Podcast transcript: Cybersecurity and the digital trust imperative (Agents of Change series)

21 min approx | 21 June 2018

Roger Park

Welcome back to the Agents of Change podcast series. I’m Roger Park, EY Americas Advisory and Financial Services Innovation Leader, and the series host. 

Our guests today are Sundeep Nehra, EY Americas Financial Services Cybersecurity Leader, and William Beer, EY Financial Services Cybersecurity Advisory Principal. Thanks for being here today. Why don’t you tell us a little bit about yourselves.

Sundeep Nehra

Thanks, Roger. So, this is Sundeep Nehra. Happy for this conversation on digital trust. This is something which is becoming a pretty important issue for our clients as we are looking at the whole digital transformation journey, which most organizations are moving towards by using the emerging technologies. So, this is something which I’m very passionate about and looking forward to our conversation. 

From a brief introduction perspective, I’ve been 27 years helping clients on cyber and various technology risk topics, so this will be a pretty good conversation with yourself and my colleague, William.

William Beer

Good day. Very pleased to be here as well. I’m a principal here in New York focused on financial services. 

One of the things that I do a lot in my day-to-day work with clients is to try and help them think about the bigger picture and not just cyber-only related matters. And so I, again, I’m also very passionate about the interlock and the connection with digital enterprise transformation. I’m happy to explore that a little bit today with you.

Park

Great to hear the passion. It’s definitely a hot topic. So let’s get right into the questions. Sundeep, let me start with you. With the growing number of high profile cyber events affecting firms from all industries, all sectors, it’s apparent that cyber is no longer an IT issue, but a business topic with significant impacts to growth and profitability. 

How should financial firms adapt and respond with the rapidly changing threat landscape? It seems really hard for even the biggest firms to keep up. 

Nehra

I couldn’t agree with you more. I think cyber is an issue which, from a boardroom to a back office, everybody has a role to play and everybody is impacted by this. And the vast nature of cyber, which earlier was very technology centric, is changing to a business issue for our clients where they are looking at from multiple perspectives of not only addressing the issue which is there as a technology solution, but also looking at what do we need to do from a capital planning perspective? What do we need to do from a risk management perspective? What do we need to do from a residency perspective? 

And when you start putting these factors together and also looking at the ecosystem which they are operating in and the investors and the shareholders and the regulators and the others who are concerned about this, this has become a pretty strategic issue for our clients and it’s getting very, very complicated when the emerging technologies are coming in, and that’s where the topic of digital trust is very impactful.

Park

I think that’s absolutely right. To build off of that, William, technology-driven innovation, transforming financial services and enabling firms to create new products and services, enhanced access experiences for customer and strengthen controls and drive down costs, but cybersecurity, rightly or wrongly, has at times been seen as a drag on digital innovation, especially with financial services firms. Why do you think that is?

Beer

What we tend to see at our clients is oftentimes there is a disconnect between the decisions that are being made from a digital perspective and from what’s being done in the cybersecurity teams. 

In a recent EY survey, we actually saw that about 69% of executives who we polled actually expressed reluctance towards digital product and service innovation due to the perceived cybersecurity risks. So, what we’re seeing at the more advanced organizations is a coming together of the two groups, organization embedding cybersecurity teams and digital teams to provide them with the support they need from the very beginning of the project. 

Park

That sounds like a prudent approach. So, to continue on that theme, how would you describe digital trust and why it is so important to financial institutions today?

Beer

Sure. The key to generating and building digital trust is an approach that we at EY are calling digital trust by design. 

Digital trust by design combines different areas and different areas of expertise which are cybersecurity, resilience, fraud protection and privacy, all coupled with an exceptional and laser focus on user experience. This can help to enhance customers’ trust in their financial provider.

Park

Sundeep, do you have anything to add to that?

Nehra

I’d also like to point out the evolution of digital trust as to why we are at this point, which is as banks and financial institutions are transforming the business models, looking at how they can adapt to the digital world and undertaking these massive digital transformation initiatives, what we are finding is our clients are still approaching cyber as a bolt-on security approach. 

What I mean by that is when we were in the prior world, cyber was always an afterthought and security used to be put at the very end of the program, or when you’re building your products. However, for us to look at what the asymmetric threats which cyber poses to our organization and what happens in our world, cyber needs to be integrated right up front in the product development life cycle and be an integrated activity. And that’s the evolution which needs to happen because, otherwise, what’s happening is we are looking at the aspects from a confidentiality perspective, we are looking at it from an availability perspective. 

But I think what we are missing, the point is from an integrated perspective, which is where the issue happens for most of our clients. I think that’s what we’ve seen, and I think that’s what I would like to add for what William was mentioning about how and where we can bring cyber and digital trust together.

Beer

And just one final thought, Roger, that I think is important. I think this really does require change in mindset and, again, the more successful organizations that we’ve been working with have begun to see and begun to understand that if it’s played properly, cybersecurity can actually be part of the digital value proposition as opposed to being a drag. It takes a little bit of work, but by doing that, it can really help enhance their businesses.

Park

I totally agree. I think one of the promises of innovation and digital transformation is that we can provide more access to customers and to financial services and products, but that’s not going to happen if the customers don’t trust the businesses with their data.

Nehra

And, Roger, I think that trust part is important. And I think what we are seeing in our clients is when they’re looking at how to build the digital trust and how do we bake this into the journey which they are taking, I think there is still some certain fundamentals of core cybersecurity which needs to be there, which is clients still need to look at the cybersecurity strategy and the operating model as to how were they managing cybersecurity risk across the enterprise and the broader ecosystem.

They still need to address the cybersecurity risk which are posed, not only for the digital transformation, but the legacy business models which are there because they have to deal with both elements that run the bank and change the bank, like we call it sometimes. 

And then, also, we have to look at the aspects related to, like we call it, it’s not a matter of if, but it’s a matter when, that these issues are going to happen, these breaches are going to happen. How are you resilient? What are you doing about it? How can you bring the operations back to normal? So, address some of those points which are there about the resiliency side. And then, also, be forward looking, which is clients have to be proactive, looking out for what threats are there, what the landscape is there, how are these vectors changing, and then be more proactive in the intelligence side of it. 

So some of these basic fundamentals of cyber are still applicable. I think it’s how do we rightsize and fit them into the digital transformation journey is critical and those clients who can do that will be successful.

Park

Right. Cyber has always been important, but I think even more so with digital transformation with the increased exposure and increased opportunity. I couldn’t agree with you more. So, one of the critical things about digital trust is really going to be establishing identity. What are the opportunities and challenges for financial institutions as they seek to implement digital identity?

Beer

I think it’s become evident that the traditional approach to authenticating users and establishing digital ID is no longer scaling. All of us have hundreds of passwords for different sites that are very hard to manage, very hard to remember, and are not necessarily providing the best level of protection when we authenticate or do business online. 

A lot of our clients are looking at how digital ID needs to evolve, what different technologies can be used to put in place more robust, frictionless solutions, and also take into account how new digital IDs will need to be established and used by things such as robotics. So, it’s clearly an area that’s undergoing an incredible amount of evolution and more work needs to be done.

Nehra

And I think, Roger, to add to what William was saying, besides the complexities which are there, I think digital identity is the first point where the user experience starts, right, when we’re looking at the transformation how our clients and customers of our clients are accessing their financial information, digital identity is the first point where they get access to it, right? So, we need to get it right. 

And the trust which has to be built to maintain the fundamental principle of financial services to maintain customer trust starts with this and that’s what’s critical, that when we are looking at it we build the programs and we build the whole process so that it brings a seamless experience and you’ll maintain the integrity, confidentiality and will include the information which is what is paramount for all our clients and the customers of our clients. 

Park

Just to clarify, when you guys talk about authenticating and establishing digital identity, are you also talking about things like biometrics?

Beer

Biometrics can be a solution. Biometrics are used today by a lot of our clients. Not necessarily the silver bullet, but definitely one technology that could be combined with things such as blockchain, which would be combined with things such as passwords. 

So, there’s different solutions that could be put in place for different users, for different organizations, depending on their requirements.

Park

That seems like a tricky balance between convenience and security to establish that trust and identity.

Beer

That’s a really interesting point you bring up, Roger, because what we’re seeing is that different users have different requirements. So, it may be for a certain demographic, certain users will prefer one way of authenticating or establishing their ID. 

