the top 3 threats to digital payments in 2021. Philippe (see his LinkedIn profile here) is the Regional Chief Security Officer for Middle East & Africa (MEA) at Mastercard. He has a strong technology and cybersecurity background. Most recently, Philippe was the Head of Cyber & Resilience for HSBC Commercial Banking for APAC. He is a strong advocate for the cyber and digital domains and greatly enjoys mentoring, helping to uplift the workforce and service veterans across the community. Given that, make sure you do not miss his interesting insights and read the full interview below.
1. Firstly, thank you for taking part in this campaign, Philippe. Can you tell us about your professional background and areas of interest?
Thanks for the opportunity to be a part of your campaign and to be part of the cyber discussion with your community and readership.
The two decades of my professional career have been spent wholly in the security and technology domains.
The foundation of my career was set by service in the military and federal government, which made up a solid portion of the first half of my career. The second half of my career so far has been in Financial Services and global banking, nicely capped off so far by my work in technology and the global payments ecosystem with Mastercard.
Some highlights include the greenfields buildout of South Africa’s first digital bank to be licensed by the regulator (SARB). More recently, I had the fortune to head up Cyber & Resilience for the Asia-Pacific region in Hong Kong for a leading global bank, enabling business resilience through unprecedented disruption events in various Asian markets, and keeping our global business safe and secure during a global pandemic. It is usually the case that the most challenging times can act as the greatest teachers, and these times have been invaluable learning experiences for me.
Noting that over 90% of all cyber intrusion and data loss activity stems from human and process vulnerabilities, misuse, or abuse – the human aspects of security are a key area of interest and a passion of mine.
Additionally, I have a passion for safe and secure digital enablement as the world is going digital.
2. As we noticed, you are a Chief Security Officer for Mastercard for the Middle East and Africa region. Could you please share with us what are the challenges that excite you in that position?
Within our MEA region alone, in my humble opinion, we have the globe’s greatest diversity in terms of technological and backbone infrastructure development.
Regionally, we have a unique mix of advanced smart cities and smart societies leading the globe in terms of going digital, such as in the UAE and Saudi Arabia, with strong strategies for smart and secure population centers. As an example, in my home city of Dubai, His Highness Sheikh Mohammed bin Rashid Al Maktoum is a very strong proponent of cybersecurity as a critical enabler for Dubai to be one of the safest digital societies on the planet.
In Africa, we are seeing the rapid emergence of disruptors to traditional communications backbone technologies, such as 5G wireless infrastructure.
The lack of legacy infrastructure and technical debt in these emerging markets is giving them an opportunity to leap-frog other more advanced markets when it comes to digital channels and services.
This is exciting for our micro-vendors and enterprises as part of our Mastercard payments ecosystem, as digital payments platforms, peer-to-peer solutions, and real-time payments platforms will be made directly available to the on-the-ground mum-and-dad small businesses to take advantage of through mobile devices.
I am certainly looking forward to partnering with our stakeholders to meet the challenges associated with rapid digitization, and the diversity in digital and cyber maturity of our stakeholders and partners, across our 69 markets in the Middle East & Africa.
3. Please tell us what makes information security challenging within the financial services field.
The single greatest challenge in information security is that we must meet the threat head-on as a coherent “collective”.
The automated and large-scale nature of “as-a-Service” threat activity has shown us that we must work within strong partnerships to ensure that our collective ecosystem is secure.
You can see that the as-a-Service cybercrime gangs – such as DarkSide and the Emotet advanced persistent threat (APT) groups before them – wreaked havoc against entire industry sectors through some established as-a-service frameworks.
These APTs are lowering the barrier of entry for cybercrime, and consequently Public and Private partnerships in the cybersecurity space have never been more important.
Our Global Chief Security Officer at Mastercard, Ron Green, has an analogy of wildebeests versus lions: When they run as a herd, they have more protection against the lions.
This principle of collective security is very applicable in the cybersecurity domain.
In order to assist our stakeholders – whether they are Public institutions, small micro-vendors or large multinational enterprises – we are working to contribute to the security collective with our Mastercard European Cyber Resilience Center (ECRC) in Belgium.
Our ECRC has enabled us to host and collaborate with some key European stakeholders across the Public and Private sectors – including the strengthening of threat intelligence collaboration, enabling collaborative Mastercard Threatcasting and response tabletop simulations. The ECRC has had some fantastic feedback from regulators, law enforcement agencies, and our payments ecosystem partners.
Collective security is the domain’s greatest challenge – and something that I enjoy working towards every day because it means working with my peers and building trusted partnerships to help us all.
4. What are the top 3 threats to digital payments in 2021?
Technology disruptors such as Automation, Artificial Intelligence, and Machine Learning are being researched and adopted by cybercrime actors.
Cybercrime forums and the Darkweb community are buzzing with talk about Deepfake technology, advanced distribution approaches for phishing, the evolution of as-a-Service frameworks, and the like. All of which leverage disruptor technologies in order to scale campaigns at unprecedented levels.
Noting the above, three top-of-mind threats are:
- As-a-Service frameworks. As-a-Service attack and exploitation frameworks are lowering the barrier for entry. The recent May 2021 Colonial Pipeline attack and DarkSide framework showed that these attacks can scale out of control with the actions of criminal affiliates causing the real strategic effects. Although this was an attack on non-financial critical infrastructure, the indiscriminate nature of these volume-based attacks is a real threat to the payments ecosystem.
- Supplier Assurance. Attacks on the supply chain have dominated 2021 so far. Globally, financial services and the wider industry have been impacted by vulnerabilities in the Accellion File Transfer Appliance and the SolarWinds Orion platform, and we have seen Microsoft Exchange-related issues such as the Hafnium exploitation. Cybercriminal threat actors are smart and are a business, so they will choose the path of least resistance where they can. Suppliers can be perceived as a weak link in the ecosystem.
- Threat to the human layer is a perennial risk. As a cyber intrusion point of entry, humans are extremely susceptible. The amplifying pressures of fast-paced delivery to support business speed-to-market, and the rapid evolution of our ways of working, will continue to keep the threat to our colleagues as one of the highest.
5. What key steps should payment service providers take to protect their organisations as well as customers against these security threats?
Threat actors continue to present more varied, more sophisticated, and more innovative ways to scale attack vectors. Luckily, as I stated earlier, their objectives fundamentally remain the same: disruption of services and/or financial gain.
Of course, payment providers are privileged to have excellent reference frameworks in the Payment Card Industry Data Security Standard (PCI DSS) and EMV security standards.
More generally, cyber risk needs to be identified, quantified and mitigation strategies need to be developed. We need to be able to truly learn and speak the language of cyber risk eloquently. When done effectively, this enables the business decision-makers to make the decision that is needed to maintain critical operations and protect corporate and customer assets. So cyber risk management, as a function, is the base control that threads everything together to get the business outcome we need.
From a technology layer perspective, our analysts at Mastercard have told me that we have seen an average of 47 distinct cyber products in a corporate environment, and the challenge is how to extend them to the much larger attack surface. As an industry, we need to realise that most products were not meant for this scale. So, we need to understand how to layer them as part of an orchestrated program.
In the end, I have always sought to implement technology controls that at least cover what I see as the minimum baseline – and I have always been a fan of the Australian Signals Directorate Top 4 (now evolved into the “Essential Eight”) – as this gives security leaders some very practical guidance on the controls that mitigate over 85% of cyber intrusions. Other nations and industry best practice bodies definitely have similar very good reference frameworks, and this might be my Australian bias coming to the fore, but I have leaned on the Essential Eight as a “go-to” throughout my career. It has proven to be an ageless companion reference time and again for me. I commend your readership to at least review it for themselves.
Regardless of the priority of controls you implement, a well-orchestrated security program complemented with a good workforce behavioral and hygiene strengthening program, will see a strong reduction of cyber incidents, and set you up for success for response and recovery.
My Mastercard colleagues and I often speak about the basics and simplifying the message to our business partners. As part of that, we promote that companies should consider the 4 P’s: Protect data assets by quantifying cyber risks; Prioritize cybersecurity initiatives based on a risk/return calculation; Practice for the breach – because it will likely happen; and Prevent the attack by enabling employees and contractors to become the first line of defense.
These concepts are not new, and most organizations have adopted elements of them. The agility with which organizations implement these 4 P’s will allow them to accurately measure, forecast, and manage risk. This is the difference between those that overcome cyber-attacks and become resilient, versus those that are overcome by them.
6. One payment security trend that is gaining prominence is tokenization. Besides increased transparency, what are the benefits of tokenization for organisations?
Tokenization has actually been around for a while now, a technology which Mastercard has been a global leader in designing and implementing for many years.
Simply put, tokenization refers to converting a digital asset into a digital token so that it behaves the same as the original asset. In our world of payments, the payment token can carry an extra level of security to protect sensitive payment data.
