As regulatory scrutiny and requirements mount, financial firms need to evolve how they think about cybersecurity to become more strategic than tactical.
Instead of cyber protection, firms should focus on cyber resilience, which includes plans for response and recovery.
The tide is shifting in how financial firms think about cybersecurity, driven by a combination of heightened threats, increasingly sophisticated hacking tools, and growing compliance requirements, including incoming US regulation to get corporate boards more involved.
One way that shift will show up is in the move from cyber protection to cyber resilience, according to the CEO of security firm Immersive Labs, an Insight Partners portfolio company. Companies need to start from the assumption that they will inevitably be attacked, and plan for continuity and recovery so that an attack does not cause significant damage.
“Cybersecurity is a means to an end, but really, what you need is your business to keep going following a cyber incident,” CEO James Hadley told Insights Distilled. “That’s a huge change: It’s much more strategic versus tactical.”
Building resiliency in an organization requires a clear-eyed understanding of gaps, with comprehensive benchmarking to demonstrate improvement, both internally and for regulators.
“It’s a business-wide issue and a one-size-fits-all approach doesn’t work,” Hadley said. “Organizations need to turn what a lot of people used to call the greatest threat – your insiders – into your greatest asset, in terms of how you protect yourselves.”
That means training all workers – both technical and non-technical – to boost their judgement, skills, and speed in dealing with security risks and attacks.
“Companies are just becoming more aware now that cyber isn’t this stand-alone thing,” he said. “It’s everywhere.”