- 快捷搜索
- 全站搜索
These approaches are adequate, but they don’t go nearly far enough. Even sophisticated organizations still suffer from breaches, and companies are failing to reach the cybersecurity goals they set for themselves. A McKinsey survey of 50 global companies recently showed that none have been able to reach their desired capability level, with only 14 percent of those surveyed rating themselves as “mature” across critical cybersecurity practices (mature representing a score of 3 on a scale of 1 to 4 in eight practice areas).
The issue is that current approaches are passive—companies are usually only on the lookout for known threats, waiting for sensors to trigger alarms indicating that an incident may have already occurred. The approaches are often backward-looking, mostly relying on assessments of past attack patterns. And they do not sufficiently involve business leadership, particularly when log reports of Website attacks, malware, or suspicious activity are not translated into something executives of the businesses can understand.
For example, in one bank, executives were routinely briefed on the number of alerts generated by their intrusion-detection system but were not informed if these “intrusions” were having any impact on the business, leaving them unclear about the true nature of the cyberrisk facing them. Most important, these approaches provide too many false positives—alarms that upon second-level analysis turn out not to be malevolent activity—and are too reliant on large numbers of cybersecurity professionals to examine log reports and compare them with known bad IP addresses or signatures before taking specific actions such as blocking IP addresses or closing ports. These approaches are not scalable because the talent required to staff these positions is either unavailable or too costly, or both, given how many financial institutions have the same needs.
Asian banks need a new approach, one that avoids large staff increases and is better able to use existing security assets, such as fraud-detection units, compliance and risk resources, and business-operations managers. The key is combining old and new to automate the security-response process. The approach melds the tried-and-true practice of focusing efforts on the highest-value business assets with application architecture and network-activity monitoring to detect anomalous patterns (particularly systems changes or outbound network traffic). The result is an environment that can largely take care of itself, freeing up valuable IT security resources to focus on more strategic issues, such as reducing the impact of cyberincidents, and to ensure that the resources are available when incidents do get past the system.
Seeking cybersecurity
This next-generation approach is taking shape. Working with more than 150 private- and public-sector security professionals, we have identified seven elements of best-practice cybersecurity, the first three of which are known to most financial institutions (but rarely implemented effectively); the remaining four will be new to most enterprises.
Identification of critical business assets
The first step is also the one least taken of the seven. Security assessments are usually done from a technical point of view, focusing on gaps or applications that don’t follow policy. This leaves open the question of what are the most critical business assets, meaning they may go unprotected. For banks, this suggests that security is not focused on areas like proprietary trading algorithms, sensitivedata related to underwriting, or risk reports, which could result in material losses and cause significant reputational risk if they were made public.
Development of strategies for assets and ‘use-based triggers’
Based on the assets that need protection, an overall strategy can be defined by identifying practices and technologies to use. Then, for each critical asset, an expected access profile can be developed.
The key is keeping the list of critical assets and access entitlements manageable. This might include determining who can access the information or process, and what the range of expected behavior is (for example, how the information might be expected to move within the network). Triggers can also be set for monitoring certain kinds of activity, such as changing operating systems or Domain Name System entries. For each trigger, actions can be predetermined, ranging from simply logging an alert to shutting down a system. Over time, machine learning will allow these triggers to become more effective. Meanwhile, the organization must be clear about which outcomes are unattractive (downtime in a customer-facing application, for example) and which are unacceptable (such as loss of “bet the company” intellectual property); sometimes, unattractive outcomes will be acceptable. In addition, in some countries, the triggers should be defined so they are not interpreted by government authorities as monitoring individual behavior.
Employing existing processes
Banks and other financial institutions have effective processes to reduce fraud and manage financial risk. However, in our experience, they typically underestimate other forms of cybersecurity risks. Leading banks are beginning to move beyond fraud and include other cyberrisks, such as theft of privileged information—M&A data, proprietary algorithms, and customer information—as part of their enterprise-risk-management program. In addition, when cyberfraud risk is assessed, it is often not fed back to the information-security team so that the unit can design specific mitigation actions. When the process is redesigned, more effective reviews are done, and IT security can then effectively use risk estimates already being done by other parts of the bank.
