Interview

Major cyberattacks are fast multiplying globally, impacting businesses, cities, and national governments. CISOs need insights to take a more effective, analytically driven approach to cybersecurity. In this increasingly dangerous digital-first world, they also need to collaborate with their peers and partners to bolster cyber protection across all levels of the company. Cybersecurity can no longer remain restricted to the IT department. CISOs need to be prepared for when, not if, they experience a breach.  

To offer CISOs fresh thinking on how to weather the brewing cyber-storm, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to provide us with valuable decision support and best practices. 

 

As security and resilience become top of mind for corporate boards, what do you see as the biggest change in the role of the CISO?   

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to vastly expand their skill set beyond technical expertise (which, of course, they must maintain). They need to lead a full integration of enterprise-wide security structures and help to develop a full culture of security and work far more collaboratively with other elements of the enterprise, such as audit, legal, human resources, public relations, and others. These all need to be integrated into an enterprise-wide risk management team, and the CISO needs to help lead that collaborative structure.   

Steve Durbin, CEO, Information Security Forum: The role of the CISO varies significantly across industries, regions, and even individual organizations in terms of seniority, authority, budget, team size, and influence. Engagement with CISOs from ISF member organizations has revealed that CISO job descriptions do not accurately reflect the extent of the role being fulfilled. Roles often expand without additional funding, resources, or support. CISOs are increasingly being held responsible, and sometimes accountable, for circumstances beyond their control. The biggest change in the role of the CISO is the need for the individual to balance opportunity with risk and find their own voice within the organization.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: A broadening of the role to think more strategically about the business as a whole and the impact of cyber on the broader business and planning for resiliency outside of just the cybersecurity space.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest change in the role of the CISO is the need to be a business partner at the board level, protecting the organization’s corporate strategy, along with continued production of food or motor vehicles, acquisition or new market entry, the continuous delivery of safe healthcare with protected patient data, etc. and the need to be the secure digital transformation advisor while keeping the corporate strategy functioning securely.  

Ravi Srinivasan, CEO, Votiro: Security leaders are business leaders first and IT leaders second. Successful security leaders are collaborating with the lines of business leaders in the company to secure new digital processes and enable secure user productivity.  

Mandy Andress, Chief Information Security Officer, Elastic: The role of the CISO has become much more complex over the last 20 years. Responsibilities have grown from leading the team handling real-time threats and mitigation of attacks, to overseeing the security architecture and the protection of the corporate infrastructure, implementing security policies and management designed to foresee and address risk, and maintaining compliance with a growing population of regulations and industry requirements.  

And, so-called “soft skills” have become just as important as technical skills. Creating resilience for a company is also about being a trusted communicator, understanding how cyber risks fit into the business overall, and building partnerships across the C-suite. 

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will be a top priority for CISOs in the next few years as they work closely with their peers across the leadership team to build employee awareness of security protocols, and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: CISOs have a starring role in the new normal. Cybersecurity has become a central part of how businesses grow and operate. Their influence with the CEO and board has greatly increased. Radical change brings an opportunity for a dramatic shift in how organizations approach their security programs. The CISO role will no longer be primarily technical. CISOs will broaden their purview to include the ‘business’ of cybersecurity. The modern CISO will make the business case for cybersecurity initiatives and address overall business risk. They will also need to quantify the return on investment of those initiatives. CISOs will be highly knowledgeable about the state of cyber security and the threat landscape. They will share this knowledge with the board in business terms and build proactive security posture management programs that take this global picture into account. 

 

Which cybersecurity best practices should CISOs follow to succeed in today’s riskier world?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: I am a big fan of the Center for Internet Security’s (CIS) Critical Security Controls. Those controls map well to other standards and frameworks but for a strategic view of what a strong security program should accomplish, the CIS Critical Controls are a great starting point.  

Larry Clinton, President/CEO Internet Security Alliance: The most important point is not to confuse regulatory compliance with actual security. The technical best practices probably ought to be a mixture of the various frameworks (NIST/ISO/FISMA, etc.) but need to be adjusted based on the uniqueness of the organization’s technology, culture, and business plan. However, the organizational best practices that are the most clearly documented as enhancing security are the ones outlined by the National Association of Corporate Directors in their cyber risk handbook (available free of charge at www.nacdonline.org).  

Steve Durbin, CEO, Information Security Forum: Applying an approach which is business-centric, risk-based and value-driven. The ISF Standard of Good Practice (SOGP) provides an effective framework for information security policies, standards, and procedures, and is mapped to industry-recognised standards such as NIST CSF, ISO 27002, CIS Top 20, and PCI DSS.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Start with the basics: patching, patching, patching! Limit/restrict access and require strong authentication mechanisms. Limit your blast radius—if something bad gets in, limit where it can go and what damage it can do.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Answering this from the perspective of OT and IoT—understand the connected assets across their environment and supply chain to assess the inherent risks. Drive programs of increasing cyber posture across their estate; patches and updates to the latest firmware and versions; and secure connectivity. Apply the three lines of defense across their business and connected industrial environments with the first line of defense as the OT environment, second the SOC, and third the GRC with re-enforcement and governance of the audit committee.  

