Cybersecurity Governance: How to Protect the Bank
Brought to you by Diligent Corporation
Modern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.
The impact of a successful cyberattack is often quite damaging: legal liabilities, brand reputation, lack of trust from customers and partners, and ultimately, revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.
Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.
Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.
Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.
Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:
1. Take a holistic approach.
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.
What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.
2. Increase awareness and training.
Although developed by leadership, information security governance speaks to all employees within the organization and requires continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.
Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, you will be prepared.
3. Monitor and measure.
Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?
Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.
4. Foster open communication.
Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout. Engagement is key. Consider creating a steering committee comprised of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.
5. Promote agility and adaptability.
Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.
Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.
Download the full Diligent white paper: Five Best Practices for Information Security Governance.