Heightened security risks can hold companies back from investing in emerging technologies, but staying on outdated systems may further jeopardize businesses.
Managing this balance relies on a holistic view of risk management that includes IT leadership in the conversation.
Historically, risk management was done locally at Wells Fargo, according to Mandy Norton, senior executive vice president and chief risk officer at Wells Fargo. As technology becomes more integrated with business decisions, the company realized only a comprehensive approach will keep the business safe.
"We're essentially a large technology company offering financial services," Norton said, speaking at the Lesbians Who Tech & Allies Debug 2020 Summit on Wednesday. "It's really, really important to think about our risk management holistically because you can't think about managing credit risk or fraud risk or market risk without incorporating technology."
Even with the best operational risk frameworks in place, security relies on technological expertise because of the interconnectivity between tech and business priorities. IT leadership translating tech language and risk to the larger leadership audience creates the integrated view necessary to protect the business, according to Norton.
When Apple Pay launched, Norton said the financial services sector suffered from a lack of holistic management. Despite Apple Pay's security benefits, users could expose credit card information to malicious actors when they transferred credit card information to the Apple Wallet, according to Norton. Lack of end-to-end management and communication of the processes created risk.
That's part of the reason why managing cybersecurity still keeps Norton up at night. Comprehensive management of risk at Wells Fargo doesn't mean they can ensure the security of every partner. Actors may target financial management apps that Wells Fargo customers surrendered their log-in information to, ultimately providing a way in for attack.
"There may be gaps and it's why you've absolutely got to think about your end-to-end process," Norton said. "Back to that holistic risk management: Think about every single step along the way."
But this wariness doesn't stop Wells Fargo from innovating because the team sees the benefits that outweigh many risks, according to Norton.
"We've got great firewalls, but the 'bad guys' are continuing to develop their technologies, too, and so you're always trying to keep up with all of the ways in which the fraudsters can get ahold of us," Norton said.
Innovating to reduce risk
A spark to innovate ignited during the COVID-19 pandemic. Customers flocked to digital services when they could no longer bank in person, and Wells Fargo relied on innovative tech investments to continue providing assistance, according to Norton.
Plus, innovation is becoming inevitable. Cloud computing underlies how companies do business today, but there are few regulatory guidelines on how to protect businesses and customers from threats in the cloud, according to Norton. It would put Wells Fargo behind the curve not to take the risk.
Wells Fargo learned a similar lesson about the importance of modernization and innovation during a companywide system outage last year. In February 2019, smoke detection led to an automatic power shutdown and the company had to rely on data center backups for business continuity. Customers couldn't access online bank accounts, and it heightened the urgency to invest in modernized business solutions.
But even beyond those services, Wells Fargo sees innovation as a necessary way to protect company and customer data.
"If we don't innovate, we won't be able to protect ourselves and fight against the threats and the risks that are out there," said Norton.
Emerging technologies also have the power to improve cyber posture by monitoring the threat landscape. AI and machine learning algorithms can look for fraudulent activities for early detection and mitigation, according to Norton.
If every business in the space updates to the latest technologies, but Wells Fargo didn't, it would become the weakest link in the chain and a target for attack, according to Norton. "It really is about who's got the strongest strategy and if you don't innovate and continually improve ... you will be the one that will be hit the hardest," Norton said.