Fuat Demir, Head of the Information Security Department at Türk Ticaret Bankası, gave an interview to CIO Update magazine on cybersecurity and next-generation defense strategies. You can read the interview, conducted by Tuba Balta, below.
Globally, cyber threats now target not only systems but also business continuity directly. How are these global challenges impacting Türkiye, particularly the financial sector?
In recent years, there has been a significant shift in the nature of cyber threats. Previously, the goal of attacks was to steal data or gain access to systems. Today, however, attackers aim to disrupt services and undermine trust in the organization. Global ransomware groups and organized cybercrime networks are targeting organizations' business continuity. This situation becomes even more critical for the financial sector.
In Türkiye, the banking sector has achieved a high level of security maturity thanks to strong regulations and years of investment. However, this situation makes our country a visible target due to our role in regional and global structures. Additionally, the widespread adoption of digital channels and payment systems is expanding the attack surface. Therefore, the focus of CISOs is no longer solely on ensuring system security but has shifted to managing business continuity and customer trust together.
In your opinion, what should the ideal balance be between a CISO and a CIO/CTO? How does your collaboration with the CIO/CTO create synergy during the design phase of projects?
The relationship between the CISO and the CIO/CTO should be viewed not as a control mechanism but as a design partnership. While the CIO/CTO is responsible for innovation and speed, the CISO focuses on managing risks. With the right approach, these two objectives do not conflict; rather, they complement each other. At the core of this balance lies the integration of security into the process from the design phase onward.
With the "Security by Design" approach, security is addressed from the outset, not after the project is completed. This approach not only reduces risks but also accelerates processes. Because security requirements that emerge in the final stages cause delays, whereas decisions made in the early stages eliminate this issue. It is important to remember that the role of security teams is not to stop projects, but to collaborate in finding answers to the question, "How can we implement this securely?" Ultimately, a strong CIO-CISO collaboration is one of the fundamental prerequisites for organizations to act both swiftly and securely.
When managing "extended ecosystem" risks, how do you monitor and standardize your partners' security levels?
Today, a significant portion of an organization's risk surface no longer stems from its own systems but from its business partners. Software vendors and fintech companies have become an integral part of operations. Consequently, third-party risk management has become a critical discipline. One of the most important points in this area is adopting a differentiated approach based on risk levels rather than evaluating all business partners uniformly.
Business partners working with critical systems undergo stricter controls. While initial assessments are important, continuous monitoring is now indispensable. Being promptly notified in the event of a potential vulnerability or breach is of great importance. Security standards and notification obligations in contracts have also become fundamental components of this process. Additionally, given that even the most trusted business partners may pose risks, we must ensure integration with secure architectural frameworks. Today, an organization's security is only as strong as the security of the entire ecosystem it operates within.
In the past, CISO offices were often viewed as "obstacles." How do you assess the shift in cross-departmental communication from this perspective toward a "collaboration-focused" structure?
In the past, security teams were often perceived as a structure that slowed down projects. The primary reason for this was that security was treated as a control mechanism introduced at the very end of the process. Today, this approach has changed significantly. Security is no longer seen as an obstacle to innovation but as a fundamental component of sustainable digital transformation. The most critical aspect of this transition is integrating security into the process from the design phase onward and fostering security awareness across teams. In modern organizations, security teams position themselves not as a structure that performs checks at the end of projects, but as a strategic business partner enabling secure innovation.
In your view, how should a CISO master the art of translating a technical risk into a "financial risk" or "reputational loss" for the board of directors and business unit leaders? How do you explain to them that cybersecurity is not a "cost center" but a "competitive advantage"?
One of a CISO's most important tasks is to translate technical risks into a language the business world can understand. Boards of directors want to see the impact of these risks on the organization rather than technical details. For this reason, cyber risks are typically explained in terms of financial impact, operational disruption, and reputational risk. This approach makes decision-making processes more concrete and understandable. Concrete examples and incidents from similar organizations also help clarify the risks.
Since trust is one of the most critical elements in the financial sector, cybersecurity investments should not be viewed merely as a cost item. A robust security approach enhances customer trust, protects brand reputation, and enables organizations to secure a stronger position in digital competition. From this perspective, cybersecurity is not merely a structure that reduces risks; it is also a competitive advantage that enables organizations to build trust.
As a CISO, what is the biggest innovation or technology in the cybersecurity world that excites you the most?
In recent years, the most notable development in the cybersecurity field has been the integration of artificial intelligence into security operations. This development is not merely a technological advancement; it also signifies a transformation that fundamentally changes how security is managed. In traditional security operations, teams often faced an overwhelming number of alerts, which could lead to critical logs being overlooked. Artificial intelligence enables the analysis of large datasets in a very short time, allows for rapid anomaly detection, and facilitates the identification of threats much earlier. However, we also know this transformation is not one-sided. Targeted attacks are now being developed using artificial intelligence. This places us in a race where both defense and attack sides are AI-driven. In the future, the differentiator will be organizations that not only use AI but place it at the center of their operational processes.
Do you foresee cybersecurity evolving into a structure like "embedded security" within business units in the future? What will be the role of Türk Ticaret Bankası in this vision?
The future of cybersecurity is moving toward an "embedded security" approach. In this model, security moves beyond a central team to become a natural part of all business processes. Software development, product management, and business units treat security as an integral part of the design. Thus, security is not an afterthought but a fundamental component of the system. This approach also fosters shared responsibility. Security becomes a shared responsibility of the entire organization, not just the CISO's.
As Türk Ticaret Bankası, our approach aligns with this vision. We position security not merely as a protective mechanism but as an element that supports digital growth. This perspective both strengthens security and accelerates our business processes. Consequently, security evolves from a supporting function into a central component of our business model itself.
You can access the full interview via this link.