For many financial institutions (FIs), digital innovation and cybersecurity seem to be at odds with each other; however, they can unlock more value when integrated. While firms may have strengths in both areas, they might not realize that the two can enhance each other and lead to greater efficiency and safety. Digital capabilities make FIs more attractive to customers, while effective, embedded cybersecurity protocols add trust to their digital offerings.
A common misconception within the industry is that cybersecurity blocks innovation and that the cyber-risk requirements of incumbent financial institutions prevent them from achieving their digital objectives. Leading FIs understand that cybersecurity can be a vital enabler of innovation: digital offerings depend on obtaining or retaining customers’ trust, which fuels the solid customer relationships that become long-term differentiators for FIs.
Integrating cybersecurity and digital will accelerate innovation and growth…
In addition, when FIs integrate cybersecurity resources into their digital teams from the start, they can increase effectiveness and reduce cycle times. When organizations begin to see cybersecurity as enhancing innovation and growth—rather than just preventing breaches—they will generate greater value. What’s more, uniting cybersecurity and digital better positions firms to defend their services and products against cyber threats and become their customers’ trusted digital providers—an increasingly vital role amid today’s fintech-led disruption and competition.
The case for merging digital and cybersecurity is reinforced by a continuing belief among chief information officers (CIOs) across all industries that their cybersecurity defenses are inadequate. EY’s 19th Global Information Security Survey 2016–17—Path to cyber resilience: Sense, resist, react—found that 86 percent of CIOs believe that their cybersecurity functions do not fully meet their organization’s needs. And to make matters worse, the skills to tackle this issue will remain in short supply: the eighth ISC2 Global Information Security Workforce Study estimates that the global shortage of skilled cybersecurity professionals will reach 1.8 million by 2022.
…as advancing artificial intelligence (AI) and fintech intensify the pressure.
Embedding cybersecurity into digital is made all the more important by today’s fast-moving market environment. Rising use of AI and rapid growth in fintech (financial technology) are increasing the pace for all financial institutions; AI is powering a new wave of innovative, responsive digital financial-services offerings from both banks and non-banks, and the fintechs at the leading edge of this innovation are winning rapidly growing usage.
The figures tell their own story. EY’s FinTech Adoption Index 2017, based on more than 22,000 interviews in 20 markets, shows that 33 percent of digitally active global consumers now use fintech solutions. Adoption in the United States has doubled since 2015 and is now in line with the global average—with the US having the highest adoption rates in three of the top five fintech categories: financial-planning tools, savings and investments, and borrowing. And advancing fintech innovation in key aspects of cybersecurity, such as ID authentication and biometrics, is driving banks to re-evaluate their own capabilities in these areas.
However, these new technologies—combined with the rapid pace of change—are creating the “perfect storm” for organized criminals. Through application programming interfaces (APIs) and digitization of customer-facing processes, FIs are opening up their systems to introduce many new interactions—and they face new risks. As a result, the potential attack surface grows exponentially—further increasing the need to embed cybersecurity into solutions from the earliest concept stages.
How is digital transformation impacting cybersecurity?
So the message is clear: cybersecurity and digital innovation should be more integrated at today’s FIs. But why are FIs’ current digital transformation and innovation efforts raising more security concerns than in previous waves of change? For several reasons. While the move to agile design thinking and development opens up new opportunities—including faster speed to market and greater responsiveness to customer needs—it can also create new problems and risks, especially if digital and cybersecurity operate in silos.
Also, cybersecurity and IT (information technology) teams, working under the assumption of “do no harm to the consumer”, generally operate more slowly and more rigidly than their counterparts in digital innovation. On the other hand, digital’s focus on the user and design thinking can force cybersecurity teams out of their comfort zones, making them feel marginalized and behind the curve. An underlying issue can be that user experience and security often have conflicting goals—and layering rapid innovation on top can drive an even bigger wedge between the two teams.
Against this background, we often see common pitfalls arise within cyber-digital transformations. One is to consider security purely as a verification or regulatory function, rather than as an integral factor in the overall design and experience that is at the forefront of innovation among fintech companies. Another pitfall is to try to use traditional development methodologies to meet today’s fast-evolving needs. What’s required is a move toward a controlled “fail-fast-and-move-on” culture, combining design thinking with techniques such as customer-centered journey mapping and DevOps.
A key opportunity: turning cybersecurity into part of the value proposition.
FIs that get all this right can reverse the polarities on cybersecurity and transform it from a perceived drag on innovation to a positive source of differentiation with customers that is typical of the innovation seen from fintechs. EY recently worked with a major global banking institution to achieve this, replacing its legacy password login process with multiple biometric checks in its new personal-banking app. By turning cybersecurity into an integral element of a smooth and convenient customer experience, we helped to make it part of the bank’s value proposition and competitive edge.
As this project underlines, biometrics-based security is a prime area for cyber-digital innovation. Biometrics ranging from fingerprints to voice to iris recognition offer the ideal blend of unique identification and user convenience. Joint digital and cybersecurity teams will provide the ideal structure for engineering biometric integrations into mobile solutions from the ground up, creating a compelling yet secure experience that users will choose over those of competitors that require more traditional security checks. As the use of multiple digital channels (chatbots, web, mobile, voice-based Internet of Things/IoT interactions, etc.) increases, converged cybersecurity and digital team efforts will be critical to sustained success.
When integrating digital and cybersecurity teams, it will be important for FIs to carefully manage the cultural aspects of the integration. Bringing together dynamic, commercially oriented digital-innovation teams with more risk-averse cybersecurity specialists raises the possibility of culture clashes. But it equally creates opportunities for creative tension and more innovative approaches to security—underpinned by an acknowledgment on both sides that each cannot succeed without the other.
Next steps: coming together.
So, what should FIs be doing? Two things. First, evaluate whether they have disconnects between digital and cybersecurity in their organizations. Second, unite the two functions to create better, more secure digital offerings that are customer-centric and innovative like fintechs’. Trust is the bedrock of financial services, and digital offerings must foster trust, not erode it, while also meeting or exceeding customers’ expectations on ease of use. Blended digital-cyber teams are necessary to succeed in this vital initiative.