Vulnerabilities / Threats

9/8/2016
10:30 AM
Leni Selvaggio
Leni Selvaggio
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Shifting Mindset Of Financial Services CSOs

They're getting more realistic and developing strategies to close security gaps.

In June 2015, Websense reported that the rate of attacks against financial services firms is four times higher than companies in other industries. It’s not surprising why hackers target these companies; that’s where the money is. That’s where the information is. When a hacker succeeds in attacking a bank, he or she could access customers’ personal information and defraud them, too.

In spite of the frightening statistics, financial services security experts actually feel more confident about their security. At least, more secure than a year ago. What comes as an even greater surprise is that they’re using fewer security solutions than last year.

Last year, we studied organizations across several industries in 12 countries to access their security resources, capabilities, and sophistication. In total, the report, entitled The Cisco 2016 Security Capabilities Benchmark Study, surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations managers in Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Russia, the United Kingdom, and the United States. We then analyzed IT security capabilities in the financial services industry, using comparative data from the study, and discovered an interesting dichotomy between what these security professionals say and what they do.

In 2014, 66% said their systems for detecting network anomalies and defending against shifts in threats were highly effective; in 2015, that number rose to 76%. In 2014, 67% said that security tools for determining the scope of a compromise were highly effective; that number rose to 74% in 2015. These figures stand in stark contrast to security professionals’ behavior as measured by their use of tools.

Financial services organizations are actually decreasing their use of tools to help detect and block threats. In 2014, 57% of survey respondents said they used access control and authorization tools, but the number dropped to 48% in 2015. During that same year, 43% said they used network forensics tools, while only 32% used them in 2015.

What accounts for this duality? There’s a mindset shift underway among financial services security professionals.

Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats. They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks. Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.

Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:

  • Turning to outside help: Our research shows that many financial sector CSOs understand the limitations of internal staff expertise. They’ve begun turning to external security experts to shore up cracks in their defenses. Thirty-seven percent of CSOs in the financial services industry said they have brought in outside help for security issues because they felt their internal pool of knowledge wasn’t strong enough.
  • Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks. Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
  • Viewing security as a company-wide issue: Security professionals in the financial services industry are learning that they have to make everyone at their organization aware that security affects the entire firm. For too long, members of the C-suite viewed information security as a cost center rather than a business driver. Persuading the rest of a firm’s leadership that security can boost profits rather than decrease them can be an uphill battle, but CSOs know that keeping their companies safe is a top company-wide priority and needs to be treated as such. Fortunately, many financial services firms are successfully implementing this ideal. Our study also showed that line-of-business managers in financial services are taking more responsibility for security. In 2014, 46% of respondents said that their line-of-business managers contribute to security policies and procedures; in 2015, that number rose to 59%.

Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part. Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner. Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them. 

Related Content:

Leni Selvaggio has been instrumental in creating and marketing innovative solutions for financial services firms for over 30 years as a supplier of software, hardware and services to the United States and international markets. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
NC Water Utility Fights Post-Hurricane Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.