Last year I was fortunate to attend several all-day Chief Security Officer (CISO) roundtables on data protection with some of the top CISOs from Fortune 500 and beyond. Imagine being the CISO of a huge company like Honeywell with over 100,000 employees made up of hundreds of loosely coupled acquisitions worldwide, or Thales, a $17B organization and itself an industry leader in security. Imagine being the CISO of one of the major international banks like JP Morgan. As the CISO, what would be most on your mind? What would be keeping you up at night? Here are the 5 recurring themes I heard.
Companies that have no connection to the financial world - Mindbody (fitness), ServiceTitan (HVAC, plumbing), WonderSchool (daycare), Jobber (lawncare, painting) - are suddenly making more revenue from online payments and other financial services than they do from their core software subscription revenue.
These is because new Fintech infrastructure companies have made it possible for SaaS businesses to add financial services alongside their core software product. By adding Fintech, SaaS businesses can increase revenue per customer by 2-5x, a significant new market opportunity and inspiration for what might be to come in the future.
When you think data protection and data privacy, you might think of hackers trying to get past your company's firewall and into your computer to steal your data. But by far the main reason why data breaches are so rampant today has little to do with external hackers. The main cause of data breaches is insider threats. Insider threats are trusted employees, contractors, suppliers and partners, who leak private data into the wrong hands. Sometimes insider threats leak intentionally, but the vast majority of the time, it's just people innocently leaking your data without even knowing it.
Because insiders - your employees, contractors, suppliers, vendors - have access to data to do their jobs, it is really hard to prevent them from leaking it! Few good solutions exist today, but the race is on to solve the insider threat problem. The key is to first deeply understand the roots of the insider threat problem.
There’s a lot of excitement in the security world today around artificial intelligence (AI) and, more specifically, machine learning (ML). CSO Online lists their top 5 use cases for machine learning in security which include detecting malicious activity in the network, automating repetitive tasks, and analyzing large volumes of data for threat intelligence. But another immediate application of machine learning will be in data protection and the prevention of data leaks.
The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) introduced a higher bar than ever before for data protection, in all industries. It applies to any company that comes in contact with any form of European personal data. Article 32 of the GDPR, covering the security of processing recommends the use of encryption for personal data. In fact, encryption is increasingly recognized as the “get out of jail free card”, because GDPR does not require you to report a data breach if it involves data that was encrypted, giving companies a powerful incentive to re-think their company-wide encryption strategy.
Remember 2017? You couldn't get on LinkedIn without seeing tons of articles about all the different industries that blockchain was going to disrupt. Blockchain was at the top of Gartner's "hype cycle" and, if you read a little further into their report, was expected to transition into the trough of disillusionment. So where is Blockchain now?
Here in Canada we had a small online payment processor, Koho Financial, get breached. They are a startup, only 107 employees, but process billions of dollars of payments a year. The breach cost them millions. FinTech has not had a lot of major public data breaches in recent years compared to most other industries. Perhaps they are more diligent in their security practices, or maybe they're just better at keeping it under wraps?
When an incident does occur though, even to small companies, so much money flows through them that the impact can be spectacular.
SupTech (short for “supervisory technology”) is a subset of RegTech. Whereas RegTech enables companies to be more effective at meeting their regulatory and compliance obligations, SupTech is technology for the regulators to use themselves, to support their supervisory activities, lower costs and increase their regulatory efficiency and effectiveness. The idea is that it’s not just regulated entities that can benefit from RegTech, but also the regulators themselves.
Since the 2008 financial crisis, financial regulations have increased, and other regulations have followed suit (e.g. in manufacturing, data privacy). The result is that companies, especially enterprises, have a myriad of compliance obligations that are very time consuming and for which they are at risk of being penalized. RegTech addresses this problem, helping those companies to automate their internal data collection, analysis, reporting, attestation, etc. SupTech helps regulators (aka supervisors) such as central banks and other regulators of financial institutions, insurance, manufacturing, transport, healthcare and other industries be more efficient, automated, and reduce errors and costs.