Rob Lay, Customer Solutions Architect in UK & Ireland, Fujitsu
We live in a world that is characterised by innovation, and FinTech is the latest significant demonstration of this. As with many areas of IT, businesses are looking for ways to make their business processes more efficient, more dynamic, less onerous from a management perspective, and fundamentally more profitable. FinTech is a great example of this by enabling faster, more effective payments and financial transactions which carry a significantly lower administrative overhead. Thanks to automation, businesses are able to reduce overheads, deliver better customer service and therefore drive better profits and customer satisfaction levels.
But these advancements also carry risks. The same businesses that benefit from the advances in technology – not just in FinTech but across IT – can also suffer should customer data get lost or payments get intercepted. This is nothing new – FinTech has not introduced any new challenge – but it is another example of how a company must consider its broad risk portfolio when looking at new innovation.
With security rapidly becoming a non-discretionary spend item at board level, and the increasingly digital nature of business, companies need to ensure more than ever that they include security as a standard part of how their business functions. This includes technical elements such as ensuring that security is included in the software development lifecycle, but also has to extend to the broader business.
Development of an information or cyber security strategy, and more importantly the alignment of this strategy with the broader business goals is key to ensuring its inclusion and that it has the appropriate support from stakeholders. However, few businesses will have unlimited security budgets, and equally will be wanting to prioritise spend on innovations that will help drive the business forward such as FinTech. So the challenge remains – how can businesses develop an approach that allows them to apply appropriate levels of investment in the correct places to enable the business to deliver against its goals whilst remaining secure?
A risk based approach is the best route to take as it allows the business to determine their risk appetite, based on their business strategy, market conditions, and the competitive market place. This allows businesses to remain agile, changing their risk appetite as necessary and ensuring that they are able to mitigate their risks accordingly. More importantly, businesses should strive to understand the threat landscape that they specifically face. The sheer volume of threats that exist today means that trying to protect from everything is a route to failure. By working with partners and drawing on sources of threat intelligence, companies can develop a view of the threat landscape which is relevant not only to their sector, but to their business. The result is the ability to accurately target security focus and investment, ensuring that the company is able to mitigate those threats that pose it the most significant risk.
One of the most important aspects of the risk based approach, is to develop an ongoing risk management process that allows businesses to ensure that they are able to manage and understand their risk on an ongoing basis. Whilst a risk assessment is a key part of this, it only provides a point in time view of the risks that the business faces. Risks change and develop over time and it is important that businesses are able to understand these changes and ensure that the mitigation for those risks is reviewed and changed as appropriate.
Companies should also remain cognisant that whilst they can maintain a risk based approach to securing their business, they should also remain ready to respond in the event of a breach or incident. Many companies do not have sufficient mature incident response processes in place to ensure that small and potentially insignificant incidents do not end up becoming major issues. Businesses should look to develop, mature and practice incident response processes to ensure that all the relevant staff and business areas understand their roles. This will help businesses respond quickly and efficiently to issues and incidents when they occur.
In general, businesses should always look to embrace new technologies, ways of working and automation capabilities, however this has to be done in a way that aligns with the businesses’ strategy and the threat profile that it faces. Once these are understood, informed business decisions can be taken that allow companies to remain competitive and in control despite an ever changing threat landscape.