Ravi Srinivasan, CEO, Votiro: Follow the data. CISOs need to shift their focus from infrastructure-centric security to Zero Trust Data Security. Understanding how business-critical data and IP are used in all the new digital processes will help security leaders focus on what matters: enabling secure user productivity and mitigating exposure to data breaches.  

Mandy Andress, Chief Information Security Officer, Elastic: Every security program is unique to the company’s needs. When faced with new challenges, people often turn to new technology, but it’s security practitioners who develop new ideas, threat intelligence, and approaches to prevent bad actors from impacting the systems that are so important to keeping organizations functioning. At a high level, CISOs should consider the following best practices: 

• Train your staff. Make it meaningful for your environment. There should be ready access to training materials as part of your onboarding process and at regular intervals throughout an employee’s tenure to help ensure your employees are up-to-date on the latest and greatest. After all, humans are the most vulnerable points in any security system.  

• Test your system. Send test messages to help train your employees. Hire consultants or have an internal red team to find your weak spots and commit resources to fix those weak spots. 

• Understand your data flows. Security teams first need to understand the data flows in their environments so they can ensure that their data only goes where it’s supposed to go. The tools and processes you use should also provide security metrics and, equally importantly, review the data you collect to identify any patterns that may indicate a security vulnerability or team that needs additional education.  

 The best security programs are simple but effective. It is the responsibility of security leaders to balance the people, processes, and technology to defend their organization. While it is important to choose the right cybersecurity technology, that investment should be proportional to the people running the products and the processes that define their work. 

Gidi Cohen, CEO and Founder, Skybox Security: Avoid the avoidable. There is no excuse not to fix a known vulnerability that is exploitable. Many of the attacks over the past few years were caused by bad actors who exploited known vulnerabilities that organizations had enough time to deal with prior to the breach. By proactively conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate them with their unique infrastructure configuration and security controls to determine where cyber-attacks pose the highest risk. 

 

What single piece of advice would you offer CISOs as they aim to secure their organizations against future cybersecurity threats?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: Ensure your security journey has commitment from the highest level of your organization’s leadership chain. Developing and implementing a strong security model that enables the business requires commitment from all parts of the organization. Ensure you have the necessary support from above and across your organization.  

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to embrace some of the modern cyber risk management tools such as FAIR or X-Analytics that move beyond the traditional check-the-box models favored by regulators. While these compliance regimes may be necessary, the effective CISO will be using these more progressive risk assessment tools that include analysis of the economics of cybersecurity and ties security procedures more closely to the organization’s risk appetite.  

Steve Durbin, CEO, Information Security Forum: Engage proactively with stakeholders at all levels inside the organisation—e.g., be forthcoming with the business, drive the conversation with the board, fight for time beyond quarterly meetings where cyber is only a small part of the agenda, help address and answer difficult questions regarding cyber, and demystify misconceptions.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Focus on the basics of good cyber hygiene. Once the foundations are in place, you can build on top of that to address specific types of threats or tools needed to address unique requirements your business may have.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Implement best of breed control technology. Prioritize risk management and identify critical assets that drive business continuity and minimize business operational risks. Address both your baseline cyber posture, GRC, and monitor the environment for threats. Increase your cyber skills capability and increase cyber awareness training for non-cyber personnel. Leverage the latest threat intelligence and do tabletop exercises on breaches or attacks, including negotiation training with mal actors.  

Ravi Srinivasan, CEO, Votiro: Outsource security operations and response so that you can free up resources to focus internal efforts on securing data and the usability of new digital business services. Evaluate any new security technologies based on usability for new digital businesses, open APIs for ease of IT integrations, and simplifying operational support. 

Mandy Andress, Chief Information Security Officer, Elastic: Focus on the basics. The fundamentals of security hygiene for any environment are still the best protection to today’s threats. Change defaults, disable unnecessary services, default deny inbound network traffic, and patch! 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t focus on threats; focus on vulnerabilities. Threats are changing all of the time, are out of your control, and most are irrelevant to your organization considering your security posture. However, all of your vulnerabilities are yours to address. Focus on what you can control, such as eliminating exposure to cyber risk. This includes assessing, prioritizing, and remediating vulnerabilities on time to avoid a breach. It also includes tightening processes and implementing automation to ensure you don’t open your organization to new risk through misconfigurations or making policy changes without validation. 

 

What is the largest mistake that CISOs should avoid making in the future? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: While the concept of a “Zero Trust” security model sounds good and everyone agrees, it is a complex journey that is not easy or cheap. The biggest mistake a CISO should avoid is thinking that Zero Trust can be achieved with just a new technology solution. Reworking the existing security architecture to incorporate more micro-segmentation, continuous monitoring and analysis, and attribute-based adaptive authentication will be a significant investment.  

Steve Durbin, CEO, Information Security Forum: Overestimating or making assumptions regarding the organization’s cyber resilience capabilities and, thus, not testing them (i.e., not conducting regular assurance activities such as cyber simulation exercises).  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Avoid thinking that all your employees need to come from a traditional IT, computer science, or data management background and that they need a four-year degree. We need creative problem solvers—hackers  do not restrict who can hack! We need to be as “open minded” about the resources we employ to fight the good fight, as the threat actors are about fighting to bring us down.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Assuming that they will not be breached, attacked, or be a victim of a supply chain impact. 

Ravi Srinivasan, CEO, Votiro: CISOs maintain their responsibilities to govern security policies and compliance, while the lines of business continue to rapidly innovate, migrate, and adopt new technologies and multi-cloud services. CISOs should partner with the business leaders to balance modernizing mid-/long-term initiatives (often infrastructure-centric) with near-term initiatives (data-centric) to secure digital business enablement.  

Mandy Andress, Chief Information Security Officer, Elastic: Learning from my own mistakes, focus on people first. I have always looked at security as the equal combination of people, process, and technology. While I talked about them in that order, I usually focused on technology first, then process, and people last. No technology can fully protect an organization in today’s environment. Having the right people in the right roles that can creatively apply technology to your environment, adapt defenses to new threats, and communicate to your users with a high degree of empathy will further the success of your program more than any technology or process. 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t underestimate what is required to transform cybersecurity programs. Buying more point products won’t solve your problems. This creates a false sense of security. Instead, you should focus on maturing your security programs to a place where it is at least properly managed and monitored, if not continuously optimized and improved. Tighten your processes to manage the products you do have, ensure you are getting the full value from those products and put the right talent in place to manage your entire security estate. 

Digital innovation is a double-edged sword: while necessary for driving performance, it exposes companies to much greater cyber threats. The COVID-19 pandemic opened even more opportunities for cybercriminals, who adapted their attacks to exploit vaccination mandates, elections, and the shift to hybrid work, while also targeting organizations’ supply chains and networks. With such criminals becoming smarter and more resourceful, cybersecurity is no longer just an IT issue: it is a strategic imperative for the C-suite and government officials. 

To understand how companies are addressing these issues and beefing up their cybersecurity defenses, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected cybersecurity and the implications for their businesses.  

  

How has the pandemic permanently changed the cybersecurity landscape and agenda for companies? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: The pandemic has driven organizations to a more dispersed and distributed employee model as well as exposing supply chain dependencies. For many companies, the risk equation has changed for the worst, driven by a dynamic threat environment that has increased in frequency, intensity, and sophistication. 

Larry Clinton, President/CEO Internet Security Alliance: The pandemic has altered cybersecurity, although it is far from the most important change. If confined to the pandemic, I would say the most notable change is the evolution of a substantial work-from-home community without adequate consideration of security procedures, which has spurred a tremendous increase in vulnerability for the entire system and a resulting significant increase in cybercrime. 

Steve Durbin, CEO, Information Security Forum: The pandemic has resulted in masses of employees working from home long term, personal devices being employed for corporate uses, and spikes in social media usage rates, among other changes, which have broadened the attack surface.  

This shift in landscape has required organizations to reprioritize strategic objectives and key risks—e.g., accelerating digital transformation programs and migration to the cloud.  

The Internet Organized Crime Threat Assessment (IOCTA) 2021 report highlights that COVID-19 has resulted in a sharp increase in cybercrime. Cybercriminals have been identified to be employing the following attack vectors: malware (e.g., ransomware and mobile malware), payment fraud (e.g., sim-swapping, mobile banking trojans and ATM attacks), social engineering, and phishing. 

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Ransomware and malicious cyberattacks rose significantly during the pandemic and impacted many industries. Demand for cyber talent has increased and the shortage of skilled resources has driven the cost of that talent much higher. As a result of the types of attacks seen, many industries are seeking talent that perhaps before, they thought they could get away without hiring or with hiring one or two resources. Now they realize teams of cyber experts may be needed because these threats are here to stay. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The pandemic affected the cybersecurity industry because of the implications of remote working and isolation from traditional hands-on configurations and installations. The remote office created a need to re-architect or accelerate to secure access service edge (SASE) within Software Defined Wide Area Networking (SD-WAN), with cloud and full corporate security policies for email, data, and access beyond the officer perimeter. This permanently changed the approach and accelerated the need to design in cybersecurity for all solutions; and cybersecurity with COVID became the enabler of digital transformation acceleration—Secure-by-Design. The further need to build in resiliency into business operations has increased the drive to public cloud, multi-cloud, and hybrid cloud, with remote access and software-defined security controls. 

