By Altaz Valani, Director of Insights Research at Security Compass.
The combination of digitisation and innovation has fundamentally changed the outlook for companies within the fintech and financial services sector. In a time of unprecedented disruption, the rate of change is accelerating, and these organisations face crucial decisions as technology shifts with customer expectations and changes in the regulatory landscape.
However, innovation that is not properly implemented comes at a price, and in many cases that price is greater exposure to security breaches and new vulnerabilities. These technology-led initiatives, from digitisation to robotic process automation, AI and biometric authentication, expand the volume of customer data at risk while also enabling more sophisticated cyber-attacks. As a result, the financial services system faces challenges, both internal and external, in managing innovation-driven cyber-risk: internally, around technology and expertise; externally, around coordination with regulators and across the industry.
In a way, this is hardly surprising. The competitive nature of the fintech and financial services sector means that firms need to innovate and scale quickly to achieve a faster time to market. The fintech sector is expected to keep growing and to be worth $300bn by 2022, so it is understandable that many companies are eager to grab as much of the pie as possible.
However, the increased appetite for innovation and growth needs to be balanced with robust security and risk management to prevent breaches and limit the impact of those that do occur. Security risks evolve continuously with each new digital product and service, and with every change to corporate compliance and data-handling requirements. The business impact of vulnerabilities introduced by innovation can seriously hamper service delivery and market growth, which makes the need for robust cybersecurity strategies all the more important.
The cloud conundrum
For several years, the cloud has been the most significant recipient of both investment and innovation in the financial services sector. With most companies having moved their IT infrastructure to the cloud, the next round of adoption will be driven by the migration of core business applications in line with both enhanced and new customer service offerings. Many of these organisations are rapidly developing and deploying new apps for the digital world directly in the cloud, while cloud service providers keep extending what they offer their customers through analytics-as-a-service and automation-as-a-service capabilities.
However, in the rush for cloud adoption and deployment, it is vital to ensure that security and compliance requirements are met along the way. The strategic alignment of security and digital delivery is one of the more complex challenges for executives in the financial services space, and increasingly, organisations are turning to Balanced Development Automation (BDA) to solve it.
BDA works by aligning DevOps with security, so that security is baked into the software development process rather than bolted on afterwards. It acts as a guide through every step of software development, enabling DevOps teams to deliver secure products.
To ensure success and a competitive edge in the long run, organisations will need to create synergies between DevOps, security and business teams.
With an increasing amount of data and applications moving to the cloud, managing cybersecurity risk becomes critical. Historically, because of the value of the information it holds, the financial services industry has been one of the primary targets for data breaches. Migrating to the cloud also widens the attack surface of applications: services that once sat behind a corporate perimeter become reachable over the internet, and identity, configuration and third-party integrations become new points of failure.
All this makes the need to balance innovation with due diligence at the start of the product development cycle even more vital within the financial services market. Businesses need to consider the different layers of the product development cycle and ensure that security checks are built into the process from the beginning.
Firstly, security must equip the development team with an awareness of what is required from a security controls point of view, and the same goes for risk and compliance. Certain guardrails need to be set, and developers need to know from the start that working within those parameters is part of their job.
Secondly, while that first line of defence is being executed, the next stage is to examine the metrics based on existing controls as well as new and emerging risks. The result may be new controls, but they need to be introduced with an understanding of their impact, based on cost and business exposure. Ultimately, it is a business decision to determine the right risk threshold.
The final stage of the BDA process lies with the traditional audit and senior management boards, who offer a governance perspective and ensure that the business is protected and has strong assurances in place. Metrics collected in the two stages above are rolled up to this level, where the KPIs are based on core business concerns: compliance, resilience, reputation, cost and so on.
These three stages give firms in the financial services sector a BDA programme that is aligned with business objectives while setting appropriate guardrails to govern the execution and delivery of software. This alignment is what allows DevOps and security teams to develop in a balanced way, enabling the business while managing its risk.
Ultimately, the success or failure of a modern financial services company can depend on how it balances the innovative use of technology with maintaining privacy and protecting its customers. To capitalise on emerging growth opportunities, financial firms need to be flexible in adopting new technologies such as the cloud, while complying with regulations and protecting the company's reputation. The key lies in this delicate balance between moving forward, managing threats and maintaining data privacy.
Therefore, by adopting BDA to identify and address risks at the very start, the financial services industry can significantly reduce remediation costs and build security into every application from the beginning. Organisations also gain real-time traceability of the security controls that have been implemented. Ultimately, this approach allows companies to align security, compliance and risk priorities with business needs.