The following story illustrates what can occur when efforts at digital transformation go wrong. Kelly Zheng may not be real, but the challenges she’s confronted with are far from fictitious. Many organizations and industries struggle with concerns about retaining customers in a disruptive and competitive landscape. Facing a “transform or else” paradigm isn’t easy, but it’s increasingly common. Read on to discover the challenges and choices Kelly faces. Did she choose the correct path?

Insurance company CEO Kelly Zheng knew she wasn’t alone in thinking her industry was one of the most disrupted by technology and innovation. However, she always brought her positive (and practical) attitude to the office.

Like many of her fellow CEOs, she juggled a plethora of changing priorities. Her number one concern lately? The goal of practically every industry: Customer retention. Fortunately, Kelly worked alongside a talented team of C-level executives.

Kelly stared hard at the net promoter score (NPS) chart the chief marketing officer (CMO) had presented, searching for answers in the negative trend line. The dismal data wasn’t the only bad news she’d received that day. After hearing the chief financial officer (CFO) report on the company’s declining revenue and a suspected spike in fraudulent claims, Kelly was worried about the firm’s digital transformation strategy — or lack thereof.

She masked her concern during the CMO’s presentation but revealed her true feelings when the CFO knocked on the door to her office later that day. Kelly knew she needed to act fast and get her leadership team together to find a solution.

“Every company is a technology company in today’s world,” Kelly stressed. “We need to get with the times and offer an omnichannel customer experience. A mobile app is a perfect opportunity to embrace disruption and bring our company to the next level.”

Later, Kelly sounded confident while she outlined her plan to the leadership team: The organization would invest immediately in developing a mobile app. Internally, however, she couldn’t help but wonder if the team could handle a significant digital overhaul against a ticking clock.

Designing a Secure, Frictionless Customer Experience

Kelly knew a mobile app would help the organization stay in touch with its customers, which would ultimately improve customer satisfaction and loyalty. By the time the leadership meeting was over, she had outlined a tentative plan of action to get the mobile app off the ground.

Although the organization’s chief information officer (CIO), Ned Lui, was part of the leadership meeting, Kelly wasn’t able to connect with him until a few days later due to his hectic schedule. She wanted to discuss the app’s possible impact on the company’s current IT infrastructure and operations, but the conversation quickly turned to security risks.

“You should meet with Adela, the chief information security officer,” Ned said. “She will make sure we address app security properly.”

While Kelly was concerned about the mobile app’s security, she needed to get the business requirements for the application and the third-party development team agreement solidified first. She had already asked her design team to take an active role in designing an industry-leading user interface (UI).

Between the world-class user experience (UX), experts at the development agency and her in-house talent, Kelly felt certain her organization was taking the right approach to developing a mobile, omnichannel customer experience — a people-first approach.

Balancing Security and Ease of Use

Kelly recognized that security would be an important concern during the development process, so she kept it top of mind. She highlighted the importance of security in her weekly meetings with the third-party agency she hired to develop the app. She understood there were significant functionality and cost-saving reasons to build the new app with security from the start. However, she wasn’t entirely confident the app agency had the right mindset when it came to balancing security with UX.

Kelly armed herself with app security research and addressed security at every meeting with the development agency. While ease of use was critically important, she grilled the agency project manager to make sure the development team wasn’t sacrificing security for convenience.

Kelly was satisfied with the agency’s practice of secure DevOps, and she kept the rest of the leadership team updated on the progress.

Tackling Fraud Head-On

With development efforts in full swing, Kelly shifted her focus to addressing the costly problem of rising fraudulent claims. She was hopeful that the app would create a flood of new customer accounts, but she was also aware that it could make it easier than ever for customers to file fraudulent claims.

Kelly tasked Ned and Adela with developing a plan to authenticate new user accounts. However, when the task force reconvened, Kelly felt overwhelmed by Adela’s recommendation to explore new solutions.

“Legacy approaches to user authentication and identity verification are clunky and, quite frankly, high-risk,” Adela argued. “We can’t rely on passwords. Instead, we need a dynamic approach to verifying users, devices, environments, behavior and activity.”

Everyone knew Adela was almost certainly right. However, they weren’t sure how to integrate multifactor authentication (MFA) when development was in full swing.

After much discussion, Kelly convinced her colleagues they’d have to stick with a framework-based approach to fraud prevention. Context-based authentication tools would have to wait for the next release.

Unleashing a Mobile-Enabled Workforce

As the go-live date approached, Kelly focused on a final puzzle piece: the insurance organization’s newly mobile-powered remote workforce of insurance agents. Mobile app access for agents was necessary to deliver on the promise of real-time updates.

There was, however, an issue of risk. Could the health of the agents’ personal mobile devices compromise the IT infrastructure or (worse) customer data? What if a device was lost or stolen? While the organization provided laptops to its agents, Kelly worried about what would come next, because there simply wasn’t enough budget available to equip the agents with company-owned mobile devices.

Kelly and Ned opted for the best option they felt they had: an updated bring your own device (BYOD) policy. With the help of the human resources team, they decided to invest in a new, written policy that clearly outlined the agents’ responsibility to protect customer and company data on mobile devices. The new BYOD policy was clear about secure behaviors — such as avoiding untrusted Wi-Fi connections and the importance of putting a lock on each mobile device — but didn’t outline what would happen to people who failed to comply.

Achieving Digital Transformation Without Sacrificing Security

Kelly is far from alone when it comes to balancing the pressures of digital transformation and security. Faced with a fast-ticking clock, she didn’t feel that she had the option to focus on security and still release a great product on time. However, there’s an alternate ending to this story that doesn’t involve a vulnerability-riddled app, fraud or mobile data breaches.

To avoid these modernization missteps, Kelly could have invested in security services to help her task force develop security-focused business requirements and create a comprehensive DevOps framework. For example, disaster recovery-as-a-service (DRaaS) and backup-as-a-service (BaaS) could have helped her team meet resiliency challenges.

Kelly’s developers also could have automated ongoing risk testing in production with a vulnerability scanning tool to avoid the high cost of discovering security risks after the app went live. In addition, an identity and access management (IAM) solution could have helped the development agency protect authentication between mobile and web apps.

Had the app passed a penetration test, Kelly could have approached the go-live date with confidence instead of apprehension. She also could’ve nipped the threat of new account fraud in the bud by investing in a fraud protection solution that examines users, device health and sessions.

Finally, Kelly could have reconciled risk with mobile agents by leveraging a cognitive-enabled unified endpoint management (UEM) solution. That way, everyone would have won: The agents would’ve been able to keep their phones and game apps, and Kelly’s organization wouldn’t have had to purchase mobile devices for its employees.

Digital transformation may be increasingly inevitable in many sectors, but you’re not doomed to face disruption or mounting security risks when delivering new mobile experiences or turning around a digital overhaul before your competitors go live with their apps. With expert assistance and augmented intelligence, organizations can achieve security by design instead of taking an after-the-fact approach to data protection.