Ravi Srinivasan, CEO, Votiro: Cybersecurity is no longer enterprise IT’s jobs. The accelerated digital transformation of back-office processes, rapid application migration to multiple clouds, and modernization of the data platforms have brought the business and security leaders to collaborate on new cyber strategies and execution. The pandemic has changed the landscape, shifting the focus away from infrastructure to data-centric security approaches. As enterprise users have experienced the risks of cyber, there’s heightened awareness of the need to be vigilant. CISOs will prioritize investments in more cloud-native, usable security services—not large security platforms—to enable secure digital business.    

Mandy Andress, Chief Information Security Officer, Elastic: The pandemic transformed the role of the CISO virtually overnight – from forcing a shift to remote operations to rethinking how to best support employee productivity. Now that companies have weathered the initial changes, CISOs are reassessing their IT security practices, tools, operations, and employee processes for long-term stability and growth within a distributed environment.  

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will continue to be a top priority in the next few years as we work closely with our peers across the leadership team to build employee awareness of security protocols and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: The reality is that current security practices are not keeping up with the changing security landscape. Attack surfaces grew significantly during the pandemic. Accelerated digital transformation, cloud migration, and increased remote working all contributed to this growth. Further, the pandemic put to test many of the systemic failures of the cybersecurity industry. Organizations are plagued with massive, fragmented networks, decentralized, inconsistent configurations and change management processes, unsafe cloud and network configurations, and the continual increase in vulnerabilities.   

As the economy recovered, the great resignation had significant implications for cybersecurity programs.  Already resource-constrained, organizations are losing the institutional knowledge and talent needed to run cybersecurity programs effectively.  As a result, security organizations suffer from loss productively, inefficiencies, and risk of human error.   

Cyber security organizations are making significant changes to address the expanded attack surface, fragmented and complex environments, and loss of talent. They are increasingly focused on moving from reactive approaches to proactive security posture management.  Gaining visibility across hybrid, multi-cloud, and OT networks has become a top priority. And they are embracing automation at record levels to optimize workflows, implement changes, and validate network security policies.   

 

What do you see as the biggest cybersecurity challenge that companies will face over the next two years?   

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: As cyberattacks continue to increase in scope and scale, the government is taking a more active role in defining and prescribing new security regulations. In addition, data privacy laws are becoming more rigid and complex. In already regulated sectors, the requirements are increasing even more. Balancing compliance with the day-to-day reality of operational cybersecurity challenges will be a huge challenge.  

Larry Clinton, President/CEO Internet Security Alliance: The biggest challenge for companies is that they are being vastly over-matched by the growing sophistication of the attack community. Not only nation-states and state-affiliated attackers but also criminal syndicates are accessing increasingly sophisticated attack methods and technologies that will be very difficult for private firms to compete with. 

Steve Durbin, CEO, Information Security Forum: There are three challenges organizations will increasingly face over the next two years: 

1. 1. Being confident in the level of cyber capability currently protecting the organization, in terms of people, processes, and technology, and whether they ensure risks fall within the organisation’s acceptable risk tolerance.
2. Dealing with significant levels of technical debt from legacy systems and proprietary systems. This is a burden to the organization as it can often be more expensive to update an outdated IT estate compared with replacing it completely. 
3. Meeting the ever-changing and more complex compliance obligations. Upcoming regulations, such as requirements aiming to improve the reporting of cyber incidents to authorities, can distract CISOs, and have implications for incident management teams, resourcing (workforce), and budget allocation. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest cybersecurity challenge will be the continued increase in the sophistication of threats for financial gain across a broad increased and connected threat surface. This means that lateral movement of malware is a real concern. We have seen a huge increase in the volume of malware impacts on industrial environments, from oil and gas and water to healthcare and manufacturing. These environments have been increasing in connectivity in OT and IoT due to automation and optimization of production for efficiency with real-time demands. This has led to an increased and unprotected environment because of legacy systems and unfamiliar protocols. Therefore, I believe that industrial environment protection or cyber-physical systems will be the biggest challenge over the next two years.  

Ravi Srinivasan, CEO, Votiro: Remote/hybrid work is here to stay. Security leaders need to focus on protecting digital data and files wherever they are used. This will drive the growing adoption of Security Services Edge, but SSE adoption will hit some operational headwinds as leaders need to address more data risks from the realities of multi-cloud, hybrid IT infrastructures, and usage of more cloud applications.  

Ransomware fatigue will increase. Ransomware attacks are here to stay. Crypto is a force to reckon with and, as business leaders debate to pay or not to pay for ransomware incidents, security leaders will shift focus to prevention approaches and outsource the detection and response efforts to managed services providers.    

Hyper-digital connections will create more data risks. Digitizing old business processes leads to the use of more supply chain connections, exposing more homegrown applications in the cloud and increasing users’ access to new services from outside the traditional enterprise network.  This leads to bad actors exploiting these new digital services, such as weaponizing files used by employees, applications, and data platforms; misconfigurations of application and data platforms in the cloud; more high-profile supply chain exploits; and increased personalized phishing attacks.  

Too many security frameworks lead to too many tools in use. Enterprise and security architects will need to rationalize and adopt frameworks based on a business-led security strategy: securing what matters most for the businesses (data and intellectual property) and adopting security as a service. 

Mandy Andress, Chief Information Security Officer, Elastic: While the threat of malware, ransomware, and data breaches will only continue to rise, the biggest challenge in front of many security executives is finding the next generation of cybersecurity professionals. While cybersecurity is a technology issue, it’s also a human one and an organization’s employees are the first line of defense.  

In its Cybersecurity Workforce Study 2021, industry body (ISC) finds that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way off where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills. 

In other words, we’re going to need to draw from a wider talent pool to plug the gaps. 

Our industry’s over-reliance on specialists with the ‘right’ qualifications and educational backgrounds might actually be a weakness — a point of view reinforced for me by David Epstein’s 2019 book, Range: Why Generalists Triumph in a Specialized World. In the book, Epstein argues that generalists with wide-ranging interests are more creative, more agile, and able to make connections that their more specialized peers can’t see, especially in complex and unpredictable fields – a description that is a good fit for cybersecurity.  

Many of the hiring challenges in cybersecurity can be alleviated by taking important steps to diversify the talent pipeline, which not only expands the talent pool but also contributes to a healthier overall cybersecurity culture. 

Gidi Cohen, CEO and Founder, Skybox Security: As the economy continues to recover and cybersecurity budgets increase, there will be increasing pressure to develop strategic approaches that increase cybersecurity efficacy and not just tactically react to pressures during the earlier days of the pandemic.  Organizations will focus on strengthening their cybersecurity controls, processes, and compliance programs to reduce risk and exposure to cyberattacks.  This requires a fundamental shift in mindset from reactive to proactive cybersecurity.  Security by design will become the focus and the challenge.  Organizations will rethink security architectures to unify and better optimize security across hybrid, multi-cloud, and OT environments. In tandem, security leaders will need to decide how to approach zero trust and address the architectural implications. Secure cloud adoption and migration will continue to be a challenge. Organizations will also need to manage and consolidate fragmented infrastructures that include disparate security products with sub-optimal use. And processes will need to be optimized and automated to avoid catastrophic errors and address resource constraints.  

New trends are pushing wealth and asset management firms into becoming digital-first businesses offering clients immersive digital experiences and real-time support, together with more personalized products and services. The industry will also rethink their environmental, social and corporate governance investments, pushing sustainability to the forefront of their priorities. 

To shed light on how these shifts will transform the industry, ThoughtLab is conducting a multi-client research program titled Wealth and Asset Management 4.0. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected investor behaviors and preferences, trends in the industry, and the implications for their businesses.
 

How is your firm rethinking its strategies, processes, communication, and business models to succeed in a digital-first world? How are you leveraging AI, cloud, blockchain, and other latest technologies?  

Joe Norburn, CEO, Recordsure: Wealth and asset management firms should be focused on utilizing the latest advances in Machine Learning and AI to support their operations. Strategically thought-out implementation of AI analytics and RegTech tools deliver significant business benefits – address key pressure points, manage risks, and offer business efficiencies at scale. 

Manish Moorjani, Senior Director Product Management, PublicisSapient: Shortening time to market for new tools and features and early validation through A/B testing enables firms to stay competitive and provide value to end clients. Sentiment analysis of media and news for investment decision making is also valuable, by leveraging AI and Cloud capabilities. Another best practice is adopting best in breed products and platforms for order execution and accounting and focusing on the firm’s strength. 

 

How is the nature and location of work likely to change in the years ahead? How will employee experiences and process change, particularly for financial advisors? 

Mike Park, CEO, TCC Group: Healthy organizational culture plays a prominent role in delivering commercial success. Being forced to move away from traditional office working opened fresh opportunities to utilize digital communication channels, reduce business travel and offer greater flexibility to the way we work. With many employees enjoying the advantages of increased flexibility, a hybrid way of working is expected to be the future – yet it is poised to bring new challenges. Less direct contact between employees on a daily basis could potentially increase conduct risk due to the decreased opportunity to directly observe behaviors. Processes that worked in the office or in a short-term wholly virtual environment may not be sustainable for a hybrid future. Focusing on culture and the desired behaviors of employees will help firms successfully manage the operational shift ahead. 

