Documente Academic
Documente Profesional
Documente Cultură
The Deloitte Center for Financial Services, part of the firm’s US financial services practice, is a
source of up-to-the-minute insights on the most important issues facing senior-level decision
makers within banks, capital markets firms, mutual fund companies, investment management
firms, insurance carriers, and real estate organizations.
We offer an integrated view of financial services issues, delivered through a mix of research, in-
dustry events, roundtables, and provocative thought leadership—all tailored to specific organiza-
tional roles and functions.
CONTENTS
Endnotes | 27
Taking cyber risk management to the next level
B
ANKS, investment companies, and insurers incurred by companies in a particular industry,
are prime targets for cybercriminals look- counting both internal activities and external
ing to steal money or information, disrupt consequences. That figure reached $28.3 million
operations, destroy critical infrastructure, or in 2015—which is significantly higher than the
otherwise compromise data-rich financial ser- six-year average for FSIs of $19.4 million annual-
vices institutions (FSIs). Indeed, FSIs lead the ly (see figure 1).1
pack in terms of the average cost of cybercrime
$28.3
Financial services
$19.4
$27.6
Energy and utilities
$21.7
$16.5
Technology
$10.4
Source: Ponemon Institute and Hewlett Packard Enterprise, 2015 Cost of cyber crime study—United States, October 2015.
2
Lessons learned from the front lines at financial institutions
3
Taking cyber risk management to the next level
efforts with the business, operational, and organizations to make cybersecurity a core
technology strategies of their companies. consideration enterprise-wide.
• CISOs are striving to innovate in a multitude • FSIs are starving for cybersecurity talent,
of ways, but often have a hard time assess- with staffing challenges the biggest prob-
ing and integrating a flood of new security lem faced by many of those we interviewed.
tools at their disposal, while reinventing their While companies may have more than enough
For example, when asked about the most important challenge they feel their organizations are facing,
the responses largely reflect the main points covered in the body of this report, with some interesting
exceptions, as shown in figure 2.
Figure 2. There appears to be a lack of consensus on the most important cyber risk manage-
ment issues in financial services today
When it comes to return on investment (ROI) and future initiatives, our interviewees once again
expressed a range of priorities. Banking CISOs maintained that improving their firm’s resilience in the
event of an attack is a future investment priority. In contrast, insurance CISOs cited network monitoring
and identity management as priorities. Similarly, investment in “basic blocking and tackling” to remediate
legacy systems was identified as an area that has paid off for bankers in particular, while other sectors
were less consistent, mentioning talent, application consolidation, or data protection as high-return areas
for their specific institution.
Clearly, the diversity of responses reflects the fact that even though financial services has been a main
target of threat actors for many years, companies within the industry are still focusing on their own “next
challenge”—building capabilities they hadn’t prioritized before.
4
Lessons learned from the front lines at financial institutions
funding, they often complained about the countries, while most yearn for ways to bet-
lack of “triple threats”—those with the tech- ter automate intelligence to make it more rel-
nical skills, business know-how, and strategic evant, actionable, and available in real time.
thinking capabilities to implement cyber risk
management initiatives quickly and effectively. Overall, we found that while some FSIs have
become leaders in cyber risk management, there
• Cyber risk metrics remain a veritable Tow-
is a wide variance on the cybersecurity maturity
er of Babel as reporting responsibilities
curve. The bar needs to be raised for many indi-
overwhelm CISOs, thanks to a lack of wide-
vidual companies and the industry as a whole. Our
ly accepted, impactful measurements and
interviews with leading players and experience in
industry-wide standards to meet increasingly
serving clients across financial services provide a
redundant oversight demands.
number of key insights into how these challenges
might be overcome, whether by sharing leading
• CISOs need help connecting the dots. Many
practices or through continuous innovation, just
cite legal ambiguity or regulatory hurdles as
as the threat actors themselves have done.
obstacles to information sharing within and
beyond the industry and even their home
5
Taking cyber risk management to the next level
Money is no object:
An embarrassment of riches
for cyber risk management
Where are FSIs now? to regret its decision not to do something that,
in retrospect, might have prevented or contained
All of those we spoke with said their companies the breach, just to save money in the short run.
had dramatically increased cybersecurity
budgets over the past few years, a trend they
believe is likely to continue in the near term. Where might FSIs go
For the time being, money appears to literally from here?
be the least of their concerns. One respondent
said his cybersecurity budget had gone up 75 The bottom line is that by whatever measurement,
percent over the last three years, adding, “Money cybersecurity is not being shortchanged by FSIs,
is simply not an issue.” Some noted they’re often and the vast majority of those we spoke with
asked by superiors whether they don’t need to don’t foresee a significant slowdown in spending
spend more to combat cyber risk. anytime soon. One respondent said trends in
cybersecurity spending are the “new normal,”
In addition, those we interviewed pointed out noting that his budget will likely have to keep
that an FSI’s overall investment in cybersecurity increasing to stay ahead of evolving threat actors.
