It’s 2019 and Most CISOs at Financial Institutions Demand Bigger Cybersecurity Budgets

Almost a quarter of Chief Information Security Officers (CISOs) in the finance sector have drawn up plans to compel their Chief Financial Officer (CFO) to spend extra dollars on their organization’s cybersecurity posture, according to a new study.

APT-style campaigns like the Carbanak operation have increased in scope and number in recent years, scoring major hits against financial institutions. The group behind Carbanak alone is said to have stolen upwards of 1 billion dollars.

CISOs at financial institutions are thus feeling increased pressure to protect their organizations from bad actors. However, according to a recent survey, they lack the resources they need to live up to that challenge.

Of 301 CISOs surveyed by the Financial Services Information Sharing and Analysis Center (FS-ISAC), 73% plan to ask their CFO to bump up cybersecurity spending. According to those surveyed, a mere 10% of their organizations’ overall budget actually goes into cyber defenses. And only half of that meager expenditure goes to infrastructure and asset management.

“The advancement and adoption of new technologies coupled with increased geopolitical tension has fueled a rapidly evolving cyber threat landscape,” said Steve Silberstein, CEO of FS-ISAC. “An effective cybersecurity program needs to adapt to this environment and funding must be deemed as a cross-functional investment.”

“Institutions are now finding vulnerabilities across other functions of the business with employees and third-party vendors becoming areas of increasing concern. A holistic approach to cyber is critical to mitigate current and long-term risks,” Silberstein added.

If other studies are any indication, one of the biggest shortages is the cybersecurity skill gap. The third annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) has found this issue impacts 74% of global organizations. The cybersecurity skills shortage is also considered the root cause of an increase in security incidents, as organizations are lagging in cybersecurity awareness and can’t keep up with the growing cybersecurity workload.