Cybersecurity continues to be a top concern for financial institutions globally, but CISOs are split on their top priorities for securing their organizations against cyber-attacks.
According to the Financial Services Information Sharing and Analysis Center (FS-ISAC) 2018 CISO Cybersecurity Trends report, 35% of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector (respondents were all FS-ISAC members). Infrastructure upgrades and network defense were prioritized by 25% of CISOs, and breach prevention was the main thrust for 17%.
“The mission-essential business aspects that end-user security awareness training is now playing in global financial organizations must be front-and-center around all data handling and incident response,” said Dan Lohrmann, chief security officer at security awareness training provider Security Mentor, via email. “Companies can no longer just check the box when it comes to security awareness training. Effective, metrics-driven positive security training results come from brief, frequent and focused content that is intriguing, relevant and uses cutting-edge techniques such as gamification to make the lessons sticky. Staff must see the relevance of what they are learning, and that happens by teaching them things they don’t already know. As new people, processes and technology are introduced into workflows, the corresponding actions related to the business must adjust to the increasing cyberthreats that are facing global enterprises.”
Notably, while cybersecurity used to be handled in the server room, it is now a boardroom topic. The study found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.
The report also found that CISOs reporting into a technical function such as the CIO tended to prioritize infrastructure upgrades, network defense and breach prevention. On the other hand, CISOs reporting into a non-technical function such as the COO or general counsel prioritized employee training. The majority of CISOs still don’t report to the CEO; only 8% do.
“One thing that is missing is trending forecasts on reporting structures,” said Greg Reber, CEO at AsTech, a San Francisco-based security consulting company, via email. “At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds – CIOs may need to get things done quickly to realize financial goals, moving processing to cloud environments for example – while CISOs are chiefly concerned with risk management.”
Bret Fund, founder and CEO at Denver-based cybersecurity academy SecureSet, told Infosecurity: “It’s interesting, though not surprising, to see that who a CISO reports to drives the types of investments organizations will make into security. I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components. Executives and boards cannot underestimate the need for a robust security culture inside their organizations and the way that you achieve that is through proper education and training.”
In the report, FS-ISAC encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an "at the ready" risk posture and that cyber-practices are transparent to board members. CISOs should also have expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely. Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making, the group pointed out.
The report also included a list of security best practices. Dovetailing with the priorities of the respondents, the group recommends training for employees, regardless of reporting structure, because employees serve as the first line of defense. This should include awareness of the risks of downloading and executing unknown applications on company assets, in accordance with corporate policies and relevant regulations, as well as training employees on how to report suspicious emails and attachments.
“Cybersecurity preparedness starts with proper training of employees,” said Kathie Miley, COO of Cybrary, via email. “We all know that cyber education is critical for today’s businesses, but it is particularly imperative for the financial sector. The bottom line is that employees must be held responsible and accountable for cybersecurity training and they need to understand the basics of cyber hygiene – it’s not just the job of the CISO or IT security teams anymore.”
She added, “Continuous learning should become a nonnegotiable requirement in every organization, at every level. We need to let staff learn and become part of the solution. Specifically, cybersecurity training programs within organizations should be distinct to their role; identify critical assets and expose employees to the impact of vulnerabilities on the organization, their job and their customers or stakeholders.”