Vulnerabilities / Threats

9/8/2016
10:30 AM
Leni Selvaggio
Leni Selvaggio
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Shifting Mindset Of Financial Services CSOs

They're getting more realistic and developing strategies to close security gaps.

In June 2015, Websense reported that the rate of attacks against financial services firms is four times higher than companies in other industries. It’s not surprising why hackers target these companies; that’s where the money is. That’s where the information is. When a hacker succeeds in attacking a bank, he or she could access customers’ personal information and defraud them, too.

In spite of the frightening statistics, financial services security experts actually feel more confident about their security. At least, more secure than a year ago. What comes as an even greater surprise is that they’re using fewer security solutions than last year.

Last year, we studied organizations across several industries in 12 countries to access their security resources, capabilities, and sophistication. In total, the report, entitled The Cisco 2016 Security Capabilities Benchmark Study, surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations managers in Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Russia, the United Kingdom, and the United States. We then analyzed IT security capabilities in the financial services industry, using comparative data from the study, and discovered an interesting dichotomy between what these security professionals say and what they do.

In 2014, 66% said their systems for detecting network anomalies and defending against shifts in threats were highly effective; in 2015, that number rose to 76%. In 2014, 67% said that security tools for determining the scope of a compromise were highly effective; that number rose to 74% in 2015. These figures stand in stark contrast to security professionals’ behavior as measured by their use of tools.

Financial services organizations are actually decreasing their use of tools to help detect and block threats. In 2014, 57% of survey respondents said they used access control and authorization tools, but the number dropped to 48% in 2015. During that same year, 43% said they used network forensics tools, while only 32% used them in 2015.

What accounts for this duality? There’s a mindset shift underway among financial services security professionals.

Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats. They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks. Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.

Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:

  • Turning to outside help: Our research shows that many financial sector CSOs understand the limitations of internal staff expertise. They’ve begun turning to external security experts to shore up cracks in their defenses. Thirty-seven percent of CSOs in the financial services industry said they have brought in outside help for security issues because they felt their internal pool of knowledge wasn’t strong enough.
  • Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks. Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
  • Viewing security as a company-wide issue: Security professionals in the financial services industry are learning that they have to make everyone at their organization aware that security affects the entire firm. For too long, members of the C-suite viewed information security as a cost center rather than a business driver. Persuading the rest of a firm’s leadership that security can boost profits rather than decrease them can be an uphill battle, but CSOs know that keeping their companies safe is a top company-wide priority and needs to be treated as such. Fortunately, many financial services firms are successfully implementing this ideal. Our study also showed that line-of-business managers in financial services are taking more responsibility for security. In 2014, 46% of respondents said that their line-of-business managers contribute to security policies and procedures; in 2015, that number rose to 59%.

Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part. Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner. Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them. 

Related Content:

Leni Selvaggio has been instrumental in creating and marketing innovative solutions for financial services firms for over 30 years as a supplier of software, hardware and services to the United States and international markets. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/22/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.