By Stephen Gailey, Solutions Architect at Exabeam
Many bank boards do not understand the cybersecurity threats facing their organisation. They see the information security budget and believe that they are taking action, but they don’t fully build relationships the chief information security officer (CISO) and their team. The Financial Conduct Authority (FCA) recently issued a study warning that many banks are not prepared to handle cybersecurity issues, despite them spending a greater proportion of their opex on security than almost any other sector.
The reality is that because the credit crunch, much of this information security spend has been used to meet regulatory and compliance challenges rather than to address the changing cyberthreat landscape. Increased budgets also have done little to change the composition from the board – many still have no information security experience at that level, and security professionals in a position to translate the threats and challenges into language the board will understand remain scarce.
Changing with the times
Banks tend to react to events. They are usually well prepared when it comes to standard forms of attack and can cope with malware or external attacks fairly well. Insider threats, however, remain a really significant problem. Most banks still have weak controls around JML (Joiner/Mover/Leaver) and privileged access. They also provide problems with security monitoring. Large banks are complex and generate a lot of security data – often in the billions of discrete events. Even at a time of machine learning and large data analytics, most banks still rely on people to review those events. With such huge volumes of knowledge, manually narrowing these right down to identify suspicious activity is an all but impossible task.
Part of the issue is that banks were early to determine the need for security operations and developed teams and departments to fulfill these needs. But as the threats facing banks are changing, many have failed to adapt to the new realities, simply acquiring technology in an attempt to fill gaps in security. As an effect, bank security organisations are actually large, but operate in siloes. They have access to almost every security technology on the planet, but disparate teams are vying for supremacy in organisations that are being choked by embedded operations practices, which are no longer fit for purpose.
The CISO's challenge
CISOs in this environment face the daunting challenge of bringing the organisation up to a modern standard, whilst managing pressures from external regulators and internal audit teams. These stakeholders are focused on the effective operation of controls that may have little or no relevance towards the organisation as a whole.
A CISO presenting security improvement intends to a board made-up (generally) of the previous generation is unlikely to achieve the support they need to embark on what is likely to be a multi-year change programme. Those that do will soon see a significant proportion of the budget – if not the entire budget – consumed by the remediation of the next failed audit, or a knee jerk reaction to a bank security incident.
Banks are, after all, in the business of risk management, and have a tendency to take action when a regulator dictates, or once the risk to their business warrants the expense of deploying new controls. This is where regulators have an important role. But they need to better understand what security controls are required if they are to prescribe more specific controls for banks to adopt.
It is little wonder that banks are turning to outside organisations to provide some or all of the security services they need, however this strategy is unlikely to be successful, as many vulnerabilities stem from internal complexity. Banks often run large, complex legacy systems that are difficult to upgrade or restructure and frequently, are not well understood. Banks must bite the bullet and overhaul both mess of legacy implemented security technologies, while also addressing the siloed and inefficient organisational structures and poor working practices which have developed.
Managing risk is indeed the important thing issue. Banks who get it wrong will either over invest in compliance and security – building added complexity to their environment, limiting their own ability to adapt to the market – or they will suffer major breaches. The latter will impact their reputation and price them much more than a robust security programme.
There is little doubt that the boards of numerous banks are complacent about security threats. We might have to wait for a new generation of bank executives until we see significant change in this situation, but until then, CISOs must educate their boards. They must fight for his or her budgets, the right emphasis on spending, as well as for engagement with their security programmes. This must move away from purely compliance and audit related challenges and for the modern threats and risks that banks now face.