is always higher than what’s allocated in
the CISO’s budget, since spending is spread But a number of interviewees acknowledged
out among numerous departments. There the pace of cybersecurity budget increases is
are “hidden” cyber costs to consider, such as unlikely to be sustainable over the long term.
security-related expenses borne by application One respondent said outlays for security are
development teams, employee risk management “definitely on the rise, but not limitless.” Another
training programs, the legal department, as well predicted that he won’t be able to justify higher
as related expenditures across the enterprise. and higher budgets “in perpetuity.” A third
pointed out that while spending will continue
This enviable “money is no object” attitude at most going up for quite some time, he wants to at least
FSIs reflects a recognition on the part of senior bring down the rate of increase, and level it off, if
management and board members that cyber risks possible.
pose an existential threat to the organization, not
only in terms of potentially huge financial and But for now, the biggest budget issue is not
legal liabilities, but also considering the long- the amount of money available, but the ability
term damage that could be done to a company’s of CISOs to execute their strategies and
reputation and market share. One executive said communicate the ROI of their risk management
their budget had doubled since a competitor programs. CISOs need to be able to have a
suffered a major breach, which served as “a dialogue with business leaders around ROI and
real wake-up call” for his company. “That was a demonstrate material risk reduction and/or risk
game changer for us.” As one CISO explained, if a avoidance. Communicating in simple terms the
substantial event occurs, a company doesn’t want quantitative and qualitative benefits of cyber
6
Lessons learned from the front lines at financial institutions
investments will be more important than ever as simultaneously, CISOs should triage among
scrutiny increases. competing calls for investments. One interviewee
advises his staff to be “disciplined” about product
CISOs will need to pay particular attention to
choices as new solutions emerge. CISO teams
managing a solution’s lifecycle. Hindering this
should see what works and what doesn’t before
is the complaint by many that while they have
adding or substituting new security technologies
the budget to deploy new tools and systems as
as they are introduced.
needed, they often lack enough people with the
necessary skill sets and capabilities for ongoing Beyond talent and technology, key areas that
care and feeding of solutions to enhance their shouldn’t be neglected at budget time include
effectiveness. Execution speed is also greatly investments to create a cyber risk-aware culture.
impacted by the inability to find and retain the Many of those we interviewed have already
necessary personnel in a highly competitive initiated extensive and ongoing employee training
marketplace. Talent development and sourcing programs to keep workers on their toes, such as
strategies are therefore going to require much virtual training and phishing tests, for example.
more highly focused attention—a topic dealt with However, we received consistent feedback that
in more detail later in this paper. pure web-based instruction is not enough, with
leading organizations using cyber war-gaming,
Longer term, at some point CISOs will have
red-teaming, and other table-top techniques
to start making hard choices on spending
to increase human, hands-on participation in
priorities, based on a true cybersecurity game
training exercises. This process should also be
plan that is aligned with the company’s business
extended to include education of third parties,
and technology strategies. Since it is probably
including business partners, vendors, and
unlikely, even for the largest institutions, to allot
customers—all of whom could be compromised
funds to build capabilities in all areas of security
to penetrate an FSI’s systems.
• Ensure lifecycle coverage. Budget money not just for deployment but to keep solutions alive and
effective for a number of years.
• Don’t neglect cyber talent development. Invest to recruit, retain, and train the next generation
of cyber warriors.
• Don’t shortchange cyber awareness programs and protocols. Keep spreading the word
beyond employees to vendors, business partners, and customers.
7
Taking cyber risk management to the next level
functioning primarily for a balance between the two, so that security prin-
ciples are built into new products, applications,
now as “first responders,” and the like from the start, saving time, money,
and effort to keep them safe from intruders later.
putting out a never-ending A big consideration is where a particular FSI is
series of brush fires while located on the cyber risk management matu-
rity curve. Some we spoke with remain in the
trying to head off a cyber very early stages, spurred to ramp up quickly by
a breach of their system or spooked by a major
“inferno” that could take industry event. Others were facing challenges
addressing security vulnerabilities in the after-
down the enterprise. math of recent mergers and acquisitions. A hand-
ful were much further along the curve, having
8
Lessons learned from the front lines at financial institutions
The time it took attackers to The time it took victims to The time it took victims to
compromise the system from discover the incident: contain the incident
the start of the attack: Incidents took weeks or more Incidents took weeks or more
Incidents* within minutes or less
98%
69%
61%
51% 50%
25%
*“Incidents” are cyber events that actually or could potentially compromise the integrity of a system’s data or operations.
Source: Verizon, Data breach investigations report (financial services), 2012 and 2016.
