By: Saket Modi, Co-Founder and CEO at Safe Security
“Can I jump over two or three guys like I used to? No. Am I as fast as I used to be? No, but I still have the fundamentals and smarts. That’s what enables me to still be a dominant player. As a kid growing up, I never skipped steps. I always worked on fundamentals because I know athleticism is fleeting.” — Kobe Bryant
For any discipline — be it sports, music or academics — the grasp on fundamentals needs to be strong. One cannot, after all, write a sentence without first learning the alphabet.
The pandemic has catalyzed digital changes within organizations and outside them as their customers embraced open banking and digital transactions. According to Business Insider Intelligence’s Mobile Banking Competitive Edge study, 89% of survey respondents said they use mobile banking. Deloitte reports that 35% of customers increased their online banking usage during Covid-19, and Visa saw about 13 million Latin American customers make their first online transaction in the first quarter of 2020.
With such a digital boom, cybersecurity has come into sharp focus. However, the fundamentals of how cybersecurity is approached are still unclear, which is why we still see businesses pour money into a bottomless well of tools and still get breached.
According to a Deloitte report, financial institutions are expected to spend roughly 11% of their IT budget on cybersecurity, with the largest banks in the U.S. investing $1 billion each. However, while organizations are improving in cyberattack planning, detection and response, their ability to contain an active threat has declined by 13%, according to IBM’s Cyber Resilient Organization Report.
What Are the Fundamentals?
Currently, the five vectors of the banking sector (people, processes, technology, third parties and cybersecurity products) are viewed in silos and treated as such. People, security teams, security tools, compliance and audits are each treated as the fundamentals of cybersecurity, when in fact they are only pieces of a more granular picture. Organizations purchase more products to generate more lists, based not on objective measurements but on the subjective judgments of the CIO, the security team or competitor enterprises. On average, enterprises deploy 45 cybersecurity-related tools. However, there is a definite lack of cohesiveness in determining what is going well and what could be better. To put it in perspective, enterprises that deploy over 50 cybersecurity tools rank themselves 8% lower in their ability to detect threats than companies employing fewer tools.
There is no industry standard defining the fundamentals that would let financial institutions (FIs) answer one simple question: How secure are they today? When the organization, and by extension its CEO, can be held accountable for a breach (as under the GDPR), the board becomes more curious about and involved in cybersecurity decision-making than ever before. In such a scenario, cybersecurity should transform from jargon-rich to simple, unified and easy to grasp. Managing, mitigating and measuring risk objectively is the fundamental shift required, and it starts with knowing the enterprise’s breach likelihood.
Financial Institutions Needed to Adopt Breach Likelihood Yesterday
Gartner defines integrated risk management (IRM) as “practices and processes supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
The building block of IRM is enterprise risk. So far, organizations have tried and failed to protect data by looking at cybersecurity through compliance frameworks only, with point-in-time reports from siloed tools. It is time they move from reactive, defensive risk management to predictive risk management through breach likelihood, which simplifies cybersecurity.
Computing an enterprise’s breach likelihood relies on technology that is not alien to the BFSI sector. Machine learning-enabled predictions are already deployed in insurance, employee welfare and customer experience. A large online payments system uses deep learning, multi-class models and other techniques to separate fraudulent from genuine transactions, deriving actionable insights from its story-model analysis.
Cybersecurity can likewise be simplified with technology that already exists. The fundamental element of cybersecurity is as basic as knowing the enterprise’s breach likelihood, which can be calculated from enterprise-wide signals. Breach likelihood prediction in the banking sector shifts power to the cybersecurity team and the organization, enabling them to prevent threats rather than react to them. Whether the exposure is ransomware, cloud misconfiguration or business email compromise, breach likelihood gives an as-is metric for cyber risk and a means to prioritize vulnerabilities. This simplifies the understanding and management of cybersecurity.
FIs willing to invest in methods that simplify cybersecurity can begin with:
· Stepping away from a compliance-only, qualitative approach so that no vector (people, processes, technology or cybersecurity products, for both first and third parties) goes unaddressed.
· Consolidating reports from all cybersecurity products and services into a single dashboard, so that security and risk management teams can prioritize risks across the enterprise in one view.
· Measuring their cyber risk posture in its as-is state. For each risk they can then transfer it by purchasing cyber insurance, accept it and forgo changes (especially when the investment required to mitigate it exceeds its dollar-value impact), or mitigate the underlying vulnerabilities, using a defined cyber risk appetite and cyber risk tolerance to decide which.
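To make the three steps above concrete, here is an added worked example. It is not Safe Security's product logic or the author's method: it consolidates constructed findings from several tools into one row per vector, flags vectors that no tool covers, combines per-finding probabilities into an illustrative enterprise breach likelihood, and applies a treatment rule (accept, mitigate or transfer via insurance). The tool names, vectors, probabilities, dollar figures, the one-year horizon and the assumption that findings are independent are all constructed for the walkthrough; real signals are correlated and a production model would be calibrated from data rather than hand-entered. One deliberate choice: the mitigation cost is compared against expected loss (likelihood times impact) rather than raw impact, so a cheap fix for a likely incident is funded even when the worst case is modest.

```python
"""Illustrative cyber-risk consolidation and treatment model.

Added example, not Safe Security's product logic. Tool names, vectors,
probabilities and dollar figures below are constructed for the walkthrough.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five vectors the article names. Every finding from any tool is tagged with one.
VECTORS = ("people", "processes", "technology", "third_parties", "security_products")


@dataclass(frozen=True)
class Finding:
    tool: str                   # which product or service reported it
    vector: str                 # one of VECTORS
    description: str
    annual_probability: float   # assumed chance this weakness is exploited within a year
    impact_usd: float           # assumed dollar loss if it is
    mitigation_cost_usd: float  # assumed cost of the fix


def expected_loss(f: Finding) -> float:
    """Annualised expected loss: likelihood times dollar impact."""
    return f.annual_probability * f.impact_usd


def combined_likelihood(findings: List[Finding]) -> float:
    """Probability that at least one finding is exploited within the year.

    Treats findings as independent (an assumption); real signals are
    correlated, so this is an illustration, not a calibrated model.
    """
    p_none = 1.0
    for f in findings:
        p_none *= 1.0 - f.annual_probability
    return 1.0 - p_none


def per_vector_view(findings: List[Finding]) -> Dict[str, Dict[str, float]]:
    """Consolidate every tool's findings into one row per vector (the single dashboard)."""
    view = {}
    for v in VECTORS:
        subset = [f for f in findings if f.vector == v]
        view[v] = {
            "likelihood": combined_likelihood(subset),
            "expected_loss": sum(expected_loss(f) for f in subset),
            "findings": len(subset),
        }
    return view


def uncovered_vectors(findings: List[Finding]) -> List[str]:
    """Vectors no tool reports on: the gaps a siloed, compliance-only view hides."""
    covered = {f.vector for f in findings}
    return [v for v in VECTORS if v not in covered]


def treatment(f: Finding, risk_tolerance_usd: float) -> str:
    """Map a finding to accept / mitigate / transfer.

    Assumed rule over a one-year horizon: a loss inside the stated tolerance
    is accepted; a fix cheaper than the expected loss is funded; otherwise the
    risk is transferred (cyber insurance) rather than mitigated at a loss.
    """
    el = expected_loss(f)
    if el <= risk_tolerance_usd:
        return "accept"
    if f.mitigation_cost_usd < el:
        return "mitigate"
    return "transfer"


def prioritized(findings: List[Finding], risk_tolerance_usd: float) -> List[Tuple[str, str, float]]:
    """One ranked list across all tools: highest expected loss first."""
    rows = [(f.description, treatment(f, risk_tolerance_usd), expected_loss(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample input: four findings from four different tools.
SAMPLE = [
    Finding("EDR", "technology", "unpatched endpoints exposed to ransomware", 0.30, 2_000_000, 150_000),
    Finding("CSPM", "technology", "world-readable cloud storage bucket", 0.20, 500_000, 20_000),
    Finding("email gateway", "people", "finance staff susceptible to BEC lures", 0.10, 300_000, 400_000),
    Finding("TPRM", "third_parties", "vendor with lapsed security attestation", 0.02, 100_000, 50_000),
]
RISK_TOLERANCE_USD = 5_000  # assumed board-approved per-finding tolerance


if __name__ == "__main__":
    print(f"enterprise breach likelihood: {combined_likelihood(SAMPLE):.3f}")
    for vector, row in per_vector_view(SAMPLE).items():
        print(f"{vector:18} likelihood={row['likelihood']:.2f} expected_loss=${row['expected_loss']:,.0f}")
    print("uncovered vectors:", uncovered_vectors(SAMPLE))
    for desc, action, el in prioritized(SAMPLE, RISK_TOLERANCE_USD):
        print(f"{action:9} ${el:>10,.0f}  {desc}")
```

On the sample, the two technology findings are funded (their fixes cost far less than their expected loss), the BEC exposure is transferred because the fix costs more than the expected loss, the vendor finding is accepted as inside tolerance, and the two vectors no tool reports on (processes, security products) are surfaced as coverage gaps rather than silently scored as zero risk.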
To date, the fundamental approach to securing any business has been reactive. Investments in cybersecurity have historically followed a check-the-box approach to meeting compliance and audit requirements, and a qualitative analysis invites many distractions and abstractions. Once the foundation is solid, with industry-wide adoption of breach likelihood, cybersecurity will become a solution rather than the problem security executives perceive it to be right now.