Financial services organizations face security attacks three times as frequently as companies in any other industry. Hackers are not only targeting these firms for their money, but also for the wealth of customers’ personal information available. Just one successful attack can make way for hundreds more. The Identity Theft Resource Center (ITRC) demonstrated this domino effect in its 2015 study of 781 data breaches (71 involving financial institutions). Those breaches are believed to have exposed more than 5 million customer records.
Still, financial services security professionals don’t seem to be fazed. In fact, our recent Security Capabilities Benchmark Study shows that they are more confident about their firms’ security than they were a year ago. Many have even reduced the number of security solutions and tools they use to detect and block threats.
In the study, we surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations (SecOps) managers in 12 different countries, about their security initiatives. We then analyzed the IT security capabilities and tools used across the industry and compared our findings to the initial study. We found a stark contradiction between what financial services security experts say and what they do.
What Financial CSOs Say...
In 2015, 76 percent of survey respondents said that their systems for detecting network anomalies and defending against shifts in adaptive threats are highly effective. In 2014, that number was only 66 percent. Also in 2015, 74 percent said that security tools for determining the scope of a compromise were highly effective. In 2014, that number was slightly lower, at 67 percent.
…And What They Do
When we looked at how security professionals actually use these tools, the gap between confidence and practice became all the more clear. In 2015, 48 percent of respondents said they use access control and authorization tools to block threats, down from 57 percent the previous year. Thirty-two percent used network forensic tools in 2015, compared to the 48 percent who said they used them in 2014.
The Shifting CSO Mindset
While there is a discrepancy between survey respondents’ thoughts and actions, one thing is true: the mindsets of financial services CSOs are shifting. And it’s not necessarily a bad thing. Instead of exuding overconfidence in their firms’ ability to thwart threats, the modern CSO has accepted the firm’s strengths and weaknesses and assumed a more realistic point of view: internal technology, tools and expertise can only go so far. Now, CSOs are focusing on developing specific strategies to close security gaps.
In our research, we’ve observed a few common practices followed by the most proactive CSOs. First, many view security as a company-wide issue. In the past, the C-suite deemed security just another “cost of doing business,” rather than a business driver. In actuality, security can help a company grow its profits. Although this may be difficult to convey to C-level executives and decision makers, successful CSOs understand that security is a top priority. Therefore, they are increasing their efforts to get everyone at their organization involved, making them aware that security can affect the entire company, not just a single department or function. Many financial services firms are already embracing this notion, and line-of-business managers are taking on more security-related responsibilities. In 2015, 59 percent of survey participants (up from 46 percent in 2014) noted that line-of-business managers are actively contributing to security policies and procedures.
Second, CSOs are training their employees as their first line of defense against cyber-attacks and hackers. Our research found that 44 percent of CISOs say they have increased the amount of security awareness training for employees, as well as increased their budget for training security staff. From customer service reps to CEOs, it is vital that everyone is properly trained and proactively involved in the company’s security initiatives. Third, we found that 37 percent of financial services CSOs are turning to outside help due to an insufficient internal pool of knowledge. Like technology, internal staff expertise has its limits, and bringing in external security experts can provide a much-needed boost and fill some of the gaps.
Although CSOs in the financial services industry are using fewer technologies and tools to defend and protect their firms from security breaches and cyber-attacks, their shifting mindset represents a positive change. Successful CSOs realize that effective security measures go beyond a software program or the latest encryption application; they require organization-wide awareness, support from your employees and, at times, outside help. Your company, and more importantly your customers, depend on it.