CSO Perspectives (Pro) 8.8.22
Ep 83 | 8.8.22

Fintech Ecosystem


Rick Howard: Hey, everybody. Rick here. On this lovely Saturday morning, I made a trip to my local supermarket, the Huntsman Giant in Springfield, Va.


Unidentified Person: (Inaudible), can you come to desk 8, please? 

Rick Howard: My cousin Jimmy is coming in from Florida today, and I'm going to cook dinner for him, my Howard-patented chicken taco salad. So let's see - I need some chicken thighs, some green peppers and red peppers, some Mexican shredded cheese, some sour cream, some taco shells. Oh, yeah, and my favorite, some Pace picante sauce - mmm, mmm - that's going to be good. OK. So I finished my shopping, and I'm at the self-checkout register, where I've scanned all my items. But instead of me pulling out a plastic credit card from my wallet, I take out my iPhone, bring up my Apple Wallet app, select my digital credit card, place my phone on the digital reader, enter my PIN, and voila, complete my transaction.

Rick Howard: And you may be saying to yourself, geez, Rick, what's the big deal? We've been able to do this kind of thing for a couple of years now. Why are you dragging me through this really boring example? Well, I'm glad that you asked. This, ladies and gentlemen, is the beginning of the end to plastic credit cards - a disruption, as you might say. And to what do we owe this little bit of innovation? It's called fintech or financial tech, technology that deals primarily with how we conduct our financial transactions. And the financial sector has been working on things like this for years, trying to find new and better ways to transact business. But just recently, say in the last couple of years, 2020 to now, venture capitalists have been investing huge wads of cash into fintech startups. And I really wasn't paying attention. So I figured it was time to do a deep dive into what's going on and see if there's anything new here for the security executive to consider in terms of making this fintech secure. Let's find out. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old US of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. Joining me at the CyberWire Hash Table today are two subject-matter experts on fintech from Akamai - my old friend, Steve Winterfeld... 

Steve Winterfeld: Minor deity of cyber at Akamai. I've been here for a couple years. 

Rick Howard: ...And his colleague, Josh Greenfield. 

Josh Greenfield: Been at Akamai for about five years. And prior to that, was at a large telecommunications company for 18 years. You can just call me a client manager - fintech partnerships - either one. 

Rick Howard: Steve, let's start with you. As I said at the top of the show, I really hadn't been paying that much attention to this general-purpose category of vertical technology called XTech and specifically, the financial sector's version of it, called fintech. What is this thing? 

Steve Winterfeld: There are a lot of XTechs out there - fintech, insurance tech, regtech, and all of these are looking at a couple synergies. One - big data, AI, ML - access to do things in a way, because of that data, we haven't done. And then the second half of this is a distributed way to interact. 

Rick Howard: For those of you that don't know, before Steve went to work for Akamai, he was the CSO for the fashion retailer Nordstrom. And one of the projects he worked on was a software integration with Pinterest, the social networking site where users collect and share images of anything they find interesting. The idea was that if Pinterest users found an article of clothing on the site, they could easily buy it from Nordstrom.

Steve Winterfeld: I'll take a classic example. When I was back at Nordstrom, we did a deal where we were going to be able to interact, and you were going to be able to buy off Pinterest. Well, that was six months and a lot of effort. And, you know, if either CHAI changed something, things would break. And I'm not sure it was a great return on investment. But now with this, you know, open APIs, the ability to do something similar for Nordstrom would be almost zero effort on their part, and just that ability to quickly connect in the dynamic way. So a lot of this has just been an explosion in innovation on both sides. 

Rick Howard: So "XTech," quote, unquote, is kind of new technology that seeks to improve and automate services in various sectors, like the ones you mentioned, but also agritech for agriculture, edtech for education and adtech for marketing. Fintech is for financial services. All of this innovation is really about trying to streamline services in those verticals and making it easier to do business between customers and vendors. 

Steve Winterfeld: And then, you know, when you get into fintech, we've got a subset of group. There's alternative banking. There's robo advisors, there's people that focus on the payments side, that focus on maybe more the supply side. Josh, what are some of the ones you're seeing? 