Graphic: Deloitte University Press | DUPress.com
created strong programs that continue to evolve enterprise. This starts with having a cybersecu-
with the threat landscape. However, while FSIs rity strategy and roadmap that are aligned with
are improving their resilience in terms of how those of business, operations, and information
long it takes, on average, to contain an incident technology. It also means having an accountabil-
once an intrusion is discovered, there remains ity model where multiple departments play a key
plenty of room for improvement when it comes role as part of the first line of cyber defense, so
to detecting breaches and preventing intruders CISOs are not left fighting the battle on their own.
from compromising their systems (see figure 3).4
This effort could be facilitated by creating an
oversight committee that includes the chief
Where might FSIs go information officer, chief operating officer, chief
9
Taking cyber risk management to the next level
Second, proper pacing and monitoring are enablers of business, and as such should have a
crucial to keeping everyone on the same page key place at the innovation table. To accomplish
and moving forward together. One respondent’s this, security professionals cannot be perceived
company had adopted an “agile methodology” as merely putting up barriers, but instead should
to introduce changes in processes and systems be facilitating the drive toward digital banking,
at a rapid pace. Instead of announcing a three- fintech, regtech, cloud adoption, digital identity,
year project that may be difficult to digest, this and other innovations to follow. This involves
respondent concentrates on implementing a being part of the innovation councils at both the
series of security changes in “sprints” within enterprise and LOB level, as well as having skills
much shorter timelines that show continuous on the team to engineer next-generation solu-
value creation and ROI. tions. CISOs need to be seen as striking the right
balance between finding and asking for time for
Third, cybersecurity should move from being a
remediation vs. enabling the next frontier for the
“no” to a “yes, and” organization. They need to be
business.
• Establish an accountability model. Ensure business, operations, and CIO teams understand
their roles and have skin in the game.
• Get ahead of the curve on innovation. Build specific plans for cloud, fintech, regtech, and other
cutting-edge developments.
10
Lessons learned from the front lines at financial institutions
$2,500 250
$2,333
$2,000 200
$1,917
$1,500 150
$0 0
2012 2013 2014 2015 Q1 2016
Source: CB Insights.
Graphic: Deloitte University Press | DUPress.com
11
Taking cyber risk management to the next level
contracted with a vendor to create a new product Amidst what one referred to as all the “noise”
that would meet their specifications, which they being generated by the steady stream of new
could pilot together. “If it works, they can sell it to offerings, many respondents said it is becoming
the general market, but we have it first,” he noted. increasingly difficult to decide which products
A second respondent said his company is “men- they really need, as well as to distinguish who has
toring” a start-up in “the deep, dark web space” a better mousetrap among competing vendors.
to generate more innovative security options.
FSIs are also struggling to integrate multiple
However, the fact that almost all of our respon- solutions into their legacy systems and recon-
dents rely mainly on vendors for cybersecurity cile them with other security products already
technology innovation doesn’t mean the indus- installed (see figure 5).6 Such integration efforts
try is satisfied with the products or services on can cost many multiples more than the product
the market today. Indeed, we found quite the itself. They also noted that rather than becoming
contrary. CISOs frequently complained about fixated on the “next shiny object” hitting the mar-
what some called a “flood” of new cybersecu- ket, getting basic foundational capabilities right
rity solutions being pitched to them as start-ups (such as asset and configuration management,
proliferate. What’s worse, many said vendors secure development practices, etc.) can go a long
are pushing products that are either redundant way to address core issues at many institutions.
to what they already have, or are simply nones-
Balance between external threat intelligence and
sential to their core security efforts. This may
internal, organizational intelligence was one par-
portend a broader shakeout sometime soon in
ticular area that generated a lot of dialogue. Many
the security start-up space.
Figure 5. Integration and complexity issues present remediation challenges for CISOs*
Threat intelligence
activities/processes are 64%
difficult to manage
INTEGRATION
CHALLENGES ON INTEL Does not integrate easily with
The problems with current various security technologies 16.5 59%
cyber threat intelligence
*Multiple industries, with financial services forming largest segment of the respondent base at 22%.
Sources: Lockheed Martin and Ponemon Institute, Intelligence-driven cyber defense, February 2015; Lockheed Martin and
Ponemon Institute, Risk and innovation in cybersecurity investments, April 2015.
12
Lessons learned from the front lines at financial institutions
felt that while some keep chasing intel from When it comes to specific cyber innovations,
outside sources (described by one as “death by cloud technology generated the most buzz
feeds”), there is not enough accountability and among those we interviewed. Some CISOs hope
resources spent on operationalizing available cloud solutions could be a cybersecurity pana-
threat intelligence and also being smart about cea, believing it is unlikely their company could
internal intelligence—what one called “the orga- do a better job protecting data and systems on
nizational footprint.” its own. On the other extreme were those who
worry that the cloud, whatever its business
advantages, might create new cyber vulnerabil-
Where might FSIs go ities such as concentration risk, issues during
from here? incident response, and other problems.
Most FSIs conceded there are no easy answers to The rest fell somewhere in between hope and
the dilemma of product proliferation. There has fear. However, one CISO emphasized that regard-
been a round of consolidation among cyberse- less of the path a company chooses, the primary
curity vendors, with 133 merger and acquisition security burden is still on the FSI, “even if you
deals totaling $10 billion in 2015, according to forklift all your existing applications to the cloud.”
