by Ewen O’Brien, VP of EMEA, BitSight
The security ratings market is still relatively immature but it is fast growing and as such there is quite a bit of hype from the vendors that play in this space who are all jostling for position. So now with a number of offerings to choose from – some of which are marketed in misleading ways – it can be tough for decision makers to cut through the noise and put in place a ratings platform that will truly make a difference to their business.
As someone who has worked in this industry for many years, with deep expertise in ratings, I thought it would be helpful for me to dispel some of those myths about security ratings, homing in on a number of key areas that I think are important for organisations to consider. Here in the first of a series of articles, I’m putting a spotlight on the importance of integrity and context.
What I hear often in this market is that it is all about getting the highest rating. At a basic level this is true, but these ratings must be robust, stand up to scrutiny and have integrity, and without context the ratings may not be meaningful to your stakeholders and/or your customers.
But before diving into what I mean about context, first off let me provide an explanation around security ratings.
Security ratings are a data-driven, objective and dynamic measurement of an organisation’s security performance. Thousands of organisations around the world use security ratings tools to address a variety of critical interconnected internal and external use cases at scale, in order to enable more effective decision making throughout their business ecosystem.
Security ratings are useful to manage cyber risk in any inter-organisational interaction where transparency has historically been lacking. Likewise, security ratings improve an organisation’s ability to manage cyber risk from business partners and understand the risk posed by a third party or supply chain business relationship. They can be used for insurance underwriting pricing, and risk management, allowing carriers to gain better visibility into the security performance of insurers in order to assess and price risk. Ratings can also be used for investment in or acquisition of a company, allowing organisations to perform enhanced cybersecurity due diligence and ongoing monitoring of the investment or the M&A target. And they enable governments to better understand and manage the cybersecurity performance of critical organisations.
Additionally, security ratings are useful for managing an organisation’s internal cyber risk by continually assessing the security posture of one’s own organisation and providing transparency to key stakeholders. They can be used to benchmark and compare performance with peers in the industry and ratings provide greater assurance to customers, insurers, regulators and other third-party stakeholders about your cybersecurity performance.
In short, security ratings provide a comprehensive, outside-in view of a company’s overall cybersecurity posture. Similar to credit ratings for individuals, security ratings deliver much more value to an organisation than simply correlating them to data breaches, for example. They are dynamic and are constantly monitored and measured, rather than being just a point in time assessment. This means that ratings can quickly highlight any changes in security posture. However, there are a number of vendors in this space who essentially enable organisations to ‘mark their own homework’ allowing them to remove legal entities, divisions, or parts of the business that might negatively impact on their rating.
Security ratings are based on the digital footprint of a company with strict governance wrapped around it and we rate everyone in a consistent way. This is important because there is no point in ‘gaming’ ratings to suit your needs as this is a short-sighted approach to the value of ratings and isn’t a true reflection of your security posture. Think about this from a personal perspective and how credit ratings work. Imagine if someone, applying for a new mortgage, was allowed to exclude those two recent mortgage defaults to improve their credit score. This in effect makes a mockery of having a credit rating and exactly the same principles apply in security ratings. This kind of disingenuous approach might enable the security group to reduce workload in the short-term i.e. you got the rating the organisation wanted, but will it make the business any more secure and will it reduce risk? To this point, we lost a large customer a few years back because the security group wanted us to remove certain parts of their business that were not 100 percent owned by them but were absolutely part of their offering and were causing them significant pain. We declined to do this and we lost the customer, but we sustained our obligation to the industry around maintaining the integrity of our ratings.
The great advantage of examining externally observable data associated with domains and IPs mapped to a rated company is that it can be assessed independently and remotely. Furthermore, because every organisation has a similar footprint, assessments can be compared and contrasted in a standardised way. The disadvantage is that this digital footprint is only a subset of the total digital surface of a business and this is where context and other factors come into play. Security ratings should be chosen on the basis that they provide contextual ratings which are not about gaming the system, but about giving true context to particular scenarios.
Most organisations don’t operate as one big silo but rather align their infrastructure to match product lines, geographic regions, divisions and segments. So we have a global or primary rating which can be combined with a self-published rating whereby companies can monitor and manage segments of their business whose structure they only have visibility into. For example, a company can monitor regional offices and compare these, or break out ratings for specific product lines.
These self-published ratings can be used for internal purposes or they can be shared with other users. Combined with primary ratings they provide a level of context no one else in the security ratings industry can match. However, where competitors often take the word of a company that an identified issue shouldn’t be a concern and remove the item from their records, it’s important to remain objective and create mechanisms for businesses to communicate context. This ultimately helps companies make better informed, risk-averse decisions.
