It’s an exciting time to be in payments—new technologies and business models are opening up more opportunities and markets. But that excitement is often tempered by concerns that efforts to capture compelling business opportunities may expose the new venture—and the firm—to unnecessary cybersecurity risk. But what if both the business and cyber teams were fully aligned and committed to delivering secure innovation?
Let’s examine the context in which each team assesses new payments technologies and tools. Both sides are under pressure, and that can cause them to focus narrowly on their respective priorities, rather than search for a win-win solution.
The payments environment
- A wide variety of technology innovators are taking the industry forward with novel, customer-focused payments solutions. To maintain or grow their market share, all payments players are under pressure to offer the latest options to their customers.
- The pace of change has increased, and incumbents feel they need to keep up or lose their competitive edge. Ambitious timelines are often imposed on the teams working on these solutions, which can create a strained environment.
The cybersecurity environment
- Geopolitical tensions have ramped up. One aspect of this is an increase in online attacks and data breaches. Trying to keep up with the latest scams, frauds and viruses from very well-resourced and constantly innovating hackers is a global challenge.
- Cyber criminals are getting more sophisticated and more daring, attacking everything from government departments to hospitals. In an environment where nothing is off limits, cybersecurity has become integral to the functioning of our society, including our financial systems.
- The Great Resignation is constraining cybersecurity resources at all types of businesses. Competition for experienced cyber professionals is intense. With attacks possible at any time, responding quickly and decisively is a big challenge for understaffed teams.
- New products launched by businesses often introduce new risks, some of which may not yet have been identified. A cybersecurity team that is not fully aware of and involved in the launch of new technologies could be caught off guard by an unexpected attack, or a new type of attack.
- The move to cloud-based solutions is making some of the traditional ways of defending and responding to incidents less effective. As the rate of innovation increases, it becomes even more important to develop new responses at speed.
The dilemma
Business leaders must weigh the cybersecurity risks of pushing out new products in the payments space against the business risks of falling behind their competitors and losing customers as their offerings become outdated.
While the importance of managing cyber risk is generally acknowledged, these risks are seldom quantified in a way that allows these leaders to compare them with the expected benefits of taking those risks. And if the cyber risk is quantified, it usually happens at a moment in time (perhaps ahead of a product launch) rather than on an ongoing basis as the risk develops.
This has created a dynamic where business leaders and cybersecurity leaders are at odds a lot of the time. Business leaders may feel like cyber is holding them back and not recognizing the importance of evolving their payments products. Cyber leaders may believe the business unit doesn’t understand what’s at stake when it rushes to embrace the latest trends.
The solution? Cybersecurity as a business enabler
What if the cybersecurity team became a key ally on the path to modernization, an innovation partner with a unique perspective on what is needed for success? Leveraging the best of “agile thinking,” the cyber team and the product team could partner closely throughout the development and launch of new payments products. Both teams should be working with a “how might we do this” mentality, rather than a “tug of war” mentality.
This approach prevents the business team from becoming too invested in a product or technology that is ultimately very risky, and not understanding this risk until they have spent a lot of time and money on development. It also gives the cyber team more time to closely examine the plans and the risk they entail, and to determine how these risks could be mitigated. That avoids a knee-jerk negative reaction to any new product.
The cyber team can use continuous cyber risk quantification assessments to put a price on risk. Security can also be positioned as a competitive advantage rather than an impediment. Many customers are concerned about fraud and cyber attacks and wary of new technologies whose security is unproven. Some will therefore choose a more secure product or service over others. To leverage this advantage, companies can highlight the security benefits of their products.
The business and cyber teams should work together to assess the cost of slowing time to market or scaling back potentially risky products, and weigh that against the benefits of developing products that are secure by design. Incorporating risk mitigation and security into every new product as it is developed can increase customer confidence and loyalty, without causing the business to be stuck in the past.
To learn more about how our payments and security teams can support your business success, contact me here. For more on how innovative payments methods can drive payments growth, read the full report, Growing payments to new heights:
I would like to thank William Beer from Accenture’s Financial Services Security team for his contributions to this article. To learn more about security for payments players, contact William on LinkedIn.