June 07, 2019

Cybersecurity - What Should Companies and Boards Do?

Amit Srivastav

Executive Director/Morgan Stanley


Non-financial risks now dominate financial risks for financial institutions, and recent surveys rank cybersecurity as the top risk, ahead of traditional financial risks such as market risk and credit risk. Right on the back of that, this week I came across the second annual survey by Deloitte and FS-ISAC (Financial Services Information Sharing and Analysis Center) on the state of cybersecurity in financial institutions. The survey confirms the view that cybersecurity must be an integral part of a firm's strategy if the firm is to be successful, which implies a strong, independent risk function comparable to the other risk stripes.

In particular, the survey identified the three defining characteristics below that distinguish the most mature cybersecurity programs, measured against the cybersecurity framework established by the National Institute of Standards and Technology (NIST).

Defining characteristics of advanced cybersecurity programs

  1. Level of senior leadership and board involvement
  2. Level of cybersecurity's profile within the organization beyond IT
  3. Level of alignment with business strategy

The three indicators above show that the maturity and success of a firm's cybersecurity program depend on the governance framework established for it: how well it is embedded in the firm's strategy, and to what extent senior management is involved in shaping and monitoring it.

Budget is always an important consideration, but the defining characteristics of a mature cybersecurity program do not directly include the amount of money spent or the tools and technology in use. Interestingly, according to the Deloitte FS-ISAC survey, smaller financial institutions spend more than larger firms as a percentage of their overall IT budget, yet the firms meeting the NIST definition of maturity are not the ones spending the most.

In summary, as per the survey, the firms with the most success and maturity in dealing with cybersecurity are those that do not treat it as a problem for the IT 'folks' to deal with, and that do not see it as a technology problem.

Comments? You can contact me directly via my AdvisoryCloud profile.