Josh Greenfield: I think a big part of fintech, in general, is anywhere where inefficiencies exist today in the marketplace that can be solved through the use of technology and the movement of money. And I think even the term money has multiple meanings for different people now. So it could be everything from cryptocurrency to digital assets to just regular dollars that people are used to using. So we see a lot of companies coming out, trying to isolate and find those inefficiencies and insert themselves to make a better experience for the people that are moving money. 

Steve Winterfeld: And I would add to that. There's a couple drivers. You know, if you look to Europe, open banking is a regulation that is driving this. So they're saying traditional banks need to be open to let customers have access to their wealth in different ways than they have in the past. And then there's customer-driven, which - people are just going to these new technologies because it gives them the capability they haven't had in traditional banking.

Rick Howard: Josh, when we were prepping for this interview, you guys passed me a report from a company called CB Insights that they published in 2021. We'll link to it in the show notes. But it said that venture capitalists started investing big money in fintech startups in 2021, like, over $30 billion alone in Q2 of 2021. That's a lot of money to be throwing around for this kind of thing. What's going on here?

Josh Greenfield: Yeah, it's a good question. So I think as we head into the new economy - and I talk about 2022 and 2023 - is a little bit different than historically, with the free flow of money and investment and assets. I think the idea behind those investments are, where can we find exponential growth? And the - I say the word exponential growth with purpose. A lot of these fintech companies, for every one person who comes onto their new platform, they will enact eight to nine different transactions a month. So for every user that comes on board, they're growing exponentially. And I think, from a venture capital perspective, it's, where can I put my money to work for firms that are going to grow exponentially, the fastest growth, the highest rate of return? And where do I believe those inefficiencies in the market exist? And how can I fix them? And what partners are going to be out there to help address that? So we see a lot of fintech and venture firms focusing on this area in particular, I think, due to the payback, in a time for the payback, with those exponential growth curves. 

Rick Howard: One of the reasons for all this investment is that many fintech startups are trying to leverage the ideas associated with Web 3.0. On my other podcast called "Word Notes," we explain the significance of Web 3.0 compared to 1.0 and 2.0. And by the way, if you're not listening to "Word Notes," you're missing out. We just recently published our 100th episode of that show, and I have to say I've learned more about cybersecurity working on that show than I have in my entire 30-year career. But let me summarize that episode here, though. Web 1.0, which lasted from about 1991 to 2004, refers to the time when websites were mostly static content. Web creators established a domain name, set up a web server on that corner and built webpages for specific topics that included hot links to other sources of information on the site or to other web creators. Web 2.0 refers to the internet in its current form, the stuff we are dealing with today, marked by interactive websites owned by several massive companies. This is most clearly seen in social media.

Rick Howard: Web 3.0 refers to the relatively new idea of a decentralized internet built upon blockchain, or peer-to-peer nodes, perhaps through the metaverse that Facebook and others are working on, giving users more sovereignty over their own data. Web 3.0 is another manifestation of tech researchers and investors realizing that internet customers may not especially like the current situation and would pay for other models. They think that the typical internet user doesn't like the idea that all of their traffic must traverse a small handful of internet tech giants whose business model is to monetize the user's personal information. So, Josh, am I right here? Are we seeing this exponential investment because of Web 3.0? 

Josh Greenfield: Yeah, that's a good question, as well. Fintech's not new. It's been around for a very long time. If you go back to the early 1950s, the idea of credit cards and debit cards and the movement of digital assets - it's been around for over 60-plus years. The Web 3.0 is a really good question. And I think it's to be determined. As we look at kind of the original Web 1.0, it was really a static relationship. As one person on the side of the web, I need information. I request that information, and it comes back to me. 

Rick Howard: Hey, don't be dissing those early days of Web 1.0. I made those pages, complete with static images, flashing highlight lines and bold text in a rainbow of colors. We thought we were so cool. 

