What do successful cybersecurity programs have in common? According to new research from Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), they have the attention of executive and board leadership, which also translates to raising security’s profile throughout the organization.
The research, titled “Pursuing Cybersecurity Maturity at Financial Institutions,” identified the core traits of organizations that have already reached the highest maturity level as defined by the National Institute of Standards and Technology (NIST). The report calls these highly mature companies “adaptive,” and the common traits they share include:
- Securing the involvement of senior leadership, both top executives and the board.
- Raising cybersecurity’s profile within the organization beyond the information technology department to give the security function higher-level attention and greater clout.
- Aligning cybersecurity efforts more closely with the company’s business strategy.
“Managing cyber risk is a bigger, broader challenge than just IT or compliance,” Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP, told Security Boulevard. “The CISOs in adaptive companies have realized that and have involved a broader stakeholder set: line of business executives, risk and the Board. They are working with—and sometimes challenging—their company colleagues to embed security into the products they create. They are using threat intelligence as well as business and IT changes to inform the next evolution of change in their programs. And, by engaging the broader audience, they are getting support.”
Money: Not the Answer to Becoming Adaptive
Interestingly, the survey found that the amount of money spent on security did not necessarily translate into a higher maturity level. Report authors noted these findings likely mean tactics and strategy are at least equally as important to a risk management program as the amount of money devoted to cybersecurity.
The research also found respondents said they spend anywhere from 6% to 14% of their IT budget on cybersecurity, with an average of 10%—a range of around 0.2% to 0.9% of company spend. Financial institutions are spending about $2,300 per employee on cybersecurity.
Where the CISO Sits Depends on Company Size
Who the CISO should report to and where they should sit in an organization is an oft-debated issue. So how does that stack up in finance? The Deloitte-FS-ISAC research found larger financial companies tended to keep their CISOs within IT: 56% of respondents at these companies said their CISO reported to the CIO or CTO rather than to the CRO or COO, compared to about 1 in 4 midsize and small companies. Smaller companies were most likely to have their CISOs report to the CEO.
The Process of Adapting Never Ends
Although “adaptive” companies are considered to be at the highest level of maturity when it comes to risk mitigation efforts, these organizations “should not rest on their laurels,” the report authors cautioned. CISOs will need to keep their eye to the horizon and continue to be proactive in an ever-evolving threat landscape.
“While the survey indicated that high-maturity respondents may have settled on a solid governance system and laid the foundation for an effective cyber risk management program, there’s likely still much work to be done to keep fortifying defenses and response capabilities,” the authors said.