Cybersecurity for Financial Institutions—Part 2: Metrics

This is part two of our blog series that delves into cybersecurity for the financial services industry.

In part one, we discuss the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations.

In this part, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their regulators and leadership peers. We’ll also discuss opportunities to improve those metrics and address key challenges CISOs experience when building mature programs.

Let’s dive in.

Three Cybersecurity Metrics to Help Financial Institutions Tell Their Story to Regulators

The rise in cyberattacks against financial institutions means heightened scrutiny from bank regulators and more stringent compliance requirements. So, how can banks provide a thorough assessment of their security program to show regulators that they’re meeting regulatory requirements – and are keeping consumers and their data safe?

We can achieve that by identifying and keeping track of cybersecurity metrics that tell a powerful story.

These metrics are critical in two scenarios: to communicate your security program maturity and compliance to financial services industry regulators and to your leadership team/board to make the case for additional budget or resources.

When using metrics, keep in mind that context over time is a key success factor for communicating trends. Also consider how your metrics align with other metrics used to measure overall business success.

Cybersecurity metrics are historically challenging to determine as they don’t correlate directly to revenue or profit gain and are often proactive in nature. However, if you choose wisely, they can help you benchmark your current cybersecurity program and show how your investments have impacted your organization over time.

To set a solid metric foundation, consider these three key cybersecurity metrics:

  1. Asset footprint: Anything that gives an accurate depiction of all your assets may be considered your asset footprint. This includes ephemeral assets (e.g., auto scaling compute or containers) and the number of endpoints per dollar of assets under control. For example, in endpoint management, you’re managing the number of devices, servers, or systems that are trying to access your company’s network. Taking inventory of all endpoints provides you with a better view of your security posture and how much it costs to manage your assets. The caveat is that this method works now, but is not ideal for measuring your assets moving forward.
  2. Time to remediation: How long does it take to fix your critical vulnerabilities? How much time passes for critical issues from discovery to vulnerability remediation? Being able to track this context over time provides an overall assessment of your risk profile. A scenario to consider: if your company doubles in size but the number of vulnerabilities remains the same or has increased, you need to investigate that.
  3. Percentage of revenue that makes up your cybersecurity budget: What percentage of the overall organizational revenue is being spent on cybersecurity? Is that spend increasing while the number of vulnerabilities, security incidents, fraud reports, etc. remains the same? Keeping track of your budget relative to your security outcomes can indicate the health of your program and areas that may require reevaluation.

For metric number three, you’ll need to partner with your CFO and finance team to track your progress over time. But for metrics one and two, it will be critical to formulate a plan to capture and improve these metrics to prepare for your next audit or budget meeting. Here are three ways to accomplish this:

  • To measure and improve your asset footprint, leverage Attack Surface Management (ASM): ASM identifies and detects all known, unknown, and potentially vulnerable assets across your attack surface whenever there is exposure – not just what’s internet facing but in B2B network connections or peered cloud services too. ASM enables a comprehensive view of your environment from the outside in.
  • To measure and improve time to remediation, leverage Penetration Testing as a Service (PTaaS): PTaaS combines technology with human expertise to find critical vulnerabilities that tools and traditional pentesting processes miss. The key here will be to work with a partner that can orchestrate and manage your vulnerabilities in a dynamic platform that allows you to track your remediation progress over time (see: NetSPI Resolve).

How to Articulate the Need for Budget

One of the challenges that we personally experienced in our roles as in-house security leaders and CISOs is the need to articulate budgetary needs to the leadership team and the board.

You need money and resources to employ the right people and acquire the necessary tools to protect your organization, right? This is correct, but you also need to recognize that the metrics you’re currently sharing may not align with the priorities of the CEO or the board. This gets even more challenging when the CEO or board hasn’t funded these initiatives historically.

So, what are ways you can effectively approach this?

First, understand that it’s not about confronting the board or the CEO. It’s about empowering them to articulate the risks they’re willing to take (e.g., risk of a possible breach, exposing consumer PII, etc.).

It’s important to engage with your leadership team and spend the time building this relationship so you both are aligned with the security or control posture of the organization. Security leadership should never operate in a silo.

Second, don’t tell half the story; tell the whole story. Explain how your budget decisions align with the company’s priorities: generating revenue, achieving company goals, maintaining a positive public reputation, etc. Articulate your metrics in the terms and language they understand to effectively tell your cybersecurity maturity story and make the case for additional support.

For more on this topic, read How To Eliminate Friction Between Business and Cyber Security.

Strategic Cybersecurity for Financial Institutions

More than ever, it’s important to be strategic when improving cybersecurity in the financial industry. Here are two things to consider to set you on the right path toward security program maturity:

  • Tool overload and alert fatigue. Be mindful of purchasing capabilities you can’t manage or extract value from. Why? Because you’re going to have to find the people to address all the data you aggregate. This lack of alert coverage and response could result in hesitancy from your leadership team or regulators.
  • Technical leaders vs. security leaders. When you hire, ensure that your technical team also understands security and why it matters to your business. Someone with a technical background may not truly grasp security concepts and strategy. Ensure you have a balanced team that can help you articulate your metrics as outlined above.

If there is one thing we want you to take away from this blog post, it is this: financial cybersecurity is an ongoing effort – it is not a point-in-time commitment. Continuous improvement is essential to telling your cybersecurity story – and the metrics you choose to measure and the way you communicate them will be the backbone of that story.

NetSPI is the industry leader in pentesting and currently partners with 9/10 top US banks in the nation. Connect with us today for your bank pentesting solutions and needs.