Innovation that drives high growth for any company has to be able to move freely – innovators have to be able to bend the rules a little and move quickly and creatively to stay on the cutting edge, while also creating products that can bring real value to their customers. However, such practices are usually seen to be hampered by the strictures placed upon such creators by their risk controllers, the cybersecurity guys who would really rather things didn’t change so fast.
The way it usually works is that the innovators try to bring in the latest technologies that could accelerate a company’s workflows and drive better experiences for their customers, but risk managers are usually wary of new tech that has not withstood the test of time, especially when some software is open source, making its vulnerabilities largely unknown until it’s too late.
Usually, this results in a situation where the wants of the innovators and the wariness of security experts are at odds with one another.
Financial services operator Visa’s head of risk in Asia Pacific Joe Cunningham said:
“There seems to be this see-saw between innovating with speed, aggression and creativity, and the idea of maintaining good risk practices.”
According to Cunningham, the conflict between the two sides is arbitrary – in fact, they are two sides of the same coin.
Innovators and risk controllers don’t need to be at odds with one another; instead, they should be working together to improve the overall customer experience while also protecting their customers from fraudsters and hackers. Cunningham, speaking at the recent Bank Tech Asia 2017 conference in Kuala Lumpur, drew on his own experience at Visa to illustrate the issue.
He had spent six years as the company’s head of innovation, where he brought on many new technologies and trends that could be introduced into Visa’s data center. Whilst he was based in San Francisco, Cunningham was constantly in conversation with startups that were unravelling the traditional modes of operating financial services and sought to break all the rules in Visa with the potential of these new technologies.
“There was the idea the company needed to make a major change as the world around it was changing,” he recalls, before explaining that when he moved to Asia, he was also moved into a new role as head of risk. The ironic twist of fate meant Cunningham, who had spent much of the last decade working in innovation, had to effectively move into the shoes of the enemy.
What Cunningham learned when he switched out his “innovator’s hat” for a “controller’s hat” is that “innovation and risk have to go hand in hand,” noting that both sides need to acknowledge the importance of the other, in any company, in the digital age.
“We need this idea of bringing and allowing disruption into the industry, whilst at the same time protecting what’s really, really important.”
At the heart of an industry like the financial sector is trust. Visa took the 60 years it has been in operation to cultivate its customers’ solid trust, an asset that underpins the brand as well as the integrity of its payment services.
“That trust is absolutely essential, therefore maintaining the security and integrity of those transactions and educating and managing how the brand experience is brought to life,” Cunningham said. He said that without the weight of a history’s worth of flawless service and reliable security, Visa would never have been able to achieve what it has today, and that this is largely because of the company’s commitment to protecting its customers, which is the foundation of its work.
There are three reasons why companies today need to be constantly on the edge of their seats when it comes to risk management in the age of lightning speed innovation: the unbundling of banking services brought about by the technological revolution, the centrality of data today and the huge information asymmetry between users and criminal gangs.
The biggest disruption caused by the technology revolution is that banks have largely lost their monopoly on financial services – when small startups begin picking at specific financial services such as remittance, payments and insurance, they wrest business away from banks by giving users particularly wonderful experiences.
“There are startups looking at the banking industry and saying ‘The banks don’t have to provide everything, connect everything, they don’t have to provide all those services’,” Cunningham said. However, these startups are also largely focused on growing bigger and moving faster, which means they do not apply the same rigorous tests to new technologies and protections, resulting in increasing vulnerabilities for their users.
Furthermore, these startups are also extremely data-driven, which has helped them glean highly accurate insights about the desires and pain points their customers face. Cunningham notes companies who are able to manage data at scale will usually find themselves achieving a higher level of success compared to their counterparts who do not.
But data also causes serious issues, especially when startups and organizations fail to preempt the potential vulnerabilities in their systems. “There’s still too much of it that’s unsecured, too much sensitive data flowing across the ecosystem,” Cunningham said.
“As the financial services industry becomes more and more unbundled, as more players enter the market, and there are more intermediaries and third party service providers, the number of touch points for sensitive data becomes exponential.”
Analysts at Gartner estimate that between 2020 and 2025, the number of connected devices collecting and producing data will rise to between 20 and 50 billion. Those devices, and our society’s increasing reliance on card and digital payments, will dramatically accelerate the growth in the amount of sensitive data that could be used against us by criminal gangs, a situation which is exacerbated by the asymmetry between users and hackers.
“Criminal gangs that are global, sophisticated, well organized and well funded,” Cunningham said. He said users do not have the same understanding as these consortiums do about the weaknesses in our systems.
In order for businesses to make the most of the data they have, as well as the technologies available to them, leaders have to begin paying attention to two things, according to Cunningham: responsible innovation and security by design.
“What we want to do is underpin this idea of responsible innovation,” he said. “Security needs to be designed in from the very beginning,” rather than as an afterthought.
“It is not enough to bolt on security at the end, it was never good enough, it is definitely not good enough in the digital world.”
The variety and changing landscape of banking today means solidifying the trust customers have in their card providers is increasingly important. If businesses do not step up to the plate soon enough, they could easily lose the trust of their customers, and thus their opportunities to spur further growth. However, controllers can’t hide behind their firewalls forever – they need to constantly be on the lookout for new technologies that can help them improve the way they work.
The answer to the innovation and risk debate, according to Cunningham, lies in the middle, where both sides are in constant conversation.