10 Pitfalls Every Finance CISO Should Avoid in 2023
1
get started
Challenges Facing Financial Services Organizations
Ever-intensifying attacks that are often too sophisticated to be stopped by traditional endpoint defenses A highly fluid IT environment that increasingly extends to remote users, customers, other organizations, and the cloud Budget and headcount limitations that don’t keep pace with the growing magnitude of your cybersecurity challenge
According to the Global Threat Intelligence Report, manufacturing experienced a 300 percent increase in worldwide attacks in 2021. What are your processes for monitoring for risks? What happens if you have an incident?
300%
If you’re responsible for cybersecurity at a bank, credit union, or other financial services organization, you face three serious problems:
If you’re responsible for cybersecurity at a bank, credit union, or other financial services organization, you face ever-intensifying attacks a highly fluid IT environment, and budget and headcount limitations. To make matters worse, financial services are a top target for the bad guys. And the consequences of a breach are often significant in terms of cost, reputation, and regulatory penalties. Fortunately, there are some concrete steps you can take to avoid becoming the next victim. Based on our unmatched experience in proactive threat detection and response, adversarial security testing, and post-breach incident response, we’re sharing 10 pitfalls facing financial services CISOs and how to align your strategic thinking and plans to avoid them.
1. 2. 3.
Three Serious Problems
Three problems you need to be aware of:
2
extended perimeter
Ever-intensifying attacks
Fluid IT environments
Limited budget and headcount
Problem #1: Ever-intensifying attacks
The first priority for any security leader in the financial services industry is to defend their organization from cyberattacks. So here are some important facts to be aware of: Financial Services are a prime target. Banks, as Willie Sutton famously noted, are where the money is. That’s why financial services consistently ranks at the top of attack rankings by industry. And it’s why Federal Reserve Chairman Jerome Powell called cyberattacks the #1 threat to the global financial system. Attack volume keeps increasing. The banking industry reported 30% more ransomware attacks in the first half of 2021 than in all of 2020. This is in part due to a growing open market for attacks-as-a-service — and in part because hostile state actors are utilizing cyber as warfare by other means. Attackers keep getting smarter. In an underground marketplace, Secureworks researchers found over 2 million stolen credentials from infostealers. Attackers use innovative distribution methods including cloned websites and Trojanized installers for messaging apps such as Signal. Phishing attacks, business email compromise (BEC), and other multifaceted exploits require new defenses — and new approaches to security operations (SecOps).
3
According to a survey by analytics firm Verint, security and fraud protection are replacing “low or no fees” as the top reasons why consumers choose a new bank. How is your security protection differentiating you from your competition?
Experience Index: Banking
Problem #2: Fluid IT environments
4
The environment you’re called to defend is larger, more complex, and more dynamic than ever. This adds to the difficulties you face in several ways, including: More assets to protect. As you add servers, users, data, and applications, you make your threat surface larger. You also increase the number of discrete software elements you must patch for known vulnerabilities. And you give attackers more places to hide once they get a foothold in your environment. Increased cloud presence. The cloud itself is inherently more secure than your on-premises environment, because cloud providers enjoy economies of scale that allow them to invest in stronger security measures than your organization can individually. However, if an attacker evades your defenses, they can move to the cloud — where they can mask their activities from you and from your cloud provider using stolen credentials to appear legitimate. In fact, Secureworks recently found that in 2022 nearly 55% of security incidents came from cloud telemetry sources. A rise in remote work. Remote work was already on the rise before the pandemic. Now that it has become even more commonplace, it opens your organization to a host of vulnerabilities associated with both remote access and inadvertent human carelessness. Digital partnering. Finance is a highly collaborative activity that brings together asset managers, lenders, rating agencies, and other third parties. The more you interact with these partners electronically, the more you expose your organization to the kind of digital “contagion” that characterizes many modern attacks.
