Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/8/2016
10:30 AM
Leni Selvaggio
Leni Selvaggio
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Shifting Mindset Of Financial Services CSOs

They're getting more realistic and developing strategies to close security gaps.

In June 2015, Websense reported that the rate of attacks against financial services firms is four times higher than companies in other industries. It’s not surprising why hackers target these companies; that’s where the money is. That’s where the information is. When a hacker succeeds in attacking a bank, he or she could access customers’ personal information and defraud them, too.

In spite of the frightening statistics, financial services security experts actually feel more confident about their security. At least, more secure than a year ago. What comes as an even greater surprise is that they’re using fewer security solutions than last year.

Last year, we studied organizations across several industries in 12 countries to access their security resources, capabilities, and sophistication. In total, the report, entitled The Cisco 2016 Security Capabilities Benchmark Study, surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations managers in Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Russia, the United Kingdom, and the United States. We then analyzed IT security capabilities in the financial services industry, using comparative data from the study, and discovered an interesting dichotomy between what these security professionals say and what they do.

In 2014, 66% said their systems for detecting network anomalies and defending against shifts in threats were highly effective; in 2015, that number rose to 76%. In 2014, 67% said that security tools for determining the scope of a compromise were highly effective; that number rose to 74% in 2015. These figures stand in stark contrast to security professionals’ behavior as measured by their use of tools.

Financial services organizations are actually decreasing their use of tools to help detect and block threats. In 2014, 57% of survey respondents said they used access control and authorization tools, but the number dropped to 48% in 2015. During that same year, 43% said they used network forensics tools, while only 32% used them in 2015.

What accounts for this duality? There’s a mindset shift underway among financial services security professionals.

Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats. They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks. Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.

Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:

  • Turning to outside help: Our research shows that many financial sector CSOs understand the limitations of internal staff expertise. They’ve begun turning to external security experts to shore up cracks in their defenses. Thirty-seven percent of CSOs in the financial services industry said they have brought in outside help for security issues because they felt their internal pool of knowledge wasn’t strong enough.
  • Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks. Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
  • Viewing security as a company-wide issue: Security professionals in the financial services industry are learning that they have to make everyone at their organization aware that security affects the entire firm. For too long, members of the C-suite viewed information security as a cost center rather than a business driver. Persuading the rest of a firm’s leadership that security can boost profits rather than decrease them can be an uphill battle, but CSOs know that keeping their companies safe is a top company-wide priority and needs to be treated as such. Fortunately, many financial services firms are successfully implementing this ideal. Our study also showed that line-of-business managers in financial services are taking more responsibility for security. In 2014, 46% of respondents said that their line-of-business managers contribute to security policies and procedures; in 2015, that number rose to 59%.

Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part. Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner. Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them. 

Related Content:

Leni Selvaggio has been instrumental in creating and marketing innovative solutions for financial services firms for over 30 years as a supplier of software, hardware and services to the United States and international markets. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26244
PUBLISHED: 2020-12-02
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expecte...
CVE-2020-28206
PUBLISHED: 2020-12-02
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also ...
CVE-2017-14451
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
CVE-2017-2910
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
CVE-2020-13493
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...