The survey was conducted in January of 2016 by BankDirector.com where they asked executives and board members at 161 different financial institutions of various sizes a wide range of questions regarding culture, preparedness, and concerns related to risk.
My key takeaways for banks under $1B (where most of my focus lies):
- 77% of respondents listed cybersecurity as a concern, compliance being a distant second at 46%
- 37% didn't have a full-time CISO, 75% of those stating the responsibility lies with IT staff, 7% with the Risk Officer, and 18% assigned it to "Other"
- Only 50% have completed the FFIEC CAT
- Only 41% of those completing the CAT have implemented a plan to attain their target maturity level
- The report did a break-down in most categories, comparing preparedness of those with a CISO and those without, and in almost every category, the banks with a CISO were more prepared than those who assigned the duties elsewhere
If this is your situation, there are ways to achieve the benefits of a full-time CISO at a fraction of the cost. It may be time to consider alternative approaches to strengthen and enhance your cybersecurity program.