Embedded trust
First line of defence:
No matter what job they do, staff should be aware of, and comfortable with reporting, security issues
Adyen has recently expanded into financial services on the back of a full banking licence, with a workforce that puts security at the heart of every task, says CTO Alexander Matthey. Here, he discusses its approach alongside Mark Phillips, Senior Consultant at cybersecurity consultancy Dionach
In the US, there are only enough cybersecurity workers for 68 per cent of the jobs that employers are looking to fill, across all industries, according to CyberSeek. In Europe, the staffing situation is so critical that a vice president of the European Commission used the 2022 Munich Cyber Security Conference to issue an urgent plea for public and private sectors ‘to join forces and make concrete pledges to train professionals on cybersecurity skills’. A report from the Carnegie Endowment for International Peace says addressing this talent shortage in banking specifically is one of six priorities for protecting the global financial systems from cyber threats.
Banks clearly aren’t the only targets – in 2022, supermarkets, telecommunications providers, health systems, oil suppliers and local councils were among those disrupted on an almost weekly basis in Europe. But when it comes to consumers’ – and regulators’ – relationship with the organisations that hold and facilitate the movement of money, trust and security go to the heart of it, and a business’ success, even its survival, depends on the approach it takes to protecting both.
Given that by far the biggest attack vector in any organisation is likely to be the staff who run it, security needs to be embedded into culture from the outset, according to Alexander Matthey, CTO of Adyen, a financial technology company that’s focussed on enabling merchants to accept e-commerce, mobile and in-person payments, and is well ahead of the embedded finance curve. Founded in 2006, Adyen took what many would see as the hard route to expansion: after investing in its existing licensing framework, it obtained a banking licence in Europe in 2017 and in the US in 2022, meaning it bears the full burden of responsibility when it comes to compliance. That strategy, though, has clearly worked for Adyen, which was trusted with processing €346 billion of transactions in the first half of 2022 alone – an increase of 60 per cent year-on-year – by clients including global brands with huge reputations to protect, such as Facebook, Uber, H&M, eBay and Microsoft. Indeed, Adyen has more than tripled its processed volume over the past three years. Revenue also grew by an impressive 37 per cent during the period, reaching €609 million. And it’s because it baked in a security mindset at the outset that it’s been able to expand both its service and its geography relatively painlessly, believes Matthey.
“It’s very important not to make security the responsibility of a certain team, at a certain moment in the process, but rather to build it into your foundation as a company,” he says. “That’s something that a lot of people get wrong because they do great things at the beginning but then they have to stop because the security team steps in and says ‘wait a minute, now we need to redo this’.”
Mark Phillips, senior consultant at UK-based cybersecurity consultancy Dionach, which offers a range of compliance, assurance and response services and has worked with Adyen, says making security an organic part of an organisation can turn its biggest vulnerability into its first line of defence.
“The key thing is to empower employees to use security as a tool, rather than see it as a hindrance,” he says. “And I agree that you don’t want to be half way through implementing a project and then find out that a piece of tech you wanted to use has horrific security vulnerabilities. But having a clear vision and strategy that leads to defined information security objectives as an organisation, filters down to the people on the ground who are creating the software and implementing the projects.”
Alexander Matthey, Adyen
A company’s recruitment strategy clearly has to be in alignment with that, and Adyen’s is famously thorough. Having first undergone a Zoom call to make an initial assessment of whether they ‘fit’ the organisation, every applicant meets a member of the board or global leadership team before being hired, such is Adyen’s commitment to ensuring company culture is present at all levels. “It needs to be top down, in terms of vision or mission,” says Matthey. “We want to be a security-first company and believe this is important for us. But a lot of the real work actually happens from the bottom up. Decisions on which technology to adopt or the right direction for a certain project are typically made somewhere within the organisation and everybody should be thinking about it.”
In that way, staff are primed to react to any issues that arise and Adyen encourages them to be fearless about reporting them.
“It should be a good mixture of looking at compliance and legislation, performing assurance responsibilities and making sure you deal with the outcomes of those,” says Phillips. “Too many times, we have gone into an organisation, performed a penetration test, given them the results, given them a recommendation, an action plan… and then gone back the next year and they have the same, or almost the same, vulnerabilities.”
