by Ewen O’Brien, VP of EMEA, BitSight
The security ratings market is still relatively immature but it is fast growing and as such there is quite a bit of hype from the vendors that play in this space who are all jostling for position. So now with a number of offerings to choose from – some of which are marketed in misleading ways – it can be tough for decision makers to cut through the noise and put in place a ratings platform that will truly make a difference to their business.
As someone who has worked in this industry for many years, with deep expertise in ratings, I thought it would be helpful for me to dispel some of those myths about security ratings, homing in on a number of key areas that I think are important for organisations to consider. Here in the first of a series of articles, I’m putting a spotlight on the importance of integrity and context.
What I hear often in this market is that it is all about getting the highest rating. At a basic level this is true, but these ratings must be robust, stand up to scrutiny and have integrity, and without context the ratings may not be meaningful to your stakeholders and/or your customers.
But before diving into what I mean about context, first off let me provide an explanation around security ratings.
Security ratings are a data-driven, objective and dynamic measurement of an organisation’s security performance. Thousands of organisations around the world use security ratings tools to address a variety of critical interconnected internal and external use cases at scale, in order to enable more effective decision making throughout their business ecosystem.
Security ratings are useful to manage cyber risk in any inter-organisational interaction where transparency has historically been lacking. Likewise, security ratings improve an organisation’s ability to manage cyber risk from business partners and understand the risk posed by a third party or supply chain business relationship. They can be used for insurance underwriting, pricing and risk management, allowing carriers to gain better visibility into the security performance of insurers in order to assess and price risk. Ratings can also be used for investment in or acquisition of a company, allowing organisations to perform enhanced cybersecurity due diligence and ongoing monitoring of the investment or the M&A target. And they enable governments to better understand and manage the cybersecurity performance of critical organisations.
Additionally, security ratings are useful for managing an organisation’s internal cyber risk by continually assessing the security posture of one’s own organisation and providing transparency to key stakeholders. They can be used to benchmark and compare performance with peers in the industry and ratings provide greater assurance to customers, insurers, regulators and other third-party stakeholders about your cybersecurity performance.
In short, security ratings provide a comprehensive, outside-in view of a company’s overall cybersecurity posture. Similar to credit ratings for individuals, security ratings deliver much more value to an organisation than simply correlating them to data breaches, for example. They are dynamic and are constantly monitored and measured, rather than being just a point in time assessment. This means that ratings can quickly highlight any changes in security posture. However, there are a number of vendors in this space who essentially enable organisations to ‘mark their own homework’ allowing them to remove legal entities, divisions, or parts of the business that might negatively impact on their rating.
Security ratings are based on the digital footprint of a company with strict governance wrapped around it and we rate everyone in a consistent way. This is important because there is no point in ‘gaming’ ratings to suit your needs as this is a short-sighted approach to the value of ratings and isn’t a true reflection of your security posture. Think about this from a personal perspective and how credit ratings work. Imagine if someone, applying for a new mortgage, was allowed to exclude those two recent mortgage defaults to improve their credit score. This in effect makes a mockery of having a credit rating and exactly the same principles apply in security ratings. This kind of disingenuous approach might enable the security group to reduce workload in the short-term i.e. you got the rating the organisation wanted, but will it make the business any more secure and will it reduce risk? To this point, we lost a large customer a few years back because the security group wanted us to remove certain parts of their business that were not 100 percent owned by them but were absolutely part of their offering and were causing them significant pain. We declined to do this and we lost the customer, but we sustained our obligation to the industry around maintaining the integrity of our ratings.
The great advantage of examining externally observable data associated with domains and IPs mapped to a rated company is that it can be assessed independently and remotely. Furthermore, because every organisation has a similar footprint, assessments can be compared and contrasted in a standardised way. The disadvantage is that this digital footprint is only a subset of the total digital surface of a business and this is where context and other factors come into play. Security ratings should be chosen on the basis that they provide contextual ratings which are not about gaming the system, but about giving true context to particular scenarios.
Most organisations don’t operate as one big silo but rather align their infrastructure to match product lines, geographic regions, divisions and segments. So we have a global or primary rating which can be combined with a self-published rating whereby companies can monitor and manage segments of their business whose structure only they have visibility into. For example, a company can monitor regional offices and compare these, or break out ratings for specific product lines.
These self-published ratings can be used for internal purposes or they can be shared with other users. Combined with primary ratings they provide a level of context no one else in the security ratings industry can match. However, where competitors often take the word of a company that an identified issue shouldn’t be a concern and remove the item from their records, it’s important to remain objective and create mechanisms for businesses to communicate context. This ultimately helps companies make better informed, risk-averse decisions.
Security ratings enable organisations to manage their own risk and the organisations that they do business with. This in turn creates a standardised model of risk by which organisations can be measured, allowing for better business decisions. But if a vendor suggests that you can manipulate data yourself to improve your ratings, then understand that this won’t improve your own security posture, and it could in fact create threat vectors that you are currently blind to.
TRANSFORMATION IS NON-NEGOTIABLE FOR BANKS LOOKING TO DELIVER VALUE IN A POST-PANDEMIC WORLD
Andrew Warren, Head of Banking & Financial Services, UK&I, Cognizant
In addition to responding to changing customer expectations, higher operating costs, new technology, and an evolving regulatory landscape, financial services organisations now also face the uniquely challenging business environment created by COVID-19. The economic consequences that are unfolding rapidly and unpredictably mean that banks must double-down on both their efficiency and customer experience agendas. In light of this, the need to modernise legacy banking platforms will gain sharper focus as banks emerge into the post COVID-19 landscape, driven by the need to focus on value for customers and agility to change and shift operations quickly.
If banks are to remain strong and stable and make real progress with their efficiency and experience agendas, transformation is non-negotiable – but it can be risky and have high rates of failure. So how can banks pursue their transformation agenda, while addressing the very real risk that modernisation of legacy banking platforms presents?
Communicating value across the business
Banking transformation may have traditionally been the domain of the IT function, but the impact on current and future value means it should be on the agenda of a much wider set of senior executives. This includes the CIO and COO but should also be as far reaching as the Chief Risk Officer, Chief Financial Officer, Chief Digital Officer, and Chief Experience Officer.
When we talk about value in the context of transformation it can mean multiple things. In monetary terms, transformation can reduce the total cost of a bank’s IT infrastructure, with legacy equipment 55 per cent more costly than cloud data. More importantly however, transformation often results in moving from highly manual orientated processes to more efficient, automated – and therefore accurate – processes. In turn this can lead to more informed and tailored products and services, internal process efficiencies, enhanced cybersecurity, advanced analytics, and reduced risk, especially around fraud and malicious activity. These all add significant value to customers, as well as operational and regulatory imperatives.
Furthermore, viewing transformation through a value lens should tie it to a range of specific financial and accounting metrics that ultimately measure success. That includes both those that reflect the protection and extension of current value, as well as measuring the extent to which transformation will support the capture of future value. Financial services organisations have a huge opportunity to create greater value for customers from innovation in products and services. Changing market dynamics are creating a basis upon which banks and others in the industry can evolve their offerings and organisations.
In much the same way as we have already seen in retail, for example with Amazon and AliBaba, and media platforms, such as Facebook and Netflix, customers are adjusting to a new way of banking that is changing expectations. To keep up, banks need to increasingly provide easy-to-use digital-first services across their products, as well as introduce new tools to help customers manage their money in the 21st century. And there is no doubt that the fall-out from COVID-19 will likely further drive the degree and extent of digital adoption.
Traditionally, financial institutions take many different approaches to transformation, such as developing sleek new customer experiences to compete or developing new platforms and partnering with fintechs. But achieving success for more mature banks is more challenging given the obstacles presented by their legacy platforms. Comprising complex, customised systems, these are expensive to run and very costly to change.
The inevitability of change
To truly transform operations and experience, many banks are now having to face up to the reality that they cannot move forward without banking platform transformation. That means they must – in one way or another – replace their historic systems with more modern, cost-effective, and flexible platforms. That is going to be essential to stand up the capabilities required to enable digital products and deliver the truly revolutionary experiences that customers demand.
Recognising this, many banks are now considering their options. Some have already started down the challenging path and hit bumps in the road. A very small number have successfully executed their ambition to create a platform for the future. All banks contemplating transformation should take lessons from both the successes and the mistakes. These will be critical to inform their plans.
What are the next steps?
There are a number of essential transformation steps to consider that will help realise value from investment as rapidly as possible, provide an appropriate level of delivery confidence and manage exposure to the operational risk normally associated with such changes. These include:
1. Business strategy must inform every step of transformation – ensure that the approach to platform transformation is tightly aligned to the wider business strategy.
2. Design a strategy-aligned roadmap for delivery – a transformation roadmap should clearly set out the logical order in which business outcomes will be delivered. Here again, that needs to align with the value that the organisation is seeking to achieve, with incremental progress determined by business priorities. This involves making appropriate use of modern delivery methods, such as agile, and making sure that everything that is done satisfies and is frequently assessed against the relevant value criteria.
3. Assess technology selection against business value – organisations often undertake detailed and exhaustive market, functional and technical assessments when reviewing new products and suppliers. This often means either the technical assessment dominates proceedings and / or new technology platforms are selected without a clear line of sight to the value required. Poor product selection is a risk as a result, as well as a lack of understanding of how products should be deployed to inform the sequence of delivery required by the transformation roadmap.
