“Cybersecurity is much more than security—it's a strategic imperative”—Interview with Carsten Fritz
News, 22/10/2025
Carsten Fritz is Product Owner for Managed Application Services at Sopra Financial Technology. He has been working in financial IT for over 20 years and has evolved from a traditional software developer to a bridge builder between technology, regulatory requirements, and customer needs. There, he designs secure, AI-supported IT services that enable banks and financial service providers to operate their processes in a stable, compliant, and efficient manner.
Mr. Fritz, you originally come from a software development background. Today, you are responsible for managed services and artificial intelligence at Sopra Financial Technology. How did this change come about?
I studied computer science and entered the field of financial IT via software development—that was around 20 years ago. During this time, I learned a lot about structures, processes, and, of course, technology. But I realized early on that true added value comes from combining technology with an understanding of customer requirements. Many of my colleagues kept saying, “Carsten, you can explain complex technology in a way that customers really understand—and you understand what they need.” That was the decisive impetus for me to move more toward product development and product management.
Today, I basically wear two hats: As Product Owner for Managed Application Services, I ensure that we not only provide banks with IT, but also with solutions that fit their processes. And as the central point of contact for all questions relating to artificial intelligence, I take care of how we use AI sensibly and securely – internally and for our customers. This includes our Trusted AI Platform, which strengthens trust in AI through clear compliance and security mechanisms.
Is IT security a technology issue, or is it much more than that?
IT security is much more than a technological issue; it also affects corporate culture and mindset, for example, because a company's employees can be a gateway for cyberattacks if they are not made aware of certain dangers. Around 80 percent of damage is caused by social engineering or phishing attempts. In other words, attackers exploit human weaknesses rather than technical vulnerabilities. I recently had an impressive example of this: an awareness platform created a deepfake of our CEO within five minutes, who supposedly called me personally. The voice, the facial expressions, the choice of words – everything sounded absolutely real. If you don't remain critical, it's easy to fall for it.
That's why I say: IT security is a management task today. It belongs in the DNA of every company. Technology is only one side of the coin. The other is employee awareness. Only when both work together can true security be achieved. Of course, it remains a race: are the “bad guys” faster than us? But if we sensitize people to recognize risks and at the same time continuously develop our technologies, we have the best chance of staying ahead.
CIOs still play a subordinate role in many companies—technically important, but strategically underestimated. Do you see it that way too?
Yes, I often observe that. The CIO is responsible for systems, data, and security—and yet in many companies, he is only measured by how he manages his costs. Yet the entire business model often depends on his work functioning properly. Nowadays, people take IT security for granted. Whether it's online banking or smartphones, security is a prerequisite. The CIO ensures that this is guaranteed. But this achievement often remains invisible.
We see our role as strengthening them. With our managed services, we deliver not only technology, but also expertise and operational support. The CIO retains responsibility, but can back it up with know-how and resources. This transforms them from an administrator to a strategic designer. With our services, we provide them with the support they need to focus on strategy. This step is important in order to continue delivering effective IT in the future.
Where do you encounter the biggest weaknesses in practice—and how can banks and fintech companies avoid them?
The weaknesses usually lie where new technologies meet old structures. This is currently the case with AI. Many institutions recognize its potential, but underestimate the security issues. New technologies always bring new risks. If you don't understand them, you can't secure them properly. This means you have to take a close look at how they work, the possible attack scenarios, and the regulatory implications. There is no such thing as 100% security – but those who understand the risks can reduce them in a targeted manner. This requires expertise, experience, and the ability to assess risks economically. It is also important to be self-reflective and seek support if you do not have this expertise. After all, security must not become a cost factor, but must be economically viable.
What does a modern cybersecurity approach for banks look like?
