The Bedel Security Blog

Five Questions You Should Be Asking About Your Cybersecurity Program

Written by Chris Bedel | May 6, 2022

Ahh, springtime. I love it. The birds, the flowers, the warm sunshine, the BankDirector.com Risk Survey Report.

Wait, what?

Yeah, call me a nerd. I always enjoy that report, and it usually releases in March/April of each year.

I did my first review of the results of the Risk Survey Report back in 2016, and it has been interesting to watch bank executives' opinions on cyber risk evolve over the years. (2021 has been my favorite one: https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus)

The interesting thing about this report for me is that it generally spurs questions rather than answers, and so today's blog post is about asking yourself the five questions that came to my mind as I read the report.

I'm going to walk through the report a little bit, call out some of the things that I thought were interesting, and then share with you the questions that followed from each.

Okay, here we go.

The Risk Survey usually starts by asking respondents to rank their bank's areas of risk, or changes in risk to their bank. This year, 93% of those surveyed say their concerns about cybersecurity risks have increased in the last year: 50% say it has increased significantly, while 43% say it has increased somewhat.

The next two highest areas of concern from the survey were interest rate risk and regulatory requirements, both coming in at around 72%. That means the increase in concern over cyber is 20% higher than the next highest concern. Cyber has consistently been a concern over the past six years. But look at that one more time: half the banks surveyed said that cybersecurity concerns have increased SIGNIFICANTLY – in one year.

So, a couple of questions come to mind when I see this:

If cyber concerns have increased for your financial institution, what is your plan to change how you are managing this risk?

Do you have the framework and leadership in place to manage cyber risk in a consistent, repeatable way as the landscape evolves?

The next question that caught my eye asked where the respondents saw room to improve their bank's cybersecurity program. The first thing that jumps out at me on this one was that 83% said that they need to improve training for bank staff.

While it's great, and I absolutely love the idea of increasing and improving training, there's a part of me that hoped this number was lower. There are plenty of affordable resources out there to help with this; if you need a recommendation on a solution, send me an email and I will point you in the right direction.

The remaining responses to this question really fall into either technical controls or management and governance controls.

64% of the respondents said that they would like to implement technology to better detect and/or deter cyber threats and intrusions. Others said they would like to improve monitoring for remote staff.

The softer, management responses included things like:

  • attracting and retaining security personnel,
  • internal and external communications,
  • board expertise and training, and
  • board governance and oversight.

So that brings up a couple more questions:

Where would you spend the next dollar to improve your cybersecurity program?

Is that decision based on the specific risk profile of your financial institution – as opposed to best practices or the latest trends?

The last question that I found interesting was centered around the activities the board is involved in regarding oversight of the bank's cybersecurity program.

Three stats jumped out to me:

  • 79% of bank boards participate in board-level training to understand cyber risks,
  • 75% of bank boards ensure that management continually works to improve the cybersecurity program, and
  • 71% of bank boards understand and are apprised of deficiencies in the bank's cybersecurity risk program.

At first glance, it might be easy to say those are decent percentages. The problem is that those three items are pretty much non-negotiable. It doesn't matter whether you're baseline or bleeding edge, your bank board should at least be doing those three things.

What this question tells me is that about 30% of the banks out there have room for improvement in board oversight, and that is the source of my last question.

Do you have the pieces in place to ensure adequate levels of board involvement in your cybersecurity program? (If not, what is missing?)

I hope you love these kinds of statistics as much as I do, and I hope you found this article helpful and these five questions thought-provoking.

If any of them spur questions on your end, please feel free to send me a note at chris@bedelsecurity.com.

For a copy of the BankDirector.com Risk Survey Report: https://www.bankdirector.com/committees/risk-committees/2022-risk-survey-complete-results/


Additional Resources:

The 1 Thing You Can Do to Improve Your Cybersecurity Program
https://www.bedelsecurity.com/blog/the-1-thing-you-can-do-to-improve-your-cybersecurity-program

5 Secrets to Security Success
https://www.bedelsecurity.com/blog/5-secrets-to-security-success

Choosing a Cybersecurity Framework
https://www.bedelsecurity.com/blog/choosing-a-cybersecurity-framework

The CISO Assessment
https://www.bedelsecurity.com/services/the-ciso-assesment