Enhancing the IT environment
In the short term, technology such as sensors and network appliances is useful for detecting anomalous activity, tightening access control, and appropriately encrypting critical data. Over time, security reviews could be used to increase standardization, making it easier to detect anomalies as well as reduce cost. IT architecture can also be dynamically switched to dramatically reduce the ability of hackers to take or tamper with information—for example, through cloudinfrastructure that moves everything from network switches, servers, and data-management strategies to a virtual, software-based infrastructure. In addition, architectures increasingly need to be adapted to secure the mobile environment. As more banking transactions are conducted through mobile devices, the secure delivery of this channel is emerging as a differentiator.
Employment of active defense
There are a variety of techniques under development to stop attacks from occurring. These include defusing distributed denial-of-service attempts, throttling bandwidth from known attackers, creating “honey pots” of seemingly valuable information in order to gather information about attackers while diverting them from their intended targets, and developing multisource threat-intelligence capabilities that draw from external and internal information sources to provide warnings of malevolent activity before an incident actually occurs.
Sophisticated testing and war gaming to ensure a strong response
Most organizations put 90 percent of their cybersecurity effort into prevention, but developing a cross-functional approach to respond to and mitigate the damage from an attack and regularly practicing it is as important. A poor response can damage a company’s reputation and potentially destroy additional business value. War-gaming a response can help minimize problems such as slow decision making in the “fog of war” during an attack, ad hoc release of messages to internal constituents, poor communication with regulators, and an unsophisticated or uncoordinated media response. Best-practice organizations train and test business, corporate management, and IT and security professionals on how they will respond to attacks. They define their general communication plan as well as what their approach to critical clients would be during an outage, and train their staff to manage a crisis using scenarios based on actual cybervulnerabilities.
Tailoring business and employee engagement to build the right culture and mitigate insider threats
Of course, employees are vulnerable to phishing or other attacks, and up to two-thirds of all advanced external attacks leverage unwitting insiders. Similarly, the risk of malicious insiders remains of significant concern. While putting in place the elements described above, financial institutions should take the internal risk seriously and offer targeted, role-based training as well as continuing education to the broad base of employees about how to manage data safely. In addition, organizations should increase their ability to detect and defend against the threat of malicious insiders stealing or corrupting data or code. For example, several financial institutions are applying advanced-analytics approaches toidentify anomalous behavior by employees (such as accessing databases outside normal hours or using portable media). They are also regularly reviewing the retention risk of important employees: research by Verizon has shown that 70 percent of all insider theft is committed by employees who are within 30 days of leaving the organization.
The threat from cybercrime is real and pernicious. Asian banks and other financial institutions must move from an alert- and reaction-based approach to one where they anticipate and hunt for malicious activity affecting their most critical assets. While no approach will deliver 100 percent security, adopting the principles described above will help banks to detect and thwart adversarial activity, improve the efficiency and effectiveness of their security organizations, and ensure a more robust response to a breach.
Chapter 8:Organizing your bank to capture digital opportunities
(Tucker Bailey, Josh Brandley, Allen Weinberg)
Executive summary:
● Banks need to incorporate digital more fully into their offerings to better serve their customers, who value convenience and simplicity.
● Setting up the organization to deliver on digital is essential to making this shift.
● There are three broad options for doing so (a digital “SWAT team,” a center of excellence, or an independent innovation center), but banks should weigh their strategic aims before deciding which to use.
● When putting the model in place, players need to ensure sufficient funding, create a digital culture, find the right talent, promote entrepreneurship, and above all act quickly.
The digital revolution has changed what consumers want, including what they want from their banks. While most Asian banks have at least some digital component, they are not yet truly meeting the needs of their customers, who want convenience, simplicity, and a superior banking experience. Banks need to offer more to their customers—and they need an organization that is prepared to deliver it.
The types of value propositions that digital customers find compelling are, for some banks, a radical departure from their traditional brick-and-mortar offerings (see sidebar, “Ten value propositions for the digital consumer”). For example, integrating multichannel access is a fairly bold proposition fortraditional megabanks that already have a strong branch-centric sales culture. But for a company that is affiliated with, say, an e-commerce organization—Rakuten Bank, a fast-growing retail bank in Japan, is one example—it might be fairly easy to go beyond even multichannel offerings and present consumers with one-stop, multicategory, integrated banking and commerce solutions.
