Senior Management Perspective on Cybersecurity
Even though no financial institution is immune from cyber attack, only 1 in 3 respondents say their board is involved in reviewing security and privacy risks. This is not just a cybersecurity problem; it is a board problem, affecting every aspect of the business and starting at the top. A recent survey of 276 directors and officers at publicly traded companies found that boards of directors showed strong support for greater corporate accountability on cybersecurity issues and said they were preparing for an increase in lawsuits and regulations linked to cybersecurity.
“…companies cannot lose sight that cybersecurity is not only all about the “data”, it is also all about the “people” who control and have access to that data. Today, creating a culture of cybersecurity from the boardroom down to the breakroom and throughout all company departments is crucial.”
- Christine Marciano, Cyber Risk Managers, LLC
Separation of IT and Cybersecurity
Regulators are starting to recognize and require the separation of IT and cybersecurity risk tracking; one of the most prominent examples is the FFIEC Cybersecurity Assessment Tool (CAT).
Just as with loan risk, banks need a system of checks and balances. In most financial institutions, cybersecurity is intermingled with operational IT risk management, but it is actually a separate risk that needs to be managed independently of IT. This separation is necessary to be both secure and compliant. Proper security starts with clearly defined policies, from which controls, processes, and monitoring follow. Lumping cybersecurity risk into IT risk relegates cybersecurity to second-class status, which can leave a financial institution vulnerable.
There are many solutions that address parts of your cybersecurity program, but DefenseStorm is the only company that can manage your cybersecurity risk end to end. We are a new layer that can see and manage the entire cybersecurity program. The aspects of a cybersecurity program include:
- Policy – a guiding principle (Internet usage should be limited to business needs)
- Process – how you implement the policy (Internet usage guidelines are published and all users are required to sign off after training)
- Control – quantifiable rules that make up the policy (no access to Facebook on the corporate Wi-Fi)
- Monitoring – people/technology that watch to make sure policies are being followed (automatic alerts notify our security administrators when Facebook is accessed)
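The policy-to-monitoring chain in the list above is easy to state and easy to get subtly wrong in practice, so here is an added example (not DefenseStorm's code) that turns the Facebook item into running monitoring logic. The proxy log format, the `10.20.` corporate Wi-Fi address range, the blocked-domain list and the sample log lines are all constructed assumptions for this illustration. It also distinguishes a denied attempt (the control worked, worth recording) from an allowed request (the control failed, worth escalating), which is the difference a board report actually cares about.

```python
"""Policy -> control -> monitoring, illustrated over constructed proxy log lines.

Added example; the log format, address ranges and domain lists are assumptions,
not a description of any real product or network.
"""
from dataclasses import dataclass
from datetime import datetime
from collections import Counter

# Control: the quantifiable rule derived from the policy
# ("no access to Facebook on the corporate Wi-Fi").
BLOCKED_DOMAINS = {"facebook.com", "fbcdn.net"}
CORPORATE_WIFI_PREFIX = "10.20."   # assumed address range of the corporate Wi-Fi


@dataclass
class ProxyEvent:
    ts: datetime
    client_ip: str
    host: str
    action: str   # "ALLOW" or "DENY", as recorded by the proxy


def parse_proxy_line(line: str) -> ProxyEvent:
    """Parse one line of the constructed format:
    '<ISO timestamp> <client_ip> <host> <ALLOW|DENY>'."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed proxy line: {line!r}")
    ts, ip, host, action = parts
    return ProxyEvent(datetime.fromisoformat(ts), ip, host.lower(), action.upper())


def domain_matches(host: str, blocked: set) -> bool:
    """Exact or subdomain match only: 'www.facebook.com' matches 'facebook.com',
    but 'notfacebook.com' must not (a naive substring test would flag it)."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def violates_control(ev: ProxyEvent) -> bool:
    """The control only applies to clients on the corporate Wi-Fi."""
    return ev.client_ip.startswith(CORPORATE_WIFI_PREFIX) and domain_matches(ev.host, BLOCKED_DOMAINS)


def monitor(lines):
    """Monitoring: one alert per event that violates the control.

    An ALLOW means the technical control failed (severity high); a DENY means the
    control held but a user attempted the violation (severity info)."""
    alerts = []
    for line in lines:
        ev = parse_proxy_line(line)
        if not violates_control(ev):
            continue
        alerts.append({
            "ts": ev.ts.isoformat(),
            "client_ip": ev.client_ip,
            "host": ev.host,
            "severity": "high" if ev.action == "ALLOW" else "info",
        })
    return alerts


def report_counts(alerts) -> dict:
    """Roll alerts up into the kind of count a board report would show."""
    return dict(Counter(a["severity"] for a in alerts))


# Constructed sample log: two corporate-Wi-Fi clients, one guest-network client.
SAMPLE_PROXY_LOG = [
    "2024-03-04T09:12:01 10.20.5.17 intranet.example.com ALLOW",   # fine
    "2024-03-04T09:12:44 10.20.5.17 www.facebook.com DENY",        # attempt, blocked
    "2024-03-04T09:13:05 10.20.7.3 static.xx.fbcdn.net ALLOW",     # control failed
    "2024-03-04T09:14:30 192.168.40.9 www.facebook.com ALLOW",     # guest network, out of scope
    "2024-03-04T09:15:12 10.20.5.17 notfacebook.com ALLOW",        # must not match
]

if __name__ == "__main__":
    found = monitor(SAMPLE_PROXY_LOG)
    for a in found:
        print(a)
    print(report_counts(found))
```

The two design points worth noting are the subdomain-aware match (substring matching on host names is a classic source of both false positives and bypasses) and the scoping by address range, which keeps the monitoring aligned with the control as the policy actually words it.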
What Can You Do About It?
The first step to getting your board involved is to educate yourself and the board on exactly how they should and can best participate in cybersecurity for your company. Once you have a process in place, begin building proper reporting mechanisms and ensure that reviewing these reports is on the agenda for board meeting discussion.
According to the Global State of Information Security survey, these reports should be divided into several categories to keep them organized and easy to scan.
In addition to education and reporting, you should also follow the recommended FFIEC regulatory guidelines. This provides an overall view of your cybersecurity program and where it needs improvement. Installing a SIEM (security information and event management) tool is another smart way to help combat the ever-present cybersecurity risk. Conducting regular vulnerability scans and penetration testing allows you to see how your cybersecurity program holds up to real-world circumstances and hacking attempts. Make sure that you do not substitute one for the other; both vulnerability scans and penetration testing are important to your network security.
Storing your audit logs off-site provides an extra level of security by preventing tampering. You can also utilize features like log aggregation, anomaly detection, threat feeds, and automated alerts to satisfy new FFIEC requirements.
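Off-site storage keeps an attacker with local access away from the archived copy, but a defender still needs a way to prove the local and off-site copies agree. This added example (not DefenseStorm's code, and not a feature the page describes) shows one common way to make an audit log tamper-evident: each entry commits to the previous entry's SHA-256 hash, and only the final "head" hash needs to be kept off-site to detect both edits and truncation of the local copy. The audit events are constructed sample data.

```python
"""Tamper-evident audit log via SHA-256 hash chaining.

Added example. Storing the chain head off-site lets a defender detect both
modified entries and silently truncated logs in the local copy.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # fixed "previous hash" for the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so that key order cannot change the hash.
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    """Wrap each audit record with the previous hash and its own hash."""
    entries, prev = [], GENESIS
    for rec in records:
        h = _digest(prev, rec)
        entries.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return entries


def chain_head(entries) -> str:
    """The value to ship off-site alongside (or instead of) the full log copy."""
    return entries[-1]["hash"] if entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return (ok, index_of_first_problem).

    Any edited, reordered or removed interior entry breaks the chain at that
    index. Dropping entries from the end keeps the chain internally consistent,
    which is why the off-site head hash is compared as a final step."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)   # truncation (or a whole different log)
    return True, None


# Constructed audit events for the demonstration.
AUDIT_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "user": "jdoe", "action": "login", "result": "ok"},
    {"ts": "2024-03-04T09:05:12", "user": "jdoe", "action": "wire_approve", "amount": 25000},
    {"ts": "2024-03-04T09:06:40", "user": "asmith", "action": "login", "result": "fail"},
    {"ts": "2024-03-04T09:07:01", "user": "asmith", "action": "login", "result": "ok"},
]


def demo():
    """Build the chain, keep the head 'off-site', then tamper with a local copy."""
    offsite = build_chain(AUDIT_EVENTS)
    head = chain_head(offsite)

    # Local copy 1: an attacker rewrites who approved the wire.
    edited = copy.deepcopy(offsite)
    edited[1]["record"]["user"] = "asmith"

    # Local copy 2: an attacker deletes the most recent event.
    truncated = copy.deepcopy(offsite)[:-1]

    return {
        "offsite": verify_chain(offsite, head),
        "edited": verify_chain(edited, head),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The "truncated without head" case is the one to take away: an internally valid chain is not proof of completeness, so the head hash (or a signed copy of it) is the part that genuinely has to live somewhere the local system cannot write.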
The threat of a cyber attack is never going away; in fact, it is becoming more prevalent, and nobody is exempt from it. The board plays a significant role in determining cybersecurity success: if the board makes cybersecurity a high priority, the rest of the company follows. To combat the growing and evolving nature of cyber attacks, more regulations and guidelines are on the horizon, placing accountability higher up the organization. To get ahead of the curve, start building policies that achieve compliance with guidelines such as the FFIEC CAT, and assemble a team of security experts to monitor your network and recommend improvements.