Connect with us

Finance

CISOs IN FINANCE: HOW TO LEAD THE PRIVACY STRATEGY

Published

on

Sophie Chase-Borthwick, Director of Data Ethics and Privacy, Calligo

 

Privacy is essentially just a data security problem, right? Surely, the requirement to act more responsibly with personal and sensitive data equates to protecting it better, encrypting it and preventing hacks and leaks?

 

Many financial businesses assume exactly this, and that data privacy, whether GDPR or California’s new CCPA, is merely an IT security problem. However, it goes far wider than that.

 

For the chief information security officers (CISOs) that have been assigned responsibility for privacy within their organisation, it can often be seen as an unenviable task. Few boards and and executive teams understand the detail of what is required for GDPR adherence or Privacy by Design to assign enough or the right resource to the task.

 

In fact, we regularly hear stories from financial services organisations of all sizes about shoddy approaches to data privacy, especially GDPR, with some assuming that just because they have a data security function, adherence is a given.


However, as an experienced CISO, you will understand that privacy is not as simple as ring-fencing your data. You will appreciate that because GDPR in particular requires the responsible management and use of data, just as much as its responsible protection, that a privacy strategy needs involvement from every part of a financial organisation, including marketing, HR, sales etc.

 

But many businesses did not think like this. Or more accurately, many CISOs were fully aware of the extent of the task, but were not given the time or resource to address it appropriately. Many were forced to focus on the parts they could fix the fastest and the easiest, predominantly technology and data protection, leaving major gaps in processes and people – the two other equally-important pills of adherence.  

 

Others were bending over backwards to cover the basics of the new requirements, but saw their wider security strategies either derailed or delayed in the process, leaving many financial businesses more susceptible to security breaches than they were before. These are real scenarios that we have seen time and again amongst our clients.

 

So, how is it possible to balance data privacy with wider security strategy? Many argued when GDPR came into force that it represented a huge opportunity for those in CISO roles to change the perception of their input and value to a business; from simple data protection to instead safeguarding data across its entire lifecycle.

 

But how can you put this into practice? How can a CISO build the strategy that achieves the immediate data privacy goal, while enhancing – not weakening – wider data security initiatives, and their own standing?

 

Assess your business holistically

There are eight domains that require addressing for a successful privacy strategy: governance and accountability; risk management; security management; third party management; incident management; personal information management; rights of data subjects; and finally, understanding the scope of your organisation as it pertains to the relevant legislation.

The most obvious observation for many CISOs will be that many of these areas are outside their traditional scope. However, they all need equal attention and they are all unavoidably part of the project they are leading. The trick is to not let yourself focus on only the more easily-addressed “home turf” security areas, nor be drawn by the business too far into the non-security areas.

Ask for help

For some, this will be one of the hardest steps – either personally or politically – but it is essential. As mentioned above, there are eight areas that need addressing equally. This means that assistance from experts across the wider business is vital. No one expects a CISO to be well-versed in the legal rights of data subjects, or in how to build a perfect Privacy Policy, but you will need to recruit support from the internal subject matter experts who are, then act as the intermediary between them all, and lead from the front.

Perform a GAP analysis

Before you can even think about aligning your organisation to a privacy strategy, you must identify your baseline and areas of improvement. What are the minimum requirements within each of the eight areas for your business to be in line with the legislation facing you? And, what constitutes particularly robust observance? Finally, where on this spectrum are you aiming for and how does that compare to your current state?  

Present your action plan

The GAP analysis will have provided you with a starting point and a series of non-conformances to address. The next step is to prioritise the remedial tasks required and plan how they will be executed. It is however imperative to demonstrate that the plan is tied to, but not wholly based on, the security strategy. Sales, marketing, HR, IT etc. must all understand that they have equal parts to play, and be equal in their accountability.


Secure wider resource

The final part of the process is to identify the most suitable individuals to assist. This controlled delegation maintains the CISO’s position as the lead on the project, ensures good project management and execution, while also safeguarding the security team’s resources.

 

It’s clear that a privacy strategy is an organisation-wide initiative and encompasses all areas of technology, people and processes. It requires far more than building higher walls around your data, or simply gaining renewed consent from customers. However, it’s important to remember that this will not be widely understood, and given it is commonplace post-GDPR for CISOs to be handed responsibility for privacy, you will need to take the initiative on a whole host of procedures and processes that span your entire enterprise – and may not be within your comfort zone.

However, get it right and you will engender more trust from within your customer base – an important commercial outcome that you can take no small amount of credit for.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Finance

CAN THE CLOUD REVOLUTIONISE FINANCE?

Published

on

By

By Walter Heck, CTO, HeleCloud 

 

The scale of the Cloud revolution that businesses have gone through over the last few years can’t be overstated. Across almost every industry, businesses that have migrated to the Cloud have seen increased revenues, higher productivity and were more prepared to face the challenges of the pandemic than those relying on legacy infrastructure.

However, one industry that has been slow to realise the potential of the Cloud has been finance. PwC found that 81% of banking CEOs were ‘concerned’ about adopting digital tools too quickly however,  even though 91% of hedge fund executives who adopted Cloud solutions stated that their chosen cloud solutions performed ‘better than expected’. Those sitting on the fence when it comes to the cloud can afford to do so no longer. The speed, security and efficiency offered by the cloud is already changing the face of finance, as it has so many industries before it.

 

How Cloud can help Finance?

Compliance continues to be an area that financial institutions of all shapes and sizes are spending an increasing amount of time and money on. The majority (71%) of large firms are cutting the size of their compliance departments while GDPR, Brexit and increased global economic sanctions make even simple tasks regulatory headaches. Compliance is also costing the finance sector more every year. Since the financial crash, Deloitte estimates Deloitte that compliance costs have increased by as much as 60% for retail and consumer banks.

Migrating to the Cloud can solve many of these compliance issues for financial service institutions. For instance, by leveraging modern technologies on the Cloud, such as Artificial Intelligence (AI) and Machine Learning (ML), organisations can ensure financial activities remain compliant with local regulations, no matter where the data is stored. AI can also process this data far quicker and more effectively than humans, ensuring compliance matters are solved quickly and with little room for error.

With companies downsizing their expensive compliance departments, while at the same time regulation increase, the role of Cloud-based automation in compliance is set to become even more important to the financial sector.

Financial institutions that utilise Cloud-based automation allow themselves the peace of mind that they are less likely to be faced with sanctions from regulators for unforeseen or unknown infractions when carrying out day to day activities. With the cost of non-compliance running into the billions every year, neutralising this threat has the potential to save significant amounts of money for the financial institutions who make the move to the Cloud.

 

Security

Data security is vital to the survival of financial institutions. With strict rules in place, and punishments for breaches from regulators and governments increasingly common. As the number of cyber-attacks continues to increase, and costly ransomware continues to put companies out of business, it is imperative that financial institutions take the necessary steps to secure their data.

Traditional on-premises storage and data management solutions of the type utilised by many financial institutions are frequent victims of various types of cyber-attack. Gartner research has shown that up to 60% fewer attacks occur on Cloud structures when compared to on-premises alternatives.

There are many reasons for this but one of the simplest is remote access. An IBM study highlighted that 95% of security failures at companies are due to human error. This can be anything from employees using unapproved third-party applications to being the victim of ‘spill over’ malware for an attack on a different company that bleeds onto another’s on-premises infrastructure. With data being stored and managed remotely, the Cloud offers fewer direct contact points between employees and valuable company data.

However, not all Cloud solutions are created equal and when going alone companies can often find themselves under-utilising the security benefits of the Cloud and leaving themselves vulnerable to threats. Selecting the right Cloud service provider is vital. Storing sensitive data on a Cloud service enabled and managed by an experienced, trustworthy partner, ensures that client and customer data remains safe and accessible without the litany of security issues that come with on-premises infrastructure.

 

Partnering with a Cloud enabler

The Cloud is already revolutionising finance in the way it has so many other industries. Big players such as JP Morgan and Goldman Sachs have started migrating core applications to the Cloud and setting up Cloud hubs in major American cities. Almost half (43%) of financial services decision makers have stated their intent to increase their reliance on the Cloud over the coming year as more and more finance professionals see the benefits that larger competitors are reaping from Cloud migration.

In periods of great change and uncertainty, it can be tempting to bury your head in the sand and stick to the way things are already being done. However, those who ignore the Cloud revolution leave themselves vulnerable in a rapidly changing and unforgiving business climate. An experienced Cloud services partner can help guide a business on its Cloud journey and ensure they receive all the security and productivity benefits the Cloud offers. With more and more major players moving processes and workflows onto the Cloud, it is up to each finance decision maker to change now, or be overtaken by their forward looking and savvy competitors.

 

Continue Reading

Finance

PREPARING YOUR HEDGE FUND FOR THE MODERN CYBERCRIMINAL

Published

on

By

By: Simon Eyre, Head of Europe, Drawbridge

 

The familiar adage that “every organization is a target” when it comes to cyber-attacks, solidifies its place as an undeniable truth for companies in all industries each year. Spring has barely begun and we have already seen what could be one of the biggest cyberattacks of 2021. When thousands of companies were compromised due to the exploitation of flaws in the Microsoft Exchange Server email software, organisations across the globe were once again faced with the reality that the modern cybercriminal will use any opportunity to gain leverage in the cyberspace and get a monetary advantage.

