As Chief Information Security Officers (CISOs) at financial services organizations embrace digital transformation and cloud adoption, they face several challenges, including safeguarding critical assets, managing an expanding attack surface, and navigating a complex regulatory landscape. CISOs across the sector must deliver on a broad array of imperatives while operating with reduced visibility and heightened noise caused by the proliferation, and resulting complexity, of data. The ability to focus simultaneously on vulnerabilities, critical assets and incidents has become essential.
While budgets are not necessarily shrinking, they are also not growing in proportion to increasing demands. CISOs must continuously justify their current spending while struggling to secure additional funding for essentials such as automation and cloud security. The bigger challenge is the tension between focusing budgets on innovative solutions that incorporate artificial intelligence (AI) and machine learning (ML) versus ongoing regulatory remediation given the global uptick in new cyber rules and standards.
In addition, financial services CISOs must navigate an onslaught of multi-regional regulations that are becoming increasingly rigorous and complex. In the US, the Office of the Comptroller of the Currency (OCC) and the Federal Reserve have intensified their oversight of Tier 1 global banks, issuing matters requiring attention (MRAs), which are formal communications from regulators during an examination or review that require an institution to address specific issues. Similarly, in the European Union, regulations such as the Digital Operational Resilience Act (DORA), which imposes specific tactical security requirements, are increasing in intensity and priority.
To get ahead of these challenges, CISOs are turning to advanced technologies such as AI and ML to automate security operations, reduce false positives, and streamline incident response. However, technology alone is not enough. CISOs need to promote collaboration and ensure their programs align with the objectives of the business by maintaining open communication with senior leaders. Change is already underway. According to KPMG research, 74 percent of financial services organizations say cybersecurity is typically involved from the earliest stages of technology investment planning and has a high influence on the decision-making process.¹
In the aftermath of the pandemic, many organizations found themselves with bloated second lines of defense. This eventually led to reassessing existing roles and responsibilities. We encourage CISOs to work closely with the second line of defense — which manages oversight of controls — to focus on operational key performance indicators (KPIs) as proxies of the overall health of the digital environment and align those KPIs with the relevant key risk indicators (KRIs). As always, CISOs must be proactive and adaptable, continuously assessing cybersecurity, identifying gaps, and implementing strong yet flexible controls to mitigate risks.
In this report, we will explore some key cybersecurity considerations for financial services organizations with actionable insights and recommendations for CISOs.