I met with a CISO last week who could see clear gaps in his internal and external security posture because users were free to disable security controls. He knew it was creating risk but didn’t want to change it because of a ‘user-first’ mentality. This is not a user-centric behaviour; it is creating risk that your organization (and, incidentally, your users) doesn’t need.

When caution is risky

Big banks can’t out-innovate digital challengers if all their energy is spent ticking compliance boxes. And, if we look at where AI accountability is headed, it’s clear innovation will keep drawing the short straw. That ‘stay in your lane’ understanding between business and IT is old-school at best, counter-productive at worst. The days of leadership seeing security issues as “something that IT handles” are gone. Singapore is already considering holding top banking execs personally accountable for AI-related risks. If this becomes a global benchmark, leaders will shoot down more bold bets. They will cling to compliance because it feels safe, even if it costs them the win. Customers won’t wait around. If you stall, or seem irrelevant, they’ll jump to the next shiny thing.

The C-suite must greenlight innovation to stay competitive. But each new system, AI-driven service or merger comes with risk. Regulators don’t ease up. Every move you make needs evidence, signatures, and someone to blame if it goes wrong. In the financial sector, none of this is new, and it doesn’t go away. Question is, can we protect innovation in this security-first space? Yes. Can we do it without AI? No. If innovation needs confidence and speed, AI gives you the speed. The confidence? That’s where people freeze.

Make it safe to go fast

Indecision is expensive. While the board takes six months to debate the pros and cons of a new capability, a hundred fintechs have beaten them to it. It isn’t caution, it’s self-sabotage. They recognize the opportunity but, still, they hesitate. The problem is how we view security.

Security isn’t the brakes. It’s the helmet, the seatbelt, and the training the driver gets. You need a roll cage in place. Something that allows you to take the corners at speed, that lets you push hard without worrying that the whole thing will flip over. This is where zero trust comes in. Talk of it is everywhere. Most of it is noise. Here’s what matters: zero trust IS that roll cage. It lets you move fast because it’s built to expect failure and limit the blast radius. It assumes nothing and checks everything; it contains damage, not creative ideas. If the board had the comfort to commit to fast change, they could stop asking “Is this safe?” and start asking “How far can we push this idea?” That’s leadership freedom. It’s not about slowing innovation but about making it safe to maintain speed. Zero trust transforms security from ‘the office of No’ into the foundation that lets the business say “Yes” faster. It gives leaders the confidence to make bold calls.

What’s the alternative, really? Keep playing defense? Keep letting legacy liabilities dictate your pace of innovation? Do that and watch competitors lap you.

Zero Trust isn’t procurement. It’s posture

Just remember not to treat zero trust deployment like a checkbox exercise. It’s a mindset. It’s not just buying a tool; it’s rethinking access, identity, and trust across your entire environment. Beware of vendors who pitch zero trust like it’s a product you can buy on a Tuesday and deploy by Thursday. If someone promises you zero trust in a box, they’re selling you a box.

It takes effort to build a great zero trust foundation because ‘verify everything’ isn’t one-size-fits-all. You must define exactly what that means for your business: which users can touch which applications, under what conditions, and which data is truly business‑critical versus routine. It relies on identity‑led policies, granular application access, and data classification that reflects real risk, not blanket permissions or inherited trust.

Getting all of this right takes planning and discipline. But done properly, it’s the difference between leading and lagging. This is why zero trust is a leadership issue, not just a technical one.

So, here’s my question: What’s the project you’ve been sitting on because you couldn’t justify the risk… to your budget, time, people? What would it take to greenlight it tomorrow?

Restrict risk, not innovation: Before you greenlight that project you’ve been sitting on, read The Ripple Effect: A Hallmark of Resilient Cybersecurity for a clear blueprint on extending resilience beyond your walls.