Three organizational options
We have identified three organizational models banks can use to set up and manage their digital teams. Before deciding which model to use, banks should think about their larger strategic goals in the context of the digital opportunity. Some banks might be focused on penetrating new customer segments, for instance, while others are keen to expand into new geographies. Banks should also think about where they are in the digital journey—specifically, their existing digital capabilities and products.
Create a dedicated digital “SWAT teams” within a single business unit
While many banks already have some staff working on ad hoc or incremental digital innovations—usually driven by IT—a single, dedicated digital team can help banks accelerate and achieve true breakthroughs. But banks in the early stages of the digital journey don’t have to make radical organizational changes to make breakthroughs a reality; they can simply establish a dedicated digital group within an existing unit of the organization. Most banks choose retail, which is where the bulk of the public demand for digital resides. By concentrating digital capabilities in this consumer-led business segment, banks can sharpen and accelerate their digital value proposition. Under this organizational model, the digital team can capitalize on its proximity to other groups within retail that also tend to be close to the consumer: customer-relationship management, customer insights, customer service, and physical branches and other retail channels.
Akin to a SWAT team, dedicated digital groups have a clear mandate and are more agile, so they can respond quickly to digital consumers’ evolving needs, drive disruptive ideas, and execute those ideas more efficiently and effectively. And because the SWAT team is embedded in the larger retail unit, promising pilot programs are more likely to garner support from business-unit leaders. One leading Asian bank had great success with this model. The company created a three-person “new business division” within its retail unit to spearhead the bank’s digital efforts. Despite its modest size, the group was able to develop small yet visible digital initiatives, such as an advanced online-banking site, mobile applications, and a new payment system created in partnership with several
Links:TEN VALUE PROPOSITIONS FOR THE DIGITAL CONSUMER
Loosely defined, there are ten value propositions that banks around the world are using to cater to the new digital consumer. They fall into three categories: beyond pricing, beyond digital, and beyond boundaries.
Beyond pricing
1. Simplified core offering. Enter the market with a handful of simple products and one or two “hook” products, such as a competitively priced deposit offering or strong trading platform.
2. Apple-like experience. Design an intuitive digital interface and experience that is free of defects and “leakage.”
3. Personalization. Create a personalized Web experience and recommend products based on, for example, browsing behavior.
4. Social- and mobile-centric. Use the latest digital technologies and platforms to enhance reach and offerings and stimulate engagement beyond customers’ immediate need for financial products.
5. Instantaneous satisfaction. Offer paperless, personalized, real-time transactions.
Beyond digital
6. Ubiquitous and integrated multichannel access. Create easy access via multiple digital and physical channels, so that any transaction can start in any channel and be seamlessly completed in any other channel.
7. Relevance. Use cross-source customer data to predict customers’ needs and provide relevant offerings.
Beyond boundaries
8. Compelling cross-category offerings. Take advantage of opportunities to combine retailing and retail banking.
9. Fun way to engage. Generate customer engagement and affinity building, through “gamification,” for instance.
10. Open ecosystem. Design open platforms for cocreation, communication, and distribution of products and services among the bank’s internal and external
major convenience-store chains. Such initiatives generated buzz within the bank and among the general public as well.
The SWAT model can help banks amass a greater volume of digital capabilities in a short time. But confining the digital organization to a specific business unit is not without drawbacks. The bank might develop isolated pockets of deep digital capabilities but fail to spread those skills across different business units. This model also does little to set the stage for broader or more integrated digital offerings to customers whose interactions with the bank span multiple business units. This means some opportunities are likely missed: for example, the chance to develop a holistic digital offering that caters to small- and midsize-enterprise (SME) customers who want streamlined digital access to both personal wealth and business-banking services.
Create a shared digital center of excellence across multiple business units
Banks that are slightly farther along in the digital journey can consider creating a shared digital center of excellence (COE). Unlike the SWAT model, the shared COE is not confined to one business unit. Instead, it oversees digital activities in multiple units, for example, certain geographies, specific segments like SMEs, and consumer channels such as mobile.
