Ask any CEO or leader of an organisation what their top worries are and they'll probably tell you that they're related to technological disruption or cyber security. In a recent PWC report, cyber security ranked in the top five concerns of surveyed CEOs. Yet despite the perceived importance of the issue, time and again it is the simplest vulnerabilities that catch companies out. Whether it's falling for an email impersonation or not patching systems, it's clear that talking about these issues is a lot easier than doing anything about them.
Costas Markides from the London Business School has talked about the problem of senior leaders saying "we need to do something about innovation". If you were at home and your partner said "we need to do the washing up" who exactly do they mean? The phrase is non-descript and non-directional, meaning that the dishes would inevitably languish in the sink. In these cases the rhetoric itself becomes dangerous. Rather than prescribing a course of action like hiring a Chief Information Security Officer or growing an innovation department, most companies default to continuing with business as usual.
Cyber security and innovation are hugely important but rarely acted upon
There are a number of reasons that I've seen which result in this behaviour. By recognising the common traps it becomes easier to align your areas of high perceived importance with your high priorities.
1. It won't happen to me
There is often an underlying feeling that instances of tech disruption or cyber security won't happen to you or your company. "My people are too smart to fall for a phishing attack" or "It's a hard market to break into really, what damage can a start up do?" Like global warming, it's only after the damage has been done that it becomes clear that these sorts of things can happen to anyone.
By creating scenarios about the future - as the packaging manufacturer DS Smith has done with their 2025 scenarios - you can bring some level of reality to these hypotheticals. Assessing what actual damage might be done, and documenting who would face the repercussions you can reframe the debate.
2. Where's the ROI?
The other problem about hypotheticals is that it's hard to build a business case around them. The recent WannaCry ransomware outbreak could have been prevented by a simple patch to NHS computers; yet justifying a significant spend on a security update is difficult when there are pressing funding needs in other areas of the organisation. Making a business case for an unknown is only possible when you accept that occurrences like a hack or disruption are not just likely but inevitable. To help stakeholders understand just how likely this is, things like company wide phishing tests can be used to demonstrate vulnerabilities.
3. Innovation Stigma
"I'm just going to spend the next two hours doing some innovation." Imagine if one of your colleagues said this to you? You'd probably picture them sitting on a beanbag doodling on a pad of paper. Though innovation is critical to business today, finding the time and space to do it is difficult - especially when it's often not criteria in someone's performance review. It's only by promoting innovation as a tangible activity within a company - through a lab or investments for example - that "innovation activity" can happen without it looking like people are wasting their time.
4. Fear of failure
Underlying all of these issues is the problem that admitting to failure is incredibly difficult it today's business environment. Both innovation and cyber security have a high probability of failure - even if you invest significantly in both areas it's still possible that you will be disrupted and hacked. It's a game of probability, though, and therefore it's important to be transparent and communicative about the risks involved.
Recently Google has made a large push towards their photo sharing app, Google Photos. Offering unlimited high-resolution storage for anyone who buys a Pixel phone, and standard resolution for anyone who signs up, it seems like a deal too good to be true. Whilst signing up is easy, removing yourself from the service (as I tried to do a few months ago) is much harder. Photos can only be deleted in batches of 500, and the process will fail four out of five times. It’s the sort of dark user experience that you can see in other products, but it is a reminder of an important point: Google is a data collection company, and its value is dependent upon the quantity and quality of data that it can collect.
The problem with taxing technology
Historically tax has been used to collect revenue for the state by extracting a proportion of the value that businesses or individuals create. Taxation from Biblical times is described as
"When the crop comes in, give a fifth of it to Pharaoh.
Genesis, Chapter 47, verse 24
In this case, the taxation system is quite simple: whatever value you create (i.e crops), give 20% of it to the Pharaoh. Since biblical times this principle of extracting value from producers has been extended to value added tax (VAT), where every transaction that creates some element of value is taxed at a percentage. The bottom line of a capitalist taxation system is that where value is created it is only fair to take a proportion of that transaction as tax.
When it comes to technology companies, the value almost always sits in the data that they own. Citymapper, a UK based transport company is valued at over £250 million, despite the fact that it doesn’t make a profit. What it does have, though, is huge amounts of data about transport patterns in cities all over the world - often much more accurate data that municipal transport companies themselves have access too. It’s a similar story with Uber, which recently launched Uber Movement, a service demonstrating just how valuable their data collection of journey times has been.
Citymapper recently launched a pop-up bus service to demonstrate the power of the data they have access to
The issue with taxing these companies is that though an organisation like Citymapper is generating substantial value with the data that it’s collecting, there is no concrete monetary figure associated with it. Therefore, for most fast-growing startups the core of their value goes completely untaxed.
Where value goes, tax should follow
Over the past few years, the regulation on the collection and processing of data has become stricter. In order to collect data of any kind in the UK, you need to register with the ICO, and soon companies will have to comply with strict security legislation brought about by GDPR. Despite this regulation of data, though, there has been absolutely no attempt to tax the collection or processing of data.
