Cybersecurity is a business and people issue


When it comes to cybersecurity challenges and lessons, companies’ focus must be on people, processes, and technology to ensure that everyone is on board to fight the scourge of cyber-attacks, says Josh Souchon, CIO at Sasfin.

Speaking at the CIO South Africa Cybersecurity Summit held on 20 February, Josh Souchon, CIO at Sasfin, stressed that, when it comes to implementing strategies to mitigate cyber-attacks, both the business and its staff need to buy into the solution.

Sasfin, which provides financial products and services for business and wealth clients, realised several years ago that it needed to pivot from a technology-centred cybersecurity strategy to a holistic one that focused on people. This strategy, said Josh, covers people, process and technology, with an emphasis on the human line of defence.

To get there, the financial services company went back to basics to sort out its technology shop and then pivoted to its people-first strategy. This approach involves educating both its staff and its clients. “We are focusing extensively on training and awareness of both our people and our clients. Those who didn’t complete training are five times more at risk.”

Josh noted that “Sasfin follows a top-down strategy crafting process” that includes “active participation during the process of key business representatives from the Group CEO, COO, CRO, internal audit, group CFO, plus all senior IT managers”.

After this process, said Josh, the crafting stage is carried out together with the three business pillars and then with the support functions. The strategy is revised each year, and Sasfin follows a ‘crown jewels’ approach built around its most critical assets: client data and financial transactions.

With the strategy in place, Sasfin also has a formal cyber-incident response plan that is tested every 18 months through independently run simulation exercises, plus annual audit assessments covering penetration testing, phishing simulations and environmental access testing. “No one knows when we will do the simulation, it just happens. These did cause a lot of panic, but they showed our cyber response plan worked,” said Josh.

As a financial services company, Sasfin has to prioritise client data and financial transactions. “We allow the audit team into the building to try to penetrate the system. It’s really about doing a holistic approach,” said Josh.

To evaluate the effectiveness of the cybersecurity plan and its implementation, Sasfin uses several levels of checks, from real-time dashboards and daily monitoring to the annual and 18-monthly assessment processes. At the same time, as a financial services provider, it participates in industry forums such as the South African Banking Risk Information Centre, which facilitates information exchange and cooperation between its members, regulators and law enforcement on banking and financial crime.

Sasfin also draws on research from analysts such as Gartner for global facts, figures and trends, Josh explained. All the relevant data is reported through governance structures, from the executive committee to the board, as well as to the relevant regulators.

To ensure that everything is implemented properly, the financial services institution partners extensively, as the need arises, with vendors ranging from Microsoft (Azure) to Mimecast, CyberArk (for privileged access management), SailPoint (for user access management) and KnowBe4 (for client and staff training and awareness). “Cybersecurity resources are scarce globally, especially in South Africa, so effective partnership is paramount.”

The key lesson Sasfin has learnt, said Josh, is that this is a business and people strategy, not a technology process. “Although technology is key, people are your first line of defence, with the human firewalls being critical to any ongoing successful cyber-strategy.”

As Josh pointed out, it’s not about how high you can build your walls; it’s about how you respond to incidents. As incidents increase across the world, and especially locally, they show that no defence is absolute. What matters is how your people respond daily to attacks such as DDoS and phishing.

“It’s not about being attacked, but how you respond. You need to address the basics first, get the tools, and ensure the back door isn’t left open,” said Josh. “We are all in this together and we are far more effective through collaboration and learning from each other than doing it on our own.”