By capitalizing on digital skills from throughout the organization, banks can generate higher levels of synergies, for instance through shared technology and pooling of customer and business insights; this model can also make the bank’s digital-marketing campaigns more consistent and make more efficient use of scarce digital talent and IT development resources. Additionally, a COE could help generate a more coherent system for tracking success in digital innovation across participating business units, through measurements such as return on investment, incremental growth, and cost savings; as is the case with any new initiative, digital innovation must be linked to a quantifiable business objective and must be measured if it is to generate sustained investment and company-wide support.
In most cases, the COE’s leadership reports directly to the bank’s CEO or chief operating officer (COO). This sends a clear message to the broader organization that the digital proposition is a high priority for the bank. (In some cases, banks will designate a chief information officer for the express purpose of overseeing the COE. This person usually reports to the CEO.) The COE model worked particularly well for one global bank, which has long viewed innovation as part of its competitive advantage and core DNA. An early adopter of digital as a strategic priority, the bank established a COE in the late 1990s—driven largely by thevision of the COO and CEO. Because the COE’s leadership reported directly to the two senior executives who had championed the project, the COE was able to quickly get approval to launch new, often industry-leading ideas such as voice-activated Internet banking, animated banking kiosks, “digital wallets,” and live remote access to bankers via the Internet.
Set up an independent innovation center outside of the bank
In some cases, it is appropriate to establish a COE that is separate from the rest of the bank. While a COE inside the bank is closer to the existing customer base and can therefore more effectively serve that group’s needs, a COE that is independent of the parent organization does two important things: it encourages a more entrepreneurial environment because the group has the flexibility to pursue disruptive ideas, and it makes it easier to attract high-quality candidates from both inside and outside the bank. This is especially important in an era of scarce digital talent.
A leading Asian financial conglomerate recently created this type of external COE. Separate from the rest of the banking and insurance business units but reporting to the bank’s holding company, the COE had two goals: first, to act as a thought leader in an effort to support other business units in the bank (for example, by building data-analytics capabilities that can be used by many business units), and second, to pursue the types of adjacent and even disruptive innovations that other teams would not have the capabilities or resources to pursue because of challenges such as the P&L pressures associated with their daily work. The COE’s results are impressive—it has integrated sports and gaming content into the bank’s online portal and built a networked loyalty program that now sustains itself as an independent e-commerce business.
Like each of the organizational models, the external COE has downsides. First, external COEs are costly to set up and maintain. There is also a risk that the group might launch projects that are inconsistent with the bank’s overall goals or strategies. Additionally, the COE runs the risk of being perceived by members of the business units as operating in an “ivory tower”; they might feel removed or excluded from the center. To overcome this, an independent COE should make efforts to build strong relationships with the business units and codevelop small but effective projects that add value to those business units, thereby sustaining the relationships.
How to do it
Regardless of the chosen model, banks should keep five things in mind if they want to create an organization that can meet the needs of digital consumers.
Ensure sufficient funding and investment
Banks should have structured funding in place before launching their digital organization. Dedicated venture funding can help combat the focus on short-term performance that is common in the banking industry; stable, reliable funding is critical to helping the bank capture, in the long term, the kinds of opportunities that can offer significant returns.
Banks should also implement a process that allows for quick decision making about which digital projects to fund. Such decisions should be made by the executives who govern the new organization—not by any individual business units that might be involved.
Create a digital culture
Banks are notoriously slow to change. Creating a shift in mind-sets and behaviors is critical to embracing the new organizational structure and its mission. One way to do this is by generating entirely new key performance indicators (KPIs); instead of measuring top-line sales, for example, digital organizations can look at cross-sales figures or customer wallet share. Banks should also be sure the new digital strategy is highly visible throughout the organization.
Find the right talent
Banks need a well-defined talent-sourcing strategy. They also need to strike a balance between bankers and digital experts. Banks should aim for diversity by recruiting people with backgrounds in customer service, product development, and traditional banking, as well as representatives from Internet companies. All recruits should be customer and action oriented, and they should have a proven track record of challenging the status quo. These demands can put an additional burden on the human-resources department; the enterprise might therefore consider relying more heavily on employee referrals and other informal channels to supplement traditional hiring processes. Banks can also host internal innovation competitions to identify promising candidates or borrow ideas from viral marketing to create “viral hiring” campaigns.
