ADDRESSING CYBERSECURITY COMPLACENCY IN BANKING – THE CISO’S CHALLENGE

By Stephen Gailey, Solutions Architect at Exabeam

Many bank boards do not understand the cybersecurity threats facing their organisation. They see the information security budget and feel that they are taking action, but they do not fully engage with the chief information security officer (CISO) and their team. The Financial Conduct Authority (FCA) recently issued a report warning that many banks are not prepared to handle cybersecurity issues, despite their spending a higher proportion of their opex on security than almost any other sector.

The reality is that since the credit crunch, much of this information security spend has been used to meet regulatory and compliance challenges rather than to address the changing cyberthreat landscape. Increased budgets have also done little to change the composition of the board – many still have no information security experience at that level, and security professionals able to translate the threats and challenges into language the board will understand remain scarce.

Changing with the times

Banks tend to react to events. They are generally well prepared when it comes to standard forms of attack and can cope with malware or external attacks fairly well. Insider threats, however, remain a very significant problem. Most banks still have weak controls around JML (Joiner/Mover/Leaver) processes and privileged access. They also have problems with security monitoring. Large banks are complex and generate a lot of security data – often billions of discrete events. Even in an age of machine learning and big data analytics, most banks still rely on people to review those events. With such huge volumes of information, manually narrowing them down to identify suspicious activity is an all but impossible task.

Part of the issue is that banks were early to recognise the need for security operations and developed teams and departments to fulfil these needs. But as the threats facing banks change, many have failed to adapt to the new realities, simply acquiring new technologies in an attempt to fill gaps in security. As a result, bank security organisations are now large but operate in silos. They have access to almost every security technology under the sun, but disparate teams are vying for supremacy in organisations that are being choked by embedded operational practices which are no longer fit for purpose.

The CISO’s challenge

CISOs in this environment face the daunting challenge of bringing the organisation up to a modern standard whilst managing pressures from external regulators and internal audit teams. These stakeholders are focused on the effective operation of controls that may have little or no relevance to the organisation as a whole.

A CISO presenting security improvement plans to a board made up (generally) of a previous generation is unlikely to gain the support they need to embark on what is likely to be a multi-year change programme. Those that do will soon see a significant proportion of the budget – if not the entire budget – consumed by the remediation of the next failed audit, or by a knee-jerk reaction to a bank security incident.

 

Banks are, after all, in the business of risk management, and tend to take action when a regulator dictates, or when the risk to their business warrants the expense of deploying new controls. This is where regulators have an important role. But they need to better understand what security controls are required if they are to prescribe more specific controls for banks to adopt.

Looking away

It is little wonder that banks are turning to outside organisations to provide some or all of the security services they need, but this strategy is unlikely to be successful, as many vulnerabilities stem from internal complexity. Banks often run large, complex legacy systems that are difficult to upgrade or restructure and are often not well understood. Banks must bite the bullet and overhaul the mess of legacy security technologies they have implemented, while also addressing the siloed and inefficient organisational structures and poor working practices that have developed.

Managing risk is indeed the key issue. Banks that get it wrong will either overspend on compliance and security – adding complexity to their environment and limiting their own ability to adapt to the market – or they will suffer major breaches. The latter will damage their reputation and cost them much more than a robust security programme.

There is little doubt that the boards of many banks are complacent about security threats. We may have to wait for a new generation of bank executives before we see significant change in this situation, but until then, CISOs must educate their boards. They must fight for their budgets, for the right emphasis in spending, and for engagement with their security programmes. This needs to move away from purely compliance- and audit-related challenges and towards the modern threats and risks that banks now face.