This session discussed the importance of an integrated approach – organisationally and technologically – in ensuring security and optimum customer experience.
Patrick Liu of Fusion Bank shared that as a virtual bank, it is vital to have adequate security controls and mitigation plans to protect customers.
Ricky Woo of DBS Bank, on the other hand, emphasised the importance of governance structure and processes in reviewing partners and third-party risks in open banking and customer-centric ecosystems.
In addition, Sumit Agarwal of F5 highlighted the use of a contrarian perspective in viewing standard metrics as imposed friction on users.
Key points include:
Here is the full transcript of the session:
Foo Boon Ping (FBP): Welcome to this RadioFinance session on “Identity, fraud and theft - how we fight the dangers of open banking”. I am Foo Boon Ping, managing editor of The Asian Banker. Together with our invited guests, we'll discuss the different digital fraud scenarios in the financial services industry and how financial institutions are leveraging converged systems and platforms to defend themselves against a broad array of security threats and fraud risk, and at the same time, deliver better customer experience.
The COVID-19 pandemic has fundamentally changed the digital banking landscape around the world. This has resulted in a sharp rise in the use of online platforms, with financial institutions being pushed to accelerate their digital transformation, enhance and embrace open banking, and create new ecosystems. We are pleased to have expert guests with us to give us a wide range of perspectives.
First of all, we are very pleased to have Patrick Liu, who is the chief information security officer (CISO) of Fusion Bank, a newly licensed virtual bank in Hong Kong, which is a joint venture between Tencent (the company behind the super app WeChat), ICBC (the largest bank in the world today), the Hong Kong Exchanges and Clearing, and Hillhouse Capital. Patrick has wide experience in IT and security, including security operations, risk and control, and IT audit.
Next, we have Ricky Woo, who is the executive director and CISO at DBS Hong Kong. Ricky has more than 30 years of experience in IT operations and process optimisation.
And finally, we have Sumit Agarwal, who is the co-founder of Shape Security, which is now part of the application and network security provider F5. He has been the vice president of analytic products at F5 since 2011. He served as the deputy assistant secretary of defense at the Pentagon and later advised on cyber policy and led mobile product management at Google.
To get us started, I'd like to share the responses to a poll that we conducted among our online readers and followers on the topic as a lead-up to the session. One of the challenges in the IT security, risk and fraud mitigation and prevention function today is that the essential parts of network and application security, identity management and fraud sit in different functions and systems within the institution and often do not assess or share the same data and information. This creates gaps that can be exploited by fraudsters and other bad actors in the cyber environment.
We asked this single question to our respondents: “Is an organisationally and technologically integrated approach the only effective way to ensure IT security and deliver optimum customer experience?” 71% of the 209 people who responded agreed that “an integrated approach is imperative to ensure IT security, backed by a converged team and platform, to deliver optimum customer experience at a lower operational cost”.
Meanwhile, 17% disagreed, saying that an integrated approach to managing new and emerging threats is insufficient as risk remains differentiated and customer experience may be compromised; meaning that different types of fraud would require different organisational or system approaches and may not be best addressed through an integrated one. 12% of respondents neither agreed nor disagreed, saying that there is value in overcoming siloed responses to sophisticated financial crime, but large organisational change is slow and varies with institutional risk appetite for digital transformation.
There are further comments given by those who agreed. An integrated approach is key for a strong risk management approach as it provides holistic monitoring for better efficiency and control. Data is easily accessible and can be used in real time for decision-making and making changes. It enhances customer experience while ensuring protection against security threats during the pandemic. Those who disagreed say that an integrated approach may create systemic problems. Minor or less important systems do not need to be converged; it is only necessary for the main ones. This may sometimes lead to less agility in responses and changes.
Now, I’d like to start our discussion with our guests. I'd like you to speak to the two sides of the proposition for an integrated approach from the experience of your respective institutions. What are your thoughts about the poll findings? If you are a new digital player, would it be more natural to go for an integrated approach? On the other hand, if you are a traditional bank with legacy processes, organisational setup and technology stack, would it present a greater barrier to adopting an integrated approach and achieving the desired effect?
Patrick Liu (PL): Naturally, we have a lot of data in our daily lives. In the banking industry, we try to get more data to understand our customers. This is also one of the ways we improve our customer journey. Data is important for us. We put data first when we design cybersecurity. Through that data, we understand what can go on, what is abnormal. This is something we call an integrated approach, in which we line up different business lines' data in a single source, and then we analyse the data and forecast what's going to happen.
