Cybersecurity is definitely (and finally) on the radar of executives and boardrooms of securities trading firms, and financial chief information security officers (CISOs) should make the most of their greater influence upon the top decision-makers, according to the first cybersecurity trends survey that the Financial Services Information Sharing and Analysis Center (FS-ISAC) conducted among its members.
The results of its 2018 CISO Cybersecurity Trends show that although cybersecurity was once relegated to those in IT and operations overseeing the server room (often the main target), it has become a boardroom concern.
“The study found that quarterly reports to the board of directors were most common (53 percent) with some CISOs (eight percent) reporting more than four times a year or even on a monthly basis,” according to FS-ISAC. “In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.”
The survey also questioned CISOs about the most critical cyber-defense methods, frequency of cyber-preparedness reporting to their respective boards of directors, and “the current cyber chain of command within their respective financial organizations,” according to FS-ISAC.
Different Priorities for the Most Critical Defense
“CISOs surveyed were split on their top priorities for securing their organizations against cyberattacks. Most (35 percent) of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector,” according to the survey. “Infrastructure upgrades and network defense are also prioritized by (25 percent) CISOs; and breach prevention by 17 percent.” The survey found that CISOs who report to a chief information officer via a technical function “prioritize infrastructure upgrades, network defense and breach prevention.” Those CISOs reporting into a non-technical function like the chief operations officer (COO) or the general counsel “prioritize employee training.”
Lines of Command: Most CISOs Report to Chief Information Officers
“As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organizational spotlight,” according to the survey. “The study found that the majority of CISOs don’t report to the CEO; the top cyber chain of command is more likely to be the CIO [chief information officer]; followed by Chief Risk Officer (CRO) and then COO.” Overall, 66 percent of the CISOs surveyed say they report into the chief information officer, CRO or COO, while only eight percent of CISOs report into the CEO. Reporting lines did not affect how frequently CISOs report to the board of directors on cybersecurity.
FS-ISAC Recommendations for 2018
- In the wake of the survey, FS-ISAC officials are recommending that cybersecurity training for employees “should be prioritized for all CISOs, regardless of reporting structure because employees serve as the first line of defense.” That training should cover “awareness about downloading and executing unknown applications on company assets,” in line with corporate policies and relevant regulations. Employees should also be trained on how to report suspicious emails and attachments.
- FS-ISAC officials also support “more frequent and timely reporting to the board of directors to ensure businesses maintain an ‘at the ready’ risk posture and that cyberpractices are transparent to board members.”
- In keeping with a threat landscape that is shifting and widening, FS-ISAC wants CISOs to have “expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely,” according to the survey. “Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making.”
FS-ISAC is a non-profit corporation focused on the continuity of the global financial services infrastructure and the orderly function of the sector. Established in 1999, the organization has approximately 7,000 members worldwide. FS-ISAC shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and facilitates collaboration among other key sectors and government agencies, officials say.