Other folks, maybe depending on age, may require a different type of technology. And I think the most successful clients moving forward will be ones that give different users different options based on their own individual requirements.

Nehra

And I think the fascinating thing is security is becoming a business enabler. What I mean by that is at some of our clients, they are looking at how can they give differentiated product experiences to our clients based on the level of security which they want to keep? 

So, for example, if I’m into a high level of security, should I get preferential interest rates on my checking account or deposit account, or my mortgage? So, there are certain things which are being looked at to say how do you now use the security which your customers are asking for in a comfortable way and see if that can be built into the whole product design with the organization they are working with.

Park

That would be interesting because I certainly probably would put up with a lot more inconvenience if I’m signing a mortgage online versus buying a pizza. 

Digital transformation for financial institutions seems to be constantly changing with emerging technologies, new innovations, disruption happening from all directions. How can firms keep up and build in digital trust into their strategies?

Beer

Personally, I think that the most important thing that needs to be done is to make sure that cybersecurity teams have a place at the table when decisions are being made around new technologies or new innovative services that banks are potentially looking at or launching. As Sundeep said earlier, too often, security is bolted on at the end, and that causes a lot of challenges and sometimes a little bit of tension between the different teams. 

I think the other thing that’s important to reflect on, a lot of the traditional ways of thinking and the traditional methodologies that are used in the security world may not necessarily be sufficient for some of these new technologies. As we were saying earlier, things like robotics, artificial intelligence, cloud computing are creating an incredible amount of innovation and excitement at our clients, but now the security industry really needs to step up and make sure that our approaches and methodologies flex and are able to better support those new innovations and those new technologies. 

Nehra

And I think, just to add to what William was saying, Roger, what I would say is I think our cyber colleagues also need to have a mindset change. Which is, they need to adopt the model of agile build, which is also work with the digital teams because they are moving at a very fast pace and they have to, right, if they are to survive in the marketplace? 

They have to move at a very fast pace and that’s why I think I’m encouraging our cyber community to also have a culture change wherein embrace the new technologies, don’t be always saying no, but looking at how fast can we manage the risk and what we can do and be hand in hand with our digital transformation colleagues because that’s the way it is going to be. It is not going to be if only the digital transformation happens and cyber doesn’t go. That’s not a good outcome. 

And if the cyber is still continuing to look at the risk and what else is there at their own pace, that’s not helping the digital colleagues. And I think that’s where there needs to be a change, even within our mindset of our cyber colleagues to help address this issue.

Park

So, what I’m hearing you say is that digital and cyber need to go hand in hand, and they both need to go faster. Is that what you’re saying?

Nehra

Completely agree.

Beer

Yeah, absolutely. I mean, oftentimes, they say the security teams need to get out of the suburbs and back into the downtown offices where a lot of the decisions are made because they need to keep up and need to be on the forefront.

Park

Are you just saying that because you live in the city, William? Easier commute for you.

Beer

Absolutely. I’m very privileged.

Park

So, very complex, high-stakes environment. A lot of decisions to be made. Some advice for our listeners. What would you say are practical or critical steps that they can take today as financial institutions?

Beer

Based on my experience, Roger, I think there are three things that add a lot of value and are relatively straightforward to begin to address.

The first is what we talked about earlier around bringing together the different teams, the cybersecurity teams and the digital teams need to work hand in hand. And what we’ve seen as a very successful way to begin to address that is job rotation. How can we embed or rotate cyber folks into the digital teams and vice versa, so we’re creating better understanding and we’re creating stronger and broader teams? 

The second thing Sundeep also touched on, which is around embedding user-centric, data-centric and design thinking into everything that is done and making sure that the security folks are thinking that way as well, because, oftentimes, security is seen as a drag and it’s by concentrating on design thinking that we can ensure that cyber can be seen as an enabler and a facilitator. 

And the final thing, which is a little more tactical, may surprise some of our listeners, is around simulation exercises. We do a lot of tabletop simulation exercises for our cyber clients. But by running tabletop exercises for design teams when they’re designing a new service or implementing a new technology, we can help our clients: 1) raise their awareness of cybersecurity-related matters, 2) understanding the far-reaching implications of what could happen if things went wrong and 3) raising general awareness. So, simulation exercises are an excellent way to raise awareness and help bring the two teams together.

