The Intersection of Privacy, Security, And Function
Competing imperatives around privacy, convenience and the client experience will be something wealth managers increasingly have to grapple with as technology advances. Read on for a compelling analysis of the key issues at stake.
Dan Gregerson, Executive Chairman at Summitas, LLC, offers guidance to wealth managers struggling to balance privacy, security and functionality as they upgrade their technology stacks.
This piece forms part of this publication's new report "Technology Traps Wealth Managers Must Avoid 2022", published in partnership with EY, which is available for complimentary download now.
Your digital life is like a multicellular organism; it divides and proliferates across an ever-expanding lattice of data repositories, network connections, and software machines. The corporations and organizations, including governments that have access to your data, are growing in number, sophistication, and interconnectedness. Some systems piece together fragments of our activities to create staggeringly detailed maps of our proclivities, relationships, and deeds.
The internet is becoming an extension of us; its function brings much into our lives, but we often concede our privacy and security in exchange for the benefits we enjoy. Privacy is no longer something we can assume is our right, and we need to maintain it actively.
Perhaps you’ve heard of the searcher for truth who went to visit a sage in the Himalayas. Approaching her destination, a young monk met her at the edge of a crevasse, where he pointed to a basket that would carry her to the monastery on the other side. As she situated herself in the tiny transport, she noticed two severely frayed suspension ropes.
When she turned to the monk and asked, “How often do you replace the ropes?” his response was direct.
“Whenever they break!”
Had our protagonist been a technology executive, she would have asked a few more questions before risking life and limb.
Understanding the threat
Security threats should be easy to assess, and the consequences of security breaches predictable. Unfortunately, they are neither.
A data breach or system failure causes damage that experts cannot fully anticipate because the final tally in money and reputation will result from cascading events. For example, a botched public relations effort could damage the corporate brand and lead to public outcry that inspires the government to enact new regulations. In doing so, the regulators might inadvertently dampen growth, stifle competition, and slow innovation.
Believing is seeing. Investing in visibly functional solutions is more straightforward than in security protections against events that are difficult to assess and may never occur.
A shiny new app has obvious value, but it’s harder to get one’s head around investing in security infrastructure that’s hidden from view. Like a potential adverse credit event for the owner of a default swap, uncertainty of risk is a Sword of Damocles hanging over executives. We are often only vaguely aware of the probabilities and consequences of potential system breaches and failures, especially their downstream effects.
Avoiding speed bumps
Security architecture teams categorize the potential types of attacks against internet-accessible systems, like B2B SaaS. Experience tells them it’s wise to design those systems around a robust security model rather than try to bolt one on afterward.
One of the challenges for software developers and user experience designers is to find a balance that protects security and privacy without creating too many speed bumps for users just trying to get their work done. Great collaborations between engineers and designers result in elegant, functional solutions with strong but hidden defenses.
We all know that the best way to protect information is to encrypt it. Still, one of the reasons many corporate and government databases remain in plain text is that encryption makes queries and computation extremely difficult to implement.
For example, to perform a keyword search on an encrypted dataset, there are only a few options:
(1) decrypt the data first, then search, then
re-encrypt – an expensive solution in time and money for large
datasets that pose a risk of leakage while the plain text is
(2) index data before encrypting, then search the index – a more manageable solution that limits search functionality and risks data leakage via the index, or
(3) use “homomorphic” encryption that allows queries and other types of computation on encrypted data – a longtime goal currently hampered by slow performance and questionable real-world cryptographic strength.
Regardless of one’s approach to improving the processing of encrypted data, the solution will demand specialized knowledge and a larger budget than routine database management.
Complexity is increasing.