Security ratings enable organisations to manage their own risk and the organisations that they do business with. This in turn creates a standardised model of risk by which organisations can be measured, allowing for better business decisions. But if a vendor suggests that you can manipulate data yourself to improve your ratings, then understand that this won’t improve your own security posture, and it could in fact create threat vectors that you are currently blind to.
REACHING THE NOT-SO DIGITAL NATIVES
By Garry Hamilton, Group Business Development Director, Equator
It’s 2020. There’s no denying that banks and financial institutions have found themselves in a war against the tech giants in recent years. But can they win? Can consumers ever be truly satisfied? Or will institutions in this space stick with what they know regardless of how well it is working? In the digital-first now, FS companies have moved into an uneasy but rewarding landscape. Just as with consumer goods, they find themselves in a space where they no longer innovate ahead of consumer aspiration and demand, instead finding themselves increasingly under pressure to catch up.
The experiences consumers have with global giants such as Google, Amazon, Facebook and Apple (GAFA) define their expectations for all digital experiences. To stay up to speed, FS companies need to understand the shift in consumer demand as well as the multitude of threats to a business model that’s seen as traditional and staid. In short, they need to prepare.
The paltry, taped-together digital offerings from the incumbent financial service brands no longer stand. However, these brands still go to market with products and services defined by internal processes and limitations, giving little consideration to true service design principles or customer experience.
Thankfully this is changing, in part by credible (and incredible) upstart fintech companies, chipping away at the monoliths. At Equator, we work with several brands in this space, including Santander and Virgin Money, all of whom have realised the tides are changing. Major finance brands are no longer looking for the sharks in the water that come after all they do, instead realising that it’s a multitude of piranhas that pose the most significant threat.
Case in point: TransferWise has demonstrated that something as mundane as foreign exchange can be made fresh; Atom Bank has shown that a lean approach to savings and loans can drive solid business without being so reliant on rate, and Starling Bank has demonstrated that a serious focus on making the tech work can yield excellent results. Consumer choice for financial services has never been greater.
The hidden threats that GAFA may pose on traditional finance brands are, as yet, not fully realised. Apple has already demonstrated its ambition in the US with its digital credit card offering. Amazon has Amazon Pay and shown interest in the insurance market. Facebook is out there with its (stumbling) cryptocurrency effort, and Google’s feature-creep into aggregation (and payments) indicates a genuine and poorly understood threat from some of the wealthiest and most capitalised tech companies in the world. It’s hard to imagine a reality where consumers reject financial services from these brands.
But for incumbent brands in this space, the opportunity to maintain success lies in two key areas. Firstly, data. While it’s commonly understood that this is the currency that enriches the GAFA businesses, consumers’ financial behaviours are still broadly out of reach. Banks and financial institutions with historically loyal customers are sitting on a gold mine of data that can be turned into actionable insights. Insights that could deepen loyalty, increase relevance and make historically uninteresting and stuffy institutions appear modern and relevant.
Secondly, these organisations have significant human knowledge capital. These people know how the wheels turn, how to negotiate regulation and compliance, and how to manage risk. When you look to the most successful start-ups, their success is less borne of wealth, but more of knowledge and how financial systems operate. That cannot be underestimated. Banks and financial institutions need to strive to keep their staff loyal – not just the traders with their extreme bonuses. They’re not the ones that tech businesses would come after.
Getting a financial service off the ground isn’t cheap, but that’s not something GAFA worry about. Instead, it’s the complexity of negotiating the regulations and marketplace. What FS brands need to watch out for is that the fintech piranhas do not become sharks – not necessarily through growth but through acquisition and consolidation. Acquiring TransferWise, Monzo or Starling Bank is still pocket change to these organisations. And they DO have the technical wherewithal to bring autonomous platforms together and make a success of it, something high street banks and insurance companies have proven incapable of seeing through.
To survive and thrive, financial brands should take advantage of the one thing they’re historically good at – assessing and mitigating risk, with the critical difference being that keeping it the same as it’s always been is no longer the safe option. At Equator, we’ve already seen clients, such as AXA and Lloyds, acquire or partner with fintech start-ups. There’s a real effort from the high street banks to deliver a Monzo-esque functionality to their customer base. And we see real innovation in everything from insurance to loans and savings.
But there is still a long way to go. Regulation in the UK has been reasonably balanced between control and competition since 2007. However, technology continues to outpace the law, and we need to keep the pressure on the regulators to allow for new customer engagement models, new ownership models and new ways to deliver financial products and services.
