The average data breach cost $4.24 million in 2022, an all-time high. The typical bill was even larger for financial services companies: victims of attacks lost business, paid regulatory fines, and had to implement costly new controls with the help of third parties.
Most financial organizations have a cybersecurity strategy, but these programs often miss key features. Leaders mistakenly believe that technology alone can solve the problem, overlooking the people and processes that make success possible. And cybersecurity initiatives too often hinder rather than support business objectives.
One-time solutions aren't sufficient. To create a resilient cybersecurity strategy, you need a system for proactively identifying vulnerabilities and effective yet evolving processes to address them. Below, we break down how to spot common risks and provide ideas for mitigation.
Spot vulnerabilities in 6 steps
In an economic downturn, your company might be hesitant to ramp up investments in cybersecurity initiatives. But even smaller projects can still fill the gaps and decrease risk factors.
Here’s a flexible, 6-step approach to assess your firm’s needs and cybersecurity vulnerabilities:
- IDENTIFY information systems that are susceptible to cybersecurity threats.
- ASSESS which information systems are most important to your organization—your “crown jewels”—such as those containing sensitive data or mission-critical functions.
- DEFINE the types of vulnerabilities that threaten your information systems.
- REVIEW your current cybersecurity policies, standards, and procedures to ensure they appropriately address your risks.
- DETERMINE AND PRIORITIZE cybersecurity breaches that could impact your organization’s information systems.
- ESTABLISH processes to appropriately mitigate or eliminate known threats and vulnerabilities and identify new threats to ensure your cybersecurity program evolves alongside your business.
The risk landscape and your organization are constantly evolving. By repeating this assessment annually, your organization can modify its approach as needed to protect against emerging threats.
Aligning objectives and key results (OKRs)
Cybersecurity programs often get stuck in company bureaucracy because they aren't aligned with business objectives. Your company's OKRs should cascade into specific cybersecurity objectives, supporting its bottom line and reflecting its risk tolerance.
Aligning cybersecurity goals with business objectives requires an inter-departmental approach. While there are several ways to rally stakeholders, we recommend creating a cybersecurity project management organization (PMO).
For example, we worked with a large financial services firm that needed help managing a disorganized set of cybersecurity projects. We partnered with executives to create a strategy to prioritize these initiatives and implemented a PMO framework with processes for governance, organizational structure, and accountability. The result was a PMO that supported the business strategy with a predictable project intake process and strong governance, which improved the organization and execution of existing programs and projects.
Metrics that make a difference
Your organization needs a risk management framework and a way to measure cybersecurity risk. By tracking the metrics listed below, your firm can take a proactive approach to identifying the policies, standards, and controls that need attention.
- Intrusion attempts vs. security incidents: Measures how effectively the cybersecurity program blocks unauthorized entities from accessing information systems.
- Mean Time to Detect (MTTD): How long it takes to detect a security incident.
- Mean Time to Respond (MTTR): How long it takes to respond to a security incident.
- Mean Time to Contain (MTTC): How long it takes to contain a security incident.
- Anti-malware: Percentage of information systems running up-to-date anti-malware.
- Security hardening: Percentage of information systems that comply with configuration standards.
Prioritizing people
Here's the problem with treating tech as the be-all and end-all of cybersecurity: Organizations wind up with inadequate governance and have to spend valuable time creating a step-by-step approach to policy, standards, and processes.
When assessing your current people-related processes, ask these questions:
- Awareness: Do your people know what changes they need to make to mitigate risks?
- Training: Do you take a one-and-done approach to employee training, or have you created a tailored approach that updates over time?
- Responsibility: Do your people know their cybersecurity roles and responsibilities?
The bottom line
Upfront investments in cybersecurity are almost always cheaper than paying for a breach. They're also less painful than the fire drills that often result when auditors find issues related to regulatory compliance.
Point B helps organizations establish processes to train people, assess weaknesses, and align cybersecurity goals with business objectives.