Security

03:00 PM
Matt Comyns
Matt Comyns
Commentary
50%
50%

Banking on Cyber Security Leadership

How cyber security officers at financial institutions are confronting data protection concerns.

The past several years have seen an alarming increase in the number of successful high-profile cyberattacks on large commercial entities, including financial and consumer retail institutions once thought impenetrable. According to Cisco's 2014 Annual Security Report, all the networks of the world's 30 largest multinational companies have indicated the existence of malicious traffic. These threats can take various forms, including hackers and criminal organizations, state-sponsored attacks, dishonest customers, and even disgruntled employees. Less likely but possible sources include competitors intent on corporate espionage and techno-terrorist groups like the Syrian Electronic Army.

As a result of the growing number of security breaches and ensuing heightened public awareness, many institutions have taken action to protect themselves, strengthening internal data infrastructures, and hiring seasoned security experts to combat the increased sophistication and frequency of cyberattacks. With bigger budgets and valuable assets to protect, financial institutions have been at the forefront of this transformation.

Bankable assets
Due to the inherent nature of finance, banks typically have highly valuable assets that need to be protected. With cyber security in mind, leadership looks at several key areas: essential assets and potential vulnerabilities, regulatory requirements, existing cyberdefenses, and additional resources needed to maintain security.

Clearly delineating which assets are most vital to the business and then identifying potential vulnerabilities are the first steps in establishing a strong line of cyberdefense. Financial institutions must also consider the regulatory requirements that pertain to them. For example, the Gramm-Leach-Bliley Act (a.k.a. the Financial Services Modernization Act of 1999) requires banks and other financial institutions to develop a formal information security plan to protect customer data. Per the law, the written plan must include a dedicated information security officer, a comprehensive risk analysis, the tested program, and changes as necessary.

Before determining what additional people, processes, and technology are needed for a robust cybersecurity program, banks should look at what they already have in place to protect against potential threats. Most institutions have a team of fraud protection experts. This team can bring its field-tested experience to a comprehensive program that includes a substantial investment in cyber security talent and state-of-the-art technology.

Creating a cyber security c-suite
Banks are now hiring executives with unique backgrounds in cyber security leadership. These dedicated executives, such as chief information security officers (CISOs), are tasked with educating teams on high-tech security measures and implementing best practices. They often have international experience and strong communication skills. In addition, their backgrounds tend to fall into four categories.

    • Military or law enforcement professionals: Large banks are placing a premium on former military and law enforcement personnel, due to their international experience managing teams from remote locations. For example, Jim Cummings, global head of infrastructure protection, business continuity, and military affairs at JP Morgan Chase, is a military veteran. Banks tend to hire experts like Cummings with defense training, who may not be the most technical candidates but bring other crucial abilities to the job. Many veterans display a high level of focus, international experience, and excellent communication skills -- ideal for risk management.

 

    • Technologists: With an increased level of high-tech know-how, these professionals frequently hold a technical degree in engineering or computer science. These executives typically begin their careers in corporate IT (e.g., applications development or networks) before migrating over to cybersecurity.

 

    • Cyber security "lifers": With a corporate background and a technical degree in engineering or computer science, these executives often begin their careers in the cyber security department of large organizations and work their way upward. They are generally recruited by banks looking for candidates with cyber security experience.

 

  • Cyber security product specialists: These executives often begin their careers as vendors of cyber security products. With years in the field and cyber security-specific knowledge, these specialists are similar to CISOs with military or law enforcement backgrounds in that they have real-life experience.

Cultivating cyber security talent
As cyberattacks evolve and become increasingly sophisticated, banks need to acquire and nurture their cyber security talent. The first step is recruitment. Banks must hire top talent with excellent communication skills, international experience, and the ability to adapt quickly to a constantly changing cyber security landscape.

The next step is retention. In today's world, the best cyber security leaders are paid accordingly. Salaries are even increasing below the c-suite; the top earners are often paid anywhere from $400,000 to $600,000. Many of the CISOs at leading banks are already earning seven figures. In addition, many top cyber security experts have compensation packages that include stock options based on their seniority and expertise.

In terms of reporting, they expect direct engagement with the CEO and members of the board in order to be effective, as well as a competent cyber security team with hands-on experience.

Cybercrime constantly changes with every technological breakthrough, presenting new challenges for companies with valuable data to protect. In order to safeguard their assets, banks will need not only to develop a comprehensive cyber security plan that is up to the task, but also to hire and retain the right talent for the job.

Matt Comyns is the global co-head of the Cyber Security practice and a leader in the Digital Transformation practice. In Cyber Security, he recruits chief information security officers, senior consultants, and niche leaders (head ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly22
50%
50%
Kelly22,
User Rank: Author
8/29/2014 | 2:01:44 PM
Re: Security C-suite concept
The competition for top cybersecurity talent is sure to be tough - especially when it's no longer enough to just have extensive tech experience. Banks (well, financial services businesses in general) would be smart to start seeking out experts that also have international experience and strong communication skills, two must-haves in today's digital environment.  
KBurger
50%
50%
KBurger,
User Rank: Author
8/29/2014 | 11:37:57 AM
Security C-suite concept
Very timely update, Matt. The concept of the "security c-suite" should be a wake-up call to many organizations, and I've read elsewhere how the CISO and chief risk officer roles are high-profile and hot today. Of course, many different industries are seeking to cultivate this type of talent, as well, so banks and other financial services companies are likely to find themselves in an intense competition for "the best and the brightest" -- similar to the battle for data/analytics, digital and customer experience expertise.
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology Oct. 14, 2014
Bank Systems & Technology's new Must Reads is a compendium of our best recent coverage of customer analytics. Learn what big data means for banks, meet Wells Fargo CDO Charles Thomas, find out how to connect with your Gen Y customers, and more.
Slideshows
Video
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.