In my previous blog I introduced you to the “Accenture Security Index”—research that assessed performance in information security at companies across multiple countries and industries.
With regard to the banking industry, results were mixed. Banks achieved high performance in 44 percent of the security capabilities surveyed—near the top in terms of industry rankings. But as I said in the earlier post, that means banks are NOT high performing in 56 percent of security capabilities. In addition, banking wasn’t clearly in the lead, but merely on par with the communications and high-tech industries.
Surprising results. So, let’s look at where banks excel and where they don’t when it comes to cybersecurity.
Banks participating in the study scored especially well in the following categories:
- Cybersecurity accountability
- Physical and safety risks
- Maintaining resilience readiness
- Cybersecurity architecture approach
- Risk analysis and budgeting
- Security-minded culture
We found accountability to be especially important. Leading banks have developed cybersecurity key performance indicators (KPIs) for M&As and other initiatives. They have defined roles and responsibilities for cybersecurity and are collaborating across business units and subsidiaries on security. They are also including cybersecurity in executive job descriptions across the organization and are regularly reviewing and improving the process.
Where are banks encountering challenges?
- Just 41 percent of senior security executives we surveyed from the banking industry said their enterprise is sufficiently competent at “business-relevant threat monitoring.”
- An especially worrying statistic involves the cybersecurity capability with the lowest rank of all (34 percent): the ability of a firm to identify its high-value assets and processes. This outcome appears to be about the relationships of the cybersecurity team to the business. If that team does not adequately understand the business, it cannot realistically assess the value of assets.
- Another weakness: designing for resilience and limiting impact. Resilient companies can quickly return to normal operations with minimal impact to customers and the bottom line. Organizations should be able to withstand cybersecurity attacks while maintaining operational and service levels. Resilience builds upon traditional cybersecurity with actions such as proactive controls, crisis response protocol testing, cybersecurity readiness assessments and hacking tests.
Banks were also lagging in third-party cybersecurity (44 percent) and third-party cybersecurity clauses (36 percent). Third-party risk is especially important as banks move some processes to the cloud, housing data on third-party servers. Partners’ risks become yours.
Additionally, as ecosystems grow to be the primary method of conducting business, risk is spread over a broader playing field. If all partners are not duly diligent, malicious parties that breach one node of an ecosystem can gain control over far more data than they did in years past. Despite this fact, other Accenture research found that only 31 percent of banking executives plan to invest significantly in improving unified cybersecurity strategies across the ecosystem.
Cybersecurity challenges will never be totally solved, but there are many things banks can do to improve their capabilities. I’ll talk about those in my third and final blog in this series.