The balance between operational efficiency and risk management is a story ultimately told in the bank’s efficiency ratio; the rising cost of cybersecurity tools and talent don’t take a break when the market indicates trouble on the horizon.

The ever-evolving threat landscape lays a finger on the scales, given that cybersecurity incidents are costing banks more than ever. But there five ways banks can maximize their cybersecurity maturity leading into this uncertain environment by focusing on the less glamorous half of the ratio: the cost of doing business.

1. Include Line-of-Business Training in Cybersecurity Personnel Development Plans
Employees drive the every bank’s digital transformation strategic initiatives. As bank technology stacks grow, so do the exposure to cybersecurity risk. This has ushered even the most mundane workflows carried out by cybersecurity professionals further and further into the bank’s service chain.

Simply put, cybersecurity analysts make risk-based decisions about whether to accept or reject communication from bank customers all day long. In many ways, these employees act as digital bank tellers who engage in Know Your Customers practices more intimately than anyone else – except without all the line-of-business training expected in these customer-facing roles. When the cybersecurity team’s objective changes from defending the bank to supporting growth goals through cybersecurity, each risk-based decision figures into the opportunity at hand.

2. Streamline the Tech Stack
Banks, particularly those that grow through mergers, often struggle with weaving together an integrated tapestry of IT infrastructure. This can be further complicated by a la carte shopping for best-in-show solutions for disparate use cases. As banks evaluate the most opportune areas to increase their efficiency, this is an excellent time to find overlapping features between tools. Consolidating the technology stack can reduce the overall spend for ongoing licensure, as well as the number of systems to learn, support and monitor. Simpler operations are more efficient operations; streamlining the tech stack allows the organization to take full advantage of this principle.

3. Focus on the Cybersecurity Culture
For too long, the banking industry has repeated the outdated cybersecurity mantra: Humans are the weakest link. The elements of the typical security awareness training program begins with sending fake phishing emails to employees and ends with corrective trainings and action plans. Often, phishing test failure is a key risk indicator that follows employees over time. This leaves employees with only two conclusions: The employee is powerless against cybersecurity attacks, because humans will always be the weakest link, or every email represents an opportunity to fail.

If the goal of a security awareness training is to reduce cyber risk, would the program be any less effective if departed from the “Gotcha!” approach? Humans are the greatest factor in detecting and responding to attacks. This approach empowers employees to be active participants in every phishing decision and serves as a more impactful means of professional development during a time when budgets are thin.

4. Strengthen Collaboration and Communication
While the pandemic certainly feels like a thing of the past, the impact it has made on every bank’s culture still prevails. Whether the strategy has been to fully embrace work from home, return to office or to find some compromise with hybrid work schedules, communication within the bank looks different today.

In times of economic uncertainty, collaboration and communication are even more critical – which makes this is the best time to focus on communication and collaboration. Include loan production and other front line employees in incident response tests to practice critical lines of communication before it’s necessary. Empower business continuity teams to place a greater emphasis on simple exercises like cross-training within a department to increase collaboration and resiliency during turnover, which might happen due to changes in the market.

5. Strategize the Way AI Will Shape the Bank
While some experts are predicting the impact that artificial intelligence will have on the workforce over the next 10 years, one thing is certain: Employees are already using AI in their workflows. This creates opportunities for design without focus – the enemy of efficiency – but the greater risk that loose AI adoption poses to banks is model risk. Without a foundational model risk governance framework, banks will repeat the mistakes of AI pioneers. Banks should make this a planning year and invest time in strategy rather than budget in new automation tools.

As banks navigate the delicate balance between operational efficiency and risk management, the rising cost of cybersecurity and the looming uncertainties in the economy place risk managers in the pivotal role of controlling the efficiency ratio. By focusing on the strategic measures of risk management instead of revenue operations alone, banks can maximize their resilience and efficiency leading into the second half of 2023. Whether a hot or cold economy greets the industry in 2024, it will be the efficient banks that have the most to gain.


Joshua Sitta