Senior security leaders within financial services companies are challenged by a lack of trusted data to make effective security decisions and reduce their risk from cyber threats, according to Panaseer’s 2020 Financial Services Security Metrics Report. Results from a global external survey of over 400 security leaders* that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload.
The results demonstrate myriad issues with the processes, people and technologies required to have a full understanding of the organisations cyber posture and the preventative measures required to stop a security control failure from becoming a security incident. The vast majority (96.77%) of respondents claimed they use metrics to measure their cyber posture, with the primary use for security metrics being risk management (41.69%), demonstrating success of security initiatives (28.04%), supporting security investment business cases (19.11%) and Board/ executive reporting (10.17%).
Over a third (36.72%) of security leaders said that their biggest challenge is ‘trust in the data’ when creating metrics to measure and report on risk, followed by the resources required to produce them (21.34%), the frequency of requests (14.64%) and confusion over knowing what metric to use (15.3%). Less than half of respondents (47.75%) could claim to be ‘very confident’ that they are using the right security metrics to measure cyber risk.
Request overload and resource requirements are cited as key issues fueling the metrics mayhem. Auditors demand data most frequently at every 10.4 days per month, followed by the regulators at every 11.4 days. On average, risk teams request updated metrics every 16 days. This means that virtually every day there is someone in the security team working on metrics for a stakeholder group.
Manual processes are also cited as fueling data mistrust. Over half (59.8%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52.85% are using custom scripts. Nearly one in five (18.75%) admitted to relying exclusively on manual processes to develop their security metrics to report on risk.
Nik Whitfield, CEO, Panaseer: ‘Security teams often tell me that Security metrics are the bane of their lives. Not being confident in the accuracy, timeliness or the provenance of the data for a metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation. Our security teams are using manual processes to create security metrics in a world of automation. And the risks of getting the security risk assessment wrong, with an increasing attack surface cannot be understated: The President of the European Central Bank recently went on record to warn that a cyber-attack on a major financial institution could trigger a liquidity crisis.
‘So, we’ve got to move on from an era of out-of-date, inaccurate metrics, to one where they are automated, consistent, validated and measured on a continuous basis. Financial service organisations in particular need trusted and timely metrics into their technology risk, segmented where possible to critical operations. With this information, the Board can then have better understanding into what risks it is and isn’t accepting to keep customer data safe.’
To read Panaseer’s full 2020 Security Metrics Report, please visit: https://panaseer.com/reports-papers/report/2020-security-metrics-report/
Survey information
*400+ security decision-makers, manager level and above (including CISO/ senior security/ risk officers), working in companies within the financial services industry with 5,000 – 25,000 employees in the UK and US, were surveyed by Censuswide in 2020.