In the last few years at Equator, we’ve helped many major financial institutions take on tomorrow by helping them innovate and bring new products and services to life. We’ve helped Virgin Money bring their innovative B banking service to life, pioneered original service design in the most mundane of places for Tesco Bank and a lot more besides. We know that there are many enthusiastic brands out there looking to take on tomorrow and bring digitally-enabled services to life. But the sector still has some growing up to do. Crucially, it needs to accept that the disruption that came after the 2007 financial crash has nothing on what is around the corner.
We’re still only really getting off the ground with the second payment services directive. Open banking is creeping in. We’ve yet to see the promised liberation of the payments sector (which should be huge), and it’s fair to say we should expect more niche disruptors to emerge, as money continues to pour into the sector. And that’s not even covering off the effect that machine learning and automation will continue to have in the industry over the coming years. If you ever dared to think finance was dull, get ready for a disruptive and exciting time.
RISK VS REWARD: IS AI TAKING OVER?
Xavier Fernandes, Analytics Director at Metapraxis
A study by Oxford University academics into “The Future of Employment” in 2013 prompted apocalyptic headlines which stated that in the future 40% of jobs will be automated thanks to advancing technology.
The researchers subsequently claimed that the truth was in fact a little more prosaic; rather than facing complete automation, the research found that 40% of jobs faced some aspect of automation in their activity. So with new AI processes a likely reality for almost half of us, what does that mean for our current roles and should we be worried?
The fourth revolution?
The first industrial revolution saw machines replacing muscle, both human and animal. The second and third saw electrical power, mass production and computerisation revolutionise the job market. Now, with daily headlines of AI as an employment superpower, there is some concern that AI is bringing a fourth revolution, and with it, unknown circumstances.
This ‘fourth industrial revolution’ is defined by replacing brain power with machines. Our thinking capacity is what inherently sets us apart from other species, so it’s not surprising that any encroachment on it triggers some existential angst.
Evolve to reap the rewards
While many businesses still don’t fully understand the capabilities of AI, those who fear its development are, instead of embracing it, missing all the benefits that it can bring to the workplace. Businesses that utilise AI appropriately are seeing vast improvements across their entire value chain; better customer experience, reduced costs, and more insightful analysis to support management decisions.
AI is particularly useful for supporting tasks with repetitive activity, for example, performing financial checks and assessing large sets of data within financial services firms. AI performs particularly well within this context, spotting outliers before a human expert would notice them, allowing impending problems to be flagged and avoiding costly mistakes.
There is also an increasing focus on maximising customer lifetime value through the use of AI. Being able to predict existing customers’ needs as well as track trends in their financial circumstances is supercharging the old cross-selling approach with testable, predictable outcomes.
With potential benefits like these on offer, management teams of innovative financial services are increasingly relying on AI to help them with some of the heavy-lifting of analysis. Using advanced data capabilities and learned behaviours, AI analyses market trends to provide predictions of future performance. This insight is invaluable and allows management teams to change direction and correct any problems accordingly. This offers a huge advantage over those that have not adopted such tools.
Supporting the workplace
Algorithms and AI are typically ‘smart’ at doing one, tightly-constrained task, but they can be less helpful with many of the activities that humans find straightforward. In most white-collar jobs, automation tends to replace certain tasks in the job, rather than the role in its entirety, as the need for human intelligence is still highly necessary. In particular, we still need human input to first challenge, and then synthesise, this information before taking action. Employees should therefore work with the business to proactively identify what areas of their role could be automated, so that they can focus on the areas that add real value to the business’ commercial goals.
Challenging AI is certainly still important. We know that algorithms can be much better than humans on certain, bounded tasks. However, many algorithms rely on existing data sets to build their understanding. As a result, when a business unit has ‘symptoms’ that fall outside of that body of knowledge, the algorithm may suggest the wrong course of action with costly results.
Indeed, even with plenty of data, algorithms will reflect any biases the data set contains. We’re seeing this with some legal sentencing algorithms where there is evidence that they are treating disadvantaged people more harshly. Getting the answers to why and how far we should trust our algorithms should therefore become an everyday part of any job affected by AI.
Rather than depending entirely on AI for all decisions, workers should be taking all these new, AI-generated insights and using them to complement the human decision-making process. No manager of a complex business ever has enough time to sieve through all the analysis available, but with AI-driven algorithms able to flag up any issues and indicate where action needs to be taken, we may find that we have some AI ‘colleagues’ who will cover our backs and suggest innovative options. Yes, there will be times when the algorithms get it wrong, but as long as we’re watching out for those, the future is bright.