Financial services companies lack trusted data to make security decisions
May 19, 2020
19 May 2020, London and New York: Manual processes, lack of resources and request overload fuel security metrics (and measurement) mayhem, according to Panaseer’s 2020 Financial Services Security Metrics Report.
Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber.
Results from a global external survey of over 400 security leaders* that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload.
The results demonstrate myriad issues with the processes, people and technologies required to have a full understanding of the organisation’s cyber posture and the preventative measures required to stop a security control failure from becoming a security incident. The vast majority (96.77%) of respondents claimed they use metrics to measure their cyber posture, with the primary use for security metrics being risk management (41.69%), demonstrating success of security initiatives (28.04%), supporting security investment business cases (19.11%) and Board/ executive reporting (10.17%).
Over a third (36.72%) of security leaders said that their biggest challenge in creating metrics to measure and report on risk is ‘trust in the data,’ followed by the resources required to produce them (21.34%), the frequency of requests (14.64%) and confusion over knowing what metric to use (15.3%). Less than half of respondents (47.75%) could claim to be ‘very confident’ that they are using the right security metrics to measure cyber risk.
Resource requirements and request overload are cited as other issues fueling the metrics mayhem. On average, security teams are spending 5.34 days a month compiling metrics for managing risk – and that doesn’t include the time the team spending compiling metrics for other stakeholders, including regulators, auditors and the Board. Security leaders also claim they must refresh these security metrics for risk teams every 16 days.
Manual processes are also cited as fuelling data mistrust. Over half (59.8%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52.85% are using custom scripts. Nearly one in five (18.75%) admitted to relying exclusively on manual processes to develop their security metrics for risk.
Nik Whitfield, CEO, Panaseer: ‘Security metrics are frequently cited as the bane of the security teams’ lives. Not knowing the accuracy, timeliness or even limitations of a metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface. The President of the European Central Bank recently went on record to warn that a cyber-attack on a major financial institution could trigger a liquidity crisis.
‘We must move on from the era of out-of-date inaccurate metrics, to one where they are automated and measured on a continuous basis. Financial service organisations in particular need trusted and timely metrics into an organisation’s technology risk, segmented where possible to critical operations. With this information, the Board can then have better understanding into what risks it is and isn’t accepting to keep customer data safe.’
Read Panaseer’s full 2020 Financial Services Security Metrics Report.
*400+ security decision makers, manager level and above (including CISO/ senior security/ risk officers), working in companies within the financial services industry with 5,000 – 25,000 employees in the UK and US, were surveyed by Censuswide in 2020.