Heightened security risks can hold companies back from investing in emerging technologies, but staying on outdated systems may further jeopardize businesses, Mandy Norton, Wells Fargo's senior executive vice president and chief risk officer, said Wednesday at the Lesbians Who Tech & Allies Debug 2020 Summit.
Managing this balance relies on a holistic view of risk management that includes IT leadership in the conversation, Norton said.
To create the integrated view necessary to protect the business, IT leadership must translate tech language and risk to the larger leadership audience, Norton said.
"It's really, really important to think about our risk management holistically because you can't think about managing credit risk or fraud risk or market risk without incorporating technology," Norton said. "We're essentially a large technology company offering financial services."
When Apple Pay launched, the financial services sector suffered from a lack of holistic management, Norton said. Despite Apple Pay's security benefits, users could expose credit card information to malicious actors when they transferred credit card information to the Apple Wallet, according to Norton. Lack of end-to-end management and communication of the processes created risk.
That's part of the reason managing cybersecurity still keeps Norton up at night. Comprehensive management of risk at Wells Fargo doesn't mean the bank can ensure the security of every partner. Malicious actors may target financial management apps to which Wells Fargo customers surrendered their log-in information, which ultimately provides a route to attack.
"There may be gaps and it's why you've absolutely got to think about your end-to-end process," Norton said. "Back to that holistic risk management: Think about every single step along the way."
However, the benefits of innovation outweigh the risks, Norton said.
"We've got great firewalls, but the 'bad guys' are continuing to develop their technologies, too, and so you're always trying to keep up with all of the ways in which the fraudsters can get a hold of us," she said.
Innovating to reduce risk
A spark to innovate ignited during the COVID-19 pandemic. Customers flocked to digital services when they could no longer bank in person, and Wells Fargo relied on innovative tech investments to continue providing assistance, Norton said.
Cloud computing underlies how companies do business today, but there are few regulatory guidelines on how to protect businesses and customers from threats in the cloud, Norton said. However, not taking that risk would put Wells Fargo behind the curve.
A companywide system outage last year showed Wells Fargo the importance of modernization and innovation. The bank had to rely on data center backups for business continuity when smoke detection led to an automatic power shutdown in February 2019. Customers couldn't access online bank accounts, and the outage heightened the urgency to invest in modernized business solutions.
Beyond those services, Wells Fargo sees innovation as a necessary way to protect company and customer data.
"If we don't innovate, we won't be able to protect ourselves and fight against the threats and the risks that are out there," Norton said.
Emerging technologies also have the power to improve cyber posture by monitoring the threat landscape. Artificial intelligence and machine learning algorithms can look for fraudulent activities for early detection and mitigation, Norton said.
If Wells Fargo didn't update to the latest technologies and every other business in the space did, Wells would become the weakest link in the chain and a target for attack, Norton said. "It really is about who's got the strongest strategy, and if you don't innovate and continually improve ... you will be the one that will be hit the hardest," she said.