When it comes to technology upgrades, especially large-scale security enhancements, IT service rooms are teeming with striking illustrations of why “extract and replace” is not an optimal strategy.
It’s a tactile process that is sometimes likened to changing the engines of an airplane in mid-flight, and it was at the heart of a conversation PYMNTS hosted with a panel of experts including Fastly Senior Vice President Dana Wolf, Cross River Bank Technology Chief of Staff Jesse Honigberg and Bank Independent Director of Information Technology Greg Solomon.
As the advent of advanced technologies – and platforms – makes it easier to approach and deploy new security offerings, this group was also aware of a type of risk that security teams face in the form of a “spread of tools”.
In a nutshell, adding new security features while existing systems are still in place at financial institutions (FIs) can be a tactical headache. No business wants to replace a bad process with a new bad process.
An infrastructure-independent approach, the panelists said, can offer the best and smoothest path to digital transformation.
Done right, safety and innovation can be synonymous and can help FIs serve younger and digitally savvy consumers where they want to be served (through channels, especially digital channels).
Do it wrong, Fastly’s Wolf noted, and the FI’s relationship with these young consumers may be at risk.
“They expect this great experience and they expect security from the start – and any slight deviation prevents them from trusting and taking the next step,” she said.
Consolidating that level of trust and bringing DevOps and other operations together within the FI to embrace a digital upgrade is no easy task – in fact, it’s mostly an aspiration.
So let’s come back to the airplane analogy. Honigberg of Cross River said that when the plane is on the ground, so to speak, the key to making sure it can fly is to perform maintenance bit by bit, gradually, as needed – before the screws come loose.
“Whether it’s an airplane or a bank, you have to be thinking about the same,” he said. Honigberg recommended that banks create a “core” security foundation – and build or extend functionality here and there.
Along with the incremental approach, it’s important to make things as transparent as possible, he said, to improve the customer experience.
Yet the customer experience is not uniform: banks have different customers, after all, for different services. Digitally-driven (maybe even digital-only) millennials will have totally different expectations and security needs than baby boomers who write checks. Give people the right tools, seamlessly, Honigberg said, and customers will make their own way through banking apps and platforms, embracing self-service functionality along the way.
Fastly’s Wolf said banks need to make these self-service activities worthwhile – or banks risk losing customers, who will quickly abandon FI platforms. Banks, Solomon said, must also monitor channel changes in real time.
“Banks have to evolve with the needs of customers. And the security behind [new offerings] must also evolve with it,” he said. Otherwise, there will be gaps in how customers who write checks can be served when they switch to mobile capture or other features hosted in an app.
Privacy is part of security
Wolf noted that as consumers move more and more online, data privacy is part of the security equation.
PYMNTS’ own data shows that 60% of consumers are concerned about how their information is being used online.
And as Bank Independent’s Solomon said, any approach to banking security “really depends on how you are going to protect your customer data and your business information.”
At least some of these concerns can be allayed by, as Honigberg said, an explanation of PCI certification and SOC implementations.
“Depending on who your customers are and what concerns them, these are the substantial investments you make that underscore your commitment to being at the table,” he said. For business clients of FIs, he said, external validations and certifications are an integral part of the course and go a long way in cementing relationships.
No easy solution
Beware of the mindset that says when it comes to security, you just have to embrace the platform. Platform implementations, Honigberg said, are easy to start and difficult to complete. Wolf recommended that a platform initiative be linked to an incremental process.
“Rip and replace is maybe more of the ‘lift and shift’ type,” Honigberg said. “And so maybe you lift your old data center and move the workloads to AWS or Azure. And when you do that, you think about how you secure those workloads, how you optimize them, how you think about the messaging bus infrastructure.”
Solomon noted that banks must grapple with decisions related to on-premise and cloud systems. While banks can’t be independent of how things change and evolve, they can be infrastructure independent – and good third-party SaaS solutions have value, regardless of the vendor.
Open-mindedness can pay off, depending on the discussion. Connecting with the right suppliers, the panelists said, helps avoid “tool spreading” and helps FIs use money wisely.
Honigberg said: “It’s a reasonable approach to be agnostic and flexible while still keeping some of the scale and avoiding the commodity delivery aspects as much as possible.” Being flexible, Wolf added, means FIs can avoid configuration errors, which is a point of vulnerability for data breaches.
Financial institutions that incrementally adopt platforms, identify the gaps and fill them, the panelists said, can gain better visibility into the customer experience.
Honigberg said: “It’s not necessarily about ticking the box to say you have ‘something’ [for security] – it’s about making sure your customers understand how you deliver it and the big guys know how to use it and extract value.” Visibility, Wolf said, and the study of real-time data lead to monitoring. Control is more important than ever in the age of the pandemic, in the work-from-home environment when DevOps and security teams are far away – and of course, banks, as always, are regulated entities.
As Honigberg pointed out, in the midst of the great digital shift, banks have been allowed to speed things up that they thought they could never do or that they weren’t ready for … especially when it comes to more complex and nuanced business processes.
Solomon added, “It’s an ever-changing environment as technology evolves and our requirements change from year to year – and keeping up with that is a challenge.”