When it comes to technology upgrades, especially large-scale security enhancements, the halls of IT departments are filled with vivid illustrations as to why “rip and replace” is not an optimal strategy.
It’s a touch-and-go process that is sometimes likened to changing the engines on an airplane mid-flight, and at the core of a conversation, PYMNTS hosted with a panel of experts, including; Fastly Senior Vice President Dana Wolf, Cross River Bank Technology Chief of Staff Jesse Honigberg and Bank Independent Director of Information Technology Greg Solomon.
As much as the advent of advanced technologies — and platforms — make it easier to approach and deploy new security offerings, this group was also cognizant of a spoiled for choice type of risk security teams face in the form of “tool sprawl.”
In a nutshell, adding on new security features while legacy systems still mark financial institutions (FIs) can be a tactical headache. No firm wants to replace a bad process with a new bad process.
An infrastructure-agnostic approach, said the panelists, may offer the best and smoothest path to a digital transformation.
Done well, security and innovation can be synonymous and can help FIs serve younger, digitally savvy consumers where they want to be served (across channels, especially digital ones).
Do it poorly, noted Fastly’s Wolf, and the FI’s relationship with those younger consumers may be at risk.
“They expect that great experience and they expect security off the bat — and any slight deviation makes them not trust and move on to the next thing,” she said.
Cementing that trust level, bringing DevOP and other operations within the FI together to embrace a digital upgrade is no easy task — in fact, it’s mainly aspirational.
Back to that airplane analogy, then. Cross River’s Honigberg said that when the plane is on the ground, so to speak, the key to making sure it can be airborne is to perform maintenance bit by bit, incrementally, as needed — before the screws come loose.
“Whether that’s a plane or a bank, you have to think about the same thing,” he said. Honigberg recommended that banks build a “foundational” base of security — and build or extending functionality here and there.
Along with the incremental approach, it’s important to make things as transparent as possible, he said, to improve the client experience.
Yet the client experience is not a uniform one — banks have different clients, after all, for different services. Digital-first (maybe even digital-only) millennials will have entirely different expectations and security needs than check-writing boomers. Give people the right tools, transparently, said Honigberg, and customers will chart their own paths through banking apps and platforms, embracing self-service functionality along the way.
Fastly’s Wolf said banks need to make those self-service activities interesting — or banks risk losing customers, who will be quick to abandon FIs’ platforms. Banks, said Solomon, also must eye channel shifts in real time.
“Banks have to evolve with customers’ needs. And the security behind [new offerings] has to evolve with as well,” he said. Otherwise, there will be gaps in how check-writing customers may be served as they pivot to mobile capture or other features housed within an app.
Privacy Is Part Of Security
Wolf noted that as consumers move increasingly online, data privacy is part of the security equation.
PYMNTS’ own data show that 60 percent of consumers are worried about how their information is being used online.
Read more: Pros Blame Consumer Uncertainty For Slow Uptake Of Open Banking
And as Bank Independent’s Solomon said, any approach toward banking security “really comes down to how you’re going to protect your customer’s data and your company’s information.”
At least some of those concerns can be mollified by, as Honigberg said, an explanation of PCI certification and SOC implementations.
“Depending on who your customers are and what they care about, those are substantial investments you make that underscore your commitment to being at the table,” he said. For FIs’ commercial clients, he said, external validations and certifications are par for the course and go a long way toward cementing relationships.
No Easy Fix
Beware the mindset that says when it comes to security, all one must do is embrace the platform. Platform implementations, said Honigberg, are easy to start and tough to finish. Wolf recommended that a platform initiative be tied to an incremental process.
“The rip and replace is maybe more along the lines of ‘lift and shift,’” said Honigberg. “And so maybe you’re lifting your legacy data center and you’re shifting workloads to AWS or Azure. And when you’re doing that, you’re thinking about how you’re securing those workloads, how you’re optimizing them, how you’re thinking about the messaging bus infrastructure.”
See also: Five Steps To Modernize FI Tech Stacks Without Doing Rip And Replace
Solomon noted that banks must grapple with the decisions tied to on-premises and cloud systems. Though banks cannot be agnostic to how things change and evolve, they can be infrastructure agnostic — and good third-party SaaS solutions have value no matter who the providers might be.
Being open-minded can pay dividends, according to the discussion. Linking up with the right providers, said the panelists, helps avoid “tool sprawl,” and helps FIs use money judiciously.
Said Honigberg: “It’s a reasonable approach to being agnostic and flexible while still maintaining some of the scale and getting out of as much of the commodity delivery aspects of it as possible.” Being flexible, added Wolf, means FIs can avoid misconfiguration, which is a point of vulnerability for data breaches.
FIs that embrace platforms in an incremental way identify gaps and plug them, said the panelists, can gain better visibility into the customer experience.
Said Honigberg: “It’s not necessarily about checking the box to say you have ‘something’ [for security] — it’s about making sure your customers understand how you deliver it and that big get how to use it and extract value.” Visibility, said Wolf, and studying data in real time, leads to control. Control is more important than ever in the age of the pandemic, in the work-from-home environment when DevOp and security teams are far-flung — and of course, banks, as ever, are regulated entities.
See also: FIs Elevate Their API, Web App Strategies With Performance-Enhancing Security
As Honigberg remarked, amid the great digital shift, banks have been allowed to accelerate things that they thought they could never do or weren’t ready for … especially when it comes to more complex, more nuanced business processes.
Added Solomon: “It’s an ever-changing environment as technology evolves and our requirements change from year to year — and keeping up with that is a challenge.”