Secure Your Digital Transformation with These 3 Steps
Bankers are bullish on digital transformation. According to 2018 research by the Boston Consulting Group, 86% of financial institutions agree that digitization will upend the industry and permanently transform the competitive landscape. Despite that overwhelming opinion, only 43% agree that they have a clear vision of what a digital transformation looks like and a plan in place to execute that vision.
Make no mistake: It’s not that they aren’t trying. Research from KPMG illustrates that banks are gobbling up fintech companies at breakneck speed, and the $50.8 billion in global fintech investment in 2017 more than doubled to $111.8 billion in 2018. Still, investment alone can’t solve the complex technology infrastructure challenges that stand in the way of complicated digital transformations for some 86% of financial institutions.
It takes more than tech
Drawn by cost, efficiency, and scalability, financial institutions are racing toward a digital future in the cloud. There’s infrastructure as a service, software as a service, platform as a service, and many more, and it’s the lines of business in finance that are driving the push. But the cloud is still relatively new, and many of the organizations that are adopting such solutions are making the leap before they’ve learned what cloud computing entails.
Whenever personally identifiable information is involved, regulatory groups are close behind. All too often, however, information security and compliance are secondary thought processes for the institutions pursuing digital transformations, which increases the risk that customer data could be lost or mishandled. While the Gramm-Leach-Bliley Act, Financial Industry Regulatory Authority, Payment Card Industry Data Security Standard, and other laws and governing bodies outline how to achieve regulatory compliance, collaboratively working toward that goal is proving to be a challenge for financial institutions.
At the end of the day, a successful digital transformation is about understanding the threat vectors and mitigating the associated risks in a collaborative way with constituents aligned. The problem is that these groups speak different languages and have different levels of technical expertise, so deciding who should be part of the initiative and how to get them aligned is not an easy proposition. To make matters more difficult, many organizations are attempting to steer the digital initiative after they’ve already begun to adopt cloud infrastructures, creating an even more contentious situation when stakeholders bring their disparate goals into a single room.
Compliance officers, information security personnel, line of business leaders, and other stakeholders are rarely in perfect alignment within an organization. Instead, one of the biggest challenges financial institutions face is the us-versus-them mentality of various groups. To overcome this obstacle, it’s vital to create a data governance strategy that balances business operations and financial performance with other components such as customer service and regulatory compliance.
The group usually responsible for this strategy is your center of excellence (COE). A COE is a collection of people representing an organization’s operations, business, and compliance departments (among others), whose goal is to ensure that data is an available and effective asset. The COE assembles the necessary participants and places them on the front lines of data governance, ensuring that all voices are represented and that all needs are met.
The people in the COE perform their role with a few factors in mind — namely, the rest of the organization’s personnel, the technology the company relies on to perform certain functions with data, and the processes that dictate how these functions are performed. As a result, the organization can tap into a more holistic approach to data governance. For example, when legacy systems can no longer meet a need or power a new process, a COE will work toward a long-term solution that preserves data quality and availability instead of opting for a hasty workaround that further complicates systems and processes.
Once you’ve created a COE, you’re ready to start taking the first steps on your digital transformation journey. To set your organization up for success, follow these three steps:
For a digital transformation strategy to have a shot at being successful, it needs to include representation from the various interest groups. True alignment will require input from everyone and agreement on why the digital transformation initiative is important. The “why” behind any initiative will depend on the specific organization, its internal requirements, regulatory drivers, and other unique factors. When everyone agrees on the “why,” the group can begin to discuss the “how.”
Alignment is also key because it helps a team decide which parts of a strategy take priority. Even if your digital transformation team is made up of the highest performers in your organization, you can’t accomplish everything at once. Prioritizing different parts of a strategy is key because it gives you a road map that you can then put to use.
One of the biggest mistakes that organizations make is to purchase and apply capabilities before the strategy is complete. They go on a Black Friday shopping spree, buying security software and a whole host of premium capabilities, and then go into implementation mode without any idea what risks or vulnerabilities are being addressed. That process is, at best, far from effective execution. At the worst, it’s an expensive exercise in futility that results in negative progress for the organization’s digital transformation.
Instead, all strategies should start by identifying the kinds of data that are creating security risks. Begin with a baseline that establishes how data is currently used in the organization, and then move to the gaps and vulnerabilities present in your platform. The next step is to paint an ideal picture of the life cycle of data in the company: What’s different in this ideal scenario, and how can those goals be broken down into achievable steps? Only by identifying the data and the dangers can you begin to decide which tools you need in order to build new processes that contribute to the overall risk mitigation effort.
Too many organizations want to check a box and then never have to worry about it again. To create a system that enables a digital transformation while reducing the associated risk is to put a process or operating model in place that continuously changes, evolves, and improves. It’s not just about creating a COE. You also need to design a cadence at which that COE will regroup and verify how well the process works and what areas need to be better maintained.
The cyber threatscape never stops modifying, so your security posture should be similarly fluid. Today, ransomware is one of the most prevalent threats faced by cybersecurity teams. Tomorrow, something else could very well take its place. As your focus shifts and evolves, make sure your team members have clearly defined responsibilities. It’s important to shore up security gaps as you undertake a digital transformation, but it’s equally vital to ensure that old risks don’t return when processes or personnel change.
The advantages of a digital transformation are massive, ranging from an improved experience for customers to a quicker time to market for new products. Unlocking these advantages and achieving your transformation won’t be easy, but the results will be well worth the effort.
author: Brian Olearczyk