According to the Financial Services Information Sharing and Analysis Center (FS-ISAC) 2018 CISO Cybersecurity Trends report, 35% of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector (respondents were all FS-ISAC members). Infrastructure upgrades and network defense were prioritized by 25% of CISOs, and breach prevention was the main thrust for 17%.
Notably, while cybersecurity used to be handled in the server room, it is now a boardroom topic. The study found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.
The report also found that CISOs reporting into a technical function, such as the CIO, tended to prioritize infrastructure upgrades, network defense and breach prevention. On the other hand, CISOs reporting into a non-technical function, such as the COO or general counsel, prioritized employee training. The majority of CISOs still don’t report to the CEO; only 8% do.
In the report, FS-ISAC encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an “at the ready” risk posture and that cyber-practices are transparent to board members. CISOs should also have expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely. Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making, the group pointed out.
The report also included a list of security best practices. Dovetailing with the priorities of the respondents, the group recommends training for employees, regardless of reporting structure, because employees serve as the first line of defense. This should include awareness of the risks of downloading and executing unknown applications on company assets, guidance on doing so only in accordance with corporate policies and relevant regulations, and training on how to report suspicious emails and attachments.
“Cybersecurity preparedness starts with proper training of employees,” said Kathie Miley, COO of Cybrary, via email. “We all know that cyber education is critical for today’s businesses, but it is particularly imperative for the financial sector. The bottom line is that employees must be held responsible and accountable for cybersecurity training and they need to understand the basics of cyber hygiene – it’s not just the job of the CISO or IT security teams anymore.”
She added, “Continuous learning should become a nonnegotiable requirement in every organization, at every level. We need to let staff learn and become part of the solution. Specifically, cybersecurity training programs within organizations should be distinct to their role; identify critical assets and expose employees to the impact of vulnerabilities on the organization, their job and their customers or stakeholders.”