Security executives have a bigger seat at the table when making product decisions in the world of faster payments and online account origination. At Money 20/20 USA, industry experts discuss how technical knowledge and business issues need to be married to truly meet the realities of digital transformation and prevent fraud.
Matt McBride, chief information security officer & CIO at Modo, kicks off the conversation and highlights that the industry is significantly different to 30 years ago. “This is a Ford vs. Ferrari discussion. 30 years ago we built payments systems that went from one source to one terminal and security was not a concern. Today, we’re looking at a landscape where electronic commerce will surpass $4 trillion.”
A product problem
Jay Kaplan, founder & CEO of Synack adds that “most product managers do not want to talk about security and vulnerability until the last minute. We are conducting our security assessments with a network of white hat hackers and are shifting the conversation to the left so that security is considered earlier in the development lifecycle, before the push into production.”
McBride follows this point and says that with this shift to the left, CEOs must be approached cautiously. Asking an executive to consider security is asking them to spend thousands of dollars, so the question must be framed in terms of risk, reward and trust, which is a much easier conversation and one that is currently being had in every executive meeting.
Rob Rendell, fraud & digital identity SME at IBM, explains that large banks have a number of initiatives in play at the same time, but the fraud agenda and the product agenda must be brought together to form a common agenda. “Acquisition costs are so high now and fraud events result in a high attrition rate.”
David Cass, vice president, cyber & IT risk, supervision group at the Federal Reserve Bank of New York, agrees that acquisition costs are high but switching costs are low, which is why customer retention must be a priority; and that, as Kaplan explains, retention comes from the consumer being able to feel trust.
Acquisition and attrition
McBride points out that friction will exist in any and every transaction, but “there needs to be a balance between friction that gives customers a reason to trust that the bank knows what they’re doing, while also not impeding the consumer from making a payment.”
Rendell moves the conversation on to how there needs to be a “seamless, passive way of monitoring risk along the journey and augmenting information with technology. Fraud tools such as performance monitoring have squeezed fraud losses and operational expenses.”
While trust is of paramount importance, the lack of collaboration between security, fraud and info security teams is becoming a burden and industry leaders need to do a better job of translation and education.
Rendell says that a consensus among cross-functional teams needs to be obtained, and that this is all about authentication. Top tier banks are creating fusion centres, in which analysts can work together and share knowledge.
As Cass says, there are “huge benefits of looking at the commonalities of attacks and then sharing information. There is always a need for continuous education to help protect themselves and institutions.”
Comments from the Money 20/20 community
In conversation with Finextra, Edmund Tribue, risk & compliance practice lead at NTT DATA highlights that “the focus of security executives needs to be balanced between increased and more effective protection of customer PII and financial transactions, without introducing customer friction to access services.
“In the wake of recent data breaches via third-party service providers, the OCC issued new guidelines for the protection of the financial services ecosystem from internal and external attacks. Regulators expect closer alignment between fraud and cybersecurity functions to foster confidence in financial institution’s ability to protect PII, sensitive data, and the integrity of payments systems.”
Making similar points, Ben Schmitt, VP of product and information security at Dwolla says that “the unifying language of information security and business is risk management. It can level the playing field and put businesses in a position to make informed product decisions with the right guard rails, criteria and tradeoffs clearly defined.
“Given the need for robust third-party risk management, security executives are in a unique position to translate technical control considerations and deep domain knowledge (such as cryptography) during product evaluation.”
Tyler McIntyre, Bank Novo CTO, goes on to reiterate the importance of collaboration between departments. “Preventing compromises and fraud is a much more complicated challenge today than it used to be. Security, risk, product and engineering have to really collaborate to arrive at solutions that work.
“Part of the reason these approaches are shifting is because you can’t just look at a fraud case and create a new blanket rule to stop it across all use cases. With product having such a wide variety of use cases and functionality, that’s not really possible without creating a bad experience for some people.
“Managing risk is no longer stuck in the basement. We have to work with the customer to reduce fraud and provide a better experience. New approaches have to proactively analyse data as it happens, and personalise some of that data to specific customers.”
Amador Testa, chief product officer at Emailage, concludes the discussion on the subject. “The security executive is definitely playing a bigger role now, since his job is not only to protect the company from potential losses or risks but instead to create ways for the company to sell faster, with less friction and to expand to new regions or locations while managing the risk.
“Today, due to the globalised world with the internet and online environment, it is super competitive, where the consumer has many options and friction is not acceptable.”