By David Higgins, EMEA Technical Director at CyberArk
The finance industry spends 40% more on combatting cybercrime than any other sector, with the direct cost of incidents – not including the long-term cost of remediation – amounting to £18.5 million annually per firm, on average. These statistics may seem high, but they’re not surprising when you consider attacks on the industry grew by 238% during the first few months of the pandemic.
Cybersecurity is clearly a high priority for those in the financial services industry. However, despite most organisations agreeing they need to guard against threat actors, and vast amounts of money being spent to help them do so, there is a lack of clarity on whose job it is within these organisations to fight cybercrime.
Time to change outdated thinking
Part of the problem stems from the idea that cybersecurity is just one job, and that the CISO is entirely accountable for it. While it seems a natural fit for the CISO, it’s vital for the whole c-suite and each team within an organisation to ‘buy-in’ to the fact that cybersecurity is a shared responsibility across the whole business. Without this ‘buy-in’ it’s possible to create unintended weaknesses within an organisation, diminishing its overall security posture – something finance firms can ill-afford.
Ensuring the adoption of a shared responsibility mindset across the sector can be a challenge. Many financial services organisations have to battle against competing cultural perspectives on technology, as well as differing ideas about how to implement it. CISOs left to shoulder the burden of cybersecurity alone will soon find themselves struggling to improve security practices and keep their organisation safe.
Alongside this, when a technology project does go ahead in the finance industry, firms can struggle when employees aren’t willing to embrace the changes it requires. For example, many employees fail to understand the significance of the programme, aren’t clear on how it aligns with the corporate strategy, or don’t have a clear grasp of how it affects their own priorities, all of which create barriers to successful implementation.
With all this in mind, change must be driven by senior executives across the firm, both through clear communication across all levels, and emphasis being placed on shared accountability for the project’s outcome.
Strategies to boost ‘buy-in’
Many don’t understand that a bank can’t strengthen its security posture with just one technology solution. Cybersecurity is, in fact, a journey, and change management needs to be led by people, specifically those in the c-suite. If security programmes such as privileged access management aren’t prioritised by those in more senior positions, or are seen as optional, banks will continue to face challenges to adoption all the way down the corporate hierarchy.
The finance industry is naturally risk-averse. CISOs who have the backing of the c-suite, and who ensure employees across the business understand and engage with these projects, will succeed not only in implementing operational change, but also in letting it take hold, grow and thrive. There are a few strategies finance organisations should adopt to help achieve this:
- Make it urgent, not optional – Senior executives need to understand their banks are in a vulnerable state and that these vulnerabilities have consequences. The mass shift to remote working in the last year has stretched resources, accelerating the urgency of strong security protocols. With attacks such as the recent SolarWinds breach becoming more common, there is now a need for banks to adopt and drive a crisis mindset, before the crisis occurs – a job that belongs to everyone.
- Build your case – Aligning security with clear business goals will help CISOs ensure security is not just seen as an add-on by those in senior positions. Building a business-level narrative to show stakeholders that an attack has the power to completely disrupt an organisation can help make this a reality.
- Don’t go it alone – To gain recognition of the role of security, and buy-in for the implementation of robust cybersecurity practices, business decision makers need to bring the people with influence at every level, for example HR, into the fold. Ensuring employees at every level understand the importance of security initiatives means they can escalate to leadership and drive urgency amongst business decision makers where needed.
Security can only become part of an organisation’s DNA when a mindset is adopted in which responsibility is shared equally. Work needs to be done to get to this point, however, and the c-suite must push employees across the wider business to realise that cybersecurity isn’t a single job: it’s an integral part of everything they do, and something that will only become more important to the business in the coming years.