Forces are at work to at least strongly encourage, if not require, that every bank employ a chief information security officer—different than a chief information officer.
These forces include regulatory actions in the works, as well as internal industry forces—caused by the unstoppable onslaught of cybercrime.
Exam Council weighs in
The first indication of this comes in the Federal Financial Institutions Examination Counsel’s recently revised management handbook, which covers both boards and senior staff. In general, it advocates “incorporation of cyber security concepts as part of information security.”
Among many other things, the handbook specifically differentiates the roles of CISOs and CIOs.
The CISO, it says, “is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting.”
The CIO, it says, “is responsible and should be held accountable for the development and implementation of the IT strategy to support the institution’s business strategy in line with its risk appetite.”
Two quite different things.
And to drive this point home, FFIEC states: “The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations.” [Emphasis added.]
For the time being at least, an operative word in the FFIEC booklet is “should.”
However, in the booklet’s appendix, which outlines examination procedures, one section says: “Review the institution’s structure to determine whether the board established the following: … e. A CISO or information security officer position responsible for the management and mitigation of information security risks.”
This certainly is more directly related to the CISO issue than the examination procedure listed in the 2006 FFIEC Information Security Examination Booklet, which instructs: “Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others.”
The new revised management booklet just hit the streets and no doubt is being pored over throughout the industry as this is written.
Maybe it won’t be an option much longer
Next, though, comes a strong indication that regulators are considering actually requiring all banks to hire a CISO.
This comes from a very recent proposal by the New York State Department of Financial Services, which is reacting to the hacking breach of JPMorgan Chase that reportedly generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts.
That state agency recently sent a letter to all the federal banking, credit union, and financial services regulators, as well as to the Conference of State Bank Supervisors and similar state financial services groups, asking them to read and comment on a long list of proposed new regulations.
The inclusion of all these agencies in the discussion makes this a national, rather than just an individual state, issue. To be clear, at this point this is a proposal, but it does invite widespread input from the addressed parties.
To the CISO point, the proposal states this:
“Each covered entity would be required to designate a qualified employee to serve as the Chief Information Security Officer (CISO) responsible for overseeing and implementing its cyber security program and enforcing its cyber security policy. The CISO would also be required to submit to the [NYDFS] an annual report, reviewed by the entity’s board, assessing the cyber security program and the cyber security risks to the entity.”
[Of course, should this be generally adopted, such an annual report would go to other regulators as appropriate.]
Joann McGowan, a Celent analyst, already has commented on the proposal in her blog: “This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars.”
CISO—bank’s missing leadership on cyber crime?
To be fair, it’s obvious that losses to financial institutions due to cybercrime already are in the millions of dollars. More to the point, a number of studies point to a general conclusion that a contributing factor of such losses to banks, and to businesses in general, is the lack of trained information security people, led by CISOs.
NICE Actimize conducted a financial crime operations survey among professionals from large financial institutions this summer. Some of its findings lead directly to acknowledgment of the value of a consolidated information security function:
• Too many cops, not enough chiefs. Among financial institutions with at least $60 billion in assets, 53% had more than ten analytic or detection systems, and 31% had more than 20 systems.
“These disconnected solutions and the disparate activities associated with them not only affect efficiency, but also prevent financial institutions from uncovering hidden relationships that help identify crime,” NICE Actimize says.
• “Failure to communicate.” The biggest challenges to achieving unified financial crime and compliance risk management are the consolidation of siloed systems (58%), possession of an organization structure where different functions have varying or competing priorities (56%), and the integration of complex in-house systems (47%).
“With regulator focus on processes and controls, financial institutions have become motivated to increase the consistency and transparency of investigations, a process which is greatly simplified by the implementation of centralized case management,” says Chad Hetherington, global vice-president and general manager, Enterprise Risk Case Management, NICE Actimize.
Recognition of issue grows widely
Other studies, looking at the broader business environment, say much the same thing.
• DomainTools commissioned a survey by the SANS Institute about the general demand for cyber security tools and resources.
Among its findings from 476 senior executives at businesses each with more than 20,000 employees: 35% cite a lack of centralized reporting and remediation controls as a barrier to identifying cyber security incidents.
“Underinvestment in skilled security personnel remains a significant barrier for implementing more powerful solutions,” says Tim Chen, CEO, DomainTools.
• At this summer’s annual Black Hat USA conference a survey of 500 top-level security experts produced this result: Only 27% said they feel their organization has enough staff to defend itself against current threats.
• A large international EY (formerly Ernst and Young) survey produced this finding: 57% said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available. This is up slightly from 53% in the survey’s previous year. Looking specifically at banking and capital markets industries, the survey—conducted among 1,755 organizations from 67 countries—found that 56% list “identify and access management” as a top priority for information security.
Outlook not yet certain
Where this is really going is anybody’s guess. The federal and state regulatory initiatives mentioned are either still being interpreted or commented upon. The industry surveys have yet to be thoroughly analyzed and acted upon.
Still, it seems reasonable to speculate that the future role of the chief information security officer is ripe for inclusion and expansion at the highest levels of financial institution management.
Sources used for this article include: