2017: A Common Operating Layer for Capital Markets

By Mazy Dar, OpenFin
Originally published on the TabbFORUM

The ability to ‘fail fast’ and then correct course has been the major driver of innovation on the web and on mobile. This is in large part due to common operating layers – the browser for websites and iOS and Android for mobile – that drive the costs of deployment and delivery to zero. But when it comes to desktop apps in capital markets, that’s not how we do things. Here’s how we solve the problem and unlock innovation.

Capital markets are powered by thousands of desktop apps used by traders, salespeople and others at banks, brokers and buy-side firms. These include desktop apps for trading, market data, news, research, order management and collaboration, which collectively come at a cost of billions of dollars a year to the industry. In the face of evolving market structure, regulatory change and technology change, our need to continuously improve the apps we use has never been greater; and yet the vast majority of these apps update at most once or twice a year.

Contrast this with the most successful apps on our iOS and Android devices that update monthly, on average. Or better yet, consider that Facebook (a company with massive data, security and uptime requirements) deploys new features intra-day and does A/B testing in production. Why do they do this?

The first answer is obvious: They do it to make us happier, faster. But there are three other equally important reasons:

  1. They can fail fast and iterate on the product more quickly.
  2. They can calculate the ROI on new features and make better decisions.
  3. It’s actually simpler and costs less money to build products this way.

Those of you who are product managers or business analysts have no doubt had this experience. A trader (who is making a lot of money for the firm) tells you he absolutely, 100% needs a new feature in the trading app and they’re losing money each day that goes by without it. You change your priorities (upsetting the engineers in the process) and months later you’re able to deliver the new feature. As you make your way onto the trading floor (triumphantly) to show off the new feature, you’re met with a blank stare: the trader has by this time forgotten all about it and moved on.

How much is that button worth? Facebook can tell you. Our personal apps are becoming much more responsive to our needs, and they’re reaping the financial rewards through improved usage and lower costs of development. Why aren’t more of our capital markets apps applying these lessons?

The Security Challenge

Desktop apps (e.g., trading, OMS/EMS, market data) are installed locally because they need to provide a responsive, customizable, real-time experience (e.g., pop-ups, push notifications, window layout management). By virtue of being installed, these apps have full, unfettered access to the desktop and operating system. This means they pose significant security threats: the ability to steal data and files or to deploy malware on the desktop.

To protect against threats, end users at banks and buy-side firms aren’t allowed to install software themselves, and auto-update is broadly prohibited. The most diligent IT security teams run desktop apps through security reviews that include “static analysis” and “dynamic analysis” of the software. Once approved, the software is “packaged” for deployment from central servers.

Inside a bank, even trusted in-house development teams struggle to navigate their firm’s deployment processes. For third-party app providers, the challenge is exponentially more complex because there is a different security and packaging process at every firm; and full rollout of an app across multiple banks and buy-side firms can take anywhere from 6 to 18 months.

How much is that button worth? You’ll have the answer next year when the trader may not care anymore and you’ve spent your budget building the wrong thing.

Security Sandboxing

We can’t compromise security. If anything, we should dramatically improve security. But that doesn’t necessarily mean slowing the app deployment process even further. To solve the problem, we can start by asking why any app needs unfettered access to the desktop or operating system. The answer for the vast majority of apps is: They don’t!

Trading apps and market data apps really shouldn’t be reading your file system, accessing your camera or installing other software on your desktop. And in the rare circumstances when there is a good reason to do these things, the features should be vetted and approved, not by the end user (“Click OK to give full file system access”) but by central IT.

Security sandboxing should be the basic standard for desktop apps in capital markets. Once sandboxed, apps are completely isolated from the desktop and from other apps running on the desktop, except where the actions are explicitly authorized. In the current environment of unprecedented hacking and with the significant security breaches of the last year at banks and major corporations, we should not accept anything less.

An Industry-Wide Operating Layer

This approach to security is not new. It is how our web browsers work and why IT doesn’t security-review and package websites at banks. Websites run in a security sandbox that protects the desktop from malicious attacks. Similarly, mobile apps running on iOS and Android are prevented from having access to your personal data (contacts, location, etc.) – unless you authorize it explicitly. Otherwise, who would ever be comfortable downloading an app or allowing the app to automatically update?

Today, we lack an iOS or Android for capital markets desktop apps that enables instant deployment and also enforces security through sandboxing and centrally managed policies. If we can establish this common operating layer and make it ubiquitous on desktops at banks, brokers and buy-side firms, our capital markets desktop apps will be able to continuously improve and at a significantly lower cost, like our personal apps do today. We will unlock innovation that is stifled by our outdated deployment processes. And we will finally be able to answer the question: “How much is that button worth?” … before it’s too late.

This column does not necessarily reflect the views or opinions of FinReg Alert or Tradeweb Markets LLC.