By Joe Alecci, Associate Director, IT & Cybersecurity
The risk landscape for financial institutions is constantly changing with a myriad of new regulations and growing cybersecurity threats. In this environment, surveys continue to show that Boards of Directors and Senior Management lack confidence in their institution's cybersecurity capabilities and that cybersecurity governance is often inadequate. There seems to be a correlation between the level of confidence in the ability to defend against a cyber attack and the level of participation in the development and oversight of the institution's overall cybersecurity strategy. To put it simply, less participation = less confidence, more participation = more confidence.
Another aspect that may influence this equation is the composition of the Board of Directors itself. Many institutions do not have a Board member with an information security background, and some Boards delegate cybersecurity responsibility solely to the IT Department. There also may be a tendency toward thinking that "IT's got this covered" or "We have a CISO; it's his job." So how can Boards address these gaps?
Step one, get informed! Boards need to look internally and be honest about their level of understanding and comfort pertaining to cybersecurity. Boards would be wise to consider adding a qualified Board member or enlisting the help of an outside expert who can keep them informed about the trends and risks facing the institution, provide guidance and insight on managing those risks, and answer questions about the cybersecurity program. One thing we know for certain about cybersecurity oversight is that ignorance is not a control (or a viable defense).
Step two, get prepared! Once you have a general understanding of your cybersecurity program and/or have enlisted expert help, it is important to get specific and meaningful information. What are the specific risks and vulnerabilities your institution is facing? What is being done about these risks and what is needed going forward? Although much of this information may be buried within your risk assessment, asking the right questions and having frequent, thorough presentations and ongoing dialogue with your CISO or Cybersecurity Team can help improve preparedness and lead to better decision-making. Additionally, including the CISO/Cybersecurity Team in the planning phase of any strategic bank initiative will increase overall cybersecurity maturity within the organization.
Step three, get involved! Did you know that the vast majority of Directors and Senior Management do not know whether their institution's incident response plan is adequate? The reality is that while most banks have an incident response plan, and although it is reviewed as part of an internal audit, it typically is not tested in a meaningful way: a document review confirms that the plan exists, not that the people named in it can execute it under pressure. Getting involved in periodic, thorough incident response plan testing, such as a tabletop exercise that walks a realistic scenario from the identification phase through containment, remediation and the post-mortem, can provide significant insight into your institution's defense capabilities, or lack thereof.
Cybersecurity is one area that touches all aspects of your organization and can have an impact at every level, from entry level employees to the Chairman of the Board. Therefore, a culture of security and compliance needs to be enterprise-wide, including the Board of Directors. Regular education, enlisting outside expertise, and actively participating in the development, oversight, testing and ongoing improvement from the top down will help increase confidence "across the Board."
To learn about P&G's IT/Cybersecurity Internal Audit & Risk Management Services, please email WhatsYourRisk@pandgassociates.com or call 877-651-1700.
Joseph Alecci, CISA, CISM, CISSP, CRISC, CEH
Associate Director, IT & Cybersecurity
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.