4. Assess your readiness for change – unsurprisingly, given the sheer scale and velocity of change that business leaders must deal with, resistance to change is often a key reason given for the failure of banking transformation projects. However, it is crucial that the ability of the organisation to deliver and adopt the operational, technical, and cultural changes required to support transformation is comprehensively assessed and done early.
The impact of COVID-19, paired with the demands that financial services organisations face from all directions, makes change an inevitable necessity for most. The approach to delivering a successful banking transformation, underpinned by a modernised platform, will vary dramatically from bank to bank. However, above all, businesses need to ensure that value drives every aspect of change, explicitly linking transformation strategy and investment with the realisation of value.
THE INDICATION OF A DEEP RECESSION AND HOW TO PLAN
Nick Gold, MD of Speakers Corner
All the indicators are that the UK will be heading into a deep and painful recession come the Autumn. How bad, and indeed for how long, are the unknowns, but businesses need to use this time to start to look ahead and plan for the future. But how can a business plan when the future is uncertain?
Nick Gold will discuss why the planning needs to start now by creating an entrepreneurial culture within the business that liberates employees to come up with new ideas, to test the market, speak to their customers and find new opportunities. He will also explore how this needs to go hand in hand with a creative employee reward and incentive programme.
The Entrepreneurial Mindset seems, over time, to have become confused and assimilated with a ‘start-up culture’. This might be the case in an actual start-up of course but an entrepreneurial mindset should exist in all businesses, whatever size or heritage.
Even more so, in times of crisis and uncertainty, the entrepreneurial mindset is a necessity for any business to survive and more so, thrive. It allows both leaders and employees to embrace the unknown, accept the uncertainty we find as being part of the challenge, rather than being a blocker to progress.
The ‘Start-Up’ mode is an aura where the vision or idea is clear but the direction of delivery is uncertain. An agile approach and wrong directions are not only commonplace but welcome within a business that is learning the path for the successful growth of its business idea and company.
As businesses grow and mature, the processes within the business are refined and developed and the mindset shifts to an environment where the whole picture can be captured, analysed and evaluated at the outset. This, from a strategy and planning perspective is a much more attractive and robust offering, it gives greater visibility to the outcomes and risks of a project, it ensures the effective monitoring of the project and it means the future is clear.
The business landscape is a fascinating place now where there is no historical precedent as to what the future holds. At whatever stage of the lifecycle of the business, in marketplaces which are at different levels of maturity, business leaders need to embrace this new mindset and allow their employees to rediscover, or even just discover, their entrepreneurial mindset.
This will require a change in the way businesses operate. Employees will start to feel liberated, spending less time developing the business plan which has a hypothesis, method, outcome and conclusion, and transition to a culture where the path to an idea is embraced as a test bed for possibilities. It is a place where budgets aren’t clearly allocated in advance but rather the opportunities are continually assessed so resources are refined and directed to areas as ideas open up.
The obvious challenge is that this fluid approach might work for businesses who are not established in a marketplace or defending a position as they have no legacy to protect. It is much harder and more complicated where customers are expecting certain service levels and ways of working. But with an entrepreneurial mindset, this should be seen as an opportunity to build closer relationships, to test new ideas, to spot problematic trends and develop solutions.
The truth is that an entrepreneurial culture has always been presented as a polarised extreme to established business (or process) culture. This is simply not true. There is no doubt that a business trying to marry up different cultures to create a hybrid model has a much more challenging task, but the rewards are so much greater.
The starting place has to be the right vision, delivered from the top level of the business and then implemented so every employee not only buys into the vision that has been laid out before them but they actually start owning the vision too.
In the case of the established business with a secure customer base, the customers also own the vision. Effectively the vision is no longer a top-down approach but is actually the values and purpose of the business itself. This ownership means that employees will be more willing to make decisions and take risks in the areas that they are focussed on, as they can see how the choices they make can and will affect trying to attain the vision.
The entrepreneurial mindset means that every employee, regardless of role within the business, feels that they are able to contribute to the vision. It means employees are not restricted by job title or role, they are liberated by the vision. It means skill sets are transferred to exploit opportunities.
Business leaders who understand this will develop an incentive and professional development plan for employees. As time moves on and employees start to see the opportunities for themselves within the business, the entrepreneurial mindset we have talked about now starts to become deeply embedded within both the business and employees.
The single most critical aspect to this, the one change that is required for any business as the landscape looks ever more fraught and even more uncertain, is that the business trusts its employees.
It requires leaders to understand that any IP that it owns, any products that it has developed, any brand loyalty or reputation it has developed and maintained over the years, this is now secondary to empowering its people within it. The employees are both the custodians of the brand and responsible for delivering the vision. Above all else, this is the critical aspect for business leaders trying to create an entrepreneurial mindset for the company at a time when forecasting and planning has never been so abstract.