Banks can no longer consider cybersecurity strictly as an IT issue—it must be embraced throughout the organization, says an expert in EY’s cyber risk management area.
“Cybersecurity is not possible without embedding it into the business process,” says Ertem Osmanoglu, EY’s cybersecurity and risk management executive, in an interview with Banking Exchange. Osmanoglu has more than 20 years of experience dealing with financial institutions and related technology.
“The best way to expand involvement is by bringing cyber-resiliency and cyber-agility into the business process,” says Osmanoglu. “If you treat it as an IT problem, that doesn’t go anywhere. A lot of failed programs have treated this topic as an IT issue. It’s everybody’s problem in an organization, from the board of directors to the employees.”
In a sense, this is of a piece with the “three lines of defense” approach to compliance and risk management that is required of the largest banks, and that is catching on among other institutions. In that technique, the business line units serve as the first line of defense against risks and compliance errors.
Focusing on preventive and predictive technologies that can get in front of attacks is a key approach, Osmanoglu says. Relying on reactive and detective methods comes too late—the damage has been done.
The following is an edited recap of the interview.
Banking Exchange: How can banks proactively identify cyber risk to limit damage, theft, and business disruption?
Osmanoglu: If you look at the last five or six years, banks have implemented many point-in-time technological solutions and capabilities. They’ve looked at cybersecurity as a technological issue, an IT problem. So, they’ve said, “IT, fix it.”
But if you look at how the industry has transformed, cyber is truly a business issue. In order to proactively address it, you have to apply it to your end-to-end business workflow.
Working with our clients—and this is nothing scientific, but just having looked at a number of firms—when you look at the coverage of the actual capabilities against the business workflows, you probably reach somewhere between 55%-60% coverage. For financial institutions that’s insufficient to provide an adequate level of controls.
What banks need to do is ask such questions, from the perspective of a business process, as:
• What are the critical business processes?
• What are the high-value assets that support those business processes?
• Who might want to target those assets?
• What infrastructure, devices, servers, things like that, support those high-value assets?
• How do your cybersecurity capabilities protect those assets?
Asking simple questions like these will immediately identify where major gaps exist.
Banking Exchange: How can the bank’s systemic framework become agile enough to evolve with changing business and environmental threats?
Osmanoglu: Our clients are looking to embed cyber agility and resilience into their security programs. That’s the context change and cultural change that is needed to transform these organizations.
Until they are able to dynamically adjust their controls—almost real-time based on changing threat landscapes or the company’s risk thresholds—it’s going to be really hard to catch up with the attack patterns.
Their capabilities, when you look at it in a siloed way, have very, very strong deployments. But you can see the weaknesses when you look at how the capabilities apply to enterprise-wide deployment and coverage, and how they apply to the ecosystem in general.
What is needed here is an industry-wide transformation. It’s a mindset change that starts from the board level to executive management. Cyber needs to be treated as a business risk.
Banking Exchange: What solutions are available to measure internal cybersecurity risk?
Osmanoglu: Banks need to act in a smarter way, with capabilities that can help them tie attack activity and patterns to business workflow and high-value assets. Then they need to know expected patterns of business activity. And then they can separate the bad activity from the good.
This seems very easy to say, but how do you make it practical? This is where data science and cybersecurity come together. Both of these functions need to work very, very closely together.
Banking Exchange: What criteria should banks consider when evaluating and selecting a specific program?
Osmanoglu: They should examine how reliable and effective the controls and the capabilities are at any given point in time.
Then you take it to the next level. That is, if something goes wrong and you are still breached, how quickly can you recover and resume normal business operations?
Typically, many programs historically focus a great deal of time on what I call the reactive and detective side of the equation. That’s not working as effectively as most people hoped. Now there is more focus in the industry on what I call the preventive and predictive model.
That means really looking at the lateral movement of data across the enterprise. It means being able to determine the behavior of any entity, which could be a human being, a server, a business function, an application—imagine all these different types of components that exist in the digital world. You can determine the normal behavior of each entity.
Then you need capabilities that look at the anomalies in behavior across those components. That’s the area where you can get in front of these attacks.
With the old signature-based detective capabilities, by the time you detect the damage the attackers have probably been in your organization somewhere between 90 and 250 days. It’s too late.
That’s why you need more of the dynamic cyber data science and cybersecurity functions working together to come up with areas of focus and the capability of dynamically adjusting security controls and containing attacks.