Whilst Cybersecurity is acknowledged as being part of a firm's Risk and Compliance framework, there to protect an institution from cyber attacks and prevent losses, the function is often positioned within IT, where the CISOs responsible for the Cybersecurity agenda report to either the CIO or CTO.
With firms currently constrained by IT budgets, they may well choose to treat Cybersecurity based on cost considerations. However, this is a false economy, which is why the Risk management organisation will take an independent view. This view is from a 2nd line of defence perspective (rather than a 1st line / business view) and may lead to prioritisation of certain projects and initiatives to ensure the firm is well protected against future threats. Naturally, this will require closer cooperation and integration between the business-facing and IT functional areas to achieve a joined-up strategy.
With rapid IT change and complexity, firms have in the last 3 years seen an increase in Cybersecurity spending in the following key areas:
- Identity and access management (IAM)
- Cyber monitoring and
- Endpoint and network security
For 2021 and beyond, firms see cloud, data analytics and Robotic Process Automation (RPA) as top areas of project spend encompassing cybersecurity solutions in access control, protective technology, and data security.
To create highly secure product solutions, cybersecurity experts recommend a security by design approach for financial institutions. With the emergence of ‘Zero trust’ and ‘least privilege’ as top security concepts where remote working takes place, users, workloads, networks, and devices all need to be protected. In the last year alone, during the pandemic, this has accelerated at light speed, especially where network boundaries have been penetrated by a variety of users including employees, contractors, and vendor partners.
COVID-19 has forced many firms to speed up their digitization programs everywhere, including customer channels, operations, and logistics.
Consequently, cybercrime has increased, taking advantage of attack surfaces, and firms’ cybersecurity defences have been forced to respond to protect critical assets and keep in sync with IT change.
One of the interesting cybersecurity trends to have emerged is greater board involvement where CISOs have been able to successfully articulate the value of cybersecurity. Firms with mature risk management programs for cybersecurity have boards now interested in roles, responsibilities, and technical details, signalling that it is very much a firm-level responsibility and no longer the preserve of the CISO alone to tackle.
New products and services
Embedding cybersecurity into new products and services remains a top priority for large financial institutions. This is especially the case as banks compete with fintechs on new products and innovation at great speed and flexibility, where new cybersecurity threats can emerge. Firms must therefore take precautions in future-proofing their design, and Cybersecurity has to create additional controls to ensure risks are managed. For example, new security controls are embedded in the core structure of new channel development before they are implemented. With costs continuing to be a focus following the challenges to business during the pandemic, CISOs will need to look at ways of managing them, including outsourcing, increasing automation, and migration of data to the cloud. At HCL, our Cybersecurity services are well equipped to guide clients through their cost-benefit analysis, ensuring security is the top priority and not compromised by cost considerations.
Many firms have adopted cloud and migrated their applications to Software-as-a-service (SaaS) and Platform-as-a-service (PaaS) offered by cloud service providers. It is well recognised that adopting cloud as a strategy presents new challenges for the cybersecurity function, due to the increased risk of cyber-attacks as data and applications move outside the firm's existing security perimeter.
Data and analytics is another high priority for CISOs. Financial firms have access to highly sensitive financial records of their customers; consequently, any data breach has a significant reputational impact. Globally, when you couple this with integration with third-party data vendors, the scope of data protection has significantly increased, covering users' right to data privacy along with compliance with regulatory rules such as the GDPR, the California Consumer Privacy Act, and the Federal Financial Institutions Examination Council’s Cybersecurity Profile in the U.S.
AI and RPA
The advances in AI and automation also bring challenges to cybersecurity by way of bots, which have user privileges and can access sensitive data, providing hackers with yet another channel to attack. Firms are by necessity having to invest in addressing these vulnerabilities to ensure 360-degree protection.
Identity and Access Management (IAM)
The other hot topic is IAM, which remains a priority in a cloud-native environment as new technologies increase identity and device proliferation. To guarantee a secure environment, data security and protective technology must be set up to prevent data corruption and service attacks.
The road ahead with Cybersecurity
With digitization at the heart of financial institutions' agenda continuing in 2021 and beyond, cybersecurity will need to be firmly embedded as part of their transformation. This is a golden opportunity for CISOs, who should ensure that cybersecurity solutions align with the firm’s strategy. Getting this right ensures that the investments in cybersecurity programs and the talent pool keep up with the pace of rapid change and regulation, and adapt to widely expected challenges from innovations and fast technology advancement.
Reshaping the cybersecurity landscape by Deloitte Insights