It’s hard to remember at this distance, but the IT security function for most businesses has its roots in the relatively humble work of compliance. That hardly describes its mission-critical purpose now, which is to actively keep cyber bad-guys out—to protect data and systems whenever possible and, when it’s not, to help the company bounce back to normal business operations as quickly as possible.
In this fourth and final blog in this series on cyber resilience in financial services (for background, see our very first post), I want to look ahead and reflect on how cybersecurity may evolve in the coming years.
Let’s look at security starting from its origins as a support function. Support functions in general—finance, procurement, HR and so forth—have evolved from their traditional emphasis on “efficiency” to focus more on the value-added services they can bring to create greater business value and help deliver on business goals.
This is a cycle: a critical support function first focuses on performing its objectives (such as closing the books), then evolves to be more efficient. Finally, with the operational aspects running smoothly, it builds on top of that and positions itself as an adviser to the business.
What value-added services will the cybersecurity function bring to the business in the future? Three should be especially important:
1. Creating a more effective customer experience
In financial services, the security function plays a large role in how the customer experiences your company. That’s because the first step in most interactions with a financial services firm is to prove that you are who you claim to be. Let’s face it, that experience is pretty clunky for the most part, requiring a password with a requisite number of digits, special characters, etc.
Password management among many consumers is not what one might call a “leading practice.” A recent survey of US online users from the Pew Research Center found that about half of adults keep track of their passwords by writing them down. And the two most popular passwords continue to be “password” and “123456.” Not comforting to cyber risk professionals.
Relying on a single password like these is increasingly risky both to the consumer and the company. A large percentage of people keep their passwords in their head, but with so many accounts in so many different places, one can be forgiven for forgetting one or two of them from time to time. (Especially because experts recommend using a different password for each site.) Increasing numbers of people use two-factor or multi-factor authentication, but right now it is being used by only about half of those surveyed by Pew Research.
In other words, password management and use ultimately become an unpleasant experience just at the beginning of a customer interaction.
What’s the best approach to take? The goal of security in financial services should be that identification and authentication become so sophisticated that they recede into the background. The effect would then be much like walking into your local bank branch, where people know you and greet you by name.
With technologies such as facial recognition software and biometrics, that kind of scenario could become commonplace—but only with the right balance and controls.
Biometrics on their own are typically weaker than a password: a face or fingerprint cannot be changed once it leaks, and matching is probabilistic, so a false-accept rate is always being traded against usability. Used instead to unlock a device the customer already possesses, such as a mobile phone that holds a key in its secure hardware, the biometric (something you are) and the device (something you have) together make a strong combination. Layering analytics about usage patterns and location on top of that lets the bank step up authentication only when an attempt looks unusual, and stay out of the way when it does not.
Security professionals should provide the leadership and guidance to balance ease of use with strong authentication. These should not be after-the-fact requirements added to new products but the driving force of the new customer experience.
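To make that layering concrete, here is an added example (not code from the original post or from any bank or vendor) of the decision logic an authentication service might run once the phone has proved possession of its enrolled key and reported its local biometric result: location and usage analytics are folded into a risk score, and the customer is only asked for more when the attempt looks unusual. The weights, thresholds, field names and the sample customer profile are assumptions made for the example.

```python
"""Risk-based authentication: possession + local biometric + behavioural context.

Constructed example; weights, thresholds and the sample profile are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustomerProfile:
    known_devices: frozenset    # devices that enrolled a device-bound key with the bank
    usual_countries: frozenset  # countries the customer normally transacts from
    usual_hours: range          # UTC hours in which the customer is normally active


@dataclass(frozen=True)
class AuthEvent:
    device_id: str
    device_key_verified: bool  # device proved possession of its enrolled key (challenge-response)
    biometric_verified: bool   # device reports the owner passed its local biometric/PIN check
    country: str               # derived from the client's network location
    when: datetime
    amount: float = 0.0        # value of the requested transaction; 0 for a plain login


# Illustrative weights and thresholds, not published values.
ALLOW_BELOW = 30   # score below this: let the customer straight in
DENY_AT = 70       # score at or above this: refuse outright


def risk_score(profile: CustomerProfile, event: AuthEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means a riskier attempt."""
    score, reasons = 0, []
    # A biometric result is only worth anything when the device reporting it has
    # proved it holds its key; an unauthenticated client could simply claim it.
    biometric_ok = event.device_key_verified and event.biometric_verified
    if not event.device_key_verified:
        score += 50
        reasons.append("no device-bound key proof")
    elif event.device_id not in profile.known_devices:
        score += 30
        reasons.append("device not enrolled for this customer")
    if not biometric_ok:
        score += 20
        reasons.append("no trusted local biometric/PIN unlock")
    if event.country not in profile.usual_countries:
        score += 20
        reasons.append(f"unusual country: {event.country}")
    if event.when.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual time of day")
    if event.amount > 1000:
        score += 15
        reasons.append("high-value transaction")
    return score, reasons


def decide(profile: CustomerProfile, event: AuthEvent) -> tuple[str, int, list[str]]:
    """Map the score to allow / step_up / deny.

    'step_up' means the silent factors were not enough and the customer is asked
    for one more (a one-time code or a call-back, say) before the action proceeds.
    """
    score, reasons = risk_score(profile, event)
    if score < ALLOW_BELOW:
        return "allow", score, reasons
    if score < DENY_AT:
        return "step_up", score, reasons
    return "deny", score, reasons


# Constructed sample customer: one enrolled phone, transacts from the US by day.
SAMPLE_PROFILE = CustomerProfile(
    known_devices=frozenset({"phone-A"}),
    usual_countries=frozenset({"US"}),
    usual_hours=range(7, 23),
)
NOON = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)   # constructed timestamps
NIGHT = datetime(2024, 1, 10, 3, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    samples = [
        AuthEvent("phone-A", True, True, "US", NOON),            # routine login
        AuthEvent("phone-B", True, True, "US", NOON),            # new phone
        AuthEvent("phone-A", True, True, "RO", NIGHT, 5000.0),   # odd place and time, big transfer
        AuthEvent("phone-A", False, True, "US", NOON),           # biometric claimed, no key proof
    ]
    for ev in samples:
        print(decide(SAMPLE_PROFILE, ev))
```

The routine login from the enrolled phone scores zero and passes silently, which is the "recedes into the background" experience; a new phone or an unusual place and time triggers a step-up rather than a refusal; and a client that claims a biometric result without proving possession of its key is refused, because that claim cannot be trusted on its own.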
2. Supporting the renaissance of “bricks-and-mortar” banks
Banks have been cutting back on bricks-and-mortar branches for years, moving instead to apps and online services. However, that is starting to change and banks are opening new branches again. The industry went through a phase where the “branch of the future” would be machines and screens, but who wants to use those when you have a screen in your pocket? Instead, branches should become a hybrid where you interact with people to perform more complex transactions or get advice; think of Apple Inc.’s Genius Bar. In a bank, however, you’ll still need to prove who you are. The identification approach will likely blend use of the device in your pocket with various biometric technologies.
Security professionals are positioned to help design the seamless flow between physical identification and the online experience. Historically, the branch would ask for a driver’s license or other government ID to prove who you are, but that is clumsy in today’s digital world and open to abuse by forgers. Forging the cryptographic identity of the device in your pocket is much harder, provided its key lives in the phone’s secure hardware and the phone gates use of that key behind the owner’s biometric or PIN, so that a stolen handset is not by itself an identity; and the interface is much simpler for the customer. Touching the phone to a near-field communication (NFC) reader should be sufficient to authenticate that you are who you say you are, as long as the tap carries a freshly signed challenge rather than a static identifier that could be copied and replayed.
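The tap described above, as an added example (not code from the original post or from any product) of the challenge-response that should travel over the NFC link: the reader issues a fresh nonce, the phone signs it with its device-bound key only after the owner has unlocked it, and the reader rejects replays, stale challenges and handsets that present a device identifier without the key. HMAC with a shared enrolment key stands in for an asymmetric signature so that the example runs on the standard library alone; the reader identifier, timeout and sample key are assumptions.

```python
"""NFC branch tap as a challenge-response against a device-bound key.

Constructed example. HMAC-SHA256 with a shared enrolment key stands in for an
asymmetric signature so the sample runs on the standard library alone; a real
phone would sign with a private key held in its secure hardware and the bank
would store only the public key.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

READER_ID = b"branch-042-desk-1"   # assumption: binds a response to one reader

# Constructed enrolment key for the sample phone; fixed so the example is repeatable.
SAMPLE_DEVICE_KEY = hashlib.sha256(b"constructed enrolment key for phone-A").digest()


def _message(reader_id: bytes, nonce: bytes, device_id: str) -> bytes:
    # Length-delimited so no two field combinations produce the same bytes.
    parts = [reader_id, nonce, device_id.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Phone:
    """Customer's handset. The key never leaves it; its use is gated on the
    owner having just unlocked the phone with a biometric or PIN."""

    def __init__(self, device_id: str, device_key: bytes, owner_unlocked: bool):
        self.device_id = device_id
        self._key = device_key
        self.owner_unlocked = owner_unlocked

    def respond(self, challenge: dict) -> dict:
        if not self.owner_unlocked:
            raise PermissionError("key use requires the owner's biometric or PIN")
        msg = _message(challenge["reader_id"], challenge["nonce"], self.device_id)
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"device_id": self.device_id, "nonce": challenge["nonce"], "tag": tag}


class BranchReader:
    """Bank-side verifier behind the NFC reader."""

    def __init__(self, enrolled_keys: Dict[str, bytes],
                 clock: Callable[[], float], ttl_seconds: float = 30.0):
        self.enrolled_keys = enrolled_keys
        self.clock = clock                           # injectable so expiry can be exercised
        self.ttl = ttl_seconds
        self.outstanding: Dict[bytes, float] = {}    # nonce -> time issued

    def issue_challenge(self) -> dict:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = self.clock()
        return {"reader_id": READER_ID, "nonce": nonce}

    def verify(self, response: dict) -> Tuple[bool, str]:
        # pop(): each nonce may be answered exactly once, which defeats replay
        # of a captured tap. Check this before anything else.
        issued = self.outstanding.pop(response["nonce"], None)
        if issued is None:
            return False, "unknown or already-used nonce"
        if self.clock() - issued > self.ttl:
            return False, "challenge expired"
        key = self.enrolled_keys.get(response["device_id"])
        if key is None:
            return False, "device not enrolled"
        expected = hmac.new(key, _message(READER_ID, response["nonce"], response["device_id"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["tag"]):
            return False, "bad signature: a device id without the key proves nothing"
        return True, f"{response['device_id']} authenticated at {READER_ID.decode()}"


def tap(reader: BranchReader, phone: Phone) -> Tuple[bool, str]:
    """One tap: the reader challenges, the phone answers, the reader verifies."""
    return reader.verify(phone.respond(reader.issue_challenge()))


if __name__ == "__main__":
    clock = [1_000.0]
    reader = BranchReader({"phone-A": SAMPLE_DEVICE_KEY}, lambda: clock[0])
    print(tap(reader, Phone("phone-A", SAMPLE_DEVICE_KEY, True)))       # legitimate tap
    print(tap(reader, Phone("phone-A", b"cloned id, no key", True)))    # copied identifier only
    try:
        tap(reader, Phone("phone-A", SAMPLE_DEVICE_KEY, False))         # locked phone
    except PermissionError as e:
        print("refused:", e)
    ch = reader.issue_challenge()
    resp = Phone("phone-A", SAMPLE_DEVICE_KEY, True).respond(ch)
    clock[0] += 60                                                      # customer dawdled
    print(reader.verify(resp))                                          # expired
```

The three checks in `verify` are the ones that distinguish a tap from a static identifier: a nonce can be answered once, only within a short window, and only by something holding the enrolled key. The `PermissionError` on the locked phone is the possession-plus-biometric combination from the previous section seen from the handset's side.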
3. Analyzing risk exposure
Security should also play a large role in judging your exposure to the others you depend on: customers, third parties or subsidiaries. We’re seeing a rapid expansion of technologies that support quick security and technology risk assessments.
Frankly, some of those assessments live up to their promise and others do not. Some run an extremely complicated analysis that takes several days and includes checking a client’s hosting, searching on the dark web, analyzing customer and employee sentiment and social media, and much more.
That kind of analysis can be useful in several ways. Some banks are starting to use this process before lending money in their commercial lending processes. Many other firms are monitoring their third-party providers and proactively reaching out when they see issues.
The security function has an important role to play here in providing guidance to the business in the evaluation and use of these risk assessment offerings. Professional advice is essential, and who better to give that advice than your security people?
In the insurance industry, these assessment methods and tools are becoming essential as providers move into the area of cyber insurance. In the U.S., the cyber insurance market is growing at about 20-30% year-on-year. As that market matures, the techniques for rapidly assessing cyber risk should start to be married to a growing actuarial database of actual losses, helping to refine the tools and increase their accuracy, at least for managing a portfolio of risk.
Whether we like it or not, IT was never built to be maximally secure in the first place. Significant sums of money are going to be spent locking things down and (hopefully) shutting out the bad guys. In the process, we expect to build a mature set of security capabilities that can become a differentiator for companies that can leverage those capabilities to make smarter decisions in their business dealings in addition to securing their own assets.