Weekly FinTech Tip: Understanding the Concerns of Your Security Team and Doing Your Part Will Get You to “Yes”
“My security group always says no, John. So, all of these innovative ideas you have? They’re useless to me because my security group will not let me do it.”
“Have you talked to our risk people? They’re not going to let us do any of this.”
I can’t tell you how many times I’ve heard those very words from leadership at banks and credit unions all over the world.
“My security group always says no”.
Let’s talk about what you can do to help, and how you can change that no-based culture in your organization.
If your digital strategy were a stool, one of the legs would definitely be security. It would be the most important leg on that stool. Why? Because if you lose the trust of your customers or your members, you’re done before you’ve even started. That means your credibility and your relevance are on the line, and they’re based on your security. Every other day, we hear about a hack. Equifax gets hit. Wendy’s. Home Depot. T.J. Maxx. The list goes on and on. Do you want your name added to that list? Absolutely not. What do you do? One option is to say, “no” to everything. If you don’t take any risks, then there’s no chance that you’ll ever be hacked. But that’s not going to help you survive in the new digital world. You’ve got to figure out how to calculate those risks, find out when to take them and when not to, and, most importantly, hire people that will help you find your way through this process.
I’m often asked, “Why do so many security engineers say, ‘no’ so quickly? Sometimes I don’t even get the whole word out of my mouth before they say, ‘no’”. Well, there are a couple of different reasons. One may be that they’ve been burned before. Maybe they’ve been told, “Hey, this is a great idea”. Everybody blessed it, they worked with you, and all of a sudden it got out the door and there were problems. Maybe they don’t feel like you’ve done your homework before you go and bring a product to light. It’s important that you do a risk evaluation on that new product, and that means thinking ahead to what could happen if that product, service, or program were compromised. What is the risk to the organization? What would you do about it? Sometimes security engineers need to know that before they can make a determination. The more homework you do, the more likely you are to succeed in delivering your new service, product, or program. Finally, sometimes a reward doesn’t match the risk. Yes, maybe you could get some extra loans. Maybe you could drive your mortgage numbers up. But is it worth the risk of your reputation, your security, and the trust of your customers and members?
So, how do you get to, “yes”?
1) Do your homework. Are other organizations doing this, and if they are, how long have they been doing it? What precautions do they have in place to mitigate the risk of doing it? You have to look around and find out what’s going on before you bring something like this to the table.
2) Evaluate the real risk of this happening. If, for instance, someone broke into that new mortgage service, is there data in there that’s important, or is it just a risk of reputation? If you can play that tape to the end, see what would happen, and communicate that to security people, you have a much better chance of getting the service, program, or application out the door.
No one wants to be Richard Smith. Richard Smith is the CEO of Equifax, and he is testifying in Congress about what happened at his organization. Let me tell you that there are many people who think when these hacks happen, “Oh, they were incompetent in their security”. Equifax is a big organization, and I can promise you that they were not incompetent at their security. Don’t fall into the trap of thinking, “Well, we’re better than them”. We’re all just two mistakes away from being hacked.
Security is about balancing risk, reward, and utility. Good luck to you, and I hope that you’re working with your security people. Understand that they have a difficult job, but also understand that you have to do your part to get to, “yes”.
For more information on overcoming digital gridlock in your organization, check out my book, Breaking Digital Gridlock, available on Amazon and anywhere books are sold.
Premiered on March 28th, 2019