*by Roberto de Carvalho

 

Globally, few industries have been as affected by the current digital transformation as financial services. Driven by the rise of new resources in this hyper-connected era, the consequent change in customer demands and intense market competition, banks, insurance companies, brokers and other organizations in this segment have had to reinvent themselves to keep up with technological evolution. The challenges range from the mission of creating more reliable operations to the unequivocal need to strengthen innovation in search of complete solutions that offer unique and efficient experiences to each consumer.

 

Faced with these challenges, financial services companies are adopting dynamic multicloud environments, as well as infrastructures with cloud-native architectures and open-source applications. The objective is clear: to accelerate actions that maximize performance and digital agility in delivering resources to customers. The other side of the coin, however, is that this dynamic imposed by modern digitalization has also made managing technology environments more complex, which ultimately means that these companies are more exposed to risk in their digital security.

 

There are a few reasons for this, including the high volume of applications to be managed, the speed of interactions, and the difficulty of integrating different approaches and frameworks. The point is that the rise of modern cloud environments has indeed created a paradoxical conundrum for IT, development, and security teams — including, but not limited to, the financial services industry. The increasing use of microservices, Kubernetes, and serverless computing, while providing greater business agility, also creates complexity that many security solutions are not designed for (and human capacity cannot manage). 

 

There is also the fact that the networks are arranged in numerous layers, with environments running independently at each of these levels, which creates a favorable scenario for the emergence of vulnerabilities in the middle of the operation cycles. The acceleration of this multi-layered proposal, with new technologies being combined at different levels, could be the door to a serious gap in analysis and protection in companies.  

 

This was one of the messages of our recent survey of Chief Information Security Officers (CISOs) from companies around the world. The analysis highlighted, among other findings, that the high complexity of networks is directly impacting the cybersecurity capacity of organizations. Altogether, more than 75% of the financial industry's chief information security officers admitted that, despite having a multilayered security approach, there is still the possibility of gaps that allow vulnerabilities into production.

 

In this sense, it seems clear that Observability and Information Security need to be seen as converging requirements, since, together, these two disciplines allow more effective management of activities, which speeds up the identification of vulnerabilities and the detection and blocking of attacks across the financial services industry.

 

It must be made clear that Observability must be a priority, because even with the most robust and layered approaches to cybersecurity, many organizations are still unable to monitor in real time and with intelligence the dynamic indicators of current networks. More than tools, therefore, the CISOs need to be able to visualize and understand the context their teams face. In other words, they need real observability to identify a potential risk as well as find a critical vulnerability that can be exploited.  

 

It is worth noting that, according to our study, 42% of organizations have runtime vulnerability management capabilities, but only 6% of financial services companies have run-level visibility into containerized production environments. This comprehensive and intelligent visibility needs to be put in place to ease the teams' routine.

 

This does not preclude the pursuit and adoption of agile practices, such as DevSecOps, to remove traditional bottlenecks that can overwhelm understaffed security teams. DevSecOps truly empowers developers in financial services organizations to secure their own code so companies can launch new digital banking, investment and insurance services faster.

 

However, this practice is still maturing and many developers do not have the resources to take greater responsibility for security. Nor is it enough just to change people's visibility and working model; they also need access to the intelligence required for course corrections to be made accurately and efficiently, ensuring that applications run with maximum security and high performance.

 

To drive effective vulnerability management in the cloud age, financial institutions must treat security as a shared responsibility across the enterprise, and observability as a key capability that gives development, operations and security teams the context they need to understand how their applications are operating and where the vulnerabilities or hotspots are.

 

Only with this balance between implementing new technologies and observability will security teams in financial services organizations have runtime vulnerability management capabilities. And that's what will allow CISOs to understand what's running in production and identify vulnerabilities that can be exploited to extort money from customers or compromise data that could put them at risk of fraud. With observability, organizations will be able to have accurate and reliable answers to evolve in this transformation journey with more quality, performance and security. 

 

*Roberto de Carvalho, President of Dynatrace in Brazil

 

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