Park

That’s fascinating. I bet you hear a bunch of interesting scenarios coming out of these tabletop simulations. I’d love to be a fly on the wall in one of those. So, as we start to wrap up a little bit here, what’s the one thing you want our audience to know after listening to this podcast about digital trust? What’s their big takeaway? 

Nehra

I think, Roger, what I think is digital trust should be an enabler and viewed as a critical component of product teams and transformation efforts, and not just a function of risk controls, frauds, infosec and bring the whole perspective together like we talked about because security is important in any industry, but customer trust is the bedrock of financial services and for that digital trust is a must.

Park

And now a bit of personal perspective. So, I’ll ask you first Sundeep, and then William. What is the one thing you do to challenge yourselves every day?

Nehra

For me, the challenge is to learn every day and what fascinates me is being 27 years in the industry, every day I’m learning and, for me, that is what is one which keeps me out is learning from a professional perspective, from a personal perspective, learning from my kids, learning on the golf game. There’s always an element of learning which is there and that, I think, is something which is the challenge for the day.

Beer

For my side, it is about learning because I think in our industry we need to stay on top of all the change, but there’s something about the pace of change as well. How do I, as I get older, how do I make sure that I stay in pace with all the change that’s taking place, making sure that I’m connected to new technologies, new mindsets, that I’m thinking globally, as well, because these are global problems and global challenges that a lot of our clients are facing. 

So, I think it’s learning, but pace and also thinking broadly and differently. Those are the challenges I face on a day-to-day basis.

Park

That’s great. I have a suggestion. I think maybe we can all learn together on the golf course.

Nehra

I’m game for that.

Park

Two birds with one stone. Alright, quick-fire Q&A. Which book on digital trust or innovation do you recommend?

Nehra

I actually recommend an article on the point of view which we have covered because there is no book yet on digital trust, and I think that’s something which is going to happen. 

I think William and I should write a book about it, maybe, but most of the learning which I do is at least learning from articles and other collateral which is in the industry.

Beer

Yeah, I agree. I think there is a book here. I think a lot of this is being, I won’t say learning as we go, but a lot of this still needs to be defined. So, once again, it’s how can we be thinking broadly and providing our clients with the best thinking possible in the sector?

Park

Alright, next question. Which headline might we read on this date in 10 years?

Nehra

I think in 10 years we might see a digital bank being hacked by a drone which is operated by a bot, and I think the issue was because of digital trust. I think that’s what I think is going to happen in the next 10 years.

Beer

That’s a great example, Sundeep. How do I top that? 

I mean, with the risk of being a little morbid, Roger, I’m actually concerned about the concept of cyber death. I think that it is inevitable that people will die because of a cyber attack or a cyber failing. That’s one thing that keeps me up at night.

Park

What skill should our listeners be teaching their kids?

Nehra

That’s an interesting question. I have two daughters and we have this conversation quite a lot. 

I think if there is something which is on their personal growth level which is about listening, that’s a skill. But I think what I look at and how the world is evolving, I think our kids need to be taught about cyber and what to think about and how could they maintain the privacy of their information, how are they secure? 

So, this is something which is ingrained in them, but the kids right now are very tech savvy and they can operate an iPad at six months old, and I think the same way needs to happen from a digital trust perspective because cyber is all our responsibility.

Beer

Just to build on that, I agree. I think the technology piece is fundamentally important, but I think we must ensure that younger folks don’t lose sight of the importance of communication, the importance of empathy. 

I think some of the more exciting conversations I’ve had over the last couple of months with my clients are with people who have completely different backgrounds — behavioral psychologists, communication experts — and I think in the future, skill sets such as those will become even more important as technology begins to do some of the heavy lifting.

Park

And what’s the best way for our listeners to reach out to you?

Nehra

Roger, for me, LinkedIn is the best way to reach out.

Beer

LinkedIn is great. I use it every day. But, also, Twitter is another media that I use on a frequent basis, and my Twitter handle is @wnbeer.

Park

Awesome. And I encourage all the listeners to reach out to Sundeep and William if you have any questions about cybersecurity or digital trust. And listeners can make suggestions on future topics and guests or questions on Twitter using #agentsofchange. Thanks for your time.