 

Which regulatory and tax trends are having the biggest impact on your business? How will your firm adapt its strategies, systems, and services to meet client needs, while staying compliant?  

Chiara Gelmini, Solutions Marketing Lead, Appway: We learn from our customers that Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) are going to be major focus areas in the regulatory compliance domain, specifically thinking of the due diligence impacts on CLM practices. It’s the ‘Era of the KYX’, aka Know Your ‘Everything’.  

KYC (Know Your Customer) it’s going to require more and more attention and dedicated resources as well tools, with WM’s SMEs proximity to client facing functions being a crucial aspect to fix.  

A growing focus around KYT (Know Your Transaction), with more stringent requirements arising across jurisdictions and demanding dynamic, collaborative and informed approvals and RFI and EDD orchestration.  

KYI (Know Your Investment), with increasingly blurry lines between KYC and suitability profiling, it is now time for more conscious and thorough understanding of client’s investment goals and decisions. All tying into ESG and rising social responsibility. 

Overall, compliance officers are seeing further pressure and cost coming into their operations to mitigate new challenges – continuing the trend of being asked to do more with less. The ‘holy grail’ is improving efficiency and agility, while reducing TCO – and this is possible with the right combination of tools, but the effort should not be underestimated.
 

Joe Norburn, CEO, Recordsure: To help organizations drive operational resilience and stronger compliance, the implementation of AI-driven RegTech tools should feature as the key priority on the technology strategy roadmap. Compliance monitoring across recorded conversations and case file documentation truly sets firms apart as it provides the ability to cover every interaction, spoken and written, between firms and their clients. Introducing the right RegTech solution also means cost savings as less time is spent on administrative tasks and files reviews, improved risk management, more insights and better client outcomes. 

 

How far will organizations need to go to incorporate ESG into their business strategies? Will that involve new investment products? Better analytical tools? Greater public-private partnerships? Other? 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: In the past, the prevailing mindset was that ESG investing was no more than corporate altruism.  This perception has steadily changed, with investors increasingly viewing ESG investing as central to their investing strategies and wealth firms differentiating their services using ESG criteria. This trend is set to continue, and we expect ESG-related considerations to have ongoing and ever-greater implications for the wealth industry. We see tremendous opportunity in offering access to complete data that is transparent, granular and standardized.  There is also an urgent need for detailed analytics to deliver actionable insights with intuitive visualization that helps market participants make sense of data.  Furthermore, ongoing education will remain crucial as investors continue to define what good governance looks like. 

Olivia Fahy, Head of Culture, TCC Group: Firms need to fully embed ESG considerations into their strategies rather than treating ESG as an add-on. Purpose can be an excellent driver for ESG considerations as it helps organizations determine how they provide social value and embed practices that support this throughout the business. Focusing on driving a healthy and purposeful organizational culture will incorporate many considerations that fall under the ESG acronym. With organizations coming under more pressure from clients, employees and investors to demonstrate robust ESG strategies, future-oriented firms are already incorporating ESG into their organizational culture to their advantage. 

 

What lies ahead: Wealth 4.0 

What are the biggest opportunities and challenges that lie ahead for your organization?  What will be the impact of demographic, regulatory, digital, competitive, and economic shifts? 

Olivia Fahy, Head of Culture, TCC Group: Firms are facing social and environmental challenges, such as the need to break barriers around diversity and inclusion and make progress in relation to climate change and sustainability. Such challenges can generate new opportunities, providing firms with the chance to positively impact the world, drive change, and make a real difference for the future. Implementing these kinds of changes requires culture change, an ambitious yet gratifying task. Culture transformation leads to strategic advantages, better treatment of employees and clients, and a more sustainable business.    

Joe Norburn, CEO, Recordsure: One of the biggest challenges for firms is to ensure continuity and to be prepared for the unexpected. Wealth and asset management firms have the unique opportunity to better their operational excellence by implementing new technologies such as RegTech. Technologies and AI do not replace people but make them more efficient at what they do by focusing on priorities. RegTech offers unique monitoring and reviews that help address key pressure points and compliance, mitigate risks, and deliver cost-efficiencies. 

 

What will the wealth and asset management industry look like in five years? What advice would you give to wealth management firms to ensure their place in tomorrow’s new marketplace? 

Mike Park, CEO, TCC Group: Employees, clients and investors are increasingly expecting wealth and asset management firms to be more purposeful and responsible. Firms need to listen and act on these expectations, or risk people voting with their feet. By focusing on culture with the same level of importance as business strategy, firms can drive the right behaviors, do the right thing, add social value, and ensure their place in the future. 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Obviously digital transformation is crucial. However, it’s important to remember that the investor should always come first. The future of the investment and wealth management industry being about digital and human elements coming together. Trust will continue to be the cornerstone of strong relationships and will continue to be supported by robust, and evolving, digital tools that drive rich human connection.