Problem #3: Limited budget and headcount
Security budgets are generally rising, and financial services tend to invest a bit more in security than organizations in other markets. But single-digit increases in a security budget that comprises a mere 3-4% of total IT spend won’t keep pace with the above-noted combination of 1) a growing volume of increasingly sophisticated threats and 2) a growing threat surface that keeps extending further and further beyond the four walls of your physical facilities. And your headcount is not only limited by your budget for dedicated staff salaries. There is a worldwide shortage of qualified cybersecurity professionals. Because of that, the U.S. Commerce Department estimates that there are around 465,000 unfilled cybersecurity positions domestically. And 95% of cybersecurity professionals say the situation is not improving. As CISO for a financial services organization, you must therefore not only think about how to protect your organization most effectively. You also have to figure out how to do it efficiently.
5
Cyber insurers are taking a more stringent look at an organization’s security posture. In fact, in the second quarter of 2022, U.S. cyber-insurance prices increased 79% from the previous year — and more than doubled in the preceding two quarters. What actions are you taking to help reduce your cyber-insurance premiums?
Global Insurance Market Index
Top 10 Pitfalls Every Financial Services CISO Must Avoid in 2023
Financial services CISOs have to do a lot more than just 10 things. But we all prioritize our to-do lists. And when it comes to mitigating risk, prioritization is key. The following list is specifically tailored to financial services: banks, credit unions, investment/asset managers, and the like. It is based on Secureworks’ extensive engagements in the financial sector — as well as our uniquely broad perspective based on: Global threat intelligence. The Secureworks Counter Threat Unit (CTU) is one of the industry’s foremost research teams, constantly scanning the globe to identify threat actors, understand their tactics, techniques, and exploits (TTE), and analyze emerging trends in malicious activity. Adversarial testing. The Secureworks CTU’s Adversary Group is heavily engaged in pen-testing and adversarial simulation exercises to help our customers discover vulnerabilities in their environments before the adversary does. This testing activity gives us high-value insight into the shortcomings of financial services security. Incident response. Financial services often call upon Secureworks to identify, neutralize, and remediate active persistent threats (APTs) that have established a beachhead within their environments. These engagements give us further insight into what can go wrong with financial services SecOps — and why.
6
In a survey of bank board members and executives, 45% said their institutions rely on outdated technology. They cited cybersecurity as the top area where they were expanding their capabilities. How are you working to both maximize your existing technology and expand your cybersecurity capabilities?
Bank Director Magazine
Pitfall #1: An endpoint/perimeter mentality
You don’t get to become a financial services CISO without years of experience in security. However, as noted earlier, the nature of the threats you’ll face going forward are quite different from those you’ve faced in the past. Relying on endpoint security alone is a mistake. Secureworks found that in 2022 less than 50% of security investigations included any endpoint telemetry. In other words, relying on an endpoint detection and response (EDR) solution alone would have missed over 50% of threats. It’s also no longer useful to structure your cyber defense primarily as a perimeter that you try to prevent attackers from breaching. In fact, you can be sure that attackers will get past your perimeter somewhat regularly — so new approaches are essential. Key aspects of your new approach should include: Zero Trust access control that requires strong authentication based on multifactor proof of identity, location, and/or cross-checking of potential anomalies such as time-of-day and session duration. Zero Trust also means that access is diligently restricted to “just enough” — and is not propagated beyond explicitly required purposes. A “whole security” model that incorporates telemetry from networks, clouds, and other sources in addition to endpoints. EDR solutions are too myopic in their view, which is why extended detection and response (XDR) solutions, such as Secureworks Taegis XDR™, are gaining so quickly in popularity. A stronger emphasis on aggressive threat hunting to reduce APT dwell times. You simply cannot ensure the impermeability of your environment. So you must prioritize the discovery of and response to active threats. After all, every hour you allow an attacker to keep probing your environment and moving laterally greatly increases the risk that they will achieve their malicious objectives.
7
external threats
internal threats
Pitfall #2: Asking your people to do too much
Good leaders can motivate their teams to perform at a high level. So you should certainly use your leadership skills to help your SecOps team fulfill its potential. However, smart leaders also understand that you can push people too hard. This is often what happens to cybersecurity professionals, given the pressures they face. The statistics speak for themselves:
8
ransomware
business email compromise
Risks to Virtual Environments
More than a third of cybersecurity professionals are considering quitting their jobs in the next six months due to burnout. 42% report suffering from headaches due to excessive workloads. 23% are planning to quit their current jobs within six months due to better prospects elsewhere.
Does this mean you should coddle your staff and allow them to leave your organization exposed to risk? Of course not. But it does indicate that workload management is a strategic factor in cybersecurity, given the innately stressful reality that your SecOps team has to stop threat actors every time — but threat actors only have to get past them once.
• • •
Pitfall #3: Accumulating too many tools
Given all the ways threat actors can attack your environment, it can be tempting to acquire lots of shiny new tools for your security toolbox. But beware — the SecOps teams with the most toys doesn’t always win. That’s because:
9
Manufacturing has seen a marked rise in ransomware-related breaches. 82% of the threat actors are external. How are you equipped to defend, detect and respond?
Verizon Data Breach Investigations Report, 2021
Adding more tools creates more work for your staff, who have to get up to speed on each one and then constantly toggle between them all. Fragmented monitoring won’t make your organization a whole lot safer, because it’s very difficult for people to correlate data that’s scattered across multiple apps. An oversized security toolbox can be a drain on your budget—especially if you’re paying based on how much data you’re collecting, as is the case with many SIEM solutions.
Does this mean you shouldn’t acquire innovative security solutions? Of course not. But if you’re going to invest in something new, be sure to consider whether you can consolidate, such as through an XDR solution, or phase out one of your older tools.
Pitfall #4: Not connecting security to the business
• •
10
The FBI says that BEC is the #1 costliest cyberattack in the U.S., accounting for nearly $2.4 billion in losses. How are you sure you are not falling prey to the evolving schemes of fraudsters?
FBI 2021 Internet Crime Report
When you’re entrusted with the tremendous responsibility of protecting a financial services organization from the universe of cyberthreats, it’s natural to turn all your attention and energies toward the technical and operational challenges that such protection entails. But be careful. As a security leader, your job is not just to do security for the business. It is also to represent security to the business. This is a non-trivial aspect of being a CISO. When you connect security to the business, you empower your team to deliver more value — and you’re likely to get more funding and more executive support from your organization’s top decision-makers. Consider these facts:
For these reasons and others, it is vitally important to treat security as a function of the business, rather than merely some kind of peripheral technology housekeeping. Reporting can also help here. Using solutions with flexible reporting options, including out-of-the-box executive summary templates, can help non-security leaders feel connected and willing to support and invest.
Security and fraud protection are replacing “low fees or no fees” as the top reasons why consumers choose a new bank. 28% of cybersecurity leaders say their relationship with line-of-business managers is fair or poor.
Pitfall #5: Minimizing reporting and compliance
Reporting isn’t just for internal audiences. Financial services are highly regulated, with a veritable alphabet soup of mandates such as FFIEC, OCIE, and PCI DSS impacting your job as a cybersecurity leader. You can either view these mandates as bothersome burdens — or leverage them to elevate the role and resourcing your organization’s leadership grants you and your team. Remember:
11
The average cost of a data breach in the financial sector was $5.97 million, according to the Ponemon Cost of a Data Breach Report 2022. What level of risk are you willing to take? What capabilities are you looking for to reduce your level of risk?
The FDIC requires that you report any significant cybersecurity incident — including those experienced by third parties — within 36 hours of discovery. Your organization’s ability to expand geographically is directly tied to its ability to comply with the different regulatory mandates relating to information security in different jurisdictions — especially if you want to do business overseas. If you do suffer a breach, the penalties imposed by regulatory auditors will be significantly less severe if you are able to demonstrate best efforts/due diligence, rather than negligence.
