ACS19: Bank execs need cybersecurity safe space
“Banks and financial services firms need to create an atmosphere in which executives can be free to ask stupid questions about cybersecurity,” says Standard Chartered’s global head of cyber partnerships and government strategy, Nina Paine.
“Or risk forever leaving the subject matter in the hands of technologists,” she adds. Paine tells an audience at the ATMs and Cyber Security 2019 in London that security needs to be a “business-wide discussion, not just some technology people in a room.”
“Set up a safe space where senior executives can talk about cybersecurity where there are no stupid questions,” she adds.
“It may not be a governance committee but it can allow executives to raise questions, hear about trends, increase their understanding and ensure their business priorities drive the cyber resilience agenda.”
Paine added that in an era of increasing digitisation it’s crucial that firms have governance principles that are constantly updated to address new technologies. “Today it’s cloud and APIs, but what will it be in the near future – maybe blockchain or AI? The rate of technological advance right now is such that you have to bring it back to core principles.”
Many firms in the industry are still struggling to get the basics right. “It might be legacy infrastructures which make security difficult to implement,” says Paine, “or it might be that cybersecurity is still seen as the realm of the technical CISO and they remain in their domain and don’t get out to the business leaders.”
“There needs to be senior leadership intent, and that intent needs to be shared across the leadership board,” she adds.
Paine also mentions that 90% of breaches at firms are still attributed to employees clicking on phishing emails. “People pose the highest risk in our organisations and we just cannot simply rely on a small group of technical experts to keep our business safe. Yet with proper training, people can also be the greatest asset.”
To underline her point, Paine points to the example of the Bangladesh Bank hack from 2016, in which a vigilant employee noticed that outgoing funds were being moved to a firm with the incorrect English version of a French word.
“It sounds very pink and fluffy when you talk about employee awareness, but you can make it a very hard skillset and discipline,” Paine concludes.