Joe Norburn, CEO, Recordsure: The wealth and asset management industry is facing new exciting times of transformation. The incredible advances in the wealth technology solutions available are already paving the way for operational resilience and stronger compliance. Firms that deliver high-quality advice to their clients, coupled with rich and engaging well-monitored technology, will be incredibly successful over the coming years.

The coronavirus pandemic has accelerated digital, social, economic, and demographic shifts across the world and across industries. Within the wealth and asset management industry, investor attitudes, needs, and expectations are undergoing lasting changes, and the playing field for investment providers is shifting. Investment providers will need to act quickly to compete in the next era of wealth management.

To investigate these developments and how digital, social, and economic shifts will transform the industry, ESI ThoughtLab is conducting a multi-client research program titled Wealth and Asset Management 4.0. We asked industry experts and sponsors of the study to offer their perspectives on how the pandemic has affected investor behaviors and preferences, trends in the industry, and the implications for their businesses.

The Impact of Disruption: The megatrends transforming the industry

 

What are the biggest disruptions affecting the wealth and asset management industry today? To what extent will these megatrends transform the industry? Do you see the rise of a new normal?

 

Mike Park, CEO, TCC Group: The shift towards organizations being purpose-led with a focus on creating social value and benefiting society rather than just generating profit has the potential to transform the wealth and asset management industry and signals a major culture change. The significance of organizational culture to business success has been well documented over the years, yet the global pandemic highlighted its critical importance. Where traditional objective-driven operations struggled to adjust during challenging times, firms with a focus on their culture—promoting collaboration, innovation, and empathetic leadership—showed a better ability to adapt and perform during the crisis. With employees, consumers, and investors increasingly demanding that firms step up regarding social and environmental responsibility and proactive management of diversity and inclusion, firms who do not take their culture seriously will soon get left behind. A healthy culture is a must have, not a ‘nice to have.’

Chiara Gelmini, Solutions Marketing Lead, Appway: In the past years, the financial services industry has been hit by multi-dimensional, dynamic disaggregation with impacts across the value chain, channels, data and systems, and the regulatory landscape. Now, the industry is challenged on a whole new degree of disruption, impacting primarily client engagement, productivity, and business composability. As in every crisis, 2020 was a catalyst for true change, and we’ll see its impacts over the next five years.

Joe Norburn, CEO, Recordsure: The pandemic-driven disruption to traditional face-to-face interactions between clients and agents has led to fundamental changes in the wealth and asset management industry. Faced with business continuity challenges, firms introduced new alternative methods of communication. While such decisions were made of necessity, the new client-agent communication channels are quickly becoming the new norm due to their convenience and flexibility. Similarly, monitoring and analysing customer interactions across all channels to ensure fair treatment and compliance is quickly growing into a significant operational requirement.

 

How has the pandemic accelerated the transformation of the industry? What lasting changes in wealth and asset management should we expect from the pandemic?

 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Digitalization has been a megatrend for quite some time; the pandemic exponentially accelerated this as a focus for many firms. The lack of face-to-face interaction encouraged firms who may have previously been reluctant to transform or adopt digital tools to do so, or risk losing out to competitors and falling behind. The way in which the wealth advisors interact with clients, and the way in which clients define “white glove” service, have changed at a fundamental level. The constant challenge with digitalization is the continued increase in hyper-personalization expectations. Communicating with clients and providing investment advice digitally is one thing; the real differentiator is the ability to personalize these interactions in order to build strong, sustainable, and trusted relationships. This is especially true in an environment of fee compression, robo-advisors, and new forward-thinking start-ups. Providing sound investment advice, personalized to the specific needs of investors by truly understanding their situation, needs, wants, values and desires, will be the real differentiator in wealth management.

Mike Park, CEO, TCC Group: The rapid operational adjustments that wealth and asset management organizations endured in response to the pandemic emphasised regulatory compliance issues. As we are entering the post-pandemic world and the emerging hybrid model of home- and office-working, firms continue to be exposed to client mismanagement and compliance issues. Firms will need to carefully consider how to drive a healthy culture in the new working environment to mitigate these potential conduct risks. Healthy company culture plays an integral role in linking compliance and commercial success for wealth and asset management organizations.

Chiara Gelmini, Solutions Marketing Lead, Appway: In the past decade, innovation dominated strategic priorities, though with “arbitrary” and shifting emphasis. Although more hybrid models of interaction were emerging, the high-touch physical interplay was seen as the “Plan A” in wealth management, while digital engagement was the “Plan B”. Today wealth managers are forced to not only innovate but to transform by revising digital strategies—along with the corresponding tools and technology—in order to adapt to the shift in circumstances. Digitally empowered human interaction is now the default “Plan A”. Being innovative via digital means, doesn’t equal less human touch. WM customers are typically complex in their nature, they have large households and center of interests, with many cross-jurisdictional nuances and impacts. Hybrid models are going to be crucial to be able to deliver that high touch service that’s core to the WM industry, across whatever type of channel and journey customers are going to choose.