Google’s search algorithm is improved with every search that is made. Though there is a monetary cost of providing the service, the benefit of having the most predictive algorithm is clear to be seen. Terms of service across any tech company that you care to mention includes clauses about using consumer data to improve the service for others. This may seem like an altruistic motivation, but in reality, it is anything but. Taking the insights from Google search and integrating it into Google Home, for example, allows Google to create a much more valuable product. Again, this value is completely untaxed.
Government & regulators are unprepared
The shape of the global economy has been dramatically transformed by technology, and yet the regulatory and taxation system has remained relatively static. As technology companies experiment with new ways to create value it’s the responsibility of government to experiment with new ways of taxing them. Sadly the exact opposite has happened. HMRC recently removed the flat rate VAT scheme benefit for what they call “limited cost business.” Typically these businesses are tech companies whose only capital expenditure are laptops at the beginning of the year. From then on they operate with limited costs - but this doesn’t mean that they’re not creating value.
Simply closing the option for companies to claim back flat rate VAT doesn’t solve the problem, it only seeks to demonstrate the difficulties of creating a fair taxation system where most of the value is invisible when measured with traditional metrics. We need a radical rethink of the way that value is measured and tax is administered, and this has to start with a technology first approach.
The Burning Platform.
There's normally no better way to convince senior stakeholders to invest in innovation initiatives. The idea that at some point soon a new entrant could come into the market and destroy your current business model is enough to terrify many into action. In most industries it’s quite easy to make this argument: Google, Apple and others have entered most markets and made themselves felt. From the outside, it seems like the world of finance is no exception. Companies like Paypal & Transferwise have changed commerce as we know it and a new wave of challenger banks like Monzo have just begun to enter the market.
When talking to established banks and payment providers, though, it’s quite difficult to make the burning platform argument. Whilst innovation in finance has happened, it has only been seen in certain areas. Since the financial crisis, most funds and banks have seen their profits and operations steadily rise. The disruptive revolution, as it was prophesied a few years ago, has yet to be seen. So what’s happening? And what can we learn about how big financial players are defending themselves?
The benefits of legacy
Blockchain, the technology that powers Bitcoin, has been cited as one of the disruptive forces that is sure to completely change the way that financial services operate. If no central authorities are required to authenticate transactions then what need do we have for banks or payment providers? In theory, this makes complete sense. The problem, though, is scale. Bitcoin can handle, in theory, a maximum of 7 transactions per second. Visa can handle 56,000 a second. Whereas Bitcoin is a technology that has evolved and developed essentially as a proof of concept of a stateless currency, Visa and MasterCard have evolved as stable and scalable providers.
This isn’t to say that a cryptocurrency won’t come along to rival Visa or Mastercard’s transaction scale. What’s unlikely is that a completely new force will enter the market with a stable and scalable financial transaction system overnight. Innovation is inherently risky, meaning that early versions of innovative systems carry that same level of risk.
It might be tempting to think that if you’re a business operating in an environment where scale protects your core value proposition you can sit back and profit. The problem with this is that complacency kills you. Though it probably won’t be an overnight sensation that disrupts your business model, it will be a twist on what you currently offer.
Legacy can’t get the front end right
Nimble and fast paced responses to changing requirements aren't necessarily what you want when you’re processing money - which is why companies like Visa and MasterCard have done really well. I know exactly what I want from an infrastructure point of view when I make a transaction. I want my transaction to get to the merchant quickly, securely, and reliably. The requirements are known, and therefore large-scale providers can work away diligently on providing large-scale solutions to 100,000 people buying a hot dog at the same time when they're at a football stadium.
When it comes to the front end - what I see, feel and experience when making a transaction, I don’t have a clue about what I want. Maybe I want to buy my hot dog with a contactless card; maybe I want to put on a VR headset and beam the payment to the vendor. There is a keen need for experimentation where front end experiences are concerned. If a fintech company develops a novel front-end solution which makes, say, sending payments to friends easier, the innovation won’t be on the backend as the money still has to move through the usual channels. Instead, it will be through an advancement in user experience or tie-ins with other services.
Waiting and watching
Forward thinking financial organisations have realised that the best argument for investing in innovation isn’t that their business model will be destroyed if they fail to fund a lab. The most persuasive argument is one about growth.
Large organisations will never rival small and agile fintechs when it comes to designing novel user experiences and front ends. By waiting and watching as smaller and riskier companies try to develop revolutionary new ways of interfacing with the world around us, the innovation process for large companies is de-risked. But their involvement has to come in somewhere so that they can profit eventually - and where better than their area of expertise: the back end.
MasterCard was one of the first companies to realise that this approach could be particularly fruitful, and they’ve had a large focus on developers and APIs for a long time. By engaging with startups and smaller companies; encouraging them to build their front-end technology on top of the back end of their well-established system, MasterCard has been the payment provider behind almost all the fintech card providers you care to mention.
To think of innovation as building up defences against the disrupter that may come tomorrow is to miss the core point: you can’t fight a battle on both fronts. Collaboration with others is essential - not only to the future of your business surviving but to it thriving too.