A few weeks ago I attended the InfoSec World Expo in Orlando, Florida where I had the privilege of listening to and learning from some of the smartest people in the information security industry. Among an overabundance of financial service professionals were hackers, government intelligence officials, private sector security consultants, researchers, and authors.
I was surprised by both the number of financial service professionals in attendance and the spectrum of their employers: the Federal Reserve, bulge bracket banks, regional banks, and online and full service broker dealers. Yet there was a noticeable lack of industry representation from software and technology vendors that support financial service firms (FinTech). Nowhere could I find anyone from a capital market technology vendor, or a security exchange, or a clearing house. I struggled to understand why these providers of strategic services so vital to the financial community were so startlingly absent from this event. Are these FinTech providers insulated from the threats that the financial service providers and the government in general have succumbed to over the past few years?
There was a similar dearth of CEOs, Presidents, CIOs or CTOs. Most of the attendees were direct reports of the technology leadership and almost no strategic or client-focused representation was noticeable. This brought me to my second question – Are security issues in today’s world not important enough for the most important?
I hope to answer both of these questions within this brief article.
Roger Cressey, a well-known terrorism analyst, gave a rather animated keynote. His argument, similar to many others at the show, was that the United States Government is ill-equipped to deal with the growing threat of cybercrime. Moreover, the private sector may be even more poorly equipped. Most of the cyber crime is not coming from kids in a basement or a lone wolf, said Cressey, but rather from foreign governments, even those considered close US allies. Highlighting cyber attacks such as the Navy’s F-35, Google’s breach in 2009, Operation Trident Breach in 2010, Nasdaq and London Stock Exchanges breaches in 2010, and the European Union headquarters attack in 2011 cemented his argument that no one is really ready for the growing threat of cyber terrorism.
Others at the conference discussed the cloud and its ramifications on security, particularly the highly sensitive information possessed by financial related services. Many security professionals argue that moving information and services to the cloud to cut costs is a bad idea, with most of the companies not having a contingency plan for a major breach. Furthermore, once companies move information to the cloud, bringing information back to their own local data centers is a problem few executives can answer. Overall, most argued that expense-related technology changes that impact security should be done on a very select and very diligent basis.
My third takeaway from the conference was that many of the cyber attacks are not direct attacks on corporate infrastructure, but typically well-placed “phishing” attempts where corporations are infiltrated from an employee’s computer through file sharing or social media related sites. In this situation with limited security infrastructure to help neutralize these types of cyber attacks, diligence is your best weapon. My discussions with industry professionals informed me that these attacks are becoming more complex and harder to detect, to the point that they are almost impossible to prevent.
In the month since the conference I have had time to reflect and speak with many colleagues, clients, and friends about security and the issues addressed above. Most agreed that cyber security is becoming a major challenge and most also agreed that nothing will get done until there is a major attack, whether it be a breach where substantial information is stolen or a freezing of highly sensitive and important infrastructure. Most also agreed that these issues are not on the agenda for most C-level executives because they have not been important enough.
This is where I would like to make an argument on value.
Many companies are occupied with thinking through strategy, planning product initiatives, executing on top line growth and eliminating unnecessary costs, all with the intent of driving increased shareholder value, and rightly so. Up until most recently, the major concern for FinTech companies, the goal that would facilitate all of the preceding goals mentioned, was simply ensuring uninterrupted service. However, today the operational risks, although perhaps not well identified by most, are game changing and demand attention.
Imagine that a major FinTech company that archives client information, including family holdings, and brokerage commissions, is breached and the securities stolen. You can imagine the destruction in value, lost clients, major shakeup in C-level management, negative media exposure, and the quickly deteriorating share price. The more important question is not related to the individual firm, but rather the industry in general. What would happen to the sector’s value? Would everyone experience a decline in capitalization? Would the smaller more nimble entrepreneurial company experience an even greater decline in value – a flight to quality?
It seems more than possible that a major breach to one FinTech company can have a systemic effect upon the entire industry. The only way a firm can be protected from this value erosion is to ensure that they have a well-documented and strategically aligned security program, with full C-level participation.
Although the threat of a flight to quality is ever present, it seems that entrepreneurial companies have an advantage in ensuring a well thought out and strategically aligned security program. Unlike most of the large FinTech providers, these smaller FinTech companies are more nimble, with fewer infrastructure needs, allowing the instillation of a viable program that addresses cyber security issues in the manner above.
Cybersecurity and cybercrime are game changers for FinTech companies, yet many C-level executives are currently unaware of the real risks they pose and some will unfortunately fall into their grasp.
Bankers typically discuss how to assist companies with increasing shareholder value through growth, but in this case it seems important to discuss how you may save value, or even create value, in a way that may have been previously overlooked. It’s my advice that you reconsider your security strategy, re-analyze your needs, re-consider the ideas from the IT staff, and, most of all, engage the entire organization in your plans.