Ricky Woo (RW): DBS cannot be considered a traditional bank, because we always position ourselves as a digital bank like Fusion Bank. The term integrated approach can be seen from two angles. First, from an organisation point of view – what the organisation structure is, what the processes are, are they integrated or do they work separately? On the other side, from a system perspective – are data kept separately or are they integrated together?
From an organisation point of view, departments and business units have to talk to each other. When they think of a new initiative, they also have to think about the interests, the concerns and the limitations from other business perspectives. In order to achieve the quickest results, there has to be an integrated approach so that all the stakeholders can sit together and share ideas and concerns. From a system perspective or data point of view, some data collected from system A can be shared with other systems or services. That should be great because we don’t need to reinvent the wheel for some data. Some of the behaviour and characteristics that we’ve had from one system may be useful for other systems as well, both from a customer journey perspective and a functionality enhancement perspective.
In terms of security, the answer should be an absolute yes, because whether it is a savings and current account system or a credit card system, at the end of the day, all the data or user behaviour, including customers and our internal users, has to fit into a certain centralised repository. This helps us analyse whether some unusual behaviour is happening so we can respond in a timely manner.
FBP: Over the last few years, DBS has gone through digital transformation. As you take on a more customer-centric and digital approach to what you do, tell us what the challenges are in adopting a more integrated approach in terms of creating a single data source.
RW: The largest challenge is readiness. If an organisation wants to implement a so-called integrated approach, does the system allow them to do it in terms of flexibility of the design, communication among systems and whether their infrastructure can support this sort of approach or not? This should be taken into consideration on day one, starting from the design phase. Otherwise, it's very hard to achieve. Whenever there's a new product being launched, there's a forum committee, which consists of all the stakeholders, to make sure they are on the same page. If this sort of mindset is already in place, it will be much better.
FBP: Sumit, you have a wider perspective working across the financial services industry and beyond. What are the application fraud scenarios that you are seeing and how can institutions better manage this without compromising user experience?
Convergence key to better communication and preventing fraud
Sumit Agarwal (SA): The first thing to keep in mind is that criminals and fraudsters are aware of how our organisations are structured. They're aware of the methodologies, techniques, products and services we use. I have been amazed at the level of innovation among the criminal community. They hyper-specialise and focus on individual parts of the task: some people are good at network breaches, they collect data; some people are good at using personally identifiable information (PII) to turn that into monetisable exfiltration schemes, and so on and so forth. One of the reasons that I'm strongly in favour of a converged platform is this – the attackers literally attack the gaps between systems. They understand how a network security engineer looks at a problem and they sidestep and circumvent some of those capabilities. They understand how application security engineers or fraud analysts look at a problem. And so if we aren't taking a holistic view and a converged view from the defensive side, then it just makes the job of the attacker that much easier.
Let me add another comment. I see at least 25% to 50% of total resources in the organisations I work with devoted to integration. They buy five solutions from five vendors. They spend half of their energy on data normalisation, labelling, tagging. They have a message bus and they're integrating. Half of the resources are gone, and we haven’t even begun to create new value because we've just gotten our data organised. The second problem that creates is that we as a vendor sell a product. In the old days it takes a year to implement it, and then nobody wants to change it. So, not only do you blow a lot of your resources on data integration, you slow your pace of innovation down. But when you have a converged platform that is fundamentally integrated end to end, you have a lot more speed, a lot more speed to value. You don't waste all that time on integration, and you have a lot more flexibility in plugging services in and out of that platform. That's why our whole approach and strategy has now shifted to a converged platform.
I wanted to address some of the comments that I saw in the survey about the importance of the best product in a particular category versus a converged platform. I came up with a quick analogy that I just want to walk you through. Three of the most popular consumer devices over the last 40 years: a Sony Walkman music player, an early cellphone that weighed about two pounds and the first ever digital camera in 1975. The story over the next 30 to 40 years is that each of these devices got more powerful. By the end of that 35-plus-year journey, the devices were magical. They were the stuff of science fiction: thousands of songs, global cellular connectivity and huge numbers of megapixels in these special-purpose devices. And they were inexpensive enough for hundreds of millions of people to afford. But in 2007, a device emerged which was the worst in all categories – worst camera, worst music player and worst phone. The only virtue of the iPhone in 2007 was that it was fully converged. Now, some of you might argue that it had an application development environment and a web browser, and that's true. But that really just speaks to the further convergence, because when you converge all these technologies, only then do you have the ability to open them up.
