Top five emerging technology priorities for financial organisations

Emerging technologies drive investment priorities for cybersecurity

For the past three years, cloud was consistently the No. 1 emerging technology in which respondents from large financial institutions said they wanted to invest (figure 7). Many of these companies already have a significant portion of their IT infrastructure in the cloud, with the next round of adoption being driven by the migration of core business applications. Many are also developing and deploying new apps for the digital world directly on the cloud.

At the same time, cloud service providers are augmenting their offerings through analytics-as-a-service and automation-as-a-service. Survey responses were in line with this trend: Most large firms expected to increase adoption of software-as-aservice

and platform-as-a-service capabilities. However, with more data and applications moving outside the traditional security perimeter, the risk of cyberattacks increases.

Data and analytics was the second emerging technology priority identified by large respondents. Since financial institutions have access to sensitive personal information, data breaches could have significant reputational implications. At the same

time, many rely on insights from proprietary data and integration with third-party data vendors. Protecting data can be paramount to satisfying client data security and privacy expectations as well as meeting regulatory requirements.

Meanwhile, regulators have taken note of the large amounts of personal data captured and stored by companies, as well as their resiliency and data integrity. They have formed data protection standards, such as Europe’s General Data Protection Regulation (GDPR),5 and in the United States the Federal Financial Institutions Examination Council’s Cybersecurity Profile as

well as the California Consumer Privacy Act. These developments have made data protection an important focus area for cybersecurity.

With artificial intelligence/cognitive coming in third place and robotic process automation in fourth, it’s clear that advanced automation and machine learning technologies present a new set of solutions that can help financial institutions transform operations and achieve cost reductions. While companies are likely taking precautions during development and training, these

technologies are still evolving, with users slowly getting accustomed to working with robotic solutions (better known as bots). These bots have user privileges and can access sensitive company data and automated processing systems. This means hackers have a whole new attack surface that can be leveraged to penetrate an organization’s systems. Automation technology, despite its enormous potential, thus can add to a company’s vulnerabilities during both development and

training, as well as usage. Financial firms should address all of these potential issues.

Indeed, the increased focus of cybersecurity teams in protecting against vulnerabilities tied to emerging technology could be seen in the investment priorities of large financial institutions (figure 8).

People working in security have talked about identity and access management since the introduction of shared computing and mainframes. These remain a priority, albeit typically for different reasons. In an increasingly cloud-native and API-connected world, access control is once again a priority since these technologies expand identity and device proliferation, which creates additional identity types and new authentication requirements. In an increasingly automated environment, this capability is also critical, and more complicated, in securing an organization.

Similarly, data security and protective technology can play a vital role in preventing data corruption and denial of service attacks.

The pace of digitization will likely only increase as the industry moves forward, and therefore should continue to be a key driver in influencing and prioritizing cybersecurity investments and capabilities. It is a leading practice to fully integrate cybersecurity functions into a company’s digitization journey and to embed cybersecurity as a core consideration in transformation projects.

Financial companies manage and operate cybersecurity programs in different ways, from how they are structured, to reporting

lines, to establishing focus areas for cybersecurity spending. Many have adopted a mix-and-match approach based on their company’s objectives.

In this dynamic environment, many financial firms are now closely linking cybersecurity programs to

technology initiatives to effectively mitigate emerging cyber risks. This was reflected in the way cyber risk management was organized at large financial institutions participating in the survey. Indeed, a majority of respondents cited cybersecurity as a part of their IT organization (figure 9).

The close alignment between cybersecurity and IT goals was also reflected in the reporting structure for survey respondents. Among CISOs surveyed from large financial firms, 62% report either to the chief information officer (CIO) or the chief technology officer (CTO), a substantial jump from 38% the year before and only 20% the year before that (figure 10).

By closely aligning cybersecurity with the IT function, financial institutions can be better positioned to deal with emerging cyber risks in a faster and more effective manner, helping their IT partners become more agile.

While the first line of defense in cybersecurity is often aligned closely to technology functions through common lines of reporting, security personnel usually have clearly segregated roles and responsibilities. In second lines of defense, however, cybersecurity is often a part of the technology or risk functions without clearly delineated requirements, roles, or responsibilities.

Companies should therefore clearly delineate cybersecurity from technology or risk functions across both the first and second lines of defense by providing clear separation of roles and responsibilities.