Aaron Bailey - Security manager and director, The Missing Link
Sometimes it’s okay to just say ‘no’.
Just ask The Missing Link security manager and director, Aaron Bailey, who often finds himself in the unenviable position of telling some of Australia’s largest financial institutions that, actually, no, they can’t have exactly what they want.
But for Bailey, it’s all part of building a deeper level of trust between provider and end-user.
Whether it be one of the country’s ‘Big Four’ banks - The Commonwealth Bank of Australia (CBA), Westpac, National Australia Bank (NAB) or ANZ - there’s value in the channel standing firm when advising on technology infrastructure deals.
“If we want their trust, we can’t just be yes men agreeing with them all the time,” Bailey said.
“Has there ever been conflict? Yes but you’ve got to say, ‘I don’t believe in that direction you’re going in, I think your money’s better spent over here’, or, ‘I don’t believe in that technology choice, and here are the reasons why’.”
Bailey said such conversations arise from “time to time” in the boardrooms of large banking institutions, due to the large internal technology teams and internally-driven projects impacting discussions.
Technology investments
Specifically, banks such as CBA employ top field experts to work with internal staff to drive technology decision making from the inside.
But on the outside, so does The Missing Link, with this clash of experts causing the potential to give rise to dissenting voices between partner and customer.
“It’s just an opinion at the end of the day,” he said. “We’ve gained our opinion having people who have worked in security for their whole lives, in a number of different places for different clients as technology has evolved over 15 years in the space - we have a professional opinion, as do others.”
On occasions, Bailey said such internally-driven visions has prompted some end-users to walk away from deals, and instead seek other implementation partners that are open to aligning with internal strategies.
But more often than not, they return equipped with the knowledge that Bailey and his team act on what is best for the company and its stockholders.
“Yes, we may lose a project, but not a client,” Bailey said. “I don’t think we’ve ever lost a client doing that.
“You’ve got to have integrity in what you do, and you’ve got to believe in what you do. Otherwise, why are you doing it?.”
For the Big Four banks propping up Australia’s financial market, enterprise technology represents a major investment, with security infrastructure viewed as a serious business.
CBA alone spent just under $1.5 billion in information and technology services for the year ending June 2016, with application maintenance and development gobbling up $511 million of that, and data processing taking $197 million for the year.
While CBA doesn’t habitually break down its technology investment into application type in its public financial documents, a large proportion of its tech investment for 2016 would have been pumped into security, according to Bailey.
Combined, the country’s Big Four invest over $3.5 billion on technology infrastructure and services annually, with CBA spending the most out of the gang.
“Banks are fairly paranoid about security,” Bailey observed. “They will spend a lot of time, money, and people making sure that something is secure.”
This is where The Missing Link enter the discussion, with Bailey consulting for, and selling products and services to, some of Australia’s largest financial services institutions, including the Reserve bank of Australia, Westpac, Allianz and CBA.
Next big thing
Specific to security infrastructure, the financial services sector has one of the highest rates of investment than any other sector, with banks generally sitting at the top of the sector in terms of security investment as a percentage of total IT spend.
The stakes are high, and the sector’s investment in security technology reflects that.
For Bailey, this means that banks usually have extensive and sophisticated internal security teams that are always on the lookout for the next big thing in security, and they generally err on the side of early adoption. But this can sometimes lead to tricky conversations.
Bailey had recently been in a meeting with a bank, when he was asked whether The Missing Link could provide it with any “quantum cryptography architects”.
“I read New Scientist, and I thought that was still in the laboratory,” Bailey recalled. “But it turns out that there’s a vendor that does point-to-point quantum-encrypted laser-based communications.”
Bailey believes this highlights yet another quirk of selling technology into the financial services sector: not only is it okay to say ‘no’ to the big banks, it’s also entirely acceptable to profess ignorance.
“I don’t feel ashamed at all to tell them, ‘no, we don’t have any quantum cryptography architects’,” he added.
Instead, Bailey makes a case for the talents and abilities of his team, offering up smart people who are good architects, good at cryptography, and who are also keen to learn.
With this in mind, a bank might pay The Missing Link staff members to learn with them about how to develop and use emerging security technology.
But once again, this approach all comes down one overriding quality.
“You’ve got to be honest,” he added. “Banks are built on trust and selling security is about trust.”
Always on the front foot
Once trust is built however, then the real work begins.
“Banks are quite often early adopters of things,” Bailey added. “CBA is known as being the first bank [in Australia] to put some of its service in Amazon - in public cloud.
“Somebody’s got to do it. And banks - along with federal government - have got the biggest budgets to do it for security, so why shouldn’t they?”
Consequently, working in security technology requires a blend of constant research and getting the most out of technology available today.
In searching for the cutting edge security technologies of the future, The Missing Link continually invests in new and emerging solutions such as cloud access security broker (CASB) and security incident event management (SIEM), alongside keeping pace with best industry practices.
“Otherwise we have no strategic value to our existing vendors,” he said. “And, remember, the vendors aren’t sitting still either.”
Bailey said The Missing Link recently completed its Council for Registered Ethical Security Testers (CREST) certification, with the federal government-mandated certification essentially freeing up the company to hack their clients - ethically.
Unsurprisingly, at least one of the Big Four banks requires partners to have this certification in order to conduct ethical attacks, highlighting how partners must always aim to stay on the front foot in the rapidly evolving world of finance.
Given the sector’s reputation for exceptionally swift evolution cycles, it’s a trait that is no longer desirable for partners, rather necessary in 2016 and beyond.
This article originally appeared in the October issue of ARN magazine - to subscribe, please click here