451 Research. That trend is likely to continue, as He explained that the cloud does not relieve
a 451 Research survey of tech investment bank- companies of responsibility for putting basic
ers last December found that for the first time in security processes in place, as well as keeping
five years, mobility was displaced by enterprise them well-maintained and regularly upgraded.
security as the top target of M&A spending for Some companies have or may choose to build
the year ahead.7 their own private clouds to retain direct control
over cybersecurity. But the question is whether
However, that trend is likely to be more than that fallback option would be less expensive,
offset by ongoing launches of start-ups in the more agile, or any more reliable from a security
space, with 104 new companies financed in the standpoint than the risk management protocols
first quarter of 2016 alone,8 offering the promise of a third-party cloud provider.
of greater innovation from new players, but also
perpetuating the fragmentation that is frustrat- Another area where we may soon see innova-
ing many CISOs. In the end, the need for more tion is the adaptation of blockchain technology
integrated solutions will remain high on the to enhance cyber risk management. In addition
agendas of most we interviewed.
13
Taking cyber risk management to the next level
14
Lessons learned from the front lines at financial institutions
think about these things while you’re having a to be better prepared to anticipate potential
crisis,” one CISO warned. breaches by using advanced data analytics. Their
mission would go beyond looking for indicators;
Better leveraging of data and analytics was also
their marching orders would be to get ahead of
cited as a major source of potential innovation
the threat actors and anticipate attacks rather
by those interviewed. One company is exploring
than remediate after the fact. They would accom-
ways to utilize big data technology that’s already
plish this, in part, by injecting themselves into the
available on the customer side of the business to
ecosystem and using counterintelligence tech-
improve cybersecurity as well. It has data scien-
niques to see where hackers and disruptors are
tists helping IT security assess threat scenarios,
trying to operate.
evaluate available data points, and develop cyber
risk models. A word of caution, however. When dealing with
analytics, it’s usually a good practice to start
Another respondent cited the importance of ana-
off small. Rather than collect sweeping sets of
lytics when it comes to detecting and thwarting
data from the entire organization and then fig-
non-malware-based compromises. Behavioral
ure out what to make of it all, CISOs need to do
analyses are crucial in determining whether a
more critical thinking at the front end to deter-
user or system is behaving the same as the day,
mine exactly what they want to accomplish and
week, month, or year before. “The analytics
which data they’ll need to fulfill their goals. It was
pieces have the ability to open up visibility into
suggested they follow the example set by those
the sort of softer things that you simply can’t
using analytics to generate machine learning in
write a rule about,” this CISO said, adding that
basic fraud detection and anti-money launder-
the only way to really deal with that effectively is
ing efforts, where the problems and solutions are
“statistically and probabilistically.”
tightly defined.
Another CISO said his organization is looking to
develop “cyber warriors” who would be trained
• Innovate process and structure, not just technology. Consider the 10 dimensions of innovation
and apply them to security, including non-tech elements such as business model, channel, and
core processes.9
• Learn from the business side. Leverage analytics lessons and expertise to innovate for cyber.
• Collaborate at all levels. War-gaming, intelligence sharing, and fusion centers generate threat
awareness and insights across the enterprise.
15
Taking cyber risk management to the next level
Where are FSIs now? sary skill sets at your disposal to formulate and
execute strategies for security, vigilance, and
While funding for cybersecurity may be abundant, resilience, it won’t matter what solutions a
a survey by ISACA found that qualified talent is in company buys or builds because projects won’t
extremely short supply (see figure 6),10 so it’s not get the level of execution they need.
surprising that many of those we spoke with cited
the inability to bridge the talent gap as their top One stated that, “There are many pretenders, but
challenge. The resulting lack of ample in-house not enough real talent.” While a number of new
expertise makes it difficult for companies to university cyber risk management programs have
innovate, deploy new security technologies, and been launched of late, it will likely take five years
launch intelligence-driven cyber defenses (see or more before businesses start seeing the full
figure 7).11 benefit of that investment, leaving a significant,
lingering talent gap to fill in the interim.
Our interviewees certainly were in agreement
with these findings. Most were vehement that if Complicating matters is that many companies
you don’t have the right people with the neces- are looking for “triple threats”—not merely data
*Multiple industries, with financial services forming largest segment of the respondent base.
**Percentages do not add up to 100% due to rounding.
Source: State of Cybersecurity: Implications for 2016, ISACA and RSA Conference Survey, March 2016.
Graphic: Deloitte University Press | DUPress.com
16
Lessons learned from the front lines at financial institutions
*Multiple industries, with financial services forming largest segment of the respondent base.
Sources: Lockheed Martin and Ponemon Institute, Intelligence-driven cyber defense, February 2015; Lockheed Martin and
Ponemon Institute, Risk and innovation in cybersecurity investments, April 2015.
scientists and security technology specialists, but starting to test-drive, with some start-ups using
also those who understand strategic planning as that as a model to identify skilled resources.
well as how to integrate cyber risk management While interesting, crowdsourcing has also raised
without unreasonably inhibiting business devel- a number of questions about the inherent risks
opment or undermining customer experience. of giving critical tasks to an unknown person or
Most CISOs also cited a need for communication someone not vetted by the company.
as well as problem-solving skills. Changing talent
Exacerbating the problem is that companies
needs and expectations are being driven by the
frequently complained about turnover. In that
transition of cybersecurity from an IT-centric,
regard, FSIs have some blame to share, because
purely technical facilitator to a business risk
many poach talent from peer organizations,
function. One respondent quipped, “People like
prompting a continuous movement of people
this don’t grow on trees.”
among the institutions. One CISO estimated
Respondents also questioned the lack of a secu- his department spends 20 percent of the time
rity services strategy that exacerbates the talent seeking the right talent, particularly to back-fill
issue. Some organizations believe that they have those moving on to greener pastures. Many said
to build all security services internally, and very they had lost a significant number of key people
soon will find it extremely difficult to hire, train, to vendors, fueled in part by the proliferation of
grow, and retain talent across all disciplines. cybersecurity start-ups. A few pointed out their
Some organizations, as part of their overall vendors and service providers are having a hard
strategy, have undertaken a conscious and often time holding onto people as well, which could
painful debate about which services they should upset the continuity of projects. This calls atten-
retain internally and which they should cosource tion to the need to assess bench strength when
or outsource while managing the risks. Crowd- engaging an outside firm for products or advice.
sourcing is another phenomenon that FSIs are
17
Taking cyber risk management to the next level
18
Lessons learned from the front lines at financial institutions
names of the worst offenders among employees tive approach—perhaps backed with scholarship
repeatedly failing phishing tests, a development funding for technology students in college or
which soon started driving improved security graduate school, or recruitment drives to educate
behavior. non-traditional candidates with critical thinking
and analytical skills from the arts or humanities—
Meanwhile, FSIs might consider launching a
could help bolster the ranks of those choosing a
collective industry-wide talent development
career in FSI-related cyber risk management.
and recruitment campaign. Such a collabora-
• Define a focused human capital strategy. Partner with your talent team to develop next
generation “cyber ninjas.” Recruit inside and outside the company and industry.
• Rotate talent to expand capabilities. Draw expertise from tech, business, fraud, anti-money-
laundering, and physical security teams.
19
Taking cyber risk management to the next level
Where are FSIs now? cyber risk management. It’s come to the point
for many where reporting duties are beginning
Former New York City Mayor Ed Koch was to hinder operational efficiency. One cited a
famous for seeking feedback from constituents severe case of “audit fatigue,” while another said a
while riding the subways or standing on street “cottage industry” has arisen in their department
corners. His signature slogan during such jaunts to respond to reporting requests. Yet another
among the masses was, “How’m I doing?” He wearily characterized the “constant cycle of
usually got an earful. explanation” they must endure as “very déjà vu.”
Cyber risk executives are in much the same posi- A big part of this problem is what one respon-
tion, racing to keep up with mounting exposures dent described as “regulatory disharmonization,”
and responsibilities while struggling to meet expressing concern that the lack of standardiza-
the oversight demands of a growing number of tion in reporting expectations is “getting so out
internal and external stakeholders. Making these of hand it’s creating risks rather than preventing
challenges more difficult to overcome is a general them.”
dissatisfaction among CISOs we interviewed with
the metrics currently employed to measure their US Senator Dean Heller of Nevada spotlighted
progress, as well as a lack of standardization in this issue in a letter to US Treasury Secretary
terms of what they have to report to all those Jacob Lew and Federal Reserve System Governor
looking over their shoulders. Daniel Tarullo on March 4, 2016. Heller, a member
of the Senate Banking, Housing, and Urban Affairs
One respondent summed up the prevailing senti- Committee, wrote, “Much better coordination is
ment in calling for cyber risk metrics that are
“easy to understand, common across the industry,
and automatable, but that’s simply not the case Many indicated they are
today.” Many indicated they are operating in a
vacuum, without any industry-wide benchmarks operating in a vacuum,
against which to measure their organization’s
cybersecurity maturity level. Almost all cited without any industry-wide
considerable hardship in dealing with different,
yet often redundant reporting requirements. benchmarks against
This latter point is particularly significant, as which to measure their
many interviewees complained that they are
spending as much as half their time explaining organization’s cyber-
what they’re doing—to regulators and auditors, as
well as their CIOs, senior management teams, and security maturity level.
board members—rather than actually practicing
20
Lessons learned from the front lines at financial institutions
Where might FSIs go that one compromised device? Did the intrusion
spread beyond that user, department, or office?
from here?
One CISO goes this route by emphasizing “dwell
Given that measuring the impact of cybersecu- time,” measuring how long intruders linger once
rity is “still more art than science,” as one of our they penetrate a company’s system, with the goal
respondents put it, how might FSIs get a better being to limit their ability to move laterally and
handle on the state of cyber risk management at do serious damage once they’re inside. If detec-
their companies? How might well-intentioned tion and mitigation systems quickly respond and
yet increasingly burdensome reporting demands isolate an intrusion before any significant loss
become more manageable and productive? is sustained or disruption accomplished, that
should be considered a win, this respondent
In terms of settling on the most impactful metrics,
concluded. At least one company even chooses to
some respondents suggested that instead of
let intruders stay for a while to monitor them and
focusing just on the number of attacks or intru-
try to learn what they are after before blocking
sions, the key measure should be a company’s
them and kicking them out of their system.
response time and effectiveness in containing
threats. How soon are intrusions detected? How Qualitative analysis may also help communi-
quickly does a company respond? How seri- cate the effectiveness of cyber risk management
ously are systems compromised, and how much programs, a number of respondents noted. One
damage is done? How long does recovery take? FSI replaced its purely quantitative cyber risk
How is the impact on operations minimized? scorecard with scenario assessments, exam-
ining individual operations from an enterprise
Along those lines, a holistic view is much more
risk tolerance perspective. How prepared is the
relevant, with metrics based not on whether
company to counter a particular threat? How
individual controls are effective in isolation, but
close or far is it from being ready? What does it
whether a layered series of controls do the job
need to do to be ready to offset each risk?
in the aggregate. For example, when dealing with
malware, companies may be less concerned about Another respondent suggested that storytelling
the infection of an individual computer than is an important component in demonstrating the
whether there’s any wider adverse impact. Was value of cybersecurity in real terms, noting that
21
Taking cyber risk management to the next level
his company provides narratives in its reports respondent observed, “Everyone is modifying
on risks averted, disruptions avoided, and money them for their own purposes. There are very
saved to show tangible benefits. “If we can get a different views of what ‘good’ looks like.” These
great success story each week, that’s a win,” he frameworks need to continue evolving, offering
said. additional guidance around the metrics compo-
nent and what optimal reporting should involve.
Such an approach can be particularly effective
when presenting reports to board members. One CISOs will likely need outside help and broad
of those interviewed said boards generally have cooperation to achieve the desired state
three bottom-line qualitative questions: Are you of measurement and reporting nirvana. In
able to identify cyber risk and get the enterprise accounting, regulators drive standardization.
behind managing that exposure? Can you then Therefore, not having a centralized body—either
prioritize what’s most important? Do you have public or private—to set the bar for cyber risks
the resources you need to get the job done? is perhaps the main industry-wide problem that
needs to be overcome.
In terms of standardization, respondents indi-
cated that they crave leadership at both the Those we interviewed agreed that standardiza-
industry level as well as by the government to tion would go a long way toward making the
drive dialogues. CISOs are seeking certainty in reporting process not only more efficient and
assessing and reporting their status. Along those cost-effective, but more impactful as well. There-
lines, it would be ideal to have a widely accepted fore, getting everyone with skin in the cyber risk
“cyber risk balance sheet” at their disposal. Cyber- management game to rally behind standards
security frameworks have been developed and could be a key goal for the industry going forward.
are starting to gain wider adoption, but as one
• Coalesce reporting around the top 20 metrics. Among hundreds of data points that can be
collected, build consensus within the organization on what matters most.
• Integrate data into an overarching narrative. Include qualitative stories with statistics; provide
context and real-life results to engage stakeholders.
• Implement a rapid reaction force. Stay on top of industry events and how your company
is responding.
22
Lessons learned from the front lines at financial institutions
Where are FSIs now? a threat quicker and can respond more proac-
tively. One CISO observed that while there are
In 1776, Benjamin Franklin told his fellow members “tons” of providers for threat intelligence, tech-
of Congress at the signing of the US Declaration nology and processes are needed to make such
of Independence, “We must all hang together, information more consumable and actionable by
or assuredly we shall all hang separately.”13 That either humans or machines—described by this
sage piece of advice should resonate with cyber individual as the “secret sauce.”
risk managers because they, too, face a common
enemy. Those we interviewed seemed to agree
that information sharing among trusted parties Where might FSIs go
is critical. Such cooperation helps alert poten- from here?
tial targets about emerging threats, and forces
attackers to continue coming up with new ploys There is no shortage of opportunities to swap
and techniques. cyber war stories from the front lines. Beyond
attending conferences and other gatherings
Yet even though there are a number of formal and hosted by cyber risk organizations, industry
informal networks in place, intelligence sharing associations, and government agencies, many of
still leaves much to be desired for a variety of those we interviewed found the most value from
reasons. Many respondents cited conflicting the informal networks they’ve built over the years.
local and international regulatory boundaries One respondent said he depended upon “a circle
as a significant obstacle. Others lamented a lack of trust”: colleagues from other firms, both inside
of information specific to FSIs in general and and outside financial services, whom he can turn
their own industry sector in particular. Some to in a crisis and use as a sounding board. Some
noted there are legal and policy barriers within organizations are considering extending that
their environment hindering the free flow of circle to their strategic clients as well as vendors
information. and other partners in order to share intelligence.
But the biggest complaint was the inability to Yet despite good intentions, information sharing
make sense of all that’s shared so companies can can be problematic given the potential liabil-
better anticipate and head off potential cyber- ity and logistical hurdles that often must be
attacks. One CISO said the industry is still in cleared. Many said they are still not comfort-
its “infancy” in this regard, observing, “Our raw able pooling information, despite new legislation
mathematical capability is outpacing what we facilitating such collaboration, because they are
can actually do with all the data we’re collecting.” unclear about what they can share legally. And
High on the wish list of our respondents was a while greater clarity from lawmakers on this
way to automate threat assessment to help their front would be welcome, intelligence sharing will
human analysts “connect the dots” so they sense likely remain problematic if only because, as one
23
Taking cyber risk management to the next level
respondent put it, “You can’t legislate trust. It’s While there are a number of risk assessment
going to take years to develop.” tools and systems on the market, many respon-
dents called for greater automation of threat
Information overload becomes an even bigger
intelligence in a rules-based system that filters,
issue when you consider that FSIs are also
integrates, and analyzes available data without
purchasing intelligence from a number of private
human intervention. Such capabilities today
vendors, with mixed results. One particular
are “super immature right now,” according to
complaint was the amount of generic data being
one interviewee, who said, “Automation could
supplied, as opposed to intelligence specific to
potentially be game changing if we can get a
financial services, or even to one specific sector
groundswell on that.”
or company—given that threat actors are special-
izing down to the individual firm level. Others Respondents also called for organizations to
lament the necessity of having to piece together strike more of a balance between dependence on
data from a wide variety of sources to create external vs. internal intelligence, with the latter
relevant, useful information. focused on improving situational awareness and
monitoring anomalous user behavior. To that end,
The biggest challenge respondents cited in this
the use of big data analytics and machine learn-
area is improving their ability to leverage the
ing to solve cyber problems generated much
data collected from a wide variety of sources
discussion and debate. Some organizations said
to produce predictive analytics that more
they are struggling to justify ROI or prioritize
quickly expose and head off looming threats.
such efforts, described by one respondent as “a
Many expressed a desire to shift emphasis from
hammer looking for a nail.” Others continue to
volume-focused intelligence (trying to get more
invest through targeted pilots.
and more data) to action-focused. (How can they
maximize the use of all this information?)
• Turbocharge human analysis with automation. Pilot threat intelligence management platforms.
• Balance external and internal intelligence. Improve situational awareness with big data
analytics and machine learning.
• Promote regular threat briefings. Package with success stories for target audiences.
24
Lessons learned from the front lines at financial institutions
F
OR those on the front lines in cyber risk respondent put it, “The reality is, cybersecurity
management, the good news is that senior risk management is an ongoing journey, never
leadership and board members are well a destination.” Therefore, CISOs will need to be
aware of the seriousness of the exposures their continuously on guard and innovative to keep
companies face and have been very supportive up, let alone stay ahead of the bad guys trying to
of efforts to make FSIs more secure, vigilant, and break into their systems 24/7.
resilient. Indeed, the companies we interviewed
appear to be willing to invest whatever it takes To accomplish this, risk managers need to not
to enhance cyber risk management personnel, only hit moving targets as they arise; they need
processes, and technology in the short term and to do a better job proactively probing for weak-
long term. nesses in their environments. They also have to
manage expectations. While zero tolerance is
At the same time, however, many FSIs continue
an unrealistic goal when it comes to protecting
to feel underprepared to detect and ward off
their institutions, containment of the damage is
the ever-evolving threat of massive financial
doable. For example, one respondent echoed a
fraud or data loss, and are increasingly worried
number of his colleagues when he spoke about
about destructive attacks or coordinated assaults
looking to “compartmentalize” his network to
against the financial ecosystem.
“restrict the blast radius of an attack.”
Part of the problem is that FSIs are still often
They also must improve their talent development
flying blind, grappling with the particulars of how
and recruitment efforts. Attracting, training, and
to measure and report their progress in contain-
retaining the right people, as well as managing
ing cyber risk, as well as determine how they
the complexities of the job, takes far greater lead-
stack up against their peers. They are also having
ership and innovative thinking than it used to.
trouble deciding how much information they
are willing and able to share with others facing Beyond the CISO’s immediate circle, marshalling
a common enemy. Last but not least, figuring people power, not just technology solutions, is a
out how they can most effectively leverage the big part of the containment effort. Whereas FSIs
data they collect from a wide variety of sources may have covered most of the bases in terms of
to produce reliable, predictable, and actionable
intelligence remains a work in progress.
25
Taking cyber risk management to the next level
raising awareness of cyber risks, the next frontier theoretically handled in a laboratory setting.
is to influence actual behavior. Are stakeholders Some are running live exercises so they can keep
acting on their awareness, or merely “check- their businesses up and running the old-school
ing the box” when alerted about potential cyber way after a serious event. One went so far as to
vulnerabilities? note, “We are preparing to recover our services
from bare metal if necessary.”
