What challenges does the financial sector face when it comes to technology and regulation? Could the restrictions imposed mean that such organisations aren’t able to operate at their best – spending more time meeting stringent regulations than implementing technology that could enable them to work more effectively? At our recent roundtable event at the Ritz we invited some of our customers from leading organisations within the financial sector to discuss issues such as these and more. So…
What did we learn?
The most common thread that emerged from the evening was that excess regulation and government intervention are bad for the industry and don’t serve the public good. Each table came to the same conclusion: that the industry should be allowed to self-regulate with regard to data security, IT and identity management. That’s not to say that there wouldn’t be stiff penalties for companies who fail in their duty to protect their data and their customers; if anything, the room felt that the penalties should be far stiffer than those currently proposed. We also saw that the industry wants more freedom to innovate. Innovation will require some changes in how security, data and personal information are handled, and it’s this innovation that will create the competitive differentiation among British finance industry players in the years to come.
Compliance vs Complacence
The whole room broadly agreed that compliance was letting down the industry as a whole. None of the “regulatory requirements” being pushed on finance providers seem to be helping prevent data loss, identity theft, fraud and the other negative cyber incidents consumers suffer. There was broad agreement that the answer would lie in some form of independent (non-governmental) entity, funded in part by the government and in part by the industry in a way that gives neither undue influence, which could oversee firms’ behaviour not from the point of view of regulatory compliance but from the point of view of successful results. It was also widely discussed that the industry and the public need to come quite a distance from where they are today with regard to how data is classified. There’s a real issue with understanding what data is actually sensitive and private versus what data is really harmless. The classification of data has massive impacts on the question of whether a breach is due to negligence or malicious action. Without understanding the true value of the data leaked, it’s impossible to determine the underlying motives of the parties involved. Was it simply hacking for sport and bragging rights, or did the attackers have some specific gain in mind? Fortunately, there are a number of solutions available today that are designed to help organisations move beyond device management and achieve data management. This is a perfect starting point for a more in-depth discussion with the experts at Exponential-e.
Technology vs Identity Management
Where once biometrics were unthinkable, we seem to have reached a point, with the proliferation of fingerprint readers in modern business laptops and smartphones, where we’re willing to entertain using our biometric data as a form of identity management. The consensus of the room, however, was that one factor (whether biometric or not) would never be enough. Identity management, as it turns out, is one of those areas where we all agreed the consumer needed to be given choice. Allowing individual consumers to decide which method of identity management they prefer from a selection of equally reasonable systems was a key feature of each table’s discussion. It was also made clear that while we can offer the use of smart devices and other modern bits of technology as one of the choices, limiting ourselves to just these devices would be a mistake. One possible solution was the deployment of some type of blockchain system where the tokens are not physical but also not replicable and not “owned or controlled” by anyone, meaning they could be used on a variety of devices and in a variety of ways but still offer nearly perfect identification. Perhaps the most interesting take-away, however, was the number of discussions around location tracking. Again, once the sole purview of scary big-brother scenarios, it seems that attitudes have changed. From public safety and emergency management to a factor in security and identity management – it seems that there are many applications for location-aware technology. Smart WLAN systems are one way to deliver location awareness and are another great starting point for a discussion with Exponential-e.
DIY vs Outsourcing
It was welcome to see that amongst this group there was no question that the services best outsourced are common commodity services (regardless of the importance of the data they hold or work with), and that DIY is more than an option: it’s essential for competitive differentiation. Where perhaps the largest outpouring of agreement happened, however, was in the rejection of frameworks and pre-approved suppliers. It was obvious to everyone in the room that the approach being taken by the public sector would only serve to reduce competitive differentiation, agility and creativity, and that the finance sector wants no part of it. C-BEST already constrains the options an organisation covered by the rules can work with for security testing and verification. This was perhaps acceptable, but when it came to the design, provision and supply of ongoing and operational outsourcing services, the industry wants choice (and its own due diligence) to reign supreme. There was also the prickly question of risk transference and reliability. The discussions centred on whether it was ever appropriate for an outside service provider to underwrite the operational risk of failure of the systems they were operating, or whether it was sufficient for their agreements to be written to mitigate the risk. This is certainly the case with Exponential-e; it’s common for them to provide a reverse hybrid (hosted / cloud primary, on-premises backup) or, through novation, separately colocated equipment.
By the end of the night it was clear that the finance industry is not content to sit still, nor to wait for outside government intervention to tackle cyber security. It’s keen to look at how it can make the most of outsourcing and the cloud while simultaneously improving the visibility and innovation capacity of its internal teams. There’s a real willingness to experiment with identity management and to develop new and innovative products and solutions for clients. The only question is going to be how data is classified and managed in the future as IT continues to become more complex, more mobile and more accessible.