By: Saket Modi, Co-Founder and CEO at Safe Security
Can I jump over two or three guys like I used to? No. Am I as fast as I used to be? No, but I still have the fundamentals and smarts. That’s what enables me to still be a dominant player. As a kid growing up, I never skipped steps. I always worked on fundamentals because I know athleticism is fleeting — Kobe Bryant
For any discipline — be it sports, music or academics — the grasp on fundamentals needs to be strong. One cannot, after all, write a sentence without first learning the alphabet.
The pandemic has catalyzed digital changes within organizations and outside them as their customers embraced open banking and digital transactions. According to Business Insider Intelligence’s Mobile Banking Competitive Edge study, 89% of survey respondents said they use mobile banking. Deloitte reports that 35% of customers increased their online banking usage during Covid-19, and Visa saw about 13 million Latin American customers make their first online transaction in the first quarter of 2020.
With such a digital boom, cybersecurity has come into sharp focus. However, the fundamentals of how cybersecurity is approached are still unclear, which is why we still see businesses spend on the bottomless well and still get breached.
According to a Deloitte report, financial institutions are expected to spend roughly 11% of their IT budget on cybersecurity, with the largest banks in the U.S. investing $1 billion each! However, while organizations are improving in cyberattack planning, detection, and response, their ability to contain an active threat has declined by 13%, according to IBM’s Cyber Resilient Organization Report.
What Are the Fundamentals?
Currently, the five vectors of the banking sector — people, processes, technology, third-parties and cybersecurity products — are viewed in silos and treated as such. People, security, security tools, compliance and audits are considered fundamental to cybersecurity when they are a part of a granular picture. Organizations are purchasing more products to generate more lists, based not on objective measurements but subjective abstractions of the CIO, security team or competitor enterprises. On average, enterprises deploy 45 cybersecurity-related tools. However, there is a definite lack of cohesiveness in determining what is going well and what could be better. To put it in perspective, enterprises that deploy over 50 cybersecurity tools rank themselves 8% lower in their ability to detect threats than other companies employing fewer toolsets!
There is no industry standard determining the fundamentals enabling financial institutes (FI) to answer one simple question: How secure are they today? When the CEO can be held accountable for an organization’s breach (as per the GDPR), the board gets more curious and involved in the decision-making processes of cybersecurity than ever before. In such a scenario, cybersecurity should transform from being jargon-rich to simple, unified and easy. Managing, mitigating and measuring risk objectively is the fundamental shift required, and this comes with the knowledge of an enterprise’s breach likelihood.
Financial Institutions Needed to Adopt Breach Likelihood Yesterday
Gartner defines integrated risk management (IRM) as “practices and processes supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
The building block of IRM is enterprise risk. Currently, organizations have tried and failed to protect data by looking at cybersecurity through compliance frameworks only, with point-in-time reports from siloed tools. It is time they move from reactive and defensive risk management to predictive risk management through breach likelihood, which simplifies cybersecurity.
Computing an enterprise’s breach likelihood leverages technology that is not alien to the BFSI sector. Machine learning-enabled predictions are already being deployed in insurance, employee welfare and customer experience. A large online payments system uses deep learning, algorithms, multi-class models and more to sieve fraudulent and genuine transactions by deriving actionable insights from their story-model analysis.
Cybersecurity can also be simplified using technology that already exists. The fundamental element of cybersecurity is as basic as knowing the enterprise breach likelihood that can be calculated from enterprise-wide signals. Breach likelihood prediction in the banking sector shifts power to the cybersecurity team and the organization, enabling them to prevent rather than react to threats. Be it the possibility of a breach through ransomware, cloud misconfigurations or business email compromise, breach likelihood gives an as-is metric for cyber risks and a means to prioritize vulnerabilities. This simplifies the understanding and management of cybersecurity.
FIs willing to invest in methods that simplify cybersecurity can begin with:
· Stepping away from a compliance-only qualitative approach to ensure no vectors — people, processes, technology or cybersecurity products for both first and third parties — go unaddressed.
· Consolidating reports from all cybersecurity products/services to a single dashboard. This will help security and risk management teams prioritize risks across the enterprise in a single view.
· Measuring their cyber risk posture in its as-is state. They either accept the risk and improve their risk posture by purchasing cyber insurances, accept the risk and forgo any changes, especially when the investment required to mitigate the risk is larger than its dollar value impact, or mitigate the vulnerabilities by defining their cyber risk appetite and cyber risk tolerance.
To date, the fundamental approach of securing any business has been reactive. Investments in cybersecurity have historically maintained a check-the-box approach to meet compliance and audit requirements. There are many distractions and abstractions surrounding cybersecurity, especially when it is a qualitative analysis. Once the foundation is solid with an industry-wide breach likelihood adoption, cybersecurity will become a solution rather than a problem that security executives perceive as right now.