Create a sense of entrepreneurship
Leaders should take care to establish an environment that encourages risk taking and allows failure. Often, bank employees are more conservative than their peers in other industries and are hesitant to behave entrepreneurially; banks that want to launch digital organizations should make it clear that independent thinking will be rewarded, not punished. Metrics are an important part of any new program, but to be sure they encourage innovation, banks should avoid overly constrictive KPIs that might make new ideas seem too risky.
Act quickly
When the digital organization brings new businesses to market, they should do so quickly. Otherwise the idea might stall within the organization and the bank will lose the opportunity to capture early adopters—a critical group in this market. As such, digital organizations need agile processes for implementing new ideas.
Like their peers around the world, digital consumers in Asia want more from their banks. But for banks to create a value proposition that customers will find compelling, they must set up an organization that can deliver it.
Chapter 9:Creating a seamless customer experience: An interview with Westpac New Zealand’s digital-banking head, Simon Pomeroy
(Interviewed by Kenny Lam)
Executive summary:
● Westpac New Zealand has moved aggressively into digital banking.
● The bank has put customers at the heart of its strategy and is aiming for a unified online-banking customer experience.
● Early results are promising: product sales and revenues generated through the digital channel are increasing.
● Banking is still a “people business,” and Westpac is clear that it wants customers to be able to go seamlessly from the digital channel to a human being.
Digital banking is changing the nature of bank-customer relationships, a development that only a few banks in the Asia-Pacific region have grasped. One of them is Westpac New Zealand, which has put its customers at the center of its strategy. Westpac New Zealand has moved aggressively in the last year to create an integrated, multichannel communications program and a unified online-banking customer experience. This enables Westpac to use digital channels to extend the services that can be performed in a branch today and promote both deeper customer relationships and a seamless customer experience.
The transformation accelerated under the leadership of Peter Clare, the bank’s CEO, who has a strong interest in digitization, both at an economic and a business level. Clare came to Westpac New Zealand in April 2012 and moved quickly to divert investments from other areas into the digital realm and improved customer experience. Clare also worked with his leadership team to spread the necessary cultural changes throughout the business and gave accountability for the development and delivery of strategy to Simon Pomeroy, head of digital banking and customer experience.
In a recent interview with McKinsey’s Kenny Lam, Pomeroy discussed Westpac New Zealand’s commitment to digital banking and how it has carried out its digital transformation.
McKinsey: What prompted Westpac to start thinking actively about digital banking, especially in New Zealand?
Simon Pomeroy: Digital banking is customer-driven, particularly regarding the uptake of technology, in New Zealand and around the world. Peter Clare really understood that, challenged the existing thinking, and started asking, “If we know it’s what our customers want, how do we then drive that change for the bank?”
McKinsey: So you’re saying this was actually quite top-down change?
Simon Pomeroy: I think it does come down to the vision of the CEO. One of the things Peter put on the table is, “Can you imagine this bank by 2020 not having a digital mandate and not having an online platform that allows customers to be able to do all of their banking?”
There’s no doubt there were people in the bank that wanted it but hadn’t necessarily been visible and vocal at that executive level, and Peter brought the focus in. I think all of us recognize, whether it’s in our job title or not, that digital is a key part of customer experience. Digital is where more than 50 percent of our customers are interacting, not just weekly or monthly but daily. And when you think about change, you don’t see customers walking into a branch every day. In fact, you don’t see customers walking into a branch every week or every month. We get more traffic now online in any given day than we get calls to our call center in a month or visits to our busiest branch in a year.
McKinsey: How do you justify the business case for the aggressive move into digital banking?
Simon Pomeroy: I think the upside for us is obvious. I’ll give you a really good example. We were the first bank in New Zealand to put home lending online, where customers could go at their own convenience and apply for a home loan and get a decision straight away. We put that in place last year, and in the space of 12 months, it’s now driving about 15 percent of our total applications for home lending. That, in itself, is a significant result. But out of all those applications, 40 percent or more are not customers of Westpac; in other words, they are new to the bank. We’re the only bank in New Zealand that allows customers to go through their mobile phone and get a quick decision for their home loan—24/7. And the conversion rates we’re seeing are on par with what we’re seeing through our other channels.
作为中国银行业的“第三梯队”,140余家城市商业银行已经走过了近20年的发展
有专家预言:展望未来,银行将不再是一个地方,而是一种行为。IBM作为一家对