Let's look at what that convergence did. Here is ride-hailing in the 1950s. You stand on the street, you raise your arm and you call a cab. Here is the same activity 50 years later. There's no change, it's the same activity. But when you add that converged device, in less than five years, the entire world began to change its behaviour in this fundamental human activity of standing on the street and hailing a cab. Within 10 years, this literally changed from New York City to the back alleys of Mumbai. You go to India and you can hail a bike ride on Uber, Lyft and the equivalent local converged services. So that's all a build-up to the fact that we're getting to the point of convergence in security. I hate to take such an aggressive stance, but for those of you who disagreed, the convergence is going to happen whether you agree or not. The question is – are you going to be able to take advantage of it?
The four areas that I want you to think about deeply that are converging are: network security, application security, fraud and identity. In most of the organisations that I work with, these are strongly siloed. They try to share information and data, but they have those problems of lots of time and energy spent on integrating the data, different cultures, brittleness and rigidity. Once they've integrated the data, it's hard for somebody to change what they're doing because it breaks a downstream system.
I want to give you a quick case study of how that works on Amazon. I'm using a customer that represents all of the use cases that I've seen. Think about this in terms of volume: billions and billions of something that happens at the front door down to something that only affects a few thousand users. That's the scale, and the many orders of magnitude of the security, fraud, identity and analytics problem that happens to large enterprises like your own. On the homepage, or on the sign-in page of any one of your large enterprises, you may have hundreds of millions or billions of bot attacks or transactions over a year. This requires a fundamentally different type of strategy and approach: very high transaction volume and very speedy, sub-20-millisecond real-time reaction to problems. Failure to do so results in enormous amounts of traffic entering the environment and drowning out all of the other signal. So one of the things that's so amazing about the bot problem is that it seems so simple, but until you solve it, it actually undermines so many of these other things that are happening inside organisations.
The second problem that I see in large organisations is scraping. Plaid, Mint and Yodlee in the US are examples of financial aggregators who scrape data. Plaid just sold to Visa for $5 billion in January of this year, and their entire business is getting the username and password from a user and scraping all of the account information. They also have read-write capability and they can actually move money if the user wants them to. So this is a serious problem. Users are giving their credentials to a third party, and the third party has multifactor authentication (MFA) tokens. The user will log in, fulfil the MFA challenge and Plaid will harvest the token, and so will Mint and Yodlee. It's really an amazing thing that represents a further deepening of the challenge and the problem, but it's semi-legitimate. It's not criminals and fraudsters. Fraudsters do not operate at the scale of billions of anything. They're operating at the scale of tens of thousands. They are simulating a legitimate identity that belongs to one of your users in order to move money, transmit funds, steal bank balances and so forth. So it’s a very different scale in terms of volume and set of capabilities that are required to solve this problem.
And finally, you have an amazing thing that I haven't seen everybody else talking about, which is the usability of the legitimate user. What happens while we're chasing down the fraudsters, the scrapers and the bot-based adversaries is that we end up imposing a great deal of friction on the legitimate end user. Here's an example of that. The user doesn't memorise the memorised secret. We call it the memorised secret. It's something the user knows. But in fact, the user often forgets. And this creates a massive usability problem. And so by having a converged platform that uses signal collection and telemetry to solve a bot problem, that then brings in identifying legitimate human versus legitimate non-human, which is the scraping problem. That then turns into fraud telemetry which says, “Hey, I've seen this user from this device striking these keys”, to finally saying, “We can not only improve our FPFN performance – fewer false positives, fewer false negatives – but we can in fact do things like keep users logged in for 30 days, 60 days and 90 days at a time”.
What we've accomplished with our platform in the US is not only far better results on all of these security-related problems but the ability to reduce the friction that we impose on users. I call MFA, multifactor auth, “more friction authentication”, because it really is more friction for end users. We do it as a necessary evil in many parts of the world. In some places, it's considered a regulatory requirement. But I would challenge you, particularly those of you who are looking into the future (digital millennial users, digital natives and new users) to expect much more friction-free experiences.
