The state of cybersecurity at financial institutions
There’s no “one-size-fits-all” approach
How do financial services firms measure success with cybersecurity? A Deloitte survey examined how firms developed and deployed best practices. While many approaches are unique to individual firms, institutions would do well to scrutinize and learn from their peers’ experiences.
We surveyed CISOs from 51 companies about how they are discharging their responsibilities in protecting the digital fortresses at banks, investment management firms, insurance companies, and other financial services institutions (FSIs). The results provide a preliminary snapshot of how many FSIs may go about handling cybersecurity, while generating intriguing insights that warrant further exploration.
CISOs strive to upgrade cybersecurity
How do you measure what “good” looks like when it comes to cybersecurity at financial services companies?
The answer may be difficult to determine in the midst of a constantly changing threat landscape, and at a time when shifting business priorities and exponential technology forces are changing how many organizations approach management of cyber risks. In dealing with these challenges, chief information security officers (CISOs) often face a number of difficult questions:
- Does the operating model (centralized vs. decentralized) matter?
- Which factors determine the role of CISOs in terms of reporting relationships and influence within their companies?
- What role does the innovation agenda play in deciding how much of the cyber risk budget could be used for transformative vs. operational investments?
- Is there an “efficiency ratio” that can be applied to cyber risk management functions?
- Is there an empirical way to compare one financial institution’s cyber risk management program to another?
Observations from the survey
Characteristics often differ by maturity level
If money is not the sole criterion of cybersecurity effectiveness, what factors differentiated the risk management approaches and practices of adaptive respondents—those that have reached the highest implementation tier in the NIST framework—from their lower maturity level counterparts? Here are a few observations:
- Accountability starts at the top
- Shared responsibilities make a difference
- Multiple lines of defense are maintained
- Cyber risk exposure is distributed
- Outside support is sought
Size tends to matter when it comes to cybersecurity programs
The study raised a number of other points of distinction when it comes to how larger financial institutions responding to the survey handle their cybersecurity operations. Among the more noteworthy observations:
- FSIs may not be allocating enough resources
- Type of ownership makes a difference
- Meat and potatoes over dessert (Survey respondents spent more than two-thirds of their cybersecurity budgets on operational activities, vs. less than one-third on transformational initiatives)
- CISO reporting relationships vary
- Innovation is a top priority
Lessons learned from the survey and hands-on interaction with companies
While this survey represents a small sample of the financial services community, the results nevertheless indicate steps companies can consider as they continue to upgrade their cybersecurity capabilities and maturity level. In many cases, these observations seem to reinforce the fact that there is a wide spectrum in the maturity of cyber risk management throughout the industry. As a whole, companies should keep raising their game to stay on top of evolving cyber exposures while enabling secure innovation.
Financial institutions should consider the following actions:
- Proactively engage the board
- Engage the entire organization in cybersecurity
- Provide multiple lines of defense
- Alter the mix of a CISO’s responsibilities
At present, we have just scratched the surface when it comes to cybersecurity benchmarking. Future surveys are likely to seek more information on cybersecurity budgets and headcounts by maturity level and company size to create benchmarks such as:
- Maturity score by NIST domain
- Cybersecurity spending as a percentage of IT spending, as well as per FTE
- Number of cyber risk FTEs as a percentage of information security and total IT personnel
However, while benchmarks could help financial institutions assess their readiness to handle cyber risk, remaining secure, vigilant, and resilient also likely requires the industry to look beyond its own experiences and continue working together with broader communities facing the same threats.