Other parts of this series:
CISOs – business adept and tech-savvy
It’s self-evident that financial services firms need to apply advanced technologies in their defenses if they’re to stay ahead of today’s cyber adversaries. But technology alone won’t solve the problem. To be cyber resilient, firms need more.
Our research and client experience highlight two prerequisites in particular. One is board-level access and engagement for cybersecurity leaders, to keep cyber risks front and centre as a business priority. The other is a culture that prioritizes security – not just in the IT and Information Security functions, but across the organisation. These two imperatives are linked, since achieving the first supports the second.
Engaging with the board
How to deliver against both? To ensure cybersecurity gets the high ranking it merits on the Board’s risk agenda, firms must to break down the traditional silos within the organisation and integrate the role of Chief Information Security Officer (CISO) closely into the wider business. This means having a CISO who is empowered to engage actively with the CEO and board and feels every bit as much at home in the C-suite as the security center.
This integration into the business places more demands on the CISO, requiring them to be both business-adept and tech-savvy. But it also ensures that their voice is heard at board level, strengthening the firm’s security stance and capabilities.
This is an opportunity many UK financial services firms are missing out on. According to our 2018 State of Cyber Resilience research, only 57 per cent of CISOs in banking & capital markets and just 49 per cent in insurance report directly to the CEO or board. Equally worryingly, only 13 per cent of CISOs in banking and 17 per cent in insurance have budget authorization – a significant drop from last year.
Embedding a “security first” culture
These findings underline that there’s still a lot to be done to integrate CISOs into the business. And we find that those firms that do this successfully have a head start in establishing a further key pillar of cyber resilience: infusing a “security first” culture everywhere in the organisation.
Creating and embedding such a culture is vital, because cybersecurity threats transcend any single function or even geography, instead impacting the entire business everywhere it operates. It follows that cyber issues are too great to be handled solely by one central team.
This means that viewing cybersecurity as “someone else’s problem” simply multiplies the risks it presents. To achieve cyber resilience, everyone in the organisation needs to be aware, involved and engaged.
Time for a rethink?
So, does your CISO have the opportunity to engage regularly and directly with the CEO or board, and keep them abreast of cybersecurity risk and developments? And does your workforce have a “security first” culture that focuses on cyber threats alongside other business risks? If your answer to either question is “no”, it may be time for a rethink.
In my next post, I’ll share the three cyber performance measures that matter for UK banks and insurers. In the meantime, to learn more, read our 2018 State of Cyber Resilience reports for Banking & Capital Markets and Insurance.