September 14, 2015

238 Views

4 things CIO/CROs are looking for in information security?

The situation in financial institutions

The Financial Services market is facing many disruptions in several areas, such as digital, mobile, cloud, alternative payment players, and more that are shaping how banks are/should/will alter their business models to stay relevant and create customer delight. A recent survey by EY suggested that by 2030 the rural-urban divide will shrink in favor of increased urban population, and the aging tech savvy population should be served with new banking models.

The current state of information security – GRC (Governance, Risk and Compliance) in organizations

Global financial crises are not new and a look at the number of crises over the past 30 years suggests commonalities that have triggered them in the first place: excessive exuberance, poor regulatory oversight, dodgy accounting, herd mentalities and, in many cases, a sense of infallibility. Few examples would include, the LATAM sovereign debt crisis (1982), the savings and loans crisis (1980s), the stock market crash (1987) - where computers were executing a high number of trades in rapid fashion and it created something of a self-inflicted crash, the Asia crisis (1997-98), and the recent global financial crisis (2008). These crises have badly hurt the world economy and in turn eroded the faith in financial institutions.

At the same time, with the rapid advent of technology, threats/attacks have also become sophisticated and any lax from an information security point of view would pose a huge risk for banks. From viruses and worms in 1997, to malware in 2004, to APTs in 2007, and finally to key and certificate-based attacks in 2013, threat sophistication has come a long way and is still evolving as new channels/modes of banking evolve. In fact, the CEO/CISO of FireEye says: “The threat landscape has evolved, as cyber threats have outpaced traditional signature-based security defenses, such as antivirus, and permeated around the world, enabling cyber criminals to easily evade detection and establish connections inside the perimeter of major organizations.”

PwC recently conducted a survey on information security breaches and some of the key findings, mentioned below, would provide companies with information to benchmark themselves against others in their sector and beyond.

  • The number of security breaches have increased, the scale and cost has nearly doubled. 11% of respondents changed the nature of their business as a result of their worst breach.
  • Nearly 9 out of 10 large organizations surveyed suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure that they are managing the risk accordingly.
  • When looking at drivers for information security-GRC expenditure, ‘Protecting customer information’ and ‘Protecting the organization’s reputation’ account for over half of the responses.
  • The trends in outsourcing certain grc - security functions and the use of ‘Cloud computing and storage’ continue to rise.

What is the CIO/CISO/CCO/CRO of a financial institution looking for?

Against this backdrop, the CISO/CRO/CCO/CIO is looking at robust risk management tools and processes and analytical-driven decisions. They bank on the following for efficient risk management in financial institutions:

1. The ability to manage and reduce risks with business benefits

2. The ability to align information security risk management to the business

3. A proactive approach to information security risk management; Need for sophisticated tools and techniques

4. Fast, confident, risk-informed decision-making

Learn more about Fraud Management and Analytics.