Is Leadership Paying Attention to Your Security?

What do successful cybersecurity programs have in common? According to new research from Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), they have the attention of executive and board leadership, which also translates to raising security’s profile throughout the organization.

The research, titled, “Pursuing Cybersecurity Maturity at Financial Institutions,” identified the core traits of organizations that have already reached the highest maturity level as it is defined by the National Institute of Standards and Technology (NIST). Calling these highly mature companies “adaptive,” the common traits they share include:

DevOps Connect:DevSecOps @ RSAC 2022
  • Securing the involvement of senior leadership, both top executives and the board.
  • Raising cybersecurity’s profile within the organization beyond the information technology department to give the security function higher-level attention and greater clout.
  • Aligning cybersecurity efforts more closely with the company’s business strategy.

“Managing cyber risk is a bigger, broader challenge than just IT or compliance,” Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP, told Security Boulevard. “The CISOs in adaptive companies have realized that and have involved a broader stakeholder set: line of business executives, risk and the Board. They are working with—and sometimes challenging—their company colleagues to embed security into the products they create. They are using threat intelligence as well as business and IT changes to inform the next evolution of change in their programs. And, by engaging the broader audience, they are getting support. “

Money: Not the Answer to Becoming Adaptive

Interestingly, the survey found that the amount of money spent on security did not necessarily translate into a higher maturity level. Report authors noted these findings likely mean tactics and strategy are at least equally as important to a risk management program as the amount of money devoted to cybersecurity.

The research also found respondents said they spend anywhere from 6% to 14% of their IT budget on cybersecurity, with an average of 10%—a range of around 0.2% to 0.9% of company spend. Financial institutions are spending about $2,300 per employee on cybersecurity.

Where the CISO Sits Depends on Company Size

The issue of who the CISO should report to and where they should sit in an organization is an oft-debated issue. So how does that stack up in finance? The Deloitte-FS-ISAC research found larger financial companies tended to keep their CISOs within IT: 56% of respondents at these companies said their CISO reported to the CIO or CTO rather than to the CRO or COO, compared to about 1 in 4 midsize and small companies. Smaller companies were most likely to have their CISOs report to the CEO.

The Process of Adapting Never Ends

Although “adaptive” companies are considered to be at the highest level of maturity when it comes to risk mitigation efforts, these organizations “should not rest on their laurels,” the report authors cautioned. CISOs will need to keep their eye to the horizon and continue to be proactive in an ever-evolving threat landscape.

“While the survey indicated that high-maturity respondents may have settled on a solid governance system and laid the foundation for an effective cyber risk management program, there’s likely still much work to be done to keep fortifying defenses and response capabilities,” the authors said.

Joan Goodchild

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

joan-goodchild has 37 posts and counting.See all posts by joan-goodchild