Sunday, July 06, 2008

Finance Industry View of Security 3

Hans Gilde (who works in investment banking) left a comment on my previous post noting some difficulties with the implementation of security tokens, especially by a single bank in isolation, and arguing that the banks aren't just being stubborn.

I don't want to focus the argument on a particular security mechanism, but on the overall approach to security displayed by the banks. And I agree that it isn't just about individual banks being stubborn; it is a collective failure of the retail banking system as a whole to respond properly to a complex and difficult set of requirements.

The NLP principle of Positive Intentions indicates that instead of labelling an organization as "stubborn" or “stupid” or “bureaucratic”, we should look for a way of framing the situation in which its behaviour makes sense. There are lots of reasons why an individual bank might be reluctant to take an innovative stance on the security of its customers. The customers might be suspicious, and reluctant to adopt an unfamiliar security mechanism. (And of course there is a positive intention there as well behind this kind of suspicion and reluctance.) If the bank tempted providence (or hackers) by boasting of its improved security, any subsequent breach would be doubly embarrassing for the bank. And, perhaps most important of all, security is not one of the areas in which innovation is thought likely to produce a quick increase in new business and profitability.

My disappointment is therefore directed, not at individual banks, but at the finance industry as a whole. The finance industry is one of the most enthusiastic adopters of SOA and related technologies, but these technologies are not being used to improve the quality of service (including security) experienced by retail banking customers.

So what's the answer? Hans agrees with Dan Glass (quoted in my previous post) that regulation is needed. But banking regulators have other things on their minds right now, and there is little appetite for so-called self-regulation. So until banking customers have a reasonable alternative, nothing's going to change.

I'm not rash enough to make any predictions here. But the Internet has shown itself capable of throwing up radical surprises for established industries. If I was running a bank, I'd be looking at a medium term strategy for converting the business into a flexible and secure platform. Before someone else does it.

No comments: