Balancing Security Policy with Business Objectives in Banking
Bankers face an exquisite dilemma over the balance between security and business strategy. On one side, there’s the sensible requirement to be secure. After all, banks are some of the most attractive hacking targets around. A security focus tends to lead to rigidity and walling off banking systems from the outside world. Compliance regulations compound the rigidity and protectiveness.
Pushing against these generally wise countermeasures is a changing set of business norms and banking customer expectations. To stay competitive, banks today are pursuing “omnichannel” customer engagement. In this mode of banking, the customer can access bank services in person, over the phone, at ATMs, on mobile apps and so forth.
Simultaneously, banks are opening themselves up to new third-party relationships with investment houses, insurance companies and more. Each relationship requires a host of system-to-system integrations and exposure to new endpoints.
How can banks resolve this tension? To Ryan Zlockie, Global Vice President of Authentication for Entrust Datacard, it’s not that complicated. Well, it’s a little complicated, he will admit, but helping banks balance security policy and business strategy is what Entrust does. “Authentication is the fundamental control you need to do secure banking within a strategy of openness,” he observed. “If you can be sure you know who, or what, is interested in doing a transaction with your bank, you can feel a lot more secure about letting them into your systems.”
Easier said than done, most of the time. Entrust has devised a number of solutions, however. They combine single sign-on (SSO) with multi-factor authentication (MFA) and apply them to any affected system. These include legacy systems, which are still core to most banking operations. “We put authentication and transaction validation into the banking business process, no matter what digital assets it touches,” Zlockie added.
According to Zlockie, banks can put the same tools and practices to work for GDPR and other regulations that affect personally identifiable information (PII). Effective authentication facilitates role-based access controls. “Who has access to PII? Who has the right to collect PII?” Zlockie mused. “Strong authentication and transaction validation help keep things more under control, especially at a large organization.”
Robust authentication and transaction validation take some effort and organizational flexibility. “Line of business people may complain about security, about the hassle of accommodating security measures and compliance in their plans,” Zlockie said. “We have two replies. For one thing, we’re trying to make it easier and faster. Also, though, and this is critical, the business side of the bank needs to be reminded of how vital security is to the value of their brand. Customer trust is one of the most valuable assets the bank has. It’s also hard to replace if it gets violated. With the right tools, we help them achieve a profitable balance between business and security.”