CISOs IN FINANCE: HOW TO LEAD THE PRIVACY STRATEGY

Sophie Chase-Borthwick, Director of Data Ethics and Privacy, Calligo

 

Privacy is essentially just a data security problem, right? Surely, the requirement to act more responsibly with personal and sensitive data equates to protecting it better, encrypting it and preventing hacks and leaks?

 

Many financial businesses assume exactly this, and that data privacy, whether GDPR or California’s new CCPA, is merely an IT security problem. However, it goes far wider than that.

 

For the chief information security officers (CISOs) that have been assigned responsibility for privacy within their organisation, it can often be seen as an unenviable task. Few boards and executive teams understand the detail of what is required for GDPR adherence or Privacy by Design well enough to assign enough, or the right, resource to the task.

 

In fact, we regularly hear stories from financial services organisations of all sizes about shoddy approaches to data privacy, especially GDPR, with some assuming that just because they have a data security function, adherence is a given.


However, as an experienced CISO, you will understand that privacy is not as simple as ring-fencing your data. You will appreciate that because GDPR in particular requires the responsible management and use of data, just as much as its responsible protection, that a privacy strategy needs involvement from every part of a financial organisation, including marketing, HR, sales etc.

 

But many businesses did not think like this. Or, more accurately, many CISOs were fully aware of the extent of the task but were not given the time or resource to address it appropriately. Many were forced to focus on the parts they could fix the fastest and the easiest, predominantly technology and data protection, leaving major gaps in processes and people – the two other equally important pillars of adherence.

 

Others were bending over backwards to cover the basics of the new requirements, but saw their wider security strategies either derailed or delayed in the process, leaving many financial businesses more susceptible to security breaches than they were before. These are real scenarios that we have seen time and again amongst our clients.

 

So, how is it possible to balance data privacy with wider security strategy? Many argued when GDPR came into force that it represented a huge opportunity for those in CISO roles to change the perception of their input and value to a business; from simple data protection to instead safeguarding data across its entire lifecycle.

 

But how can you put this into practice? How can a CISO build the strategy that achieves the immediate data privacy goal, while enhancing – not weakening – wider data security initiatives, and their own standing?

 

Assess your business holistically

There are eight domains that require addressing for a successful privacy strategy: governance and accountability; risk management; security management; third party management; incident management; personal information management; rights of data subjects; and finally, understanding the scope of your organisation as it pertains to the relevant legislation.

The most obvious observation for many CISOs will be that many of these areas are outside their traditional scope. However, they all need equal attention and they are all unavoidably part of the project they are leading. The trick is to not let yourself focus on only the more easily-addressed “home turf” security areas, nor be drawn by the business too far into the non-security areas.

Ask for help

For some, this will be one of the hardest steps – either personally or politically – but it is essential. As mentioned above, there are eight areas that need addressing equally. This means that assistance from experts across the wider business is vital. No one expects a CISO to be well-versed in the legal rights of data subjects, or in how to build a perfect Privacy Policy, but you will need to recruit support from the internal subject matter experts who are, then act as the intermediary between them all, and lead from the front.

Perform a gap analysis

Before you can even think about aligning your organisation to a privacy strategy, you must identify your baseline and areas of improvement. What are the minimum requirements within each of the eight areas for your business to be in line with the legislation facing you? And what constitutes particularly robust observance? Finally, where on this spectrum are you aiming for, and how does that compare to your current state?

Present your action plan

The gap analysis will have provided you with a starting point and a series of non-conformances to address. The next step is to prioritise the remedial tasks required and plan how they will be executed. It is, however, imperative to demonstrate that the plan is tied to, but not wholly based on, the security strategy. Sales, marketing, HR, IT etc. must all understand that they have equal parts to play, and be equal in their accountability.


Secure wider resource

The final part of the process is to identify the most suitable individuals to assist. This controlled delegation maintains the CISO’s position as the lead on the project, ensures good project management and execution, while also safeguarding the security team’s resources.

 

It’s clear that a privacy strategy is an organisation-wide initiative and encompasses all areas of technology, people and processes. It requires far more than building higher walls around your data, or simply gaining renewed consent from customers. However, it’s important to remember that this will not be widely understood, and given it is commonplace post-GDPR for CISOs to be handed responsibility for privacy, you will need to take the initiative on a whole host of procedures and processes that span your entire enterprise – and may not be within your comfort zone.

However, get it right and you will engender more trust from within your customer base – an important commercial outcome that you can take no small amount of credit for.


How bug bounty programs can help financial institutions be more secure


Rodolphe Harand, Managing Director at YesWeHack

 

Financial services have been one of the most heavily targeted industries by cybercriminals for several years. One alarming stat from the Boston Consulting Group found these firms to be 300x as likely as other companies to be targeted by cyberattacks.

Furthermore, the pandemic has led to a significant increase in the number of cyberattacks targeting financial institutions (FIs), with around 74% experiencing a spike in threats linked to COVID-19.

With FIs holding some of the largest collections of sensitive and private data, it’s clear they will remain an attractive target for malicious actors, especially as any data stolen can be used for fraudulent activities. This leads to the reputational damage of the financial entity that was compromised and has a knock-on effect in terms of monetary and reputational damage to affected customers.

For CISOs at FIs, the conundrum is how to protect intellectual and customer data, and ensure accountability and transparency for clients and stakeholders, at a time when the pandemic has created budget constraints. Research from BAE Systems found that last year alone, IT security, cybercrime, and fraud and risk departments had their budgets cut by a third.

Below we look at how bug bounty programs can help to address these pressing issues.

 

Protecting valuable data

Protecting customer and intellectual data has always been a top priority for FIs. However, as opportunistic cybercriminals have a lot to gain by stealing this valuable data, there is a constant evolution of threats, which means FIs must stay on their toes. By deploying a bug bounty program, FIs can work with ethical hackers that have a wealth of experience and unique skills when it comes to identifying security weaknesses within a FI’s defence, thus helping to implement effective security measures to help prevent data breaches.

Building trust among various stakeholders such as customers, suppliers and investors is critical for achieving business goals. By deploying a bug bounty program, FIs send out a message that they care about protecting the security of the data of those they work with – which in turn can have a cascading effect resulting in better business performance.

 

Improving accountability  

For FIs to win customers and keep them happy, amidst the growing threat of neo banks and customer-centric fintech organisations, speed of innovation is crucial. As such, many FIs have adopted an agile approach to build, test, and release software faster to bring online and mobile banking solutions to market quicker. However, this can create frictions between development and security teams. Security mandates are deemed to be unnecessarily intrusive and a cause of delayed application development and deployment.

Yet, with DevOps teams needing to build and deploy applications faster than ever before, an epidemic of insecure applications has emerged. According to Osterman Research, 81% of developers admit to knowingly releasing vulnerable applications, while research from WhiteSource found 73% of developers are forced to cut corners and sacrifice security over speed.

With developers often not having the time, tools, skills, or motivation to write impeccably secure code, there is an evident need to provide developers with more support when it comes to building applications securely. Fortunately, bug bounty programs can provide a “fact-based” financial implication of inherent security flaws within the process. This makes it possible to hold development teams and service providers accountable for creating or delivering insecure products, thus addressing inherent security gaps within the business units and helping to drive continuous improvement.

Moreover, security awareness and education of development teams can be improved significantly for those developers that are directly involved with the management of vulnerability reports for their bug bounty programs. This is because the mere fact of exchanging information with ethical hackers, or assimilating the thinking of a potential hacker and having proofs of concept of vulnerability exploitation on their application components, naturally accelerates consideration of security early in the development stage and provides ongoing learning.

 

Get more return on your investment

According to Gartner, 30% of CISOs’ effectiveness will be directly measured on their ability to create value for the business. When security budgets are challenged, CISOs need to demonstrate business value through initiatives designed to enhance efficiency whilst stretching the dollar.

This is where bug bounties can help tremendously. Compared to conventional penetration testing, bug bounty offers a fast, complete, and measurable return on your security investment, with businesses only paying out for successful discovery of vulnerabilities. Equally, businesses get access to hundreds of ethical hackers that can test their programs, each with their own unique skillsets as opposed to only one skilled researcher testing the network. This results-driven model ensures you pay for the vulnerabilities that pose a threat to your organisation and not for the time or effort it took to find them.

Bug bounty programs also deliver rapid vulnerability discovery across multiple attack surfaces. With this approach, organisations receive prioritised vulnerabilities and real-time remediation advice throughout the process to accelerate the discovery of, and solution to vulnerabilities.

Another appeal of bug bounties is that due to the continuous nature of testing, more vulnerabilities are found over time as opposed to pen-testing. This is key to financial institutions that require agility to keep up with the continuous roll-out and updates of applications.

 

The cornerstone to a successful security programme

The risk posed to financial institutions by cyber threats will only continue, as evidenced by the number of data breaches seen in recent times. The COVID-19 pandemic has only exacerbated these risks, especially with almost all FIs having needed to shift to a remote working environment – which has only widened the attack landscape.

For FIs, a bug bounty program should be considered a fundamental cornerstone of any security strategy, being a modern-day cybersecurity solution that is well equipped to tackle the immediate security challenges they face. In doing so, FIs will not only prove to customers and stakeholders their commitment to data protection and security, but it will also help them to avoid the monetary damages that could be imposed by regulators if a breach were to take place.

 


Five predictions set to impact finance teams in 2022

By Rob Israch, GM Europe at Tipalti

 

The CFO now has a very different set of responsibilities in comparison to a few years ago; 2021 saw sustainability move up the C-suite agenda, Brexit was officially pushed through meaning new rules and regulations for industries, and pandemic uncertainty caused further disruption for businesses. Understandably then, 97% of UK CFOs believe their role has become more complex over the last two years, according to latest research by Tipalti. Finance leaders, who were already rushed off their feet, are now having to wear even more hats.

