Navigate 3 trends in financial services with DevSecOps
The financial services sector faces both technology opportunities and challenges. Modernizing financial business infrastructure isn’t a new conversation, but it remains a continuing priority and challenge for the largest banking, investment, and insurance institutions. Cloud adoption trends in financial services have dominated that conversation in recent years, across infrastructure, data, and the applications that sit in front of critical resources. This blog post won’t revisit those well-discussed and widely accepted initiatives; the momentum of workloads moving to the cloud is clear. Instead, let’s look at an interesting intersection of dynamics in financial services that affects security.
Here are 3 trends in financial services that align with DevSecOps:
1. Accelerated need for digital business experience
The financial industry was already shifting to a digital client experience. More banking, insurance, and investment startups are emerging, offering more flexible experiences and services, and better returns with reduced operational costs. Savvy users are filling online service roadmaps with feature requests that continue to drive innovation.
These FinTech startups, along with the more traditional financial services institutions, have agile, innovative teams focused on rapid deployment of new capabilities and services that respond to competitive markets. That pace increases the open source share of their code base, which brings in more third-party risk and requires more security measures to keep financial services experiences safe.
This market shift was already in motion, and a global pandemic has accelerated the pace of building and deploying digital services, increasing the pressure to reuse existing code libraries. Somewhere in that cycle, security needs to be integrated into the workstream without derailing delivery of the new capabilities.
2. Cloud transformation continues
Whether it’s a wrapper on legacy infrastructure or cloud native application development, rapid deployment of new services is the goal that has driven the shift in the IT stack. Traditionally, infrastructure carried most of the focus in service delivery, with a final application layer as the interface to customers.
Now, containerization of applications has shifted the IT stack to a predominantly DevOps model. That demands more application development at a faster pace, especially with customers pushing for a more evolved digital financial services experience.
So we are witnessing a shift in focus, with responsibility for the IT stack increasingly sitting with the development organization. More applications, and more infrastructure defined as code, drive a greater reliance on open source to sustain that pace. What doesn’t change is the need to protect customer and corporate assets and to comply with data and security regulations. Yet open source libraries arrive with no security guarantees of their own: known vulnerabilities and unpatched transitive dependencies come along with them unless someone checks. Financial institutions are left with increased risk in their businesses.
3. Cybercrime and financial services
Cyber attacks continue. It’s an ongoing reality for the financial industry: malicious actors keep investing in methods to exploit financial systems digitally for illegal gain. While this is commonly accepted in conversation, it is striking how often the cost of these attacks and breaches is discounted.
Banking institutions have modeled fraud losses for years and invest heavily in programs to mitigate them. Investment in preventing cyber breaches needs the same acceptance. Ponemon’s Cost of a Data Breach report found that the financial services sector had the second-highest total average cost of a breach, at $5.86 million. The business risk continues to grow in this area: web application attacks were a top pattern used against financial and insurance institutions, with 1,509 incidents in 2019 alone, per the Verizon 2020 Data Breach Investigations Report.
But even with an unlimited budget, the skills gap is a big concern: organizations cannot fill open roles with skilled cybersecurity professionals. An estimated 3.5 million positions will be unfilled by 2021, a 350% increase since 2013. Financial institutions have a greater need to invest in cybersecurity and are no better able to close the skills gap.
The intersection point is DevSecOps
Looking at these key trends in financial services together suggests the following:
- Financial institutions are embracing cloud transformation to better engage clients through increased development of apps and infrastructure-as-code.
- This pace increasingly shifts code bases toward third-party open source libraries, which introduce more risk.
- Financial institutions continue to be a primary target for cyber attacks.
- Even with available budget, there is a shortage of skilled security professionals.
- Security shouldn’t interfere with the pace of digital business growth.
What emerges from these takeaways is a need to scale security beyond the AppSec team, especially for open source. The volume of open source vulnerabilities will always exceed the bandwidth AppSec has to address them. An intelligent shift-left strategy, with easily integrated developer tooling that checks and fixes open source dependencies without disrupting the application delivery pipeline, is a viable answer.
Adopting DevSecOps mitigates breach costs by up to $360,000 per breach, according to Ponemon’s 2019 Cost of a Data Breach Report. The marriage of DevOps and application security into DevSecOps addresses the need to scale security beyond small AppSec teams, without burdening developers with security decision-making.
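As an added example, not code from the original post or from Snyk, here is the kind of dependency gate a shift-left pipeline step runs. It reads a pinned requirements file, matches each pin against an advisory list (constructed here for illustration, with hypothetical package names and issues, not real vulnerabilities), recommends the smallest fixed version that clears every advisory for that package, flags unpinned dependencies, and only fails the build at or above a severity threshold so lower-severity findings are reported without stopping delivery.

```python
"""Minimal open source dependency gate for a CI pipeline (added example).

Not the post's or Snyk's code. Advisory data, package names and the sample
requirements file below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first unaffected version, exclusive upper bound
    severity: str
    summary: str


# Constructed advisories; none of these are real vulnerabilities.
ADVISORIES = (
    Advisory("examplelib", "1.0.0", "1.4.2", "high", "hypothetical unsafe deserialization"),
    Advisory("examplelib", "2.0.0", "2.1.0", "medium", "hypothetical header injection"),
    Advisory("otherpkg", "0.0.0", "3.0.0", "critical", "hypothetical auth bypass"),
)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)")


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); pads to three parts, ignores non-numeric tags."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def affected(pkg, version, advisories):
    """Advisories whose [introduced, fixed) range contains this version."""
    v = parse_version(version)
    return [a for a in advisories
            if a.package == pkg and parse_version(a.introduced) <= v < parse_version(a.fixed)]


def minimal_fix(pkg, version, advisories):
    """Smallest fixed version at or above the current one that no advisory still covers."""
    v = parse_version(version)
    candidates = sorted({a.fixed for a in advisories if a.package == pkg}, key=parse_version)
    for c in candidates:
        if parse_version(c) >= v and not affected(pkg, c, advisories):
            return c
    return None


def parse_requirements(text):
    """Yield (name, version_or_None, raw_line); version is None unless the line is an exact pin."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), raw
        else:
            n = NAME_RE.match(line)
            yield (n.group(1).lower() if n else line), None, raw


def scan(requirements_text, advisories=ADVISORIES):
    """Return one finding per matched advisory, plus one per unpinned dependency."""
    findings = []
    for name, version, _raw in parse_requirements(requirements_text):
        if version is None:
            findings.append({"package": name, "version": None, "severity": "medium",
                             "issue": "not pinned to an exact version; the build cannot be audited",
                             "fix": "pin with =="})
            continue
        for adv in affected(name, version, advisories):
            findings.append({"package": name, "version": version, "severity": adv.severity,
                             "issue": adv.summary, "fix": minimal_fix(name, version, advisories)})
    return findings


def gate(requirements_text, fail_at="high", advisories=ADVISORIES):
    """Return (exit_code, findings); exit 1 only for findings at or above fail_at."""
    findings = scan(requirements_text, advisories)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return (1 if blocking else 0), findings


SAMPLE_REQUIREMENTS = """\
# constructed sample lockfile, not from any real project
examplelib==1.2.0
otherpkg==2.5.0
safepkg==4.1.0      # no advisory
unpinnedpkg>=1.0    # not an exact pin
"""

if __name__ == "__main__":
    code, results = gate(SAMPLE_REQUIREMENTS)
    for f in results:
        pin = f"=={f['version']}" if f["version"] else ""
        print(f"{f['severity']:8} {f['package']}{pin}: {f['issue']} -> fix: {f['fix']}")
    raise SystemExit(code)
```

The threshold in `gate` is the practical part: medium findings such as an unpinned dependency still surface in the job output, but only high and critical findings turn the build red, which keeps the check from becoming the pipeline blocker the post warns against.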
To explore DevSecOps further, have a listen to this MyDevSecOps podcast with Guy Podjarny and Alyssa Miller.
Ready to get started with Snyk?