Interview: Deniz Kaya – Perseus Information Security Consulting, CEO

Perseus Information Security builds effective security programs to protected infrastructures and enhance business operations. The security consultants bring deep and broad industry expertise to the table, with an average of 10+ years of IT security consulting experience in disciplines including compliance, data protection, application services, risk management, identity and access management, cyber security, mobility, cloud, and incident planning and response. We’ve made an interview with Deniz Kaya, CEO of Perseus Information Security about the important changes to the SWIFT CSP.

Perseus Information Security Consulting is listed on the SWIFT website as a CSP assessment provider. Before I ask you about how Perseus got listed there – tell us about SWIFT.

SWIFT is a member-owned cooperative that provides the communications platform, products and services to connect more than 10,000 banking organizations, securities institutions and corporate customers in 212 countries and territories. SWIFT enables its users to exchange automated, standardized financial information securely and reliably, thereby lowering costs, reducing operational risk and eliminating operational inefficiencies. SWIFT also brings the financial community together to work collaboratively to shape market practice, define standards and debate issues of mutual interest.

Is the cyber security initiative by SWIFT new for their members?

No, SWIFT started a cyber security initiative a couple of years ago. SWIFT developed their Customer Security Program (CSP) in response to the cyber-attack on the Bank of Bangladesh in 2016 in which millions of dollars were stolen, and subsequent attacks on other banks and corporations. They realized the need to help SWIFT members keep their SWIFT infrastructure secure, and ensure that SWIFT could maintain their industry leading position of trust, as one of the primary financial messaging services in the world.

The goal of the CSP is to strengthen the cyber security posture of the SWIFT payment network by increasing the cyber maturity of its members. The SWIFT CSP is built around three pillars: (1) securing your local environment, (2) preventing and detecting fraud in your commercial relationships, and (3) continuously sharing information and preparing to defend against future cyber threats.

They asked their members – banks basically, to submit to SWIFT on an annual basis an internal report about their cyber security readiness and how it adheres to the SWIFT recommended controls. What’s new this year is SWIFT is requiring all members to submit a 3rd party cyber security audit of these cyber security controls.

So, tell us how Perseus got listed on the SWIFT website and are members required to secure their cyber security services and 3rd party audits from the companies listed there?

Our work with central banks came to the attention of folks at SWIFT and they reached out to us and asked us to apply and go through their vetting process. SWIFT was looking for experts in the cyber security field that had worked with banks and specifically had expertise with the SWIFT cyber security controls, framework, policies and procedures.

They have been approving a limited number of providers that have strong cyber security services experience, credentials, a strategic focus on cyber security services and a good reputation and commitment to customers in the financial industry. Members of SWIFT are not required to use the companies listed on the SWIFT website – but SWIFT has already vetted these companies as a service to their members and this allows them to find experts quickly.

Is there a financial penalty or any type of penalty if a bank or member of SWIFT does not submit an audit or fails an audit?

First – don’t fail the audit. Second, no, SWIFT does not issue a fine if a member is not compliant.  But when SWIFT introduced the requirement for their members to attest to their level of compliance with this framework, they also included a communications channel to let other members know of the audit result. This attestation then acts as an indicator to SWIFT, the member, their regulators and counterparties of the security posture of the member.

So, other member banks will be able to see how your bank performed in a CSP/cyber security audit and decide if they want to continue doing business with you based on your level of compliance. It’s not unusual – as an example, for the U.S. Federal Reserve to reach out to a SWIFT member who is in non-compliance with their CSP requirements and put pressure on them to “right their ship”. Banks have told me that the U.S. Federal Reserve has been known to cut banks off if they are not in compliance – which makes for a pretty good incentive.

Nevertheless, compliance is not the only goal. Putting in place the SWIFT Customer Security Controls Framework (CSCF) controls not only enhances the security posture of an organization – it also serves as a way to demonstrate their maturity to third parties. Counterparties and regulators, encouraged by SWIFT, are increasingly using SWIFT CSCF compliance, as a way to enhance their evaluation of third-party cyber risk – potentially replacing or reducing costly audit activities.

How can SWIFT member organizations meet this challenge?

The first option is to integrate the SWIFT Customer Security Controls Framework (CSCF) into the governance of their organization, making the processes standardized and, when appropriate, part of their normal operations. The second option is to design or alter their systems to limit the impact of the SWIFT requirements. Organizations seeking to reduce the impact of compliance are also changing the way they use the SWIFT service to reduce their SWIFT footprint, and structuring their networks and systems to limit where the controls need to be applied.

Deniz, I did go through the website for Perseus Information Security Consulting and found that your company provides a wide range of IT consulting services. How did you get into consulting for banks?

When you do great work at a fair price, your customers will refer you to their friends and associates. IT Directors at banks are looking for expert consultants they can trust and rely on and are familiar with the banking environment – and we deliver in those areas. Most of our work has come from referrals, that’s how we got into the banking sector and other sectors as well like: refineries, gas pipeline projects, digital grid, various utility projects, airports, manufacturing, national defense and so many more. We have delivered our services to various clients in over 40 countries around the globe over the last 5 years.

Back to the SWIFT cyber security requirements – do you provide the 3rd party auditing service as well as remediation services?

We provide attestation support across the globe, with Tampa, Florida as our global HQ. We provide the 3rd party audits and assessments and we also have a number of services that can assist with the implementation of the SWIFT CSCF. These range from integrating the CSCF controls into the existing risk, governance and IT processes, to performing gap assessments, through to technical transformation of key systems, security, and network controls. The areas we cover include, Identity and Access Management, Privileged Access Management, Network and System Architecture, Security Operations and Cloud transformation.

Generally speaking, what’s been the experience of you and your team working with the SWIFT member banks?

Well, the banks may be under pressure to meet these SWIFT requirements and their budgets may be tight – but speaking for myself and my team – we all love working at banks. The folks that we have worked with at banks are smart, dedicated and passionate about securing their networks and have been very open to working as a team to get the job done.

And finally, how do you initially engage with a bank?

It’s different this year. Up until now, a SWIFT member could prove its compliance with the CSP by means of a self-attestation that the company did by itself. Most companies were honest with their fulfillment levels and reported these truthfully to SWIFT. SWIFT now wants to put an end to this. Starting this July, such an audit by independent third parties will now become mandatory. We offer an initial one- hour consultation, which is free – this is not a sales call, but an hour where both parties exchange info – ask and answer questions.

These audits are relatively inexpensive and most banks will require a formal quote, then issue a purchase order and then schedule the audit. For a bank to begin a conversation with us just takes a phone call to 813-925-9582 or visit our website and hit the “Begin the Discussion” button at the top of our home page – pretty simple.