The changing profile of cybersecurity decision-makers
Martin Rudd, CTO, Telesoft Technologies, explores the changing profile of cybersecurity decision makers in his latest exclusive with FinTech.
Cybersecurity hasn’t always been a priority for businesses. Until recently, arguing for changes in process or the need for new technology was an uphill battle. After all, the majority of an organisation’s C-suite and board members will have tended not to be especially tech-literate, much less concerned with specific issues such as security. As a result, the pleas of engineers and those tasked with maintaining threat intelligence would often fall on deaf ears.
Things are different today, however. For one thing, the rising threat of cyber-attacks has become hard to ignore. High-profile data breaches make the news on an almost daily basis, with financial services firms coming under attack 300 times more than organisations in any other industry, according to Boston Consulting Group. In addition, the profile of those charged with making decisions around their organisation’s data security is changing. Many of those now entering the workforce - and taking seats on the board - understand digital technology, and have the expertise and experience to recognise and address the situation.
Changes in circumstance mean individuals must now take a different approach to the way they introduce and discuss cybersecurity with decision-makers. But, at the same time, it’s important they consider those ‘old school’ board members whose knowledge of technology may be less advanced.
Generational and technological shifts
A Korn Ferry study into the demographics of the C-suite found the average age of members to be 54. While that’s at the older end of ‘Generation X’, they’re technically the first digital natives, having grown up witnessing first-hand the evolution of modern computing and the internet.
This is good for business. According to research from MIT Sloan, companies with digitally savvy boards significantly outperformed other companies in terms of revenue growth, return on assets, and market cap growth. Indeed, Gartner reports a growing demand from businesses for board members with skills in areas of technology such as AI, machine learning, and cybersecurity; this is fuelling greater board representation from organisations' more technical areas. Engineers and members of IT and tech departments are no longer seen as isolated back-office employees; they actively empower the frontline, and their knowledge of digital tools is wanted at the highest level of management.
Even if companies aren’t proactively aiding it, the evolution to a more tech-savvy C-suite will likely happen organically as generations progress. With the expectation that Millennials will account for up to three quarters of the workforce in the next five years, that digital knowledge will naturally move upwards. That means decisions around the adoption of new cybersecurity technology are going to be based on more than simply what it is or what it protects against. There will be a bigger picture to consider and new questions to be answered: does it fit with the company’s culture? Does it enable seamless interactions between employees and customers? Does it provide a solid framework for the adoption of future innovation? Technology, and cybersecurity in particular, will be a vital driver within a business’s everyday life.
In the present, however, a mixture of C-suite capabilities means that each board needs to be approached in different ways when it comes to initiating conversations around adopting new technology. While there might be less need to spell out the advantages of the technologies in very simple terms, differing priorities mean some individuals will still need to be convinced of the benefits of focusing investment in cybersecurity over other options that may produce more obvious returns. For these more ‘old school’ decision-makers, a more evidence-based pitch approach is likely to be the most effective.
Persuasive facts and statistics
Attacks can be extremely costly - recent research by IBM and the Ponemon Institute put the average total cost of a data breach at £2.7mn - and they’re increasing at a terrifying rate. The number of data breaches reported by UK financial services firms to the FCA in 2018 was 480 percent higher than in the previous year.
Of course, the cost goes far beyond refunds and reparations. Obligations under the GDPR mean breached organisations could find themselves liable for eye-wateringly high financial penalties. British Airways, for example, was fined more than £183 million after hackers stole the personal details of half a million of its customers. Perhaps the most costly ramification, though, is the damage to reputation. Share prices and brand trust drop, customers leave and potential ones look elsewhere. For some, a major breach can be fatal.
Ultimately, the case for robust cybersecurity, once just a nice-to-have, is clearly very persuasive and can be hard for any board member to ignore. It’s now key to the survival of every business. But, as the threat landscape continues to evolve, so too do the knowledge and experience of the C-suite. Persuading decision-makers to invest in a security solution may not be as straightforward as simply presenting an overview of its benefits. For many, the conversation has matured. For others, the facts should speak for themselves. There’s simply no ‘one-size-fits-all’; selling security today requires new strategies.