As a security advisor, he’s well aware of the critical shortage of specialist staff. “There are not enough people who want to come into the industry to do penetration testing, or who can deliver the services at the right governance, risk and compliance (GRC) level,” he says.
That is why the ‘positive vibe’ Adyen’s security-first strategy has created across the organisation helps to future-proof the business, both against the evolving financial crime threat and in its ability to deal with regulatory changes introduced to control it.
“Security plays a really big role in every single job within Adyen – from an account manager who is handling merchant data, to an engineer working on our product, to network infrastructure people who are building tech,” says Matthey. “Obviously, different skills are needed, but it’s about staff understanding that they are the very first line of defence when dealing with whatever they do in their job. Security needs to be part of the assessment of what they do and that can be done very easily.”
Adyen avoids playing the blame game when a weakness is identified. Rather, it sees it as a positive, according to Matthey.
“If you found it, it can be fixed,” he says. “You need to build a culture where you allow teams and individuals to make mistakes, and a safe environment where they can talk about it, fix it, and learn from each other.”
It comes back to that ‘first line of defence’ theory.
Mark Phillips, Dionach
“If somebody clicks on a phishing email, do they say ‘I’d better keep it to myself and hope nothing happens’? Or will they be proactive and say ‘I’ll tell our internal security team I might have done something wrong’? This is certainly the better approach, but requires a culture that enables people to act correctly.”
PUBLIC OR PRIVATE CLOUD?
Adyen has deliberately chosen not to use the public Cloud for its platform. Instead, it hosts its main systems in separate data centres in dispersed locations all over the world to ensure global coverage. It owns, administers and manages all its servers.
“One of the reasons we do not use Cloud is that you introduce a new set of risks that you have to cover and – compared to on-premise – you have much less control,” maintains Matthey. It also means the organisation needs to retain people who understand the specific risks associated with the public Cloud – which, given the current skills shortage, is an added challenge.
The apparent cost benefits of Cloud, in his view, therefore, don’t necessarily pay off in the longer term. “People underestimate how much time you spend to make that setup secure,” he says.
Others have come to the same conclusion, according to Phillips, because Dionach is now seeing a slowdown in adoption. That hesitancy might be being encouraged by regulators across the world, including the Financial Industry Regulatory Authority (FINRA) in the States, the Prudential Regulation Authority in the UK, the European Banking Authority, the Monetary Authority of Singapore, and the Bank of France, all of whom have voiced concerns, ranging from heightened risk of security breach to systemic risk of outages within the financial system, if too much of it is reliant on a handful of public Cloud providers.
“Whenever you hear the term ‘public Cloud’, you’ve just got to replace it with ‘someone else’s server’ and that gives you a better way of analysing the risk that’s involved with your data,” says Phillips.
THE SECURITY-LITERATE BOARD
Matthey maintains that it was to Adyen’s advantage that ‘the people who founded the company, the people sitting on the board, understood how important security is and how important it is to find a way to scale that into a bigger organisation’.
Other financial providers do not always have that level of expertise at the top of the corporate tree, says Phillips, which is why Dionach now offers clients a virtual Chief Information Security Officer (CISO) – a service that draws on the combined knowledge of Dionach consultants with experience of different organisations and cultures to convey that information to a board.
As increasing numbers of non-financial players enter the financial market through embedded products, that knowledge is likely to become even more valuable to boards that are aware of a rising tide of financial crime and are concerned to protect their organisations’ reputation from being damaged by it. At the same time, ‘regulators all around the world are tightening the screws, which is a positive thing’, says Matthey. “The ecosystem will move more towards finding very specific providers for services that are fully regulated and very secure, and can deliver the set of services that are needed to turn it into something useful for end-customers.”
It’s why he believes that Adyen’s white-label approach will continue to be successful as a very secure way of providing payment services: “Because we take care of the regulatory side, backed by our banking licences, allowing clients to tailor their services in a secure way to the real needs of their customers.”