Pitfall #6: Betting on perfection
Mitigating risk isn’t just about doing your best to prevent a breach. It’s also about mitigating the adverse impact (in other words, cost) to your organization if and when a significant breach occurs. Unfortunately, in their all-out efforts to prevent a breach, financial services CISOs often under-prepare for the eventuality of one. As a result, the breach becomes more costly and disruptive than it had to be. Smart CISOs take a variety of steps to keep bad days from becoming extremely bad days, such as:
12
Ensuring that backups are properly insulated from the production environment and can actually be used to restore operations in the event of full breach. Engaging in tabletop exercises that involve the entire business — including operations, customer care, legal, HR and PR. Getting the most value out of cyber insurance coverage by demonstrably adopting the best practices cyber insurers look for when they price risk.
Pitfall #7: Under-investing in training
To optimally protect your organization, you’ll need everyone across every department — including both technical and non-technical staff — to be fully engaged in the mission of cybersafety. So make sure you allocate enough of your own budget to continuing education. And advocate passionately for the business to implement a rigorous program of cybersafety training and testing for non-technical staff. Bear in mind that:
13
Some worms are intended as cyber warfare between nations but end up impacting other organizations. NotPetya was a Russian cyberattack against Ukraine, but because of the way it spread, it impacted manufacturing environments worldwide. How are you making sure your competitive differentiation remains yours?
44% of breaches in financial services are the result of employees inadvertently causing harm. 82% of cybersecurity professionals say that their job requirements prevent them from improving their skills as much as they know they need to. Cybersecurity professionals need about 40 hours of continuing education annually — to maintain and increase their effectiveness.
Pitfall #8: Under-investing in adversarial testing
You may think you’re safe. But without a rigorous program of adversarial testing, you can’t actually know you’re safe. You also can’t empirically prove to executive management that you’re successfully making your organization safer over time — and making their investments in cybersecurity worthwhile. Key principles to consider when implementing an adversarial testing program include: Be iterative. Most organizations do poorly on their first pentest. The real proof of your leadership and your team’s skills will come as you continue testing and do progressively better each time. Use your results tactically and strategically. An example of a tactical response to an issue discovered during a test might be “we need to patch these vulnerabilities.” A strategic response to that same issue would be “we need a smarter, faster way to patch vulnerabilities.” Leverage testing for multiple purposes. A strong testing program should help you reduce your cyber insurance premiums and score points with regulators. You can also use test results to assess your tool vendors, improve your team’s skills, and prove value to upper management.
14
The financial sector frequently faces credential and ransomware attacks from external actors. However, 44% of the breaches in this industry were caused by internal actors with no intent to cause harm. For example, some send financial information to the wrong person accidentally. What visibility do you have of information falling into the wrong hands? How are you managing this?
Verizon Data Breach Investigations Report, 2022
Pitfall #9: Deferring XDR adoption
15
Extended detection and response (XDR) is a relatively new technology, but it’s an essential platform for efficiently reducing your organization’s exposure to the growing wave of threats that bypass traditional endpoint defenses, including EDR. Banks and other financial services have not traditionally been early adopters of such technologies. But that’s changing for several reasons. One is pure tactical necessity. You simply won’t be able to protect your organization against APTs with EDR alone. Another is growing recognition that slow technology adoption leaves financial services open to disruption by nimbler market disruptors. That’s why 45% of Financial Services executives say their institutions rely on outdated technology and cite cybersecurity as a top area requiring new capabilities. More specifically, with XDR you can:
By 2030, it is expected that there will be a shortage of 2.1 million* skilled jobs in manufacturing. Research by (ISC)² suggests the global cybersecurity workforce needs to grow 65%** to effectively defend organizations’ critical assets. How is the lack of skilled candidates for jobs impacting your operations?
* Deloitte’s 2022 Manufacturing Industry Outlook ** 2021 Cybersecurity Workforce Study
2.1M
More quickly detect and identify the “breadcrumbs” left by stealthy attackers anywhere across your endpoints, networks, cloud presences, and elsewhere. Reduce costs or completely eliminate other tools in your toolkit, including EDR, SIEM, and SOAR. Maximize the value of your existing security investments by choosing an open XDR platform that ingests telemetry from across your existing stack, also helping ease the burden on your staff. Empower the business to more nimbly expand and diversify its infrastructure without simultaneously adding excessive cybersecurity costs.
• • • •
Pitfall #10: Going At It Alone
16
Industry associations such as the Information Systems Security Association (ISSA) and Financial Services Information Sharing and Analysis Center (FS-ISAC) Industry standard models such as MITRE, FINRA, AND PCI DSS. Cybersecurity solution providers who can deliver XDR capabilities as a managed detection and response (MDR) service.
You’ve been hired to do an important job. And you have a lot of ideas about how to get it done. So it’s natural to focus on putting your ideas into action. Just know that there are lots of resources you can leverage to fully minimize your organization’s exposure to cybersecurity-related risk. Those resources include:
The right consulting partner can bring a broad range of experience in financial services to the table as you make critical decisions about how to allocate your budget, how to optimize your mitigation efficiency, and how to best align your SecOps practices with your organization’s specific needs and risk factors.
17
Superior Credit Union: Fast-tracking security maturity
Founded in 1954, Superior Credit Union is a not-for-profit, member-owned financial cooperative serving more than 90,000 members through 22 branches. It has grown into the fifth-largest credit union in Ohio with more than $1 billion in assets.
the company
the situation
the solution
the results
18
Growth presented Superior Credit Union with serious challenges. “As we continued to grow, we were outpacing our internal cybersecurity resources,” says CIO Brian Grime. “We needed to rapidly scale our cyber capabilities and gain access to much deeper, cross-disciplinary skillsets while doing so.”
19
Grime adopted Taegis™ ManagedXDR, an MDR solution on Secureworks’ open Taegis XDR platform. With Taegis™ ManagedXDR, Grime and Superior Credit Union received around-the-clock monitoring across endpoints, networks, and the cloud—complemented by both AI-driven analytics and the expertise of Secureworks analysts with decades of experience in financial services security.
20
Superior Credit Union can discover within minutes even the earliest hints that something unsafe is happening in their environment, whether it’s an all-out attack or an engineer running a PowerShell script that unintentionally disrupts operations. The company gets more value from its existing security investments — from its firewall to its antivirus — because they are all integrated into the Taegis environment. And Grime didn’t have to bring on a new employee with Linux expertise because Secureworks’ service includes administering security for his Linux servers. Just as important, Grime now gets regular reports that enable him to demonstrate value to his board.
“ManagedXDR is more cost-effective for us than building out an internal SOC. I’ve gained immediate access to a deep bench of very skilled, cross-disciplinary cybersecurity team members — and I lower my overall risk profile. This is a great win for us.”
Brian Grime, CIO, Superior Credit Union
Secureworks: We’re in your corner
21
Secureworks is the leading provider of threat prevention, detection and response solutions to financial services companies. In addition to being FDIC-certified, we are universally recognized as a leader in cybersecurity. We support 6 of the top 20 financial service organizations in the world helping them reduce their risk, maximize their existing investments, and fill their talent gaps. Our Taegis XDR platform delivers Extended Detection and Response with superior detection, unmatched response, and an architecture that is open without compromise. All to deliver customers higher security with highest ROI. We also offer a Managed Detection and Response (MDR) solution called Taegis ManagedXDR that offers 24x7 threat monitoring and response leveraging Secureworks team of experts. That’s why Forrester Consulting found that Taegis users achieve ROI of more than 400%, reduce their risk by 85%, and reduce overall costs by at least $1 million.
Learn more
22
If you’d like to learn more about what Secureworks can do you for you, call us at 877-838-7937 to speak to a security specialist — or visit us online at www.secureworks.com.
Learn About Taegis ManagedXDR
