In June, the European Central Bank (ECB) convened a high-level meeting on cyber resilience. The meeting was significant because it called for a ‘paradigm shift’: treating cyberattacks not primarily as a technology issue but as one that also encompasses governance, culture and closer cooperation between market participants.
The UK has already taken significant steps to promote cooperation across financial services. For example, the majority of High Street banks participate in the Bank of England-led ‘Cross Market Operational Resilience Group’ (CMORG) and ‘Cross Market Business Continuity Group’ (CMBCG).
The implications of the ECB’s call for a ‘paradigm shift’ should not be underestimated; it reflects an international trend in cyber resilience. Beyond greater sector participation, regulators and governments alike now expect a higher standard of cybersecurity capability from financial services firms. This can be seen in recent international legislation and regulation:
- EU Directive on security of network and information systems (NIS Directive, 2016): The objective is to bring the cybersecurity capabilities of operators of essential services to a common level of maturity across all EU Member States and to encourage greater cooperation. Core elements of the Directive are security and incident-notification obligations for operators of essential services, which each Member State transposes into national law and applies to individual organisations.
- G7 Fundamental Elements of Cybersecurity for the Financial Sector (2016): The objective is to give financial services organisations guidance on cyber risk management and, in effect, a benchmark against which their practices can be measured.
- New York State Department of Financial Services: ‘Cybersecurity Requirements for Financial Services Companies’ (23 NYCRR Part 500, 2017). The regulation requires that personnel responsible for core cybersecurity functions be qualified, that such personnel receive training sufficient to address the relevant cybersecurity risks, and that key cybersecurity personnel take steps to maintain current knowledge of changing threats and countermeasures.
Both collectively and individually, governments and regulators expect to see not only greater cooperation among financial services firms, but also a higher level of professional capability, from the board down to the individuals who occupy operational cybersecurity roles.
Should a major incident occur, it is highly likely that the regulator will scrutinise the experience and qualifications of the individuals who made the key cybersecurity decisions, and that any sanction will reflect the level of expertise the organisation had deployed.
What should your organisation do to prepare for this challenge? The obvious answer is training and qualifications. But how can you secure the best return on your training budget?
With so many competing qualifications and standards, choosing the right option for staff is increasingly difficult. To maximise the return on investment, an organisation should consider the following:
- Training mapped to the threat environment. The move towards open banking, in which customer data and payment functions are exposed to third parties through APIs, makes security architecture a core requirement in the short- to medium-term risk landscape. A larger, more exposed attack surface will inevitably bring more vulnerabilities, and with them a greater emphasis on malware analysis and incident response. Newer options such as ISACA’s CSX Training Platform have been designed for this evolving environment, with more emphasis on hands-on, lab-based learning than on traditional book-based examinations.
- Beyond security. To secure the organisation effectively, the security professional must understand the environment in which it operates. This means being aware of key organisational drivers such as privacy legislation and cloud adoption, and knowing the business itself. More security professionals are branching out and obtaining qualifications in banking, privacy and specific technologies so that they can shape the control suite more closely to the risk environment.
- Training – a jigsaw piece, not the puzzle. Qualifications and training should be milestones in a defined career path shaped by both the individual’s aspirations and the strategic objectives of the organisation. This approach helps retain key people and allows them to pass on both experience and knowledge to the next generation, fostering a culture of security excellence.
The legislative push for greater cybersecurity accountability will only intensify as the impact of attacks shifts from individual organisations to the industry as a whole. The challenge now is for organisations to prove they have the right people, in the right place, making the right cybersecurity decisions – not just for their own organisation, but for the industry itself.