As CISO of GCB Bank, Albert Laweh Tetteh is championing cybersecurity transformation, risk governance, and digital trust to support Ghana’s evolving financial and regulatory ecosystem.
Albert Laweh Tetteh, the Chief Information Security Officer (CISO) at GCB Bank PLC, is a Certified CISSP, CCSP, and CISM executive with over 16 years of experience leading cybersecurity, compliance, and IT governance across Ghana’s banking sector. From managing complex certifications like ISO 27001 and PCI DSS to spearheading national cybersecurity strategy alignment, Albert has positioned himself as one of West Africa’s most respected voices in enterprise security.
With a track record at institutions including CalBank, First Atlantic Bank, and Ghana Life Insurance, he brings a rare combination of technical depth, regulatory knowledge, and strategic foresight.
In this exclusive interview, Albert shares his perspective on risk-driven cybersecurity, the future of AI in finance, and how African organizations can embed digital trust in an evolving threat landscape.
A pivotal moment came in 2018 with the Bank of Ghana’s Cyber and Information Security Directive, which catalyzed a sector-wide transformation.
Q&A with Albert Laweh
Q: You’ve held multiple senior roles across leading banks in Ghana. How has the cybersecurity landscape evolved in the region over the past decade from your perspective?
A: Over the past decade, Ghana’s cybersecurity landscape particularly within the banking sector has experienced a remarkable transformation. When I first assumed a senior cybersecurity role in the early 2014s, cyber risk was often relegated to the background, overshadowed by broader IT concerns. Security efforts were largely reactive, centered around basic perimeter defenses like firewalls and antivirus software, with limited incident response capabilities. At the time, there was little to no regulatory guidance, and securing executive support for cybersecurity initiatives was a considerable challenge.
The narrative began to shift with the rapid expansion of digital banking, mobile money platforms, and fintech collaborations. As customer transactions moved online, so did the threat actors. The introduction of e-payment systems and agency banking significantly broadened the threat surface.
Financial institutions began establishing dedicated cybersecurity departments, Security Operations Centers (SOCs), and governance structures reporting directly to the CISO. Adoption of international standards like ISO 27001, PCI DSS, SWIFT CSP, and the uptake of cyber insurance became industry norms. The enactment of the Cybersecurity Act in 2020 further strengthened the national framework, designating cybersecurity as a critical component of national infrastructure protection.
Banks within Ghana are now active members of global cyber intelligence networks such as FIRST and AfricaCERT. The focus has shifted from compliance-driven checklists to proactive threat hunting, insider risk management, red teaming, and business continuity simulations. While challenges remain particularly around building a robust local talent pipeline and addressing emerging threats like AI-enabled fraud the progress has been undeniable.
Looking back, the journey has been both challenging and rewarding. What began as fragmented, reactive efforts have matured into a cohesive, risk-based cybersecurity ecosystem, one that not only defends our digital financial infrastructure but also fosters trust in Ghana’s digital economy.
Q: As the current Chief Information Security Officer (CISO) at GCB Bank PLC, what are your key priorities for aligning cybersecurity initiatives with business objectives?
A: As Chief Information Security Officer at GCB Bank PLC, one of my key priorities is embedding cybersecurity into the fabric of the bank’s digital transformation journey. As we expand digital channels and leverage AI, data analytics, and cloud technologies to enhance customer engagement and operational agility, security must not be an afterthought, it must be integrated from the outset.
It is necessary to strengthen our cyber resilience posture through measures such as robust incident response readiness, business continuity planning, ransomware defense and embedding security into products and services are central to this effort bolstering customer trust and enabling long-term, sustainable growth.
My goal as CISO is to ensure that our cyber strategy is fully aligned with the bank’s ambition to be a trusted digital financial leader in Ghana.
Equally important is fostering a culture of shared cyber responsibility across the entire organization. We are moving beyond annual or quarterly training events to implement continuous, role-specific awareness campaigns, phishing simulations, and executive-level tabletop exercises. From frontline branch staff to board members, every stakeholder plays a critical role in safeguarding our customers’ data and the bank’s reputation.
Lastly, we recognize the power of strategic partnerships. Through active collaboration with regulators like the Bank of Ghana, industry peers, and global threat intelligence communities such as FIRST, we ensure the Bank remains adaptive and informed in an increasingly complex threat landscape.
Q: You’ve led ISO 27001, 27701, PCI DSS, and several other compliance projects. What advice do you have for CISOs navigating complex regulatory environments in Africa?
A: Having led ISO 27001, ISO 27701, PCI DSS, SWIFT CSP, and national cybersecurity compliance initiatives across multiple African banks, I’ve come to understand that regulatory complexity in our region is not simply a matter of ticking boxes it’s about building sustainable trust and resilient organizations.
My foremost advice to fellow CISOs is to treat compliance not as an audit event, but as a strategic journey toward business resilience. Africa’s regulatory landscape is evolving rapidly, with data protection laws, national cybersecurity acts, and sector-specific directives emerging across jurisdictions. The real challenge lies in the lack of harmonization, overlapping requirements, and limited implementation guidance.
Equally important is building proactive relationships with regulators. Instead of waiting for audits, it is necessary to engage early seeking clarification where needed and, where possible, contributing to policy conversations. For example, I’ve actively engaged the national cybersecurity authorities of Ghana on the practical challenges of meeting certain regulatory requirements such as source code escrow within modern agile and SaaS development environments.
Q: Many organizations struggle with building a strong security culture. Can you share how your Cybersecurity Champions program helped promote awareness across your teams?
A: Like many banks, we faced the challenge of making security resonate beyond the confines of the IT and cybersecurity teams. Policies and mandatory trainings alone weren’t moving the needle. What we needed was a human bridge between cybersecurity and day-to-day business operations and that’s exactly what our champions became.
We selected and trained enthusiastic employees from across departments, empowering them to act as cybersecurity advocates within their respective teams.
Through regular knowledge-sharing sessions, updates on emerging threats, and incentive programs that rewarded cyber vigilance, we equipped these champions to promote secure behavior, escalate suspicious activity, and challenge unsafe practices.
Most importantly, cybersecurity began to shift from being seen as a “technical” responsibility to a shared organizational value.
Our Cybersecurity Champions didn’t just raise awareness, they fostered a culture of collective defense. In an era where human behavior often determines the success or failure of cyber defense, that cultural shift has proven more powerful than any single tool or policy.
Q: With your experience managing 24/7 Security Operations Centers (SOCs), what are the biggest challenges in incident response readiness, and how do you overcome them?
A: Managing a 24/7 Security Operations Center (SOC) has reinforced a critical truth: incident response readiness is not just about tools, it’s about preparation, coordination, and clarity under pressure. One of the most significant challenges we faced was ensuring cross-functional alignment during an incident. While technical teams can detect and contain threats quickly, delays often occur when engaging operations and business units—especially when regulatory obligations or reputational risks are at stake.
To address this, we developed a comprehensive incident response playbook and a crisis management policy that clearly defines roles, responsibilities, and escalation paths across the entire organization, not just within cybersecurity. We conduct regular tabletop exercises and live simulations involving executives, operations and business staff.
Finally, alert fatigue and analyst burnout are real in a 24/7 SOC environment. We implemented shift rotations, rule optimization to reduce false positives, and continuous skills development to keep morale high and responses sharp.
In the end, incident readiness is built on constant rehearsal and continuous improvement.
As the military often says, “Hard training, easy battle.” The more we prepare during peacetime, the more effective and confident we are during a crisis.
Q: Given your background in both auditing and technology implementation, how do you balance risk management with enabling innovation in financial services?
A: With a background that bridges both technology implementation and internal auditing, I’ve often found myself navigating the delicate balance between two essential forces in financial services: innovation and control. The pressure to digitize, personalize, and accelerate service delivery is relentless. However, as we embrace transformative technologies such as AI, cloud computing, and open APIs, we must also contend with an increasingly complex risk landscape.