Josh Greenfield: Netscape was a fantastic tool. Congratulations. 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Josh Greenfield: Yeah. I think that idea of going from static relationships to dynamic relationships - I think fintech has seen a big kind of boom with that. My moving, my money, my assets, my currency to the places that I want to have it moved, whether it's peer-to-peer payments, whether it's credit cards, in the 2.0 environment. Now, 3.0 is where things are going to be really interesting. And I think there's some big challenges in 3.0 - the idea of, kind of distribution on the web. Going back to 2.0, we saw the large behemoths and web-scale companies, really four or five of them, kind of controlling the major market share. But 3.0 is this idea that it's the democratization of movement of assets. So whether it's distributed ledgers or moving money freely without one or two large players crafting and shaping that, I think there's a big opportunity in that. And the challenge that I do see is some of the large marketplaces out there right now are really struggling with, how do they get away from the one thing that they're trying to solve for? So, for example, if you want to buy a cryptocurrency, there's five or six different marketplaces - maybe more now - that you can do so safely and securely. They're becoming those large, web-scale behemoths that they're fighting against with 2.0. So it's going to be interesting to see how that plays out as we continue to watch that evolution. 

Steve Winterfeld: Yeah, I would add that, you know, decentralized is a huge part of this, as is individualized. The expectation of customer experience is really changing. Artificial intelligence, 5G, APIs are underlying all of this, and there's really a chance for disruption here. The pace of disruption, the amount of money that's being invested in all these different potential startups that are going a lot of different directions. 

Rick Howard: Help me understand that, Steve, because what emerged from almost two decades of Web 2.0 is that, like Josh says, these giant Silicon Valley companies like Facebook, Amazon and Google became the arbiter of all your interactions. You have to go through them in order to exchange information or to do business with somebody else. And the reason Web 3.0 is potentially disrupting is that some people aren't satisfied with that. We're not happy going through those big Silicon Valley companies so they can turn around and make money off our own data. And that gets you to your decentralization thing, right? Fintech could potentially get rid of the middleman altogether. 

Steve Winterfeld: Right now, a lot of currency is fiat currencies controlled by a government. So there is some disruption around there. You've seen different countries approach this in different ways, some moving towards it. Some, like China, initially moved towards crypto and then did a hard reversal. You've got big tech that is including the finance inside apps - and you've really seen this in Asia - where the whole ecosystem includes ability to do closed transactions within it. Here in the United States, you have FedNow, which is an effort for our government to move into fintech. You know, you've got traditional institutions, some of them partnering with fintech, some of it buying it and some of it white labeling it. And then, you know, finally, as we look at some of these super apps - talk about Facebook - and Facebook has made some forays into - including a financial aspect into its ecosystem. And so all of that is moving very fast. And then next to that, you have a lot of things pushing back. More and more countries are trying to do data localization, trying to restrict data to their geos. And that ties into what you're talking about privacy there. And how much of that is driven by the government? How much of that is driven by customers?

Rick Howard: So, Josh, let's talk about Steve's super apps because the promise is that they eliminate the middleman. But if they get successful - let's say there's a giant, super app that everybody uses for banking - don't they become the new Silicon Valley giant that everybody has to go through? Is that what the danger is - after all this disruption, we're going to end up with the same system that we had before? 

Josh Greenfield: That is the question, right? So all the items and elements that we're trying to change with decentralization, you're ultimately still going to have an arbiter of truth, right? And the one thing that I think shouldn't be lost in any of this conversation is the idea of trust. Trust is really critical to the movement of money, where assets sit, where those assets live and knowing that they'll be there and they'll be available for you when you need them and when you want to transfer them. And so trust comes down to relationships. And for a long time, banks were that relationship. Enter 2008, 1987 - other crashes along the way. And I think the decentralization that we're seeing now is a response to, are we trusting the right institutions? And only time will tell. But that idea of finding the thing and then becoming it, you know, I would argue since the beginning of time, one thing always replaces another. So whether you're a Blockbuster and you're being replaced by Netflix and now Netflix is under fire by insert streaming provider Y, there's always someone new coming. And cars replacing horses, right? There's this transformation that technology enables us to do. And I think we'll see a very different world in about 20 years, with finance and the movement of money. What it is, I can't say.