Hiding behind regulations is not going to work. We're going to have to find better solutions together. That's really my kind of pitch for why a converged platform, whether it's from Shape, F5 or anybody else. The idea of really breaking down the organisational barriers that exist and getting everybody onto a platform that allows data to flow end to end seamlessly is so important. Even if that converged platform has individual capabilities and features that you think aren't as good as the best of breed, the fact that it's converged might help you experience benefits like these. We've seen a significant reduction in our customers of time spent on data integration. That's about a quarter of the time that I see in a large organisation. You can't run great artificial intelligence (AI) algorithms and true machine learning models unless you have well-organised and properly labeled data. Otherwise, you're just running much more primitive capabilities.
My question to you as security practitioners is, “What are you doing to improve user outcomes around friction and delight?” Because that is what modern security practitioners are going to have to do. We have to do one, two and three, because that's our job. That's doing a good job, but in order to do a great job and a phenomenal job, we have to do four (reduction in user friction is really about delighting the user) and five (about delivering better organisational business outcomes by rescuing legitimate users in distress).
FBP: Thank you so much for the presentation. Now, in terms of the user outcomes, reducing friction, how much of that is an immediate key performance indicator (KPI) for you? We talked about taking an integrated approach, but in terms of the resources dedicated to data integration, reconciliation and so on and so forth, how much of that is taking up your resources today?
Also in terms of open banking with banks moving towards creating an ecosystem where you have to partner with third parties, which also introduces new traffic into your system, how much of a challenge is that in terms of maintaining the security of your environment?
RW: At the end of the day, the important thing is that your bank or organisation has adequate controls in place behind the scenes and has the ability to detect or even predict the sort of attack well before it happens, such as unusual activities and unusual patterns from some kind of utilities, bots, unauthorised users or hackers. It is much better for an organisation to be prepared.
I totally agree that we are now moving to a more open world. Similarly, as long as we have interfaces with others – partners, vendors, other banks or regulatory bodies – fundamentally, we have these controls in place. My point is, no matter what method or attack mechanism is happening outside, inside the organisation we have to think about what could go wrong and how we can detect it. A very good example is COVID-19. We have more staff working from home or different locations. So from our point of view, those insiders might be outsiders now. We never know whether he is he or she is she. Just depending on the password or user ID, can I trust that he is Ricky Woo or is he someone else? At the end of the day, we need to know the behaviour, utility and attack, highlight it and trigger an alert, so that adequate attention can be paid to those unusual activities and we can act on them.
FBP: I also want to hear from Patrick. What can you say about Sumit’s presentation?
PL: In a virtual bank environment, we rely largely on third parties. There is a lot of communication and we share a lot of data with them. So we have to be very careful in onboarding a third party. How we do security authentication is one of the key things we are working on. The other thing is, the ecosystem partner has a lot of use cases. Like our parent company, they have a lot of use case scenarios in daily life. The key thing is, when they have all this customer data, how they do the aggregations – and whether they know something more than they should know – is one of the concerns we are working on.
We carefully weigh what kind of data we're going to share with our ecosystem partners. They use a lot of high technology, including machine learning and artificial intelligence. And all these things can be revealed. These kinds of algorithms are very important to us. We use different technology like facial recognition. How can facial recognition be bypassed? Is it possible to have something that will inject and pollute the data, and then make use of AI to make a decision and interpret data? This is also something we really worry about.
FBP: What are some of the fraud trends that you see in your own environment? I want to ask this to both Ricky and Patrick. Are you both seeing similar things or are there things that are unique to Hong Kong or ASEAN?
PL: Technology can be used by fraudsters. Just like a traditional bank, we face all kinds of fraudsters that try to get money from our bank, try to open up an account and compromise our customers’ devices (log into their account, make some fraudulent transactions and become a fraudulent vendor to get some business from us). We use a lot of monitoring systems. The most important part is, we have a lot of control over our customer login. The other layer is we check what kind of transactions our customers do. For example, whether they usually do transactions at midnight or have a high volume of transactions in the daytime, so it will alert us whether to contact the customer or increase the authentication modules to ensure this person is a legitimate user.
FBP: Ricky, how big of an issue is data theft for non-legitimate customers trying to access the system as legitimate ones?