Striking the right balance begins with early engagement. In every major transformation be it core banking modernization, cloud migration, or fintech collaboration we embed risk and cybersecurity considerations from the outset.
Secondly, we employ a risk-based framework rather than a one-size-fits-all approach. Not every initiative requires the same level of control. By classifying innovations based on business impact and criticality, we ensure that security and compliance efforts are prioritized where they matter most preserving agility while protecting customer trust and regulatory integrity.
Q: Cloud security and IAM are major themes in your work. How are you approaching Zero Trust and identity governance in the banking sector today?
A: In today’s cloud-first and hybrid work environment, traditional perimeter-based security models have become obsolete. We’ve embraced a modern security architecture rooted in Zero Trust and robust identity governance because in the digital era, identity is the new perimeter.
Our Zero Trust journey began with a strategic focus on identity governance and access control. We implemented fine-grained role-based access, automated user provisioning and de-provisioning, and enforced strict segregation of duties.
Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) have become standard for both internal and external users, providing an added layer of assurance.
But Zero Trust extends far beyond authentication. We’ve deployed continuous monitoring and user behavior analytics to detect anomalies in real time, reduce the risk of lateral movement, and respond to threats before they escalate.
In banking, trust is our greatest asset. By adopting Zero Trust principles and embedding strong identity governance, we are not only protecting our systems, we are reinforcing the digital trust that underpins every customer relationship.
Q: You’ve also worked as a trainer and technologist. How important is upskilling in cybersecurity, and how do you structure internal training to keep teams resilient?
A: As both a cybersecurity trainer and technologist, I’ve seen firsthand that tools alone do not defend an organization, people do. In an environment where cyber threats evolve daily, upskilling is not just important, it is essential. The difference between a contained incident and a catastrophic breach often comes down to how quickly and confidently an organization and its people can respond.
In institutions I’ve had the privilege of supporting, we’ve adopted a layered and structured approach to internal cybersecurity training. The foundation begins with role-based learning: SOC analysts undergo intensive technical drills, while risk managers, auditors, and compliance officers engage in workshops on threat modeling and regulatory frameworks.
Our training methodology is deliberately diverse. We blend hands-on labs and red/blue team exercises for technical teams with phishing simulations, webinars, microlearning modules, and face-to-face sessions for non-technical staff.
We recognize that upskilling is not a one-time event, it is a continuous cycle. To sustain this, we have built partnerships with certification bodies and academic institutions, while nurturing a strong internal knowledge-sharing culture through regular sessions and communities of practice.
Q: Looking ahead, what emerging threats or trends should CISOs in Africa and beyond be preparing for in the next 3–5 years?
A: As CISOs across Africa look toward the future, we must prepare for a cybersecurity landscape that is becoming increasingly complex and dynamic. The next 3 to 5 years will challenge not only our technologies but also our agility, foresight, and strategic resilience.
One of the most significant emerging risks is the weaponization of artificial intelligence (AI). Cybercriminals are already exploiting generative AI to launch highly personalized phishing campaigns, deepfake fraud, and automated attacks at unprecedented scale. These developments raise the stakes for social engineering and identity compromise, making it imperative for organizations to strengthen identity verification and awareness across all levels.
Equally concerning is the rise in supply chain and third-party attacks. As financial institutions accelerate digital transformation and deepen integration with fintechs, cloud providers, and API ecosystems, the attack surface is expanding.
In parallel, we are witnessing a trend toward regulatory convergence and stronger enforcement across African jurisdictions. With data protection, cybersecurity, and digital finance laws maturing, CISOs must navigate complex cross-border compliance requirements while building resilient systems aligned with international standards and best practices.
Lastly, the cybersecurity talent gap remains a pressing challenge. To secure the future, we must prioritize the development of local expertise, invest in continuous upskilling, and foster the next generation of cybersecurity professionals.
While the future is unpredictable, one truth remains: proactive, intelligence-driven, and business-aligned cybersecurity will define the next generation of resilient organizations across Africa and beyond.