Operating in a new climate, with new challenges and circumstances, finance teams must be ready to innovate to find new solutions to changing business needs. From becoming more attuned to ESG ratings to fighting against the burden of manual processes and tasks, below we explore what finance teams can expect to experience in 2022.

 

1. A tightening of the CEO-CFO relationship

As opposed to solely managing financial operations and ensuring compliance, the CFO’s relationship with the CEO will intensify in 2022. This shift will see the CFO become increasingly involved in looking at the strategic ways the business can grow and diversify.

Nearly two-fifths (39%) of CFOs have noted a larger demand to collaborate with the c-suite now than two years ago. However, organisations are still slowed down by old ways of working, as nearly a third (29%) of CFOs state they are having to deal with more manual finance operations. As a result, CFOs aren’t afforded time to support the business leader in the way that their job requires.


By innovating financial processes through automation, finance teams can free up time for the strategic tasks that matter most to the business. In fact, UK CEOs believe that the ability to prioritise innovation (25%) and the ability to improve financial and business reporting accuracy and timeliness are the most important qualities for a successful CFO today.

 

2. Invoice payments fraud will be harder to fight

Every year, defending against fraud gets increasingly challenging. As accounts payable complexities rise, finance teams will experience payments fraud at an alarming rate.

Finance teams today are tasked with managing more diverse payment methods, increasing cross-border transactions, and dynamic tax compliance and financial reporting. Yet teams struggle to cope when operations are processed manually. The most common enabler of payment fraud is manual processing: such processes are neither efficient nor airtight enough to ensure optimum financial control. Busy finance teams, escalating complexities in AP and error-prone manual processing set the perfect scene for fraudsters to take advantage.

To mitigate such risk, companies need to leverage people, processes and technology. This means investing in robust technologies such as automation to standardise procedures. Data entry will be minimised, end-to-end payments processing visibility will be optimised and policy compliance becomes automated. Not only does AP automation relieve workflows by minimising manual intervention, but the technology acts as a hub for enforcing strong financial controls as the number of people and systems involved in payment processing is reduced substantially.

In addition, 2022 will see more multi-entity businesses emerge as organisations recognise the value of the ‘work from anywhere’ model. It can be challenging to manage finance functions across these multiple entities, and that is often why different business units in geographical locations run their finances in isolation, with varying processes and approvals being managed in different ways. However, with no central control or oversight, you run the risk of internal fraud.

 

3. Finance leaders will need to focus on ESG initiatives

Following COP26, business leaders are under pressure to set and meet green targets, and many are turning to their CFOs for solutions. In fact, CFOs ranked incorporating environmental, social and governance (ESG) and sustainability into the business and its operations as the greatest driver of complexity in their role (27%), above even the global pandemic (22%).

A key reason for this is that ESG ratings have become an important tool for asset managers and investors to evaluate and compare future investment prospects. Currently more than a quarter (28%) of UK business leaders rank international growth as a top priority for the year ahead, so a less than favourable ESG rating is not an option. So far, the challenge for CFOs has been finding the time to work on sustainable initiatives.

 

4. Uncertainty will continue to loom over the UK post-Brexit

It has been over five years since the UK voted for Brexit – but it will most certainly be on the agenda in 2022 as new regulations emerge. There are a number of challenges that Brexit brings, and much uncertainty still remains in place.

In navigating the uncharted waters of Brexit, businesses will encounter new hurdles when looking to fill roles, as the Global Talent Visa makes competition for skilled employees more formidable than ever before. With the visa application deadline passed, some employees may have chosen to move back home contributing to headcount issues for finance teams.

Moreover, the UK is still yet to agree many key trade agreements. Businesses will need to stay vigilant – watching out for any changes at relatively short notice and be ready to adapt.

 

5. Employee wellbeing will need to be prioritised

Along with many other departments, the Great Resignation period has meant finance is experiencing churn. Whilst the wellbeing of all employees will be a key focus for the C-suite this year, CFOs will need to ensure the work of the finance team is engaging and talent is not wasted on tedious and time-consuming operations. Introducing automation to take care of those manual tasks will free up time to upskill employees, while making them feel valued in their role.

 

The future office of finance

2022 will see finance teams adapting the way they operate to combat new challenges. With agreements signed following COP26, implementing sustainable initiatives is no longer a choice, and in the wake of Brexit uncertainty, businesses will have to face new rules and regulations head on. On top of this, the CFO will need to pivot away from solely financial operations in order to drive strategy and fight against fraud threats, while prioritising the wellbeing of their team.

It’s a complex set of responsibilities and will only be achieved if finance teams are able to move away from manual administrative work and towards new technologies and automation capability. A CFO’s time is precious and needs to be reserved for the tasks that matter.