The keyword is zero trust. This means that no system or user is trusted blindly, but only granted as many permissions as are absolutely necessary. This principle greatly minimizes the attack surface. In addition, activities are monitored using technical measures such as endpoint security, network monitoring, and encryption. But the intelligent use of new technologies is crucial: AI can, for example, recognize patterns in communication flows that indicate attacks – or automatically flag suspicious transactions in the area of anti-financial crime. This allows anomalies in millions of data records to be identified quickly and effectively before damage occurs. It is important to keep humans in the loop. While AI takes care of routine work and recognizes patterns, humans can concentrate on evaluating these detected anomalies. We refer to this as “human in the loop”: humans and machines working as a team.
What role do regulations play—are they more of a brake or an accelerator?
I definitely see it as an accelerator. Regulation forces companies to consciously address risks. Requirements such as DORA are not there to block progress, but to promote resilience. The legislator is essentially saying: “Know your risks, plan your measures, and make sure you can continue to operate even after an attack.” For me, this is not a balancing act, but a holistic approach. The same applies to the AI Act. It creates clear framework conditions under which we are allowed to use AI – and obliges us to take ethical and security-related aspects into account. When you combine the two, you get a robust, trustworthy system – and that is exactly the goal.
What distinguishes Managed Service 2.0 from previous approaches?
With our Managed Services 2.0, we offer customers a modular range of solutions that enable them to control and improve their processes holistically and in line with their specific needs. This means, for example, that we integrate security and regulatory compliance right from the start – even in the design and development phase. In traditional projects, the system is often developed, tested, and then handed over to operations. Only then do the security teams come into play, who have to familiarize themselves with the finished product. This costs time and money and leads to friction losses.
We do things differently: our security and compliance experts are involved from the very beginning. We check directly how inputs are secured, how reports are generated, and how vulnerabilities can be detected automatically. The result is a service that is secure from the ground up – not a patchwork quilt, but a well-thought-out overall concept. We call this Managed Service 2.0 – and for the customer, it is an all-round carefree package in the best sense of the word: secure, compliant, scalable, and immediately productive.
How do your customers respond to this approach?
Very positively. We have a customer, Helaba Invest, who also talks about his experiences in our Tech & Tacheles podcast. The topic there was “Delegating risk management with a system.” The conclusion was clear: if responsibilities are clearly defined and there is mutual trust, managed services are not a loss of control, but an enormous relief. Customers know what they can expect from us and guide us in a targeted manner. Communication on an equal footing is particularly appreciated. We don't just talk about IT, but also about the underlying processes in the company. This is where I can really play to my strengths by tailoring technical support precisely to specific needs. This creates mutual understanding and means that our customers feel they are being taken care of – both professionally and technically.
How big is the market potential for managed services and AI solutions in the financial sector?
The market is significant—especially for medium-sized banks. Many institutions do not have large IT departments of their own, but must meet the same regulatory requirements as large banks. This is exactly where our support comes in. We bring technical expertise, regulatory experience, and the ability to intelligently connect old and new systems. This applies, for example, to mainframe technologies, where expertise is often lost, as well as AI-supported applications. With our Trusted AI Platform, we offer a compliance-compliant, easily integrable solution that is specifically tailored to banks. We have observed that around 20 percent of institutions have already implemented initial AI pilot projects. Many of them are now faced with the question: How do we put this into productive, regulated operation? This is exactly where our AI platform offers a compliant framework – in a secure and scalable implementation.
Mr. Fritz, when you look ahead, what role will AI play in the cybersecurity of tomorrow?
AI will set the pace. But it will not replace humans—it will empower them. AI helps us perform recurring tasks effectively, precisely, and reliably, recognize patterns, and identify risks. However, humans remain the decision-makers. Their intuition, critical thinking, and ethical judgment are skills that AI does not (yet) possess. I therefore see the future in symbiosis: AI as a reliable assistant that reduces complexity, and humans as conductors who make the right decisions. This is the only way to create a secure, resilient, and sustainable IT landscape.
Carsten Fritz will host a webinar on October 30, 2025, in cooperation with the Banking Club, on the topic of “Your bank is only as secure as your weakest IT system.” More information and the opportunity to register for the webinar can be found here.