Other parts of this series:
- Financial services need new security mindset to support strategic growth initiatives
- What new technology developments offer opportunities to enhance security?
- Cyber risks and company stakeholders – a key to financial firms’ security
- Helping financial firms to transform security for “New IT” landscape
- Identity management and threat intelligence are key security spends for financial firms
- Planning for security failure is critical for success
Over the past few weeks, we have examined the importance of the security function at financial services institutions shifting away from its historical focus on compliance in the “New IT” landscape. But how can firms now go about transforming security?
First, let’s examine what the security function should look like after it makes this pivot.
We believe that security could be far more effective by aligning its approach with the organization’s business strategy, evolving cyber threats and the emerging technology trends. Indeed, Accenture envisions security playing more of a strategic role within organizations and becoming an innovator that supports the business vision.
To that end, security should focus on professional and customer-oriented cyber security with a proactive approach toward protection, detection, response and recovery. This is more than theory. According to the 2015 study The Security Leap: From Laggard to Leader, published by Accenture and the Ponemon Institute, proactive companies have been able to reduce the probability of disruption or theft/loss of records by around 50%.
As Accenture discusses in its report, Security in the Financial Services Sector–Ready for the “New”? a respective transformation process should be planned and supported by change management specialists, with a clear signal and a clear start. Often, this involves a reorganization of the security function. We suggest this five-step 100-day plan:
- Define the role of the security function.
- Define the general setup. To drive a substantial transformation, a centralized function should be considered. From an organizational perspective, security is typically divided into three strictly separated lines of defense. However, to satisfy a fast-moving business, some organizations combine their first and second lines of defense. Those organizations consolidate policies, governance, architecture, internal consulting, physical security, safety, and even reporting under a chief information security officer (CISO). Others allocate responsibility between the business CISOs and the technology security infrastructure group.
- Define the function of the CISO.
- Define the CISO’s reporting line. A firm should look to its CISO to participate in driving strategy. That means the CISO needs decision-making authority and the power to act within the organization.
- Define key guiding principles, such as:
- How security helps drive innovation.
- How security is a value-add for the business.
- Always assuming the company has been compromised and that an attacker already is in the company’s network.
Once these steps have been taken, firms should maintain a level of flexibility so they can respond with agility and confidence to unexpected outcomes and situations.
To learn more, read: