Vulnerabilities / Threats

9/8/2016
10:30 AM
Leni Selvaggio
Leni Selvaggio
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Shifting Mindset Of Financial Services CSOs

They're getting more realistic and developing strategies to close security gaps.

In June 2015, Websense reported that the rate of attacks against financial services firms is four times higher than companies in other industries. It’s not surprising why hackers target these companies; that’s where the money is. That’s where the information is. When a hacker succeeds in attacking a bank, he or she could access customers’ personal information and defraud them, too.

In spite of the frightening statistics, financial services security experts actually feel more confident about their security. At least, more secure than a year ago. What comes as an even greater surprise is that they’re using fewer security solutions than last year.

Last year, we studied organizations across several industries in 12 countries to access their security resources, capabilities, and sophistication. In total, the report, entitled The Cisco 2016 Security Capabilities Benchmark Study, surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations managers in Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Russia, the United Kingdom, and the United States. We then analyzed IT security capabilities in the financial services industry, using comparative data from the study, and discovered an interesting dichotomy between what these security professionals say and what they do.

In 2014, 66% said their systems for detecting network anomalies and defending against shifts in threats were highly effective; in 2015, that number rose to 76%. In 2014, 67% said that security tools for determining the scope of a compromise were highly effective; that number rose to 74% in 2015. These figures stand in stark contrast to security professionals’ behavior as measured by their use of tools.

Financial services organizations are actually decreasing their use of tools to help detect and block threats. In 2014, 57% of survey respondents said they used access control and authorization tools, but the number dropped to 48% in 2015. During that same year, 43% said they used network forensics tools, while only 32% used them in 2015.

What accounts for this duality? There’s a mindset shift underway among financial services security professionals.

Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats. They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks. Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.

Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:

  • Turning to outside help: Our research shows that many financial sector CSOs understand the limitations of internal staff expertise. They’ve begun turning to external security experts to shore up cracks in their defenses. Thirty-seven percent of CSOs in the financial services industry said they have brought in outside help for security issues because they felt their internal pool of knowledge wasn’t strong enough.
  • Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks. Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
  • Viewing security as a company-wide issue: Security professionals in the financial services industry are learning that they have to make everyone at their organization aware that security affects the entire firm. For too long, members of the C-suite viewed information security as a cost center rather than a business driver. Persuading the rest of a firm’s leadership that security can boost profits rather than decrease them can be an uphill battle, but CSOs know that keeping their companies safe is a top company-wide priority and needs to be treated as such. Fortunately, many financial services firms are successfully implementing this ideal. Our study also showed that line-of-business managers in financial services are taking more responsibility for security. In 2014, 46% of respondents said that their line-of-business managers contribute to security policies and procedures; in 2015, that number rose to 59%.

Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part. Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner. Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them. 

Related Content:

Leni Selvaggio has been instrumental in creating and marketing innovative solutions for financial services firms for over 30 years as a supplier of software, hardware and services to the United States and international markets. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.