Joe Norburn, CEO, Recordsure: The global pandemic accelerated the deployment of new technology-led solutions that enabled financial services organizations to ensure business continuity and remote-working management. Despite the swift introduction of these solutions, innovative technology tools, such as client interactions monitoring and regulatory compliance management, are proving to drive operational efficiencies and excellence—thus are here to stay. The next challenge for organizations is to carefully assess their new technology portfolio and ensure true alignment with long-term technology and business strategy.

Manish Moorjani, Senior Director Product Management, Publicis Sapient: The pandemic made digital the only mechanism for advisors and their clients to engage; it accelerated digital tool adoption by advisors who felt their HNW/UHNW clients only wanted an in-person white glove service. As we go back to a new normal world post-vaccination, we expect that the engagement model will continue to be a hybrid of in-person and digital engagement as both clients and advisors saw significant value at limited to no degradation of service. In fact, it provided an opportunity to share much richer insights for them to discuss and led to engaging conversations.

 

The Next Generation Investor: Meeting changing investor needs and expectations

What key shifts are you seeing in investor expectations, behaviors, and priorities? How are these playing out by wealth, age, education, gender, and other investor demographics?

 

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: Investors expect to be known. Companies like Netflix and Amazon are leading the way in terms of personalization and understanding what their customers want by leveraging the data available and providing personalized recommendations through a simple, intuitive digital interface. Expectation for daily, personalized, and tailored interactions are moving into the financial services arena at a faster pace than ever before. Investors expect that the advisors know them and can recommend solutions to meet their needs based on understanding “clients like them”. Breaking these expectations down by wealth, age, education, or gender is a precarious game given that expectations are also driven by stage in life, income, place of residence, engagement preference, risk level, etc. For example, my high school two daughters have been exposed to investing their entire lives because of my career. Our oldest daughter (persona: The Protector) is conservative by nature, would prefer to meet in person, and would invest no more aggressively than a moderate risk portfolio. She cares more about protecting her money than making the most she can. Our younger daughter (persona: The Thrill Seeker) would invest straight off Instagram, never talk to an advisor and invest in the highest risk single stock she could find because she loves the thrill of the chase even if it means losing everything. Given the move to personalization, wealth firms would be well served to understand their investor personas and adapt both sales and customer service techniques to meet their personas.

Olivia Fahy, Head of Culture, TCC Group: Socially responsible investing is an increasing priority for investors. For firms, this means investing with purpose. Younger investors are particularly concerned about investing responsibly, and so this new trend is set to influence wealth and asset management firms’ culture and their approach to investment—especially as wealth begins to transfer from baby boomers to millennials through inheritance. It should be noted that this shift has been growing in importance over the last few years, but it has been brought into sharper focus more recently by topics like climate change, the BLM movement, and the pandemic, highlighting how firms are part of a much broader infrastructure. Progressive and purpose-led organizations have been shown to be best placed to respond to this pivotal shift in the market and steal a march on their competitors.

Manish Moorjani, Senior Director Product Management, Publicis Sapient: For millennials across wealth, education, gender and demographics, omni-channel engagement is an expectation, not just a “nice to have” anymore. Priorities now include doing more sustainable investing (ESG) to ensure that there is a broader picture in mind besides making returns. They also have a shared control behavior in terms of making investment decisions as they are exposed to lot more information and insights and are looking for a partner not just an advisor.

How is your organization adapting its products and services to meet evolving investor needs? How will value propositions, investor experiences, and market approaches need to change?

Sabrina Bailey, Global Head of Wealth Management, Refinitiv: We are focusing on developing and using digital tools and solutions to address changing investor expectations by delivering the data, insights, and capabilities that can be delivered in a personalized way to a broad range of personas to enhance the overall experience.

Joe Norburn, CEO, Recordsure: The new way of interacting with clients via multiple communication channels requires more transparency than ever before. The fast changes to business operational models have emphasised the need to fast-track the deployment of analytics tools to monitor, analyse and review all client-agent interactions at scale. This requirement is critical as firms are faced with the responsibility to ensure fair treatment of clients, be vigilant to vulnerability, and to always maintain supervisory oversight and regulatory compliance across all communication channels.

 

Anna Szterenfeld is Director of Editorial Operations for ESI ThoughtLab. She is a multilingual writer and editor with 30 years of experience assessing and forecasting global political and economic risk, policy trends and business operating conditions, with a particular focus on the Americas. For many years she served as Regional Manager and Latin America Editor with The Economist Group, where she supervised analysts and editorial teams in Mexico, Brazil, London, and Gurgaon (India), as well as a contributor network in more than 20 countries.