Financial firms improve cybersecurity with core capabilities


A new survey reveals successful strategies for strengthening cybersecurity that won’t break the bank.

May 8, 2019

A blog post by Sam Friedman, insurance research leader, and Nikhil Gokhale, insurance research manager at the Deloitte Center for Financial Services, Deloitte Services LP

Just like happiness, money can’t always buy cybersecurity excellence

Money isn’t everything when it comes to bolstering cybersecurity at financial institutions. Indeed, the most advanced risk managers in financial services aren’t necessarily those who spend the most. Instead, cybersecurity planning, execution, and governance are more likely to be the key differentiators in terms of maturity.

That was one of the main takeaways from our analysis of the second annual survey of chief information security officers (CISOs) at banks, insurance companies, investment management firms, and other industry players, conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), working in conjunction with Deloitte Cyber Risk Services.

The survey found a wide range of cybersecurity spending among survey respondents, whether comparing companies by size (based on revenue), industry sector, or risk management maturity level. But more importantly, we were able to identify several core traits of those that have reached the highest maturity level as defined by the National Institute of Standards and Technology (NIST).

It stands to reason that organizations that can integrate these fundamental elements and follow the example set by leading cybersecurity programs are more likely to become effective risk managers and remain at the top of their game in the face of an ever-evolving threat landscape.

These defining characteristics include the following:

  • Securing the involvement of senior leadership, especially board members.

    The survey found that the boards and management committees at the most mature companies were much more interested in nearly all areas of cybersecurity than those at less mature organizations.

    This can make a significant difference in a company’s cybersecurity capabilities. Better education of board members by CISOs and other C-Suite executives around current threats and security risks, as well as their implications for the business, could galvanize increased engagement while helping gain adequate resources for cybersecurity.
  • Raising cybersecurity’s profile within the organization beyond the information technology (IT) department to give the risk management function higher-level attention and greater clout.

    Cyber threats are increasingly being acknowledged as one of the most critical business risk exposures facing an organization, well beyond any technology challenges they pose. More mature companies have therefore recognized the need to raise the cybersecurity department’s profile, enabling decisions that are above and independent of other IT considerations or constraints.

    For example, the most mature respondents were more likely to elevate the cybersecurity function’s prominence by completely segregating cybersecurity from IT, while those at a level below that appear to be moving in this direction, as they were more likely to segregate the two functions even while maintaining common lines of reporting. Those with the lowest levels of maturity were by far the most likely to keep cybersecurity as part of IT and least likely to split the functions and give cyber a separate identity.

    The theme of raising cybersecurity’s profile and segregating it from IT was also reflected in the reporting structure at the most mature companies surveyed, where more CISOs reported to COOs and CROs than to CIOs and CTOs.
  • Aligning cybersecurity efforts more closely with the company’s overall business strategy.

    Companies with the most mature risk management programs recognized that cybersecurity needs to be more closely tied to overall strategy. “Business growth and expansion” was identified as the second biggest challenge by the most mature respondents, as opposed to being only the fourth and fifth priorities among those at the lesser two maturity levels. Indeed, less mature respondents are often still contending with much more basic issues. Those who are one level below advanced cited “difficulty prioritizing options for securing the enterprise” as their second biggest challenge, while the number one problem facing the least mature respondents was “lack of management support and inadequate funding.”

    Dealing with growth and expansion challenges will be crucial for CISOs, as cybersecurity considerations will likely multiply along with the introduction of new platforms, products, geographic regions, apps, and web capabilities.

Cybersecurity is a journey, not a destination

While the survey indicated that high maturity respondents may have settled on a solid governance system and laid the foundation for an effective cyber risk management program, there’s still much work to be done to keep fortifying defenses and response capabilities across the industry. Such efforts have taken on a new sense of urgency in this age of heightened consumer sensitivity about data security and privacy, as well as additional regulatory demands.

Achieving excellence in cybersecurity will therefore remain an ongoing journey, with many twists and turns, rather than an ultimate destination. Cyberattacks will continue to be bolder and more sophisticated, challenging financial institutions to respond in kind. Companies will need to continuously upgrade their capabilities—both human and technological—to stay one step ahead of those seeking to penetrate their digital fortress and compromise their operations.

For more information about these core characteristics, as well as a look at cybersecurity spending levels and characteristics by industry and size of company, see Deloitte’s full report on Deloitte Insights, “Pursuing cybersecurity maturity at financial institutions.” You may register for our live May 9 DBrief webcast.

What do you think?

Is it possible to achieve cybersecurity goals without a lot of spending?

Join the conversation on Twitter: @DeloitteFinSvcs.

QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.