In a new study by the The Financial Services Information Sharing and Analysis Center (FS-ISAC), CISOs weighed in on the most critical cyber-defense methods, frequency of cyber-preparedness reporting to their respective boards of directors as well as the current cyber chain of command within their respective financial organizations.
CISOs surveyed were split on their top priorities for securing their organizations against cyberattacks. 35 percent of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector. Infrastructure upgrades and network defense are also prioritized by 25 percent of CISOs; and breach prevention by 17 percent.
CISOs reporting into a technical function like CIO prioritize infrastructure upgrades, network defense and breach prevention. CISOs reporting into a non-technical function like the COO or the General Counsel prioritize employee training.
Frequency of reporting
While cybersecurity used to be handled in the server room, it is now a board room topic. The study found that quarterly reports to the board of directors were most common (53 percent) with some CISOs (eight percent) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.
Most CISOs report to CIO, not CEO
As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organizational spotlight. The study found that the majority of CISOs don’t report to the CEO; the top cyber chain of command is more likely to be the CIO; followed by CRO and then COO.
Sixty-six percent of CISOs report into the CIO, CRO and COO. Only eight percent of CISOs report into the CEO. The study found that the reporting relationship did not impact frequency of reporting to the board of directors on cybersecurity.
Recommendations for 2018
Training employees should be prioritized for all CISOs, regardless of reporting structure because employees serve as the first line of defense. Employee training should include awareness about downloading and executing unknown applications on company assets, and in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments.