Financial services organizations that have begun their digital transformation journey recognize that to be successful, they must rethink their security strategy. This recognition includes prioritizing innovation to detect and mitigate threats, particularly within their data centers, and allowing their digital transformation agenda to be defined by advancing their security posture.
The financial services industry experienced more than 1,300 breach incidents in 2015, according to Verizon’s 2016 Data Breach Investigations Report. That’s the most of any market, apart from the public sector and the entertainment industry. Also, in the 2016 Vormetric Data Threat Report – Financial Services Edition, 90 percent of financial services IT executives surveyed said that they felt vulnerable to data threats – and 44 percent had already experienced a data breach.
Ironically, financial services CSOs and CISOs are expressing greater confidence in their security initiatives, despite the massive increases in cyberattacks, malware and data breaches and their use of fewer security solutions than in previous years.
So, where is the newfound confidence coming from?
Cisco recently surveyed more than 2,400 security professionals across 12 different countries for a new report entitled, Security in Financial Services: Managing the Complexity of Digital Transformation. The research found that rather than investing in new security tools, financial services organizations are coming to terms with the limitations of their internal staff’s knowledge and existing technologies. Now, they are placing greater emphasis on employee training and third-party assistance in securing their networks. Undoubtedly, the mindset of the financial services CSO is undergoing a significant shift.
Confidence with fewer solutions
Our research unveiled several interesting dichotomies in financial security experts’ perception versus their actions. In the report, we analyzed IT security capabilities in the financial services industry using comparative data from the 2015 Cisco Security Capabilities Benchmark Study.
With regard to CSO perception, we found that 76 percent of survey respondents said that their systems for detecting network anomalies and defending against shifting adoptive threats were highly effective, up from 66 percent in 2014. In addition, 74 percent of respondents said that security tools for determining the scope of a compromise were highly effective, up from 67 percent in 2014. Respondents also showed enhanced confidence in their tools’ ability to block known threats and help enforce security policies.
However, the increasing belief in system efficacy contradicts respondents’ actions, as financial services firms have begun decreasing their use of tools to help detect and prevent cyberattacks. For instance, from 2014 to 2015, the number of survey participants who said they used access control and authorization tools fell by 9 percent. The use of network forensic tools decreased as well, dropping from 43 percent to 32 percent in that same timespan.
Other threat defenses on the decline included patching and configuration, secured wireless, web security and email/messaging security. These findings beg the question: why do financial services CSOs feel more secure, even though they are using fewer tools? Are other factors driving the reduction in use, even as the frequency and scale of cyber threats continue to grow?
Looking outward to digitize and win
The organizations that are finding the most success in securing their networks as they undergo digital transformation are those who are implementing a number of new strategies to make up for their shortcomings. These tactics include the following:
Outsource security services to close gaps
Thirty-seven percent of financial services organizations said that they outsource security services due to lack of internal expertise. Advising/consulting, auditing, monitoring and incident response are the most frequently outsourced activities.
Increase line-of-business managers’ role in security
Lines of business (LOBs) sometimes introduce technology without the knowledge or governance of the IT and security teams in an effort to quickly improve a process or customer service. This affects the ability to enforce security policies across every single system, thereby putting the rest of the business at risk. Today, 59 percent of financial organizations say that LOB managers are encouraged to contribute to security policies and procedures.
Agilely combating threats and minimizing risk requires skilled personnel, both inside and outside the security team. Many firms are expanding their training programs, with 44 percent of respondents saying they have increased security awareness among employees as well as security staff.
Make security a company-wide initiative
In addition to training employees outside of the security team, it is important to instill security awareness company-wide. Security impacts the entire organization, not just a single department, function or process.
With the pace of digital transformation accelerating, the changing mindset of the financial services CSO has come at an opportune time. By investing in outside resources, training the right people and exploring new company-wide security strategies, financial organizations can more effectively minimize risk and maximize the value of their new, digital business models.
(About the author: Jeff Kastelic is a practice advisor in financial services at Cisco.)