In my last post (Risk Management version 2020?) on the evolving nature of Risk Management, I noted that non-financial risks now dominate financial risks for financial institutions and that, based on recent surveys, cybersecurity is the top risk, ahead of traditional financial risks like market risk and credit risk. Right on the back of that, this week I came across the second annual survey by Deloitte and the FS-ISAC (Financial Services Information Sharing and Analysis Center) on the state of cybersecurity in financial institutions (Cybersecurity maturity Deloitte-FS ISAC 2018 survey); the survey confirms the view that cybersecurity should be an integral part of the Firm’s strategy in order to be successful, which would mean a strong independent risk function similar to the other risk stripes.
In particular, the survey noted the three defining characteristics below, which distinguish the most mature cybersecurity programs based on the cybersecurity framework established by the National Institute of Standards and Technology (NIST).
Defining characteristics of advanced cybersecurity programs
- Level of Senior Leadership and Board Involvement
- Level of cybersecurity’s profile within organization beyond IT
- Level of alignment with business strategy
The three indicators above show that the maturity and success of a Firm’s cybersecurity program depends on the governance framework established for it: how well it is embedded within the Firm’s strategy, and to what extent Senior Management is involved in shaping and monitoring it.
Budget is always an important consideration, but the defining characteristics of the maturity of a cybersecurity program do not directly include the amount of money spent or the tools and technology being used. Interestingly, as per the Deloitte FS-ISAC survey, smaller financial institutions are spending more than larger financial firms as a percentage of their overall IT budget, but the firms meeting the NIST definition of maturity are not the ones spending the most.
In summary, as per the survey, the Firms having the most success and maturity in dealing with cybersecurity are the ones that do not view cybersecurity as a problem for the IT ‘folks’ to deal with, and that do not see cybersecurity as a technology problem.