By Altaz Valani, Director of Insights Research at Security Compass
The financial services industry is forecast to be worth $300bn by 2022, yet fintech companies still face important decisions about their digital transformation plans.
Between ever-increasing customer expectations and the requirement to keep pace with a changing regulatory landscape, fintechs are under growing pressure to ensure that innovation is implemented properly and securely.
For a financial services firm, a large-scale data breach or an exposed software vulnerability could mean paused operations and substantial penalty fines from regulators. The impact goes beyond the financial, however: damage to brand reputation is also a significant factor.
From biometric authentication and Robotic Process Automation (RPA) to Artificial Intelligence (AI), the ever-increasing adoption of new technology within the financial services industry is only increasing the volume of customer data at risk.
Threats from the inside and outside
Managing this risk carries both internal and external challenges for fintechs. Internally, the main concern is typically ensuring the team has the required cyber security skills, knowledge and expertise; externally, keeping up to speed with regulation is just as demanding.
This means that balancing the desire for innovation and growth with robust security and risk management processes is vital for fintechs. The nature and variety of cyber threats continue to grow, and every new digital service and product carries its own evolving range of security risks.
Managing the cloud
Because of the perceived value of the information it holds, the financial services industry has traditionally been one of the sectors most targeted by data breaches. Consequently, many financial services organisations have moved their IT infrastructure to the cloud as a solution.
However, cloud migration expands the attack surface of applications, so security and compliance requirements cannot be overlooked when deploying new apps directly in the cloud or building automation-as-a-service or analytics-as-a-service capabilities.
Aligning security and digital delivery strategically is therefore one of the most complex challenges facing financial service businesses. As a result, many are turning their attention to Balanced Development Automation (BDA) as a solution.
Aligning security with DevOps – BDA
To secure a competitive edge in the long term, fintechs must create synergies between their business, security and DevOps teams. This is where BDA can play a vital role: it aligns DevOps with security, ensuring the latter is ‘baked’ into the software development process.
BDA acts as a guide through every step of the software development process, ensuring security checks are built in from the beginning and enabling DevOps teams to deliver secure products. It is essentially a three-step process:
1) The security team equips the development team with the security-control requirements, and likewise the risk and compliance requirements. Developers need to know these parameters from inception and factor them into their work from the start.
2) The second stage is an examination of security metrics based on existing controls and emerging risks. This may result in new controls, but they have to be developed with an understanding of their impact in terms of cost and business exposure. Determining the right risk threshold is ultimately a business decision.
3) The third and last stage of the BDA process sits with governance at an audit and board level. Metrics collected from the first two stages are rolled into this and KPIs measured at this level are based on core business concerns around areas including compliance, resilience, reputation and cost.
These three stages give fintechs a BDA programme that is aligned with business objectives while putting in place appropriate guardrails to govern the execution and delivery of the software. With this alignment, DevOps and security teams can develop in a balanced way while managing risk.
Matching innovation with security
The success or failure of fintechs today can often depend on how well they balance the adoption of new technologies with maintaining the privacy of their customers and the security of their customers’ data.
This is a delicate balance that requires action from the outset to identify and address risks. By building security into applications from the very beginning of the software development lifecycle, financial services companies can align security, compliance and risk priorities with their overall business goals.