Still, despite all their best efforts, most FSIs are
likely to see their systems breached or compro- In the end, CISOs cannot defend their organiza-
mised at some point, so recovery and resiliency tions alone. They need collaboration, cooperation,
are two critical back-end considerations. A as well as shared responsibility and accountabil-
number of those we spoke with are running more ity to permeate a cybersecurity mentality across
than just table-top exercises or war-gaming, the entire enterprise.
where the consequences of a cyberattack are
But CISOs can and should be leading the charge to
spread the word about what’s at stake for every-
one involved, and what must be done to counter
and contain the threat. Their role in the organi-
zation should be enhanced to help FSIs meet this
existential challenge. With greater power will
come greater responsibility, but the elevation of
CISOs may be necessary to make cybersecurity,
vigilance, and resilience considerations second
nature in every facet of an FSI’s business opera-
tion. Only then can the risk management efforts
of informed employees, vendors, partners, and
customers be coordinated to serve as effective
antibodies against those threatening to do their
companies harm.
26
Lessons learned from the front lines at financial institutions
ENDNOTES
1. Ponemon Institute (sponsored by Hewlett Packard Enterprise), 2015 cost of cyber crime study (United States),
October 2015, http://www.ponemon.org/library/2015-cost-of-cyber-crime-united-states.
2. Deloitte Touche Tohmatsu Ltd., Global risk management survey, ninth edition, May 2015, http://www2.deloitte.
com/ru/en/pages/financial-services/articles/9th-global-risk-management-survey.html.
3. Ibid.
4. Verizon, Data breach investigations report (financial services industry reports), April 2016 and October 2012,
respectively, http://www.verizonenterprise.com/verizon-insights-lab/dbir/.
6. Ponemon Institute (sponsored by Lockheed Martin), Intelligence driven cyber defense, February 2015, http://
cyber.lockheedmartin.com/intelligence-driven-cyber-defense-survey-results, Ponemon Institute (sponsored by
Lockheed Martin), Risk and innovation in cybersecurity investments, April 2015.
7. 451 Research, “451 Research identifies nearly 300 M&A and IPO candidates in its annual 2016 tech M&A
outlook,” February 26, 2015, https://451research.com/images/Marketing/press_releases/02.25.16_MA_Out-
ook_2016_PR_Final.pdf.
9. Larry Keeley et al., Ten Types of Innovation: The Discipline of Building Breakthroughs (New York: Wiley, 2013).
10. ISACA and RSA conference survey, “State of cybersecurity: Implications for 2016,” March 2016, ©2016 ISACA. All
rights reserved. Used by permission.
11. Ponemon Institute, Intelligence driven cyber defense and Risk and innovation in cybersecurity investments.
12. Credit Union National Association, CUNA News, “Sen. seeks FSOC-FFIEC plan for coordinating cybersecurity
exams,” March 8, 2016.
27
Taking cyber risk management to the next level
SAM FRIEDMAN
Sam Friedman is the insurance research leader at the Deloitte Center for Financial Services in New
York. He joined Deloitte in 2010 after three decades as a business journalist, most prominently as the
longtime editor-in-chief of National Underwriter. At Deloitte, his research has explored consumer be-
havior and preferences in auto, home, life, annuities, and small-business insurance. Additional studies
have examined how auto carriers can leverage telematics to improve underwriting and marketing for
usage-based insurance, what the financial services industry might do to more effectively help consum-
ers achieve retirement security, as well as how insurers might apply strategic risk management concepts
to avoid disruption.
CONTACTS
28
ACKNOWLEDGEMENTS
The Center wishes to thank the CISOs and other cyber risk management professionals at financial ser-
vices institutions who agreed to share their experiences and insights for this report.
The Center would also like to thank the following Deloitte client service cybersecurity professionals for
their support and contributions:
The Center would also like to thank the following Deloitte professionals for their support and
contributions:
• Michelle Canaan, manager, Deloitte Center for Financial Services, Deloitte Services LP
• Michelle Chodosh, marketing manager, Deloitte Center for Financial Services, Deloitte Services LP
• Sallie Doerfler, senior market research analyst, Deloitte Center for Financial Services,
Deloitte Services LP
• Karen Edelman, manager, US Eminence, Deloitte Services LP
• Junko Kaji, senior manager, US Eminence, Deloitte Services LP
• Lisa DeGreif Lauterbach, Financial Services Industry marketing leader, Deloitte Services LP
• Seth Raskin, manager, Deloitte Services LP
• Lincy Therattil, manager, Deloitte Center for Financial Services, Deloitte Services India Pvt. Ltd.
Follow @DU_Press
Sign up for Deloitte University Press updates at DUPress.com.
About Deloitte University Press
Deloitte University Press publishes original articles, reports and periodicals that provide insights for businesses, the public sector and
NGOs. Our goal is to draw upon research and experience from throughout our professional services organization, and that of coauthors in
academia and business, to advance the conversation on a broad spectrum of topics of interest to executives and government leaders.
Deloitte University Press is an imprint of Deloitte Development LLC.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description
of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed
description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules
and regulations of public accounting.
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited