The past several years have seen an alarming increase in the number of successful high-profile cyberattacks on large commercial entities, including financial and consumer retail institutions once thought impenetrable. According to Cisco's 2014 Annual Security Report, the networks of all 30 of the world's largest multinational companies showed signs of malicious traffic. The threat actors take various forms, including hackers and criminal organizations, state-sponsored attackers, dishonest customers, and even disgruntled employees. Less likely but possible sources include competitors intent on corporate espionage and techno-terrorist groups like the Syrian Electronic Army.
As a result of the growing number of security breaches and ensuing heightened public awareness, many institutions have taken action to protect themselves, strengthening internal data infrastructures, and hiring seasoned security experts to combat the increased sophistication and frequency of cyberattacks. With bigger budgets and valuable assets to protect, financial institutions have been at the forefront of this transformation.
Due to the inherent nature of finance, banks typically have highly valuable assets that need to be protected. With cyber security in mind, leadership looks at several key areas: essential assets and potential vulnerabilities, regulatory requirements, existing cyberdefenses, and additional resources needed to maintain security.
Clearly delineating which assets are most vital to the business and then identifying potential vulnerabilities are the first steps in establishing a strong line of cyberdefense. Financial institutions must also consider the regulatory requirements that pertain to them. For example, the Gramm-Leach-Bliley Act (a.k.a. the Financial Services Modernization Act of 1999) requires banks and other financial institutions to develop a formal information security plan to protect customer data. Per the law, the written plan must designate a dedicated information security officer, include a comprehensive risk analysis, provide for testing of the program, and be adjusted as necessary.
Before determining what additional people, processes, and technology are needed for a robust cybersecurity program, banks should look at what they already have in place to protect against potential threats. Most institutions have a team of fraud protection experts. This team can bring its field-tested experience to a comprehensive program that includes a substantial investment in cyber security talent and state-of-the-art technology.
Creating a cyber security C-suite
Banks are now hiring executives with unique backgrounds in cyber security leadership. These dedicated executives, such as chief information security officers (CISOs), are tasked with educating teams on high-tech security measures and implementing best practices. They often have international experience and strong communication skills. In addition, their backgrounds tend to fall into four categories.
- Military or law enforcement professionals: Large banks are placing a premium on former military and law enforcement personnel, due to their international experience managing teams from remote locations. For example, Jim Cummings, global head of infrastructure protection, business continuity, and military affairs at JP Morgan Chase, is a military veteran. Banks tend to hire experts like Cummings with defense training, who may not be the most technical candidates but bring other crucial abilities to the job. Many veterans display a high level of focus, international experience, and excellent communication skills -- ideal for risk management.
- Technologists: With an increased level of high-tech know-how, these professionals frequently hold a technical degree in engineering or computer science. These executives typically begin their careers in corporate IT (e.g., applications development or networks) before migrating over to cybersecurity.
- Cyber security "lifers": With a corporate background and a technical degree in engineering or computer science, these executives often begin their careers in the cyber security department of large organizations and work their way upward. They are generally recruited by banks looking for candidates with cyber security experience.
- Cyber security product specialists: These executives often begin their careers as vendors of cyber security products. With years in the field and cyber security-specific knowledge, these specialists are similar to CISOs with military or law enforcement backgrounds in that they have real-life experience.
Cultivating cyber security talent
As cyberattacks evolve and become increasingly sophisticated, banks need to acquire and nurture their cyber security talent. The first step is recruitment. Banks must hire top talent with excellent communication skills, international experience, and the ability to adapt quickly to a constantly changing cyber security landscape.
The next step is retention. In today's world, the best cyber security leaders are paid accordingly. Salaries are increasing even below the C-suite; the top earners are often paid anywhere from $400,000 to $600,000. Many of the CISOs at leading banks are already earning seven figures. In addition, many top cyber security experts have compensation packages that include stock options based on their seniority and expertise.
In terms of reporting, these leaders expect direct engagement with the CEO and members of the board in order to be effective, as well as a competent cyber security team with hands-on experience.
Cybercrime constantly changes with every technological breakthrough, presenting new challenges for companies with valuable data to protect. In order to safeguard their assets, banks will need not only to develop a comprehensive cyber security plan that is up to the task, but also to hire and retain the right talent for the job.
Matt Comyns is the global co-head of the Cyber Security practice and a leader in the Digital Transformation practice. In Cyber Security, he recruits chief information security officers, senior consultants, and niche leaders (head ...