We use tokenization in combination with encryption to achieve the level of security required to protect and safeguard sensitive payment information in any form factor.
For example, our tokenization engine – Mastercard Digital Enablement Service (MDES) – allows consumers to store payment account information in mobile wallets, e-commerce platforms, and mobile devices without exposing the original sensitive information.
Other key benefits of enabling tokenization services like MDES are in the improvement of user experience.
When coupled with frictionless authentication services such as biometric authentication (e.g. Face ID or Touch ID), it becomes a low-latency method that brings a favorable user experience for merchants and consumers at the check-out or when making an online payment.
This is a real example of security being an enabler to truly improve the customer experience and reduce transactional latency.
Additionally, if a mobile device is lost or stolen, the token can simply be revoked and the bank’s, merchant’s, or consumer’s exposure is minimized.
I personally love using digital wallets to store my payment information. Not only do I enjoy that satisfying “bing” when a transaction is authenticated, but tokenization gives me confidence that my hard-earned money and my personal information are safe and secure whilst making that very easy transaction. I am a bit of a digital payments geek though – so please forgive me if this feeling is not shared!
7. What is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in information security?
My primary tip: “Don’t forget how lucky we are to be part of this cyber profession. Realize the importance of what you will be a part of and realize your immense responsibility to our community and wider society. You will be a key part of enabling a safe and secure digital life for the future. You will be part of a profession that protects the very livelihood and digital identity of your family, your colleagues, and the community”.
At Mastercard, my colleagues have a passion for uplifting and supporting the next generation when it comes to cybersecurity. We understand that cybersecurity is a key enabler for the digital ecosystem. We also understand that we have a corporate responsibility to contribute and give back to the education sector and inspire more diversity to make our function better overall – that’s why we get behind key STEM programs like Girls4Tech. We’ve reached more than one million girls in 31 countries. The original goal of 200,000 girls by 2020 has now been superseded by a goal to engage five million girls by 2025.
There are so many other tips I can share, and if you find yourself with some time, you can find some other tips in my LinkedIn article, “Five Steps for a Cyber Wannabe to join cybersecurity”, here: https://www.linkedin.com/pulse/five-steps-cyber-wannabe-join-cybersecurity-philippe-lopez/
8. Where do you go for inspiration or resources that you use in your own personal development?
Firstly, I truly believe that cybersecurity requires earnest passion and interest in the subject matter for you to stand out, add value and succeed. So, if at any point in your career you find yourself being disinterested, my personal advice is to find and move to a part of cybersecurity that sparks that interest and passion again – this will be key in finding your personal inspiration.
To find my inspiration, as I developed, changed roles, and evolved through my career, I referred to vastly different types of resources.
At the start of my career, I was just trying to understand the basics – so understanding and being familiar with best practice frameworks and standards like SABSA, COBIT, the NIST Cybersecurity Lifecycle, OWASP, the Cloud Security Alliance, the MITRE ATT&CK framework, etc. was something that I invested time in to build out my domain fundamentals.
Then at some point, after I gained some base experience, something clicked in my mind – and a handful of controls stood out. This handful of controls was my go-to and proved to be an ageless reference for me: the latest form is the Australian Signals Directorate Essential Eight (based upon the old DSD Top 4 first released over a decade ago). It helped me focus on controls that are truly effective for cyber intrusion mitigation. When you gain confidence and can articulate a simplified approach, you become a lot more valuable to the business.
On a daily basis, I subscribe to a few feeds to keep me abreast of the key alerts and focal items in the cybersecurity domain – SANS NewsBites is a great resource, Brian Krebs’s blog always has some great takeaways (especially for payments and financial services), and as Mastercard has a strong partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC), I am a member of a few key groups as part of this membership. I know that FS-ISAC may not be accessible to some of your readership; however, I would strongly commend membership to your business leadership, as it opens up a great network to lean on when times are tough.
I also believe it is critical to understand your business strategy to secure it, i.e. what are your business drivers for your industry? I am a member of the Forbes Technology Council, and Forbes has some great content and material that will give you insights into your key sector and business drivers. I also read Harvard Business Review for strategic insights. Knowing what makes your business tick and the strategic trends will help you stay one step ahead in knowing how to influence the decision-makers.
Finally, since I call Dubai home, and my daughter is learning Arabic, I am also trying to force my old brain to learn the Arabic basics with a daily Pimsleur program during my drive to work. My brain is not geared for this – and I feel I am failing miserably at this, but I will persist! I would be happy for any of your readers to reach out separately and give me any tips to learn Arabic!
Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.