Cybersecurity Has Finally Reached the Boardroom

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has published the results of its latest survey [1]. According to the respondents, cybersecurity has finally arrived in corporate boardrooms, and 80 % of all CISOs report directly to the board on a quarterly basis. The priorities of CISOs have also shifted:

35 % of CISOs name employee training in the financial sector as their top priority, while for 25 % of respondents infrastructure upgrades and improvements to network security take precedence. Further information and details on the results can be found below in English.

But what does this mean for everyday reality in companies? Are boards now taking cybersecurity more seriously, and do CISOs set their own priorities when it comes to individual risk assessments?

A brief comment on this from Susanne Haase, One Identity:

»For me, perhaps the most surprising part of the survey is the questions themselves. For example, CISOs are asked about their top priorities for the current year, 2018. Interestingly, the CISOs who report to someone in a non-technical position, such as the COO, answer that training has the highest priority for them, while the CISOs who report to a technical executive, such as the CIO, give precedence to improvements in infrastructure and the network. What surprises me most, however, is really the question itself. Should CISOs actually be forced to prioritize between these two requirements? Hopefully not!

Both employee training and improvements to infrastructure and the network are indispensable prerequisites for a company's security. Users are the first line of defense where cybersecurity is concerned. But hardly any company today can do without a policy based on a ›defense in depth‹ concept. This includes, for example, privileged access management, because accounts with elevated access rights open the door wide to potential misuse, as well as strong governance and multi-factor authentication.

To imagine that a CISO could be forced to follow only one security imperative sounds like a reliable recipe for a security disaster.«

[1] https://www.fsisac.com/article/fs-isac-unveils-2018-cybersecurity-trends-according-top-financial-cisos.

FS-ISAC Unveils 2018 Cybersecurity Trends According to Top Financial CISOs

Monday, February 12, 2018

CISOs around the world prioritize employee training, reporting to boards quarterly to help improve cybersecurity practices

Cybersecurity continues to be a top concern for financial institutions globally. To help leaders and businesses understand cybersecurity trends across the globe, the Financial Services Information Sharing and Analysis Center (FS-ISAC) today unveiled results of its 2018