Steve Winterfeld: So when you built that cutting-edge webpage, I am willing to bet there was not a lot of security around it. It was new. It was cutting edge. We've been doing that a couple years now, and we've built guardrails around those. And so Web 1 and Web 2, we have guardrails around. As we move into APIs and serverless and DevOps. And we don't have as much maturity. And so some of this is the traditional stuff. You know, the rogue server with the rogue webpage is now the rogue API. And so how are you doing API discovery? How are you doing API protection? Have you shifted left and pushed the shield right? You know, there are so many aspects here. It's new, but is anything new under the sun? 

Steve Winterfeld: So while we're moving into this new stuff, you know, some of this is different and some of it we think about a little different. So the problem is the institutional maturity of doing it. A lot of people know how to do it, but we haven't built the guardrails we have for a lot of our traditional stuff, not that all of those were working real well. I know one of my examples, personally, is I'm horrible about managing finance. I'm not allowed to do our bills. And so I see this app. It will help me manage my wealth. It'll connect to my 401(k). It'll connect to my bank. It'll connect to my trading. Not that there's a lot of money there, but I can now centrally manage that easily. And so I log in, and I give them access, provide passwords and access to all my wealth. And then I sit down, and I think about what I did. And I gave some startup, who I have no idea what their security is, direct access to all my wealth. 


Unidentified Person: Ay, caramba. 

Josh Greenfield: I think Steve's being humble. I know there's a lot of money in there, not a little bit of money. 

Steve Winterfeld: (Laughter). 

Josh Greenfield: The other thing that I would say on top of that that's interesting is regulatory, right? So what security guardrails were created out of necessity, and what were created because someone made them do it? And right now, fintech in particular - there's not a rule - there's a few governing bodies - but understanding what the rules and what the measures need to be is still being figured out, whereas we see great collaboration around large financial institutions and banks trying to solve the same problems. Fintech is a little bit different, where everyone's trying to take everyone else's lunch. There's collaboration, but there's also a lot of coopetition. And I think understanding regulatory is going to be interesting to see how this shakes out. Some of those rules are still very applicable in financial services and fintech. I think it's a different mindset. So if you talk to a fintech customer or somebody making decisions about what the future looks like, regulatory isn't - it's the seventh inning of a nine-inning game, versus large banks and institutions, where that's inning one or two. That's the foundation. So that problem will be solved later on by a lot of the fintechs. But right now it's solving the inefficiencies. Once we address that, we know the regulators will come. We'll have to address those later on. So it's really later in the game.

Steve Winterfeld: And some of it is resources. The top 15 banks have regulators embedded. That startup company that I gave all my information to - is a regulator going to get down there and review that, with the number of startups we have? And then it gets into all the cross borders. I mean, in payment, there's so much energy around payment going near real-time, cross borders, to provide wealth vehicles to areas throughout the world that don't have them today. And so that was a democratization of this. And so some of that stuff isn't clearly regulated. So some of this is new ground. 

Rick Howard: As Josh said, fintech has been around for years, but it's way too early to see if this new and potentially disruptive Web 3.0 version, with its decentralization and potential use in the metaverse, will catch on with consumers and businesspeople, and whether or not it will deliver us from having to rely on a handful of Silicon Valley companies to send all of our traffic through. Or will some new Silicon Valley company emerge and become a giant to replace them? One thing is certain, though: how we think about securing these environments isn't new or different. If these Web 3.0 fintech security practitioners follow the same first-principle strategies, they'll be fine. But if things happen here the same way they have happened everywhere before, it's likely they won't get around to it until much further down the road.

Rick Howard: And that's a wrap. I'd like to thank Steve Winterfeld and Josh Greenfield, both from Akamai, for helping me understand this business of fintech a little bit better. And as always, if you agree or disagree with anything I've said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to see csop@thecyberwire.com. That's csop@cyberwire - all one word - .com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. Next week, we will be talking about privileged escalation. You don't want to miss that. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.