It may seem impossible to keep pace with cybersecurity risk when new products are reaching the market faster than ever. We consider how financial services security teams can get the basics of security right.
James Doggett, CISO, Panaseer, tells us why financial services organisations struggle to demonstrate strong control over their enterprise cyberhygiene, despite investing a fair amount of money in security.
In 2018, the Financial Conduct Authority reported that the number of cyberattacks against financial services companies had risen by more than 80%. So why are attacks up when most of the financial sector has been working hard and spending heavily on cybersecurity? Yes, the threats are greater and our environments are more complex, but perhaps we have been spending the money on the wrong things. Surprisingly, the best place to start may be the basics.
Financial services organisations still find it difficult to demonstrate strong control over their enterprise cyberhygiene, and therefore to remediate cybersecurity risks effectively. The bigger the company, the harder it is to maintain these ‘basics’: identifying IT assets, updating and patching software, operating standard controls and educating users. Yet because sound enterprise cyberhygiene would stop the majority of threats, it needs to remain a key focus for financial services security teams around the globe.
Back to the basics
Why has industry been trying to solve the basics of security for literally decades? Organisations are still dealing with excess access, code vulnerabilities, unpatched systems and so on. It is not for lack of effort; many have tried very hard, with little to show for it. It is easy today to get caught up in the latest threat or the latest article the Board flags, and to play whack-a-mole with security. Not only is this inefficient, it takes attention away from the real problem: enterprise cyberhygiene.
Additionally, more and more people want to challenge, audit or review an organisation's cybersecurity posture, especially in the financial sector. Does having audit, regulators, the second line of defence, vendors and partners constantly testing their security interfere with normal operations?
Every day, new and advanced security tools hit the market, each designed to help solve the problem; so why does the number of breaches keep rising? No one can give up and say it is simply a battle that cannot be won. Yes, it is natural to be attracted to the new shiny balls, the highly technical security risks. And yes, those risks are real, but does focusing on them really provide the best return on security investment? Ultimately, most problems arise from bad actors taking advantage of very basic flaws in the security ecosystem.
This article focuses on how financial services security teams can approach solving the basics of security. Let's start with a question: how much time do you and your team spend gathering data to make decisions, reporting to superiors and the Board, and working out where a project stands in terms of risk reduction? Without doubt, most spend an inordinate amount of time manually gathering data that commonly contains errors.
Everyone seems to have more than enough tools to identify security risks; in fact, probably too many. What you will likely not have is:
- Processes to bring all security risk information together and the ability to enrich the data so you know who owns it and which risk is most important to resolve
- Trust in the completeness and accuracy of the data from both your perspective and your peers in IT and the business
- Automated processes to let you do this over and over again so you always know where you stand
The right data at the right time
When I worked as a CISO, I found we had no shortage of security information coming from the plethora of security and network tools in place. What I needed was the right information to make security risk decisions in a timely manner. To accomplish this, I had to join the data from all the disparate security and other tools into one place and one framework, so that I could understand the company's risk posture and decide what to fix and what not to.
In order to make the best remediation decisions, and to actually effect the changes needed to improve a company's risk posture, you need to:
- Enrich your data with information about ownership, geography, business unit, management hierarchy, business criticality, etc.
- Facilitate exploring and investigating anomalies from multiple perspectives
- Unify and normalise the data so that there is one consistent definition of each device, risk and entity across every tool
Trust the data
Before beginning conversations with anyone, within security or elsewhere in the company, about security remediation, the discussion always seems to start with the quality of the data. This is especially true in the security realm, where it is much easier to argue that the data is wrong than to solve the security issue.
Most security teams have presented data to the Board of Directors, only to find out later that it was missing a key part of the company or was otherwise inaccurate. Trust at that level is hard to regain once lost. Likewise, many of those who perform the actual remediation (for example, IT and application development teams) will focus on nothing but the quality of the data until the security team can prove its data is accurate and relevant. So it is critical to build controls into the gathering, consolidation, enrichment and presentation of security-related data: completeness checks that every known asset appears in every feed that should cover it, and accuracy checks that the same device is not counted twice under two names. You must have accurate and timely data to be relevant to the business and to leadership.
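As an added illustration of the join, enrich and normalise steps listed above, and of the completeness checks that build trust in the data, here is a small Python script written for this page (it is not the author's or Panaseer's code). It runs over constructed exports from three assumed feeds: a CMDB, a vulnerability scanner and an endpoint agent. The field names, hostnames, finding identifiers and criticality weights are all assumptions for the example, not any real tool's schema.

```python
"""Join several security-tool exports into one view, enrich with ownership
and business context, normalise device names, and report coverage gaps.
All data below is constructed for this example."""
from collections import defaultdict

# Assumed weighting of business criticality (not from the article).
CRIT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 2}

# Constructed CMDB export: the source of ownership and business context.
CMDB = [
    {"hostname": "WEB01.corp.example", "owner": "alice", "bu": "Retail", "criticality": "high"},
    {"hostname": "db02.corp.example", "owner": "bob", "bu": "Payments", "criticality": "critical"},
    {"hostname": "hr03.corp.example", "owner": "carol", "bu": "Corporate", "criticality": "low"},
]
# Constructed vulnerability-scanner export; finding ids are placeholders.
VULN_SCAN = [
    {"host": "web01", "finding_id": "F-1001", "cvss": 9.8},
    {"host": "web01", "finding_id": "F-1002", "cvss": 5.3},
    {"host": "DB02.CORP.EXAMPLE", "finding_id": "F-1003", "cvss": 7.5},
    {"host": "lab09", "finding_id": "F-1004", "cvss": 6.1},  # not in the CMDB
]
# Constructed endpoint-agent check-ins.
EDR = [
    {"device": "web01.corp.example", "agent_ok": True},
    {"device": "hr03", "agent_ok": True},
]


def normalise_host(name: str) -> str:
    """Reduce the different spellings of one device to a single key.
    Tools disagree on case and on whether the domain suffix is present."""
    return name.strip().lower().split(".")[0]


def build_inventory(cmdb, scan, edr):
    """Join the three feeds on the normalised hostname and enrich every
    record with owner, business unit and criticality from the CMDB."""
    inv = defaultdict(lambda: {
        "in_cmdb": False, "owner": None, "bu": None, "criticality": "unknown",
        "scanned": False, "findings": [], "agent_seen": False,
    })
    for row in cmdb:
        rec = inv[normalise_host(row["hostname"])]
        rec.update(in_cmdb=True, owner=row["owner"], bu=row["bu"],
                   criticality=row["criticality"])
    for row in scan:
        rec = inv[normalise_host(row["host"])]
        rec["scanned"] = True
        rec["findings"].append({"finding_id": row["finding_id"], "cvss": row["cvss"]})
    for row in edr:
        inv[normalise_host(row["device"])]["agent_seen"] = bool(row["agent_ok"])
    return dict(inv)


def coverage_gaps(inv):
    """Completeness checks. Each non-empty list is a reason to distrust a
    report built from only one feed: the scanner never saw hr03, the CMDB
    does not know who owns lab09, and db02 has no endpoint agent."""
    return {
        "not_scanned": sorted(h for h, r in inv.items() if r["in_cmdb"] and not r["scanned"]),
        "unknown_owner": sorted(h for h, r in inv.items() if not r["in_cmdb"]),
        "no_agent": sorted(h for h, r in inv.items() if r["in_cmdb"] and not r["agent_seen"]),
    }


def prioritise(inv):
    """Rank findings by severity weighted by business criticality, so the
    owner of the most important risk can be named in the first row."""
    rows = []
    for host, rec in inv.items():
        weight = CRIT_WEIGHT[rec["criticality"]]
        for f in rec["findings"]:
            rows.append({
                "host": host,
                "owner": rec["owner"] or "UNASSIGNED",
                "bu": rec["bu"] or "UNASSIGNED",
                "finding_id": f["finding_id"],
                "score": round(f["cvss"] * weight, 1),
            })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    inventory = build_inventory(CMDB, VULN_SCAN, EDR)
    print("Coverage gaps:", coverage_gaps(inventory))
    for row in prioritise(inventory):
        print(f'{row["score"]:>5}  {row["host"]:<6} {row["bu"]:<10} {row["owner"]:<10} {row["finding_id"]}')
```

Run as-is; the gap report is printed before the ranked findings, which is the order a reader of the resulting Board slide should see them in: a ranking is only as credible as the coverage check that precedes it. The same three functions can be scheduled against fresh exports so the figures are regenerated rather than hand-collated each month.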
Need for automation
Although it comes last, this may be the most important factor in addressing enterprise cyberhygiene. Trying to do this manually, especially every month or more often, is too expensive, too error-prone and, from my experience, too slow to be relevant. Security teams have neither the funding nor the staffing to keep doing it by hand.
Why has industry developed endless tools to identify every problem in security, but so little to manage the rest of the process? Where is the automation that helps security teams identify the efforts with the greatest return? Where is the automation that keeps complete and accurate data at their fingertips at all times? And where is the automation that lets them measure progress continuously? Point solution after point solution may each reduce a risk, but they will not improve the company's overall security risk posture. Automation is required to solve the basics of security.
As one of the more heavily regulated industries, the financial sector also seems to carry the highest burden of expectation. Having the right information, in the right format, at the right time, aligned to a security framework, will go a long way towards demonstrating sufficient control over the security landscape. It is time the basics became the new shiny initiative. With refined and strategic enterprise cyberhygiene, you really can improve your cyber-risk posture and sustain those results.