Today’s criminal is capable, skilled, and always following the money. This is what makes the financial industry a tempting target, with alternative investment firms being increasingly being targeted by criminals. Very recently, Sequoia Capital, one of the largest venture capital firms in the world, was successfully phished with sensitive data being exposed to criminal eyes.

So, what can hedge funds do to prepare the organization for an impending cyberattack?

 

One size fits all?

It is tempting to bolt-on the latest technology on the market, and trust that the product will do ‘what it says on the box’. When constructing a robust cybersecurity program, to avoid investing in cybersecurity plans that are seemingly “one size fits all”, hedge funds should firstly focus on evaluating the cybersecurity landscape and understanding the most common threats and potential attack vectors. The firm’s leadership and cybersecurity team should identify what factors would make your business a target and why would you be at risk, as well as consider the types of cyberattacks your peers have experienced. Ask questions such as: “What kind of breaches and attacks are happening in the industry to firms of our size and strategy?”, “How are other firms mitigating these risks and how can our fund do the same?” and “Where are the cracks in the technical armor?”

During this process, you should consider what data is most important to your business. What are the crown jewels of the hedge fund? Consider where this data is stored, who has access to it, how it is transmitted and whether vendors process it. Never underestimate what might be of value to a cybercriminal. Your most important data can include corporate data, communication records, or personal data of staff and investors.

Prioritize protecting your data and protecting against the most likely attacks that would disrupt the business.

 

Plenty of phish in the sea

Phishing remains a weapon of choice for the modern cybercriminal. In 2020, we saw as number of attacks occur via social engineering, voice/email phishing and impersonation. One notable example is the unfortunate set of events that set in motion the eventual closure of Levitas, an Australian hedge fund. After sending a fake Zoom invite and it being accepted, hackers planted malware and gained control over an executive’s email, leading to the approval of $8.7M in fraudulent invoices. Shortly after, the firm’s largest investor pulled their planned investment, resulting in the fund being scheduled to wind down.

What can we learn from this? Any employee in the hedge fund could fall victim to a phishing attack, as these emails, calls and invites are carefully crafted and virtually indistinguishable from the real deal. An important mitigation strategy is to invest in high quality staff awareness training that goes beyond ticking boxes on a generic on-demand course and tests. Hedge funds should establish a training program that is relevant to the business, the work environment, and its risks, as well as the systems in use. Standard template training is insufficient in preparing staff for the delicately created and convincing attacks of cybercriminals.

 

A balanced blend of staff training and technology

Most cybersecurity experts would agree that defense in depth is critical. This means that the hedge fund’s technology and staff should work in harmony to achieve the highest degree of protection for the firm. Many cyberattacks, especially phishing, have time on their side. Once an employee has been convinced to click on a link, criminals will lurk in the background and look for vulnerabilities within the business. To address this issue, in addition to employee training, hedge funds should invest in a vulnerability management solution that helps discover weaknesses within the system. Hedge funds should continually perform vulnerability management with recurring penetration testing of their environment to ensure the safety of their data and uninterrupted service.

 

The importance of vendor management

Hedge funds today work with a network of independent partners or vendors that support the running of their operations. From law firms, to auditors, brokers, marketers, researchers and administrators, the hedge fund’s network expands into a complex spider’s web, increasing the likelihood of a successful cyberattack with each new silk thread. Why? Criminals will not always go for the bullseye, but rather compromise a target that might have weaker defenses and use their network as a steppingstone to the hedge fund’s valuable data. This is one of the reasons why regulators and hedge fund investors are hyper focused on vendor due diligence. To minimize risk, hedge fund managers should hold vendors to the same cybersecurity standards as the business itself. Remember, your firm’s network is only as secure as the weakest vendor with access to your data. Extensive due diligence of third parties should not be optional – it is required.

Criminals continue to be attracted to valuable data, and hedge funds can expect to be increasingly targeted due to the nature of their business and large transactions being processed every day. To avoid financial and reputational damage due to a cyber-attack, as well as ensure regulatory compliance while navigating a complex regulatory environment, hedge funds must invest in and develop a robust cybersecurity program that is tailored to the alternative investment industry. By focusing on the most important data, most likely attacks and equally investing in people and technology, hedge fund managers can protect their business, while building a reputation as a reliable partner in the alternative investment industry.

 

Continue Reading

Magazine

Trending

Top 109 hours ago

DOGECOIN MADNESS

by Nathalie Janson, Associate Professor at NEOMA Business School   After the unstoppable increase of Bitcoin (BTC) since January –...

Business9 hours ago

TOP TIPS FOR BOOSTING YOUR CASH FLOW AND BUSINESS IN 2021

Ian Gass, CEO at Agitate   Many small businesses are still dealing with the disruption caused by the pandemic. Improving financial...

Wealth Management9 hours ago

WHY COMPLICATED INCOME STRUCTURES SHOULDN’T PREVENT HIGH NET WORTH INDIVIDUALS FROM INVESTING IN PROPERTY

Mike Coates, Founder and CEO of Commercial Expert   An investor’s preference is usually to split their investment across different...

News10 hours ago

ENTRUST INTRODUCES ADAPTIVE ISSUANCE™ PRODUCTION ANALYTICS SOLUTION TO OPTIMIZE CARD ISSUANCE OPERATIONS

The new solution provides intelligent, data-driven insights to card issuers with Central Issuance systems for improved and timely management decisions...

Technology2 days ago

OPTIMISING DIGITAL EXPERIENCE IN AN INTERNET-RELIANT FINANCIAL SECTOR

Tony Finn, EMEAR Lead, ThousandEyes   It would be unfair to say that the events of the last year have...

Finance2 days ago

CAN THE CLOUD REVOLUTIONISE FINANCE?

By Walter Heck, CTO, HeleCloud    The scale of the Cloud revolution that businesses have gone through over the last few...

Business2 days ago

BRIDGING THE DIGITAL EMPLOYEE EXPERIENCE GAP

Matthew Sturman, senior technical consultant, AppLearn   While the financial sector was arguably some way along the digital transformation curve...

Business2 days ago

6 TIPS FOR KEEPING DATA SECURE WHEN WORKING FROM HOME

Tim Bandos, CISO at Digital Guardian   The importance of data in the financial sector has grown exponentially in recent...

Top 102 days ago

SOFTPOS: EVERYTHING KEY PLAYERS NEED TO KNOW ABOUT DEVICES

By François Drouard, SLM Terminal & Mobile and Emmanuel Desdoigts, Project Manager at Fime   SoftPOS solutions harness untapped potential...

Wealth Management2 days ago

WHAT DOES RETIREMENT MEAN TO YOU?

By Gary Fisher, Head: Member Education Services and Individual Consulting at Alexander Forbes   No matter your age or current...

Business3 days ago

HOW AN OUTDATED PROCUREMENT PROCESS WILL IMPACT CUSTOMER RETENTION

Never before has the business world been held to ransom by an invisible and yet totally disruptive force. We are,...

Technology3 days ago

DIGITAL TRANSFORMATION FOR FINANCE: LEADING WITH SAAS AND COLLABORATION TOOLS

Gary Duggan, VP Technology Solutions EMEA at Riverbed Technology   Throughout the pandemic, software as a service (SaaS) and collaboration...

Finance3 days ago

PREPARING YOUR HEDGE FUND FOR THE MODERN CYBERCRIMINAL

By: Simon Eyre, Head of Europe, Drawbridge   The familiar adage that “every organization is a target” when it comes...

Business3 days ago

UK READY TO SPEED UP THE DIGITAL TRANSFORMATION REVOLUTION

More than half of businesses set to accelerate projects due to pandemic British business is set for a digital revolution...

Finance3 days ago

ADAPTING YOUR ATTITUDE TOWARDS MONEY AS YOU AGE

By Buhle Langa, financial well-being consultant at Alexander Forbes   Much of financial wellbeing begins with the choices that we make...

News3 days ago

DELOITTE: 61% OF EXECUTIVES, DOUBLE PRE-COVID 19 LEVELS, FOCUSED ON TRANSFORMING WORK

Amid unprecedented workforce disruption from the COVID-19 pandemic, organizations are enacting radically new ways of working and operating – and the...

News3 days ago

FINCAD ANNOUNCES COMPREHENSIVE BOND DATA AND ANALYTICS SERVICE

Combines Market-Leading Derivatives Analytics Services with Data and Insight on Fixed Income Securities In One Simple Solution FINCAD, a pioneer...

News3 days ago

ALVEO ANNOUNCES NEW ESG DATA MANAGEMENT CAPABILITY TO HELP MEET SFDR REQUIREMENTS

Alveo, a leading financial data management solutions provider, announces new environmental, social and governance (ESG) data management functionality. The new functionality...

Business3 days ago

THE FUTURE OF REGULATION IS UNFOLDING IN YOUR UNSTRUCTURED DATA

By Simon Cole, CEO at Automated Intelligence.   When you picture the future of finance, what do you see? The...

News3 days ago

AGILE LEADERSHIP: HOW TO CLOSE THE ‘KNOWING-DOING’ GAP

Almost all organisations are looking for faster, smarter ways to deliver their mission critical programmes and/or recovering programmes that have...

Trending