How your firm manages data will shift dramatically under the impact of machine learning, ISO 20022, and new privacy regulations. These issues will add to the complex and underappreciated security problems that already exist in most organizations, as demonstrated by what seem to be daily notifications of customer data released into the wild.
The advice in this Forbes article does not tell you how to prepare for these new challenges specifically, but it does provide operational recommendations that are broadly applicable:
“Build security in from the beginning and automate whenever possible.
Typically, information security is an afterthought in building a new software application or implementing a new system. Once the implementation is finished, the security team starts testing it, resulting in a long list of things to fix before the system can go live. Suddenly, the launch date is in jeopardy, and there is resentment and recrimination on both sides — and the security that results is not as tightly integrated as it should be.
When I worked for a major financial services provider, we had similar problems with security testing coming so late in the development process. Instead, we asked the security team to become part of the early planning and development sprints for any new application. We got early feedback on what would make for a more secure approach, and the relationship between the developers and the information security team became more collegial and cordial.
One lesson I also learned from this experience is to perform automatic log scans for oversights and vulnerabilities. The best way to do this is to incorporate it in the early stages of your continuous integration, continuous delivery (CI-CD) pipelines. With the volume of work and the speed that business requires, it’s just not possible to do such things manually. Automation is imperative.
Security as a business enabler.
Of course, some of the unauthorized data access we might catch will be people at our own company who have a legitimate business need for the data. Inadequate access can stifle ideas and innovation. The logs can serve as a starting point for a larger discussion on how the company can make better use of its data.
Yes, data can be a liability, but so can overly stringent data security. Security should be a business enabler, providing a secure foundation for trusted relationships between the organization, its employees, its customers and its partners. That way, we can move beyond the fear that our data is a potential liability and know that it has become a true asset for the organization.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group