Open Finance: The future of data sharing
Data: What is it good for?
Although most of us probably don’t consider it as such, data could be regarded as one of the most recyclable commodities on Earth. Every day, consumers produce it, companies collect it, extract the value, transform it into actionable insights, and then create new products and services for the market. From here the cycle continues, and the results it’s produced for financial service institutions (FSIs) so far have been favourable.
Data sharing can be best understood as a consent-based agreement by which privacy is waived in a limited capacity for commercial purposes. Customers gain products that have higher relevance to their lives while FSIs reap enhanced marketing and development opportunities. In Deloitte’s article ‘’, the overall FSI benefits of data sharing are summarised into three categories:
- Inbound data-sharing (acquiring data from third parties) = enriched decision-making.
- Outbound data-sharing (sharing owned data with third parties) = enabling companies to draw on capabilities otherwise undeveloped within their own organisation.
- Collaborative data-sharing (inbound and outbound sharing of similar forms of data) = allowing companies to create richer, larger and more comprehensive datasets than siloed efforts could achieve. This is particularly important as forming ‘data lakes’ becomes more popular.
And yet, despite the mutual benefits of data sharing, there still exist several potential drawbacks and aversions to overcome. For customers, there is a persistent reluctance to share sensitive data - found that approximately 44.3% of US fintech app users experienced some degree of discomfort, whether related to account balances, loan history or investment information. Worse, a conducted on behalf of IBM found that only 20% of respondents “completely trust” organisations to properly maintain their data. With incidents of compromised security involving major companies like Capital One and Microsoft still making headlines, this is, perhaps, not surprising.
Benefits of data sharing:
- For institutions: better decision-making, access to third-party capabilities, greater scale of data
- For regulators: support for innovation and competition, enables effective system oversight
- For customers: access to higher quality and more efficient products

Risks of data sharing:
- For institutions: competition hindered by lack of secrecy, could breach privacy regulations, could potentially alienate customers by appearing ‘omniscient’
- For regulators: possible breach of customer privacy
- For customers: personal data could be mishandled or misused

(Above from World Economic Forum)
Data sharing is also not without risks for FSIs themselves: creating such a forthcoming environment could erode competitiveness by handing too much information to rivals, complex and evolving privacy regulations like GDPR and PSD2 could be breached by unforeseen tech developments, or companies could simply alienate clients by appearing too omniscient for comfort.
Among VC firms and investors, data sharing is an important decision-making component, particularly during early-stage investment. Michael Conn, Chairman, CEO, and Co-Chief Investment Officer at Zilliqa Capital, explains, “It is important that the target investment team be open and willing to share the data reflecting their performance to date, the market opportunity and any other metrics that would help demonstrate why they are a better investment than another in the same space.” However, at the same time, Conn clarifies that the value of data today can sometimes be overemphasized; for Zilliqa Capital, the quality of a potential investment’s team is often more of a determining factor. “The fact is that most, if not all businesses, will at some point be forced to pivot away from their initial plans - see Amazon. It is just not possible for data analytics, at least as of now, to prove itself superior to gut instinct when evaluating the quality of an investment target’s team.”
If not fully utilisable as a resource for decision-making, then, what’s needed is a re-evaluation of data sharing, both in terms of its place within modern finance and the methods by which its present shortcomings can be overcome. Open Finance and API (application programming interface) technology could represent such an opportunity.
