[Dave Birch] In talking about innovation over the last months we have also from time to time mentioned barriers to innovation. In places, I have made a mental note to look again at some areas where the barriers are being erected by the very same organisations that want to increase innovation. A perfect example of this came my way when James Gardner wrote on the topic of security. This is a great case study, because of the tension between the security department (if one exists) and the innovation department (if one exists). James Gardner sets out a banker's perception of the security guys:
I shut my mouth at this point, knowing I was speaking with that most invidious of creatures, the professional security specialist. You know the type: they spend all their days dreaming up the reasons you can't do something, rather than helping you find out how you can. Theirs is the right to kill any change for any reason, so long as it is related to a "potential security issue".
[From BankerVision: Does the business case for IT Security stack up?]
Surely the security department must have a function other than blocking innovation? Like, for example, improving security. But actually, this is not so clear cut. In some organisations, the function of the security department is more about ensuring compliance, making sure that the right boxes have been ticked, because that is what they are paid and bonused on. They don't get a bonus if no security breaches are detected, or new customers are signed up, or if new products are delivered.
So the recent assertion from IT security chiefs at certain high-profile UK organisations that their primary concern was actually ensuring compliance with regulations such as the Sarbanes-Oxley Act and Payment Card Industry (PCI) standards may come as a surprise.
[From Security is built on compliance - WhatPC?]
I don't want to talk about whether compliance improves security or not, that's a different issue, but whether security is a genuine block on innovation, whether it isn't but is perceived to be, or whether it doesn't make any difference to the organisation.
Clearly, we need security and it would be ridiculous to argue otherwise. But, as we all understand, there's a balance to be struck. Security is part of a bank's proposition to its customers.
If you think about security in the context of banks, the opportunity for safety and security becomes clear. Back in the Wild West, it was all about the bank vault. If one bank’s vault was superior to another, guess which bank got more deposits. Why do you think vaults became such a prominent part of a bank’s physical structure?
[From Historic insights for online security | The Vidoop Blog]
Although one thing that we ought to bear in mind is that in consumer propositions it is the perception of security, as much as the actual risks, that is key to the success of a service.
A recent survey by consulting firm KPMG LLP showed that 91% of respondents had never tried mobile banking, and that nearly half cited concerns about security and privacy as the primary reason.
[From On the Road - WSJ.com]
Right now, we have little actual security (because it's all based on passwords) and all of the inconvenience. Here's an example: PayPal doesn't use any modern system such as OpenID, it uses passwords. When I went to load my PayPal Visa prepaid card last week, I discovered that I'd forgotten the password. So I couldn't load any money, and therefore couldn't generate any income for either PayPal or Visa. Even worse, when I clicked on the "help I forgot my password" link, it asked me for the answer to my secret question: I had absolutely no idea what this was.
Now, I think it is fair to observe that (3D Secure notwithstanding) nothing much has happened in the world of online security. We have SSLv3 but don't use it, S/MIME but don't use it, and so on. Despite the firm predictions of people (eg, me) that password-based security was so insecure that it wouldn't last five years on the web, the only place where I use anything other than passwords is for my Barclays home banking log on.
the web experience has not improved usability-wise or security-wise since Netscape Navigator 1.0, circa 1995.
[From Devolution of Usability and Security on the Web | RiskBloggers.com]
Too much security, on the other hand, backfires. Instead of annoying customers but increasing their faith in the bank, it annoys them and flags up that the bank is vulnerable. If you had to jump through hoops to use PayPal, you wouldn't think "Wow, this must be really secure" but "Wow, people must be getting ripped off a lot". At least, I think this is the psychology alluded to.
A study by researchers at New Zealand's Massey University has found that customers lose faith in the security of online banking systems as the number of authentication checks they have to go through increases. Researchers Hokyoung Ryu and Kansi Zhang found that although enhanced security measures for Web banking may make the process "technically safer", the more identity-checking steps that are required by a customer, the less "trusting" they feel.
[From Extra security reduces trust in Web banking, study shows]
As I said, it's hardly original to say that we need to find a balance. If payment providers were to find a way to deliver simple, effective security (which, to my mind, almost certainly means some form of mass-market 2FA) then it would transform the "security guys" from being about back office, compliance and mistrust into being about extending and enhancing
Can a bank or payment network charge for security? E.g., charge for an RSA token? PayPal issued them for free and no one used them. But when they started charging for them, everyone activated. All of a sudden, when security had a price, it had value.
[From Reflections on BarCampBankSF2 - A Day of Financial Innovation — Payments Views from Glenbrook Partners]
I'm not sure whether people will pay extra for security around payments, because they regard security as an implicit characteristic of payments, a basic minimum and not some value added service. But people will use a service with better security, and this ought to provide an opportunity for the development of value-added services that will generate income. To take a simple example: suppose I could use my Barclays "dongle" to log in to eBay. This makes me happy, because no fraudsters can use my eBay account and it reduces eBay's costs dealing with fraud. If eBay had to pay Barclays a penny every time someone logged in, that could well turn out to be the win-win that we need to move security on. If we want innovation, we need to change security from being a back office cost to being a front office service.
Perhaps the most important use of money - It saves time.
Author W. Somerset Maugham (1943).