Icebergs Ahead: Five Questions Every Board Should Ask the CISO

Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company re-evaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank as well as at other banks in its efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common-sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful when you’re talking about information security risks with your CISO.

Making the Right Investment in Cybersecurity

In a January interview with Bloomberg, Brian Moynihan revealed that Bank of America Corp. has an unlimited budget for cybersecurity. “I go to bed every night feeling comfortable that group has all the money, because they never have to ask,” said the Bank of America chairman and chief executive officer. “You’ve got to be willing to do what it takes at this point.”

The vast majority of banks can’t grant carte blanche to their organization’s information security team. Bank Director’s 2015 Risk Practices Survey found that most banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in 2014. Thirty-eight percent allocated from 1 percent to 5 percent of revenues to cybersecurity. Two percent dedicated more than 5 percent of revenues to cybersecurity.

Regulators don’t mandate a minimum cybersecurity spend; how much is the right amount is up to the bank. However, banks that are prepared to battle cybercrime typically aren’t hit as hard when the inevitable data breach or hack occurs. So bank boards face some difficult decisions when it comes to protecting their bank from cybercrime. How much should the bank invest? And on what? 

Tony Buffomante, principal in information protection and cybersecurity at KPMG, says bank boards want to know what the risks are, and whether their current programs are ready to mitigate cyberthreats. Identifying the areas of the business that the bank wants to protect from a potential cyberattack—where customer account data is housed, and what processes are involved—is key to determining how much to invest in cybersecurity, and where. “If they don’t really understand what the risks are, it’s difficult to figure out, ‘Am I investing enough?’” he says.

2014 Cybersecurity Budget, By Bank Size
                            All Banks   >$10 Billion   $5Bn to $10Bn   $1Bn to $5Bn   <$1Bn
Less than 1% of revenues    60%         38%            50%             59%            72%
From 1% to 5% of revenues   38%         62%            50%             38%            28%
More than 5% of revenues    2%          –              –               3%             –

Source: 2015 Risk Practices Survey

Cybersecurity Budget Increase for 2015, By Bank Size
                   All Banks   >$10 Billion   $5Bn to $10Bn   $1Bn to $5Bn   <$1Bn
Less than 10%      52%         57%            50%             56%            42%
From 10% to 25%    23%         43%            30%             23%            15%
No increase        21%         –              20%             18%            35%
From 25% to 50%    4%          –              –               3%             8%

Source: 2015 Risk Practices Survey

As a rule of thumb, Michael Bruemmer, vice president of the data breach resolution group at Experian, recommends that companies commit 5 percent of their revenues to cybersecurity. Two of the more technical areas that the bank’s cybersecurity budget should prioritize are intrusion detection, to detect hacks and breaches, and encryption of data to make it more secure. Bruemmer calls encryption a cybersecurity “Get Out of Jail Free Card.” Depending on state laws, companies that can prove that their data was encrypted may not have to report the breach to customers. Security breach notification laws in states such as Arizona, California and Illinois specifically reference unencrypted data.

According to a 2014 study by the Ponemon Institute, the typical data breach for the financial services industry cost $236 per record lost, but companies that followed certain practices had lower than average costs. For example, the appointment of a chief information security officer (CISO) reduces the cost of a breach by $10 per record. Sixty-four percent of respondents to Bank Director’s Risk Practices Survey say they employ a full-time CISO, a practice less common for banks with less than $1 billion in assets (44 percent).

Preventing, detecting and responding to cyberthreats is at the core of information security. Banks need expertise in understanding what the risks are, and someone who can implement controls to protect customer information, watch for a breach and then react to it, says Buffomante. The role may be held by multiple people within the organization, or, instead of hiring a CISO, it can be outsourced by banks that lack that expertise on staff.

An outsourced CISO can be just as effective, says Bruemmer. “It’s not as important who you have on staff…but that you cover all the bases, whether it is outsourced or internally.” 

The median salary for an information security officer is $75,662, according to Crowe Horwath LLP’s 2014 Financial Institutions Compensation Survey.

Bank boards should recognize that the CISO isn’t the sole guardian of the bank’s digital assets. “Executives, meaning boards and senior executives of companies, need to participate and be involved in improving their incident response,” says Bruemmer. 

Beyond technology investments, Bruemmer believes the biggest area of focus for banks should be their employees. Training can make or break an organization’s cybersecurity efforts and investment, and Bruemmer says the root cause of most breaches is simple human error. Commonly, an employee makes a mistake and clicks a link in a phishing email, or doesn’t respond appropriately to an alert. “All of the budget expenditure in the world would not have stopped” these types of errors, he says. Employees should know not only how to prevent a breach, but how to respond to one as well. Banks need to have a plan.

According to Ponemon, an incident response plan for cybersecurity can result in a reduction of $17 per record. These plans should be tested regularly, so the bank is prepared when a real cyberattack occurs. Seventy-six percent of respondents to the 2015 Risk Practices Survey report that their bank has a cyber incident management and response plan in place. Of these, three-quarters regularly test it.

[Chart: Does your bank have a written cyber incident management and response plan?]

Another investment boards should consider is cyber insurance, which can reduce the impact of a data breach by protecting the institution from customer lawsuits and covering costs like credit monitoring, customer notification and crisis management.

The Federal Financial Institutions Examination Council encourages banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit source for intelligence on cyberthreats, which gives banks access to information on the latest threats. The agency also plans to release a cybersecurity self-assessment tool, which will help institutions evaluate their ability to mitigate these risks. 

Bruemmer argues that the success or failure of a bank’s cybersecurity preparedness doesn’t come down to how much money is thrown at the problem. Instead, it’s more about the bank’s dedication to protecting itself, and focusing resources on the issue. The board should play a strong role, though fewer than 20 percent regularly address cybersecurity within meetings, according to the 2015 Risk Practices Survey. Just 8 percent of respondents from banks with less than $1 billion in assets say their board addresses the issue at each board meeting. Although the board’s job isn’t to manage the bank’s security, it should provide effective oversight in terms of knowing about the bank’s security plans, staffing and resources, and making sure those are adequate.

Cybersecurity “needs to be part of the board-level strategy discussion,” says Bruemmer. It “is so impactful to the organization’s ongoing reputation and viability, [and] it needs to be connected to the board level.”