The great reassessment
Your cybersecurity strategy to kick start 2023.
Financial services organizations are at an inflection point as we usher in a new era of cybersecurity, one that requires a holistic approach. The ongoing appetite for accelerated digital transformation, coupled with the pressures of high geopolitical and market volatility, is transforming the way global financial services firms assess cyber risk and prioritize cybersecurity and IT investments.
Prior to the onset of the global pandemic, many financial organizations approached cybersecurity strategy in a reactive, ad hoc, and tactical way, patching gaps as they appeared, quickly and imperfectly. While that may have been tolerable for managing the threats of the time, today's hybrid workforce and the need to access critical business data remotely and securely change the approach companies must take to protect themselves. It is time to treat cybersecurity strategy as the topline, critical business objective it deserves to be: with intentionality, a critical eye, and both the short and the long term in mind.
There are three first steps every leadership team should take to properly re-assess their cybersecurity strategy.
Shift the internal narrative on cybersecurity to the business priority.
Start thinking about cyber risk on par with credit risk, default risk, economic risk, and the other traditionally understood financial risks. Then appoint someone to lead your cybersecurity program and give them the authority, and the budget, to secure the enterprise. Next, create a dedicated senior leadership committee to advocate for the cybersecurity strategy at the decision-maker level. This group should own the creation of the guiding cybersecurity strategy and ensure the organization stays aligned with it as its needs evolve. With cyberattacks on the rise, companies have a responsibility to prioritize cybersecurity as they would financial risk, which means assembling a board of directors that understands which cybersecurity capabilities are needed and has the expertise to oversee their delivery.
As expected, when cybersecurity needs increase, so does the need for board members who have cyber expertise. In fact, according to the Heidrick & Struggles’ Board Monitor, the sharpest increases in expertise among new board members from 2020 to 2021 were for sustainability (from 6% to 14%) and cybersecurity (8% to 17%).
Board members' expertise also shapes how often cybersecurity reaches the board agenda. According to the EY Global Information Security Survey 2021 (GISS), four in 10 (39%) organizations put cybersecurity on their board agendas quarterly, up from 29% in 2020. However, in EY's Global Board Risk Study 2021, only 9% of boards declared themselves extremely confident that the cybersecurity risks and mitigation measures presented to them could protect their organization from a major cyberattack, down from 20% the year before.
Get honest about your organization’s current approach to cybersecurity.
Fully audit your current cybersecurity framework: acknowledge blind spots and categorize your current vulnerabilities by level of risk and business importance. This also means reconsidering which priorities have shifted or become obsolete over the last 12 to 24 months, including the shortcuts that were taken and the needs that were shelved from the beginning.
From limited visibility into organizational infrastructure to system and tool integration to communication, the pandemic pushed many organizations into hurried builds, which has created challenges for cybersecurity teams. For instance, 56% of cybersecurity teams were not consulted, or were consulted too late, when leadership teams made urgent executive-level decisions with cybersecurity implications, according to the EY Global Information Security Survey 2021 (GISS). Flaws in defenses introduced this way are exactly what attackers look for.
In comparison, organizations with a designated incident response team that regularly exercises its cybersecurity processes, running drills and maintaining a comprehensive incident response plan, saw savings of $2 million compared to those that did not [1]. A well-executed plan for when a cyberattack occurs can significantly affect both financials and reputation.
Build momentum now.
Integrating your cybersecurity strategy priorities into overarching business plans impacts future budget and financial plans—for the short and long term. By creating monthly and quarterly checkpoints and identifying key deadlines to ensure accountability, organizations will be able to more accurately and efficiently identify immediate next steps and continue making steady progress.
An important part of that progress is understanding the regulatory landscape. Currently, HIPAA, the Gramm-Leach-Bliley Act, and the Homeland Security Act are among the most important federal cybersecurity laws in effect; they require healthcare, financial, and government entities, respectively, to ensure the security of their systems and data. Just as important is keeping track of upcoming regulatory developments that will affect the organization over the next 12 to 18 months, including:
- The US Department of Justice set a three-year strategic plan to bolster its cybersecurity posture and prioritized other improvements to its IT skills, systems, and processes.
- The Financial Crimes Enforcement Network has identified cybercrime as a top priority for anti-money laundering and countering the financing of terrorism policy, and it will be releasing regulations to implement this policy in the very near future [2].
- The National Law Review reported that the SEC announced its Crypto Assets and Cyber Unit would be nearly doubled in size, from 30 dedicated enforcement positions to 50. The unit's focus includes enforcing violations of "cybersecurity controls at regulated entities" and "issuer disclosures of cybersecurity incidents and risks."
These are just a few of the regulatory developments top of mind, but it is important for organizations to go beyond meeting these requirements. As financial services organizations adapt to a quickly changing and complex cybersecurity environment, digital acceleration, and market volatility, there is a unique opportunity to reassess and establish a cybersecurity strategy that meets current and future needs.
Cybersecurity has moved from a siloed, regulation-driven mandate to a topline organizational objective. It is time for a holistic approach to cybersecurity that reflects this change and ensures needs are met today and in the future.