Open Finance’s value proposition
“Open Finance is all about empowering customers,” explains Jack Wilson, Head of Policy and Regulatory Affairs at TrueLayer. “It gives customers the ability and the right to re-use their financial data in new and innovative ways. It does this by giving a role to third-party providers, who securely retrieve data and put it to work for the customer.” These actors can do so in a variety of ways, such as:
- Consolidating multiple held accounts into a unified view
- Facilitating electronic data transmission that eliminates the need for physical documents when applying for financial products
- Using account data as a form of identity verification
These capabilities are utilised in one of Open Finance’s most widely discussed aspects: Open Banking. Defined by as “a collaborative model in which banking data is shared through APIs between two or more unaffiliated parties to deliver enhanced capabilities to the marketplace,” Open Banking allows for a more direct consumer-bank relationship. The APIs themselves can be of three distinct models: public, partner and internal, each of which has specific functions and benefits. Regarding the latter, these include overall cost reductions, increased operational efficiency, enhanced innovation through collaboration with developer communities, and greater security.
“Consumers are increasingly demanding financial data aggregation services through APIs because it makes personal financial management much easier,” says Thomas J. Curry, Co-Chair of the Banking and Financial Services group at Nutter and former US Comptroller of the Currency. “Banks and fintechs each want to be the primary portal for financial services and they are competing to keep or obtain the customer relationship.”
- Public: APIs used by external parties to develop new apps and products. These often facilitate innovative results as a consequence of broader community engagement.
- Partner: These APIs create a more integrated connection between business partners, suppliers, etc. They offer better security, lower operating costs, and enable API monetisation opportunities.
- Internal: Only used by developers within a single enterprise, internal APIs offer cost reduction, better efficiency and greater security. However, they also lack potential with regard to integration and innovation.
(Above from McKinsey & Co)
“Open Finance, which broadens out the types of accounts accessed, could offer yet more benefits for both customers and companies,” adds Wilson. He cites the following:
- Aggregated savings and investment data, bringing more holistic financial oversight to consumers.
- Granting access to data that can bring value-added services, such as financial advice, “robo-advice”, better ID verification, and KYC.
- Empowering third parties to carry out fund transfers between customer accounts (savings, ISAs, investments, etc) and initiate account switching.
Security: The elephant in the room
Carried out in its most ideal form, then, Open Finance’s benefits for both customers and companies make it an attractive proposition. However, there remains what McKinsey calls the topic’s “elephant in the room”: security. Data sharing in any capacity should be a central concern, with each dataset’s value accorded an appropriate level of protection, and customers need to understand how and why some data is used. “[I]nformed consent requires understanding the implications of sharing before approving—no small feat when the reflexive clicking of ‘I Agree’ on an unread set of terms and conditions is standard,” said McKinsey in ‘Data sharing and open banking’. Curry believes that cybersecurity and the protection of data form the major concerns for fintechs and banks regarding APIs’ functionality. “[In the US] Section 1033 of the Dodd-Frank Act makes it clear that consumers have a right to their financial information. Some progress has been made in developing voluntary standards for APIs but regulatory clarity is needed. The Biden CFPB (Consumer Financial Protection Bureau) will likely develop a more concrete regulatory framework for APIs.”
Therefore, it seems clear that, in addition to general clarity regarding data sharing policies, what customers really need are examples that demonstrate why APIs are beneficial and what Open Finance can do for them.
A recent between TrueLayer and UK digital bank Monzo provided one such demonstration. With customers using Open Finance as a payment method for online gambling, Monzo needed a solution to protect its at-risk customers by blocking transactions to certain gaming sites. TrueLayer was brought on board to implement an enhanced API capable of notifying the bank whenever a customer with gambling restrictions on their account attempted to pay via Open Finance. TS Anil, Monzo’s CEO, praised the API and stated that it was “simple to build, proven to work, and will help protect hundreds of thousands of people.” The finance industry’s accumulation of such examples will be pivotal in convincing consumers that data sharing can be responsible and useful for safeguarding them.
Data sharing through Open Finance is ultimately a path towards greater convenience, better products and services, and significantly cheaper operations for FSIs. Making sure that customers are aware of these benefits, concludes Wilson, will be the aim of the game. “At the very least, dealing with physical paperwork and documentation in financial transactions will become a thing of the past.”