The need to balance increasing security and compliance demands while driving innovation is one of the greatest IT challenges facing financial services firms.
With the latest research from the Enterprise Cloud Index showing that more than 70% of FS firms are moving away from Public Cloud, the FS Cloud Transformation Hub caught up with FS security expert Indu Keri to get his advice.
Question: Recent research shows that FS firms think that Hybrid Cloud will account for the majority of their IT deployment within the next three to five years, while more than 70% of FS firms have either moved applications away from Public Cloud, or are looking to. What’s the reason behind this?
Answer: In the world of Financial Services we’re moving very much from a one-size-fits-all offering to services that are much more personalised and tailored to any given individual or small business’ needs. Therefore, to create a truly personalised service you need a tremendous amount of data that is specific to the consumer or business.
Having that level of data allows you to do machine learning and deep learning, along with applying artificial intelligence. These are all factors in delivering highly personalised services. In this context Public Clouds provide both an opportunity and a challenge.
The opportunity is that you get to move with speed and have a huge range of services available. For example, if you go to the Google GCP, they’re betting heavily on out-of-the-box A.I. and machine learning services. If you go to Amazon Web Services, they have MapReduce and a whole plethora of other services.
This in itself provides a big challenge for FS providers. The public clouds are brand new platforms. This means if you have an existing application and really want to make the best use of the Public Cloud capabilities you have to invest in engineers and developers who then rewrite your application for the new Public Cloud platform. That’s not easy.
Most people who really understand how to build a cloud native application are probably working in start-ups or cloud data companies like Uber and Lyft. So, if you’re a technology leader you have a real struggle finding the right engineers who can take your traditional legacy application and move to Public Cloud.
As a result, where I think Hybrid has enormous promise is that you don’t have to worry about re-writing your application. Instead, much as virtualization enabled server consolidation fifteen years ago, Hybrid Cloud providers offer the opportunity that you can lift and shift the application without rewriting.
Hence you get all the benefits of the Public Cloud in terms of speed, development, innovation, and in terms of security and data protection but without the challenge of rewriting your applications.
Question: Results from The Enterprise Cloud Index showed that compliance and security were the biggest factor for IT professionals when choosing a cloud deployment. What advice would you have for how to approach compliance and security within your cloud strategy?
Answer: You have to think about compliance as code. So instead of thinking of compliance as a process where you hire an auditor once a year and then you’re back to business as usual, you really have to think of compliance as being implemented by a set of automated activities and tools. The result is that you’re in compliance all the time.
There are two other significant changes that need to happen. The boundary between compliance and security is starting to blur. In many cases, what you need to do from a security perspective also delivers compliance for you, while many organizations really struggle with compliance as being the primary driver for change.
So, by combining compliance and security you’re really able to build a culture where security and compliance requirements are thought of on day one instead of being afterthoughts. This really improves the compliance and security posture of the overall organization.
Finally, there is never a better time for a compliance or security professional to reach out to their peers. Even though you might compete with your financial services peers on a day-to-day basis, on the business side, in the world of compliance and security, you actually go further together.
We are so interlinked in the world of financial services that quite often you might be vulnerable or be non-compliant, not because of something that you did, but something that your partner did, without even being aware of that. Hence, working together to build an ecosystem where you raise the compliance and security bar across the entire ecosystem becomes really, really crucial.
Question: What three pieces of advice would you give for how FS companies can enable innovation while meeting regulation and compliance?
Answer: You know, I wouldn’t even have three, I would just have one.
There is so much for us to learn from so I think we need to step back for a second. Most of my professional career has been in the Valley and one of the things the Valley does really, really well is rapid iteration, experimentation, willingness to break something and then fix it within reason.
I would say that having that sort of a mindset where you rapidly innovate and use your innovation and your experience to get better and better is probably the single most useful piece of advice I would give anyone. It’s very much a mindset and therefore it’s easy to change. You don’t have to wait for tomorrow or six years for you to put this sort of a mindset into practice.
Be willing to take risks. Be willing to explore new ways of doing things. Be willing to put something out there even if it’s not fully baked. Be willing to be wrong and be willing to learn so that you don’t make the same mistake twice.
Following roles at McKinsey, BEA Systems and Oracle, Indu Keri is Chief Product Security Officer at Cloud Transformation specialists, Nutanix.