Financial institutions report noticeably higher rates of success in achieving security program goals than other industries, according to a recent study.
A Cisco survey asked 4800 IT, security and privacy professionals around the world about how successful their security programs are and why. Of the participants, 589 were from the financial services sector.
“Financial services tend to be very much on the cutting edge in security,” said Dave Lewis, Global Advisory CISO at Cisco Canada. “A lot of the challenges that you’re seeing organizations dealing with today, the finance sector dealt with ten years ago.”
The banking sector’s security initiatives score particularly high on supporting business objectives and managing risk. On operational efficiency the sector still outpaced other industries, but there is room to improve.
Security and business needs are in synch
Security professionals in the finance industry rated their ability to keep up with business needs as well above the global average. “They understand what it is they’re trying to protect,” said Lewis. “They understand their fiduciary responsibility in the organization because if things go wrong, the resulting costs are significant.” For example, Lewis noted that there are incredible costs for financial institutions for every minute that Internet banking is down.
What accounts for their security program success in supporting the business? The research shows that technology is a strong foundation. Many pointed to the fact that their security technology resources were more than sufficient to support their mission. Two key factors are that financial firms invest in proactive refreshes and a well-integrated tech stack to maintain best-of-breed modern infrastructure. This pays off in the ability to deliver on business needs and increases the confidence of executives.
The sector also scores well at building a strong security culture. The study shows that accurate threat detection builds trust in both employees and consumers. “A security team that competently separates signal from noise and maintains situational awareness for the organization is a beautiful and inspiring thing to see,” states the report. “The security culture has managed to permeate within the staff so they are enabling the staff to be part of the solution,” added Lewis.
Setting a high bar on managing risk
The highest rated security practice in financial institutions is compliance with regulatory requirements. However, the study shows that for all industries, compliance alone does not make a security program successful. “For most organizations, compliance is the bare minimum that you have to do, whereas financial services excel beyond that because they know the gravity of what could happen,” said Lewis.
Here again, good security technology shows up as a major success factor for managing risk. “Financial institutions are afflicted by constant threats from all sides and fending them off is much easier with the right tools,” said the report. Prompt disaster recovery is also shown to improve the resiliency of security programs.
The strongest contributor to managing risk is the practice of clear security reporting to corporate leadership. This level of visibility in the boardroom may be one of the reasons why security teams in financial institutions have the funding for top-level technology. Clear reporting to executives is shown to increase the chances of success in managing risks by 16.5 per cent. Managing the security of vendors is also a key differentiator for security success in the financial sector.
Efficient operations boost security
Security programs in the financial sector received higher than average ratings on operational efficiency, but by a smaller margin than in the other areas. “Implementing anything new requires a lot of heavy lifting for an organization the size of a Canadian bank,” noted Lewis. “They may not be as fast and nimble as a smaller shop because of the scope of protective measures they have to take. They’re deliberately deliberate about how they do things.”
Financial sector respondents scored their success at running cost-effective programs at 45 per cent. They indicated that the key success factors here include accurate threat detection, sufficient security staff and security awareness training.
The survey also showed a link between clear reporting to executives and talent retention. Again, strong support from senior levels likely translates to better funding and security tools that create an attractive working environment for security talent.
Overall, the security programs in financial institutions have a high level of maturity, said Lewis. “Most of the banks have been in existence for well over 100 years, so they have gone through the lather, rinse, repeat of how to do security. While nobody’s perfect, they do an excellent job.”