Security a strategic objective, not just IT’s problem

The speed and frequency of cybercriminal activity continues to accelerate, requiring financial institutions to constantly re-evaluate and revamp their defenses.

For example, in 2013, 88% of attacks against financial services companies were successful in less than a day, according to an investigative report on data security by Verizon. However, only 21% of these were discovered within a day, and only 40% of these were restored within a day.

This report was cited in a recent white paper by the Deloitte Center for Financial Services, which calls for a complete transformation of cybersecurity around the three tenets of security, vigilance, and resiliency.

While the general thrust so far in the defense against cyber attacks has been to install ever increasing layers of security, “the reality in today’s world is you cannot prevent all attacks. You need to be what we’re calling secure, vigilant, and resilient,” says Vikram Bhat, principal and head of the organization’s financial services department, in an interview with Banking Exchange. “You need to be constantly vigilant internally, looking at your environment, and externally, looking at what’s going on outside. You need to be able to react quickly.

“That’s not easy with the amount of data and information that flows across. The reality—and a core tenet of the white paper—is that technology management is about creating the risk transparency both internally within your environment and what goes on outside your environment. The reality is you do need that good information flow, and rapid flow, of information across silos.”

Here’s a condensed version of Deloitte’s recommendations for financial institutions to develop a more comprehensive organizational approach to cyber risk management:

• Make the cyber risk strategy executive-driven with clear accountability—While the CISO or IT risk officer clearly has a very significant role to play, for sustainable success firms may consider appoint a chief operating officer or chief administrative officer equivalent to lead a cross-functional team to drive the cyber risk agenda. By appointing a senior leader and establishing a cross-functional council, firm leadership can send a clear message that cyber risk is an enterprise agenda item, and not just a technology issue.

• Dedicate a cyber threat management unit to sustain a dynamic, intelligence-driven approach to security—Rapid information sharing, active collaboration, and collective learning can be critical to the team’s ability to reduce detection times and, in many cases, avoid incidents completely. This team should have a defined operating model and information flow with other responsible parts of the organization including infrastructure, application development, vulnerability management, security operations, incident response and forensics, and fraud.

• Use automation and analytics to create internal and external risk transparency—Revisit IT security investments and prioritize investments to create the required automation and analytics in their environment. Financial services companies should also consider storing as much as three to six months’ worth of important data for historical analysis purposes. Social media analytics is another area that many are paying closer attention to for intelligence, brand protection, and crisis management.

• Strengthen the role of employees in the defense chain by fostering a cyber risk-aware culture—Understand that employees might possess functional expertise, but do not necessarily have the skills to spot suspicious cyber activities. A significant change in tactics related to cyber training and awareness is likely to be required. This could include cyber war-gaming exercises that bring together different parts of the organization in real-life simulations, as well as insightful training videos, or perhaps even tablet-based applications for their executives.

• Collaborate beyond company walls to address common enemies—Financial services companies could greatly benefit from building industry relationships and furthering the public-private partnership. Build relationships with law enforcement contacts, forensic and incident-response specialists, cyber-savvy law firms, and communications and public relations firms. Leverage industry associations and government agencies, including the Financial Services’ Information Sharing and Analysis Center and the Department of Homeland Security, among others.

Access the complete paper