Banking is continuing to experience rapid change. An array of forces—evolving customer demands, digital disruption, cloud, Open Banking, regulatory shifts, fintech and now the global COVID-19 pandemic—mean banks must innovate or risk becoming obsolete. But while innovation is instrumental to business growth, banks are exposing themselves to an expanding and increasingly diverse cyber risk landscape. This is evidenced by the average annual cost of cybercrime for UK firms reaching $11.5m—a year-on-year increase of 31 percent.1
So, is innovation a friend or enemy to cyber resilience? Can growth and greater cyber resilience go hand-in-hand? And could COVID-19 and the aftermath accelerate the pace of innovation?
Accenture recently conducted two surveys which grabbed my attention—one exploring the topic of innovation and the other examining cybersecurity. Both can help us explore this dichotomy.
In Governing Innovation, we surveyed 1,090 companies across industries to investigate the vital role of governance in innovation. For me, a key takeaway was that executives worldwide are looking to increase their innovation expenditure an average of 1.8 times in the next five years, from a total of $3.2 trillion to $5.7 trillion.
Yet only a minority of firms are confidently addressing cyberthreats. Our Third Annual State of Cyber Resilience report draws a distinction between “non-leaders” (74 percent) and “leaders” (17 percent)—of the latter being those organisations which have ‘mastered cybersecurity execution to drive innovation and grow with confidence’.
So combining innovation with cyber resilience is possible. But achieving the right balance requires careful consideration.
Mapping out the banking security landscape of 2020
As our UK & Ireland head of cybersecurity for Banking, I’ve seen banks on the innovation and digitisation journey face a unique set of security challenges.
Let me explore three recent banking security topics that highlight how innovation-led business growth and cyber resilience can work well together.
- Hybrid & multi-cloud security: Cloud conversations have progressed from “should we move to the cloud?” to “how do we deploy the cloud in a way that’s compliant with regulations and secure?” Accenture has developed multi-cloud security for its own applications, and we now operate 94 percent of our business applications in the cloud.
- Third- & fourth-party risk management: Only 38 percent of respondents of “State of Cyber Resilience” held their alliances to the same cybersecurity standards as themselves—and the sheer number of vendors can make monitoring very difficult. It’s important to take a data-driven and tiered-risk approach to securing the enterprise ecosystem, ideally involving integrating fintechs, APIs and external service providers to enable innovative solutions to be taken up with confidence.
- Security automation: 43 percent of “State of Cyber Resilience” respondents use machine learning and AI to manage cybersecurity. And leading organisations spend over 20 percent of their cybersecurity budget on advanced technologies, while also innovating within the cybersecurity space.
Cybersecurity is a corporate strategy issue
In my view, the way forward is for cybersecurity and innovation to be discussed together. Cybersecurity is not just an IT issue, but a corporate strategy problem. Our research shows that governance which promotes innovation correlates positively with leadership in cybersecurity. Here are some key recommendations:
- Inspiration: Put innovation and cybersecurity at the heart of corporate strategy, communicate the synergy and build a culture of mutual awareness. Incorporating a security mindset from the start is critical.
- Ideation: Generate innovation ideas using diverse global expertise, including from industry, intelligence, academia and the start-up ecosystem; and identify disruptive ideas with tech partners that include cyber practitioners.
- Experimentation: Experimentation investments should be part of the budgeting lifecycle, funded gradually and making use of an innovation lab or factory. Agile DevSecOps and SecOps frameworks cut through organisational inertia by breaking projects into chunks and including security at every step.
- Scaling: Scale with technology partners, talent partners and through an innovation lab/factory. Site reliability engineering (SRE) combines development with reliability, balancing speed, quality and safety to blend innovation and operational resilience.
Innovation, cybersecurity and COVID-19
The COVID-19 pandemic has demanded a sharp focus on innovation overnight to ensure business continuity. While it’s too early to conduct any detailed analysis, Our early experiences with clients mediating overnight change and cybersecurity have been promising. “We have a client who asked us literally to go from zero people using Teams to their entire 61,000 workforce in five days,” our CEO Julie Sweet remarked earlier this year. Separately, we partnered with a banking client to use technology to move a key process to a 100 percent working-from-home model, while ensuring data security was adhered to. (Accenture, 2020)
The message? Innovation and cybersecurity can—and must—work hand-in-hand to promote business growth and protect the organisation from a catastrophic breach.
To learn more about our perspective on innovation, check out Governing Innovation. And for our research on cyber security, please explore our Third Annual State of Cyber Resilience report. You’ll be glad you did!