RW: That one right now is not the biggest issue, at least at DBS. The biggest threats we are facing right now are phishing attacks, distributed denial of service (DDoS), ransomware and how to secure ourselves in the new norm, where we work from anywhere. In terms of data theft, this topic has been in the industry for a while already and we have implemented quite a number of solutions or controls to mitigate those kinds of risk, because of course we never have a risk-free environment. But we are trying to do as much as possible to mitigate the risk. To answer your question, it is not only in Hong Kong; all the banks are facing a similar problem. The question is whether we can merge them into integrated solutions or not. I totally agree with Sumit. The thinking process to design those kinds of infrastructure, mindset, process, governance and model has to cope with that. Otherwise, simply implementing the two might not help.
FBP: Sumit, would you like to add something to this point?
SA: The internal culture of the organisation is often a much bigger question or challenge. It can be a force multiplier and an enabler of success. It can also get in the way of success. I can't tell you how many times we have had to get into debates about what Payment Card Industry Data Security Standard (PCI DSS) 6.6 means. What does it mean? When cardholder data is or is not present, does it translate to a system thusly? Does it get written to non-volatile memory? It's great to have those conversations, but you have to be willing to actually go read the source regulations, interpret them for yourself, and then have a debate.
What you don't want is people saying that they were told by someone else that it has to be done a certain way. That is the amazing thing: how many customers I've met who say, “Well, the regulation says I have to do X”. That is not what the regulation says. The regulation often offers a complex set of choices. You can do A. You can do B. You can do C. You can self-certify. You can create a plan. You can have your plan audited, or you can do something very simple. Many people default to that because they're not willing to do the work. I'm telling you that doing the work is what's going to allow you to deliver differentiated experiences and delightful experiences. I would strongly encourage you to be willing to go to first principles.
And as Ricky was saying, from a cultural and internal organisational point of view, reopen the conversation and really get down to what is required and mandated. You'll be surprised. I have personally had customers say, “I cannot believe it. I thought it was absolutely forbidden to do XYZ, but you've shown me the regulations”. I mean, we could have seen the regulations. It's just that no one ever challenges these things. Everyone is afraid of these regulations. And so, I find that one of the bigger impediments is a fear of reading regulations. And they're really not that scary. I have personally read at least a few pages of each of the major regulations in the countries where we do business.
Evolving regulatory requirements and their impact on security solutions
PL: We are a neobank in Hong Kong, so we face a lot of regulatory requirements. We have to negotiate with external auditors and regulators on a daily basis to sort out something we are working on and comply with all the requirements. One interesting thing is we put these requirements on the table with everyone in the team joining the discussion. I have an operations team who try to understand what the technology is. When we implement something on our systems, they want to know the impact on their operations. All these discussions are very valuable. They will understand what we're trying to do and sometimes give us feedback on how we do the control in different ways, enhancing them to work smoothly without compromising security levels. The discussion has to be clear to everyone. Sometimes you have a very deep technology element in the discussion, and it’s my job to explain all these controls in a business user mindset. Let them understand the reason we do this and what the regulatory requirements are, and combine that to find the solution we want to implement in our environment. This has to be a corporate-level discussion and everybody has to update their technology background to understand that.
FBP: An integrated approach is definitely the way to go. Do you think the convergence of application and security also leads to the convergence of attack points, possibly leading to a bigger impact on the compromised system? If yes, what additional security measures should be taken over and above the traditional methods?
SA: If you think about an iPhone as an integrated device and you think about other devices that are much more open where users are able to download much more content or software more freely, most people might agree that the iPhone is a little bit more secure. I don't think it's the case that a converged platform is fundamentally less secure. It's a trade-off. It's possible that it may be a little bit less secure, but you're picking up so many benefits, particularly in efficiency of the internal teams. The net balance is more favourable.
The other converged attack surface that you have is modern mobile devices that use application programming interfaces (APIs) to communicate with the back-end. Those API endpoints represent a very consistent, well-organised and well-structured way of interacting with a back-end application. I don't think that looking at the convergence of the security stack is the right place to be concerned. It is your application stack which is where the real value is stored. That is already fully converged. Nobody can afford to move away from that. The costs are horrific and horrendous. It's actually vital to catch up on the security side. Get those efficiencies so that you can better defend what is already a fully converged attack surface.
