A recent Deloitte study surveyed chief information security officers (CISOs) from over 50 companies about how they are discharging their responsibilities in protecting the digital fortresses at banks, investment management firms, insurance companies, and other financial services institutions (FSIs).

While the findings may not represent the full diversity of practices in the industry due to the small sample size, learning from the experience of peers can help FSIs avoid having to reinvent the wheel in efforts to protect their people and systems against the latest cyber threats.

Overall, the study found organisations are working within a broad spectrum of cybersecurity strategies, structures, and budget priorities. The findings suggest that clear differences exist within the industry based on company size, maturity level, and even ownership structure.

While it’s important to have an adequate budget for cybersecurity, how a program is organised and governed may be equally if not more impactful than how much is spent relative to a company’s overall IT budget or revenue. Indeed, many companies with below average cybersecurity budget allocations managed to achieve a high program maturity level, while some that had higher than average spending were actually less advanced. This dynamic could, in part, reflect the challenges larger, more complex global organisations often face in advancing capabilities versus their smaller counterparts.

If money is not the sole criterion of cybersecurity effectiveness, what factors differentiated the risk management approaches and practices of adaptive respondents from their lower maturity level counterparts? Here are a few observations:

Accountability starts at the top.

Almost all board and management committee members at responding companies were keenly interested in their company’s overall cybersecurity strategy. However, those from adaptive companies suggest their boards are more likely to delve into the details of the cybersecurity budget, specific operational roles and responsibilities, as well as the program’s general progress than are boards of less advanced peer companies. Respondents from informed companies (see image below), which fall two tiers below adaptive on the maturity scale, reported their boards were typically significantly less interested in reviewing current threats, program progress, and security testing results.

Shared responsibilities make a difference.

More than one-half to three-quarters of respondents, depending on the sector, had a fully centralised cybersecurity function. Among the respondents from the largest participating companies, two-thirds reported a centralised approach. However, respondents from adaptive companies were more likely to favour a hybrid approach—featuring centralised functions, but with each business unit and/or region given strategy and execution capabilities and coordinating with one another.

Multiple lines of defence are maintained.

 Most respondents from adaptive firms said their organisations tended to have two separate, independent lines of cyber defence—the first involving security at front line units, and the second being organisation-wide cyber risk management operations.