The Bedel Security Blog

Article Review: 3 Keys to Cybersecurity Maturity

Written by Chris Bedel | May 17, 2019

Think you always need to spend more money to make your cybersecurity program better?  Think again.

Deloitte and FS-ISAC teamed up to do a survey on cyber security in financial institutions, and Deloitte recently published an article on the findings, named “Pursuing cybersecurity maturity at financial institutions”, by Sam Friedman and Nikhil Gokhale.

What's interesting about this article is that it starts out talking about the budget of financial institutions as a whole, as a percentage of their overall spend, and as a ratio of the number of full-time employees that they have. And I kept expecting them to tie cyber security maturity back to that budgetary spend. 

But that's not the case.

In fact, it was all non-budgetary items that Deloitte points out as being the three key factors to improving the cyber security maturity at a financial institution.

And so, in this blog post, I'm going to outline what those three key initiatives are, and what my thoughts are on each of those items. 

According to the Deloitte article, the top three items are:

#1 - secure leadership and board involvement

#2 - raise cyber security profile within the organization, beyond IT

#3 - align more closely with business strategy

 So let's take a look at each one.

 #1 - secure leadership and board involvement

 This one stands out to me as a major item and is great to have at the top of the list.

 I recently prepared a presentation to a group of bankers on cybersecurity. And one of the number one red flag items that I could point out to them was lack of board involvement.  I actually presented it in this way:

 “the financial institutions that are most effective in cybersecurity are the ones with an active board; one that wants to know more about cybersecurity and what they can do to help”.

 It's interesting that Deloitte found the very same thing in their survey.

 One of the key takeaways in my mind here is that cyber security doesn't start with budget, and then go into board involvement. In fact, it's the other way around. You need to first get your board involved, and the budget will likely follow.

 If your financial institution is not speaking to your board and talking to them at a business level on a regular basis, your cybersecurity program will struggle to mature.

 #2 - raise cyber security profile within the organization beyond IT

 Translation: get a CISO and make sure they are separate and independent from IT.

 Cybersecurity is not an IT issue and cannot be solved exclusively with IT solutions.  It should be an organization-wide effort, and it’s tough to do that if it remains in the confines of information technology.

 You want to make sure the reporting lines between the CISO and IT are independent from one another.

[See our post on this matter]

 If you go look at the video that we did on the three roles of cyber security, you’ll see three separate lines of defense: 

  • The IT Department
  • Network and Security Monitoring
  • The CISO

 The authors are making the same point, that cybersecurity should consist of: 

  • Operations
  • Management
  • Oversight 

And too many financial institutions merge these three independent functions together into only 2 or even 1 line of defense. 

So, move your information security department out of your IT department, and you will mature your cyber security program.

 #3 - align more closely with business strategy

 This is about making sure that your CISO understands the business you’re in and what the major initiatives are.  There can be a lot that falls under this, but the authors pointed out 2 areas that we also see potential improvement on in financial institutions. 

 The survey identified the number 2 overall challenge in managing cybersecurity as keeping up with growth and expansion. 

 In growth minded institutions, we agree 100%, you should be asking:

 “do we have an information security program that can keep up with the growth of your business?”

 Specifically, if you’re thinking about mergers and acquisitions, see [blog post on cyber due diligence before merger and acquisition]

 The second part is more specific, but equally important.  As business strategy continues to push data and systems and processes out to the cloud, the financial institution needs to ensure that the controls are adequate to mitigate the risk.

 As this migration continues, this means a focus on: 

  • Vendor Management
  • Multi Factor Authentication
  • Encryption
  • Monitoring
  • Access Controls

 Make sure your CISO has a seat at the table when it comes to business strategy, so that your ISP can mature at the right pace.

 Conclusion

 The authors wrap up the article by saying something that you all know to be true: that cybersecurity maturity is an ongoing effort.

 You know this isn't a one and done process. And we agree wholeheartedly that mature financial institutions never stop improving.

 For help at your financial institution with any of these three key concepts, drop us a line at support@bedelsecurity.com.

 For the full article: https://www2.deloitte.com/insights/us/en/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html