PL: When you converge applications together, you have to think carefully about the design of the security. For example, in the old days the application designers used local applications. Now, we use Active Directory, where every application is hooked up with Active Directory to do authentication. This use case has changed. How we do security is that we have to secure the linkage between the application and Active Directory. This is something new to us and we have to do it fundamentally in the design. Make sure it is secure. The other thing is, what we have is one single source of authentication. We use different technology to safeguard administrator accounts.
RW: Converging applications together doesn't mean that we are creating a single point of failure or that we are increasing the risk. If we converge everything together, and if that converged version is being hacked or compromised, we don’t destroy everything. In fact, converging the applications together means communicating among different units and sharing data, so that when one system is being compromised or there is something unusual, we update the data from another system and take advantage of the indicators. On top of that, the monitoring controls can analyse those kinds of behaviour, output or feedback from those units so that they can trigger an alert for management attention.
FBP: What are the concerns in terms of your evolving digital footprints? Maybe for Ricky and Patrick, as you work a lot with third parties to create a wider ecosystem. And how is that convergent platform taking shape in your organisation?
RW: Process always comes first. That means before we start anything, we need to have a very well-defined process. Let's say, for example, if we want to introduce a new ecosystem partner, we need to know what sort of process we need to control and what sort of area we need to keep an eye on. We have to assess the risks from a security angle, and we have to talk to the vendor and ecosystem partner to see whether they comply with what we need them to do. Whether they comply with our standards, whether adequate security controls are in place and those kinds of things. First, we should have a very robust, comprehensive governance model and risk control framework. And second, we have to make sure that the data being transmitted or exchanged is well protected.
How we use data should not only be from an authorised or unauthorised perspective. We also need to respect the source of data. We have the responsibility to make sure that we use data on a need basis rather than for some other purpose. This is one of the challenges that most organisations are facing because they focus mainly on the functionality. But from a risk control perspective, we do need this framework, mindset and process in place to make sure everything goes fine.
PL: We understand what kind of surface we're going to exchange with our ecosystem partners. The onboarding process is very important. We understand what kind of controls they have, the compliance levels they have and the regulations they are facing. Perhaps some background, such as their hacking history. They should match our internal policy and standards and be aligned with what we commit to our customers and management.
The other thing is, what kind of service are they doing with us? We need to really understand what they do in terms of processing data and information. We cannot allow our ecosystem partner to do something that we don't expect. That is the bottom line. The technology they're using is also one of the key elements that we need to understand. We need to carefully select our ecosystem partner and the process should be in place.
Contrarian metric is core of innovative approach in redesigning products and systems
FBP: You’re looking at the number of attacks and multifactor authentications, but what about the user experience? This whole idea of contrarian metrics, I want Sumit to talk about it as well. Because as good as security measures are in place, sometimes legitimate customer experience and usage are also affected.
SA: I'd like to share two contrarian metrics that I don't hear people talk about very often. The first one is, what is your total number of logins per daily active user? If you have a million daily active users and you had two million logins yesterday, that's two logins per daily active user. What we're finding is that the act of logging in, entering the username and password, is friction, literally undesirable. It's not what the user who comes to your website wants to do. I understand that we all need it. We all think that it's the core, the beginning of the experience, and in some ways it is. But that doesn't mean that we can't view it for what it is, which is unnecessary from the user's point of view and an impediment to getting business done. It's not withdrawing money, not paying a bill, and not helping me accomplish something in my life. It's something that's imposed on me in order to go do those other things.
The point of a contrarian metric is to get us to think differently about something that we all take for granted. I'm not saying that the login goes away or that the username and password go away. But they can be refactored and refashioned. I'm saying that if you view it for what it is which is effectively friction, then you can begin thinking differently about it which is the core of an innovative approach to redesigning the product. We talk with our customers about how we measure that particular contrarian metric, number of logins per daily active user and what steps we can take to reduce that number.
Another contrarian metric is how we think about multifactor authentication (MFA). If you ask most organisations, they can readily answer the question, “What is my MFA success rate?” They fire 80 MFAs, 20 of them fail and 80 of them succeed. That's an 80% success rate. But my contrarian perspective is that every single time an MFA succeeds, you the security practitioner, the owner of the risk engine, failed. So you should measure the number of times that MFAs are successfully fulfilled in your organisation as a measure of failure. And then all of a sudden, that 80% doesn't sound so good because it used to be labelled the MFA success rate. It's going to measure the same thing which is the number of times a user successfully fulfils the MFA. But if you label it the risk engine failure rate, it's the number of times the risk engine inadvertently – because it was insecure and unsure – imposed friction on a legitimate user, then you can again begin thinking differently about it.
I find that contrarian metrics, even ones as simple as relabelling an existing metric to really acknowledge what it is, can be very powerful in changing how we instrument and design our systems. This is particularly vital in light of open banking because open banking means you get to hold the liability, cost, KYC and regulatory burdens. But somebody else gets to hold the user interface. And so if you aren't racing to make yours delightful, then you're going to be left with a lot of costs and not a lot of user interface. You'll have the users but the relationship with the user is going to be disintermediated.
FBP: Ricky and Patrick, today in terms of the metrics that you use, measuring MFA for example, how are you managing that as part of the user experience?
Security practitioners should go the way of businesses
RW: There’s always a debate. Security controls and user experience always contradict each other. From a security practitioner’s point of view, they might always have the mindset, “Okay, we have to stand firm on our point because we need our measurement. Whether we are secure or not, customer journey is not our measurement, it's not in our scorecard, so it’s none of my business”. But from the other point of view, on the business side, they just focus on business, customer experience and whether customers are happy or not. They might sacrifice security control because it's not their measurement either. Organisations should have a very comprehensive governance model that includes all the stakeholders together. They have to exchange ideas. So how to strike a balance between user experience, customer experience and security control is a beauty. It’s an art.
At DBS, we do have this sort of committee. Whenever there's a new initiative like introducing an ecosystem partner, the stakeholders in security, business, compliance and risk management sit down together and make sure that we are not overdoing it. We cannot exceed our bottom line in terms of security control. Everyone knows, “Okay, we have to do it because we need to do it”. This creates an atmosphere, a mindset and a culture across the entire organisation that we need to take care of every aspect of the issue and get the best solution.
PL: For us, we have a lot of experience with customers. We’re very focused on customer journey and engagement. How we make a customer happy is one of the KPIs for us. For security, it’s the same. For example, one very easy to understand measurement is the system uptime. Making sure the customer can use our system is one of the key elements we focus on. It can be converted and become one of our security and technology measures enabling us to measure our uptime and match these key elements to measure the customer journey and happiness.
FBP: From this discussion, there are a few pointers that we can take away. One is the integration of the organisation. Having an integrated technology or security, fraud and identity team and platform strengthens and increases the efficiency and control to fight fraud. Today a lot of the barriers are organisational ones, but an integrated approach is the way to go. It doesn't create a single point of attack as some of the audience may think. Also, in terms of the evolving digital footprint that might expand the security and fraud risk, having processes to bear the risk and having a mitigation plan is very important. We also discussed the user experience, and how at the same time mitigation and prevention measures are taken. The measures to balance that with user experience today do not necessarily sit within any one part of the organisation and as a result may be overlooked.
RW: I believe that the topic today is very interesting and useful for the four of us, including myself, because there are always arguments regarding the tools we have to acquire. I want to point out management support and organisation culture because even if you have the most powerful tool implemented, without the organisation governance framework, we cannot take advantage of the tools. We have to encourage the risk culture, management awareness and support on cybersecurity as well as focus on business development and shareholder interest. I believe these are the key things to make cybersecurity a success factor.
PL: We need to make the management do their job and understand the importance of cybersecurity: the likelihood that they can get hacked, or what the key focus is in terms of cybersecurity. The management understands the issue and the solution we are proposing, or the consequence, but technology is sometimes difficult for them. So we try to make it legitimate. Let them understand. This is the key message here. We discuss all these things and make business people understand what cybersecurity means to them.
SA: I would just leave you with one thought which is that security is a much harder discipline to learn than the basics of business benefits, bottom line and revenue growth. I would encourage you to not view your partnership with your colleagues as meeting in the middle but rather an exercise in which you go three quarters of the way in their direction because they're not equipped to come in your direction. It's much too arcane, complex and technologically grounded. And it's full of fear and uncertainty. If you just say to your business colleague, “Hey, are you going to be responsible if we have a lot of fraud?” They will, of course, back down. Nobody will ever stand up to that because you're the expert and so it behooves us as security practitioners to go more of the distance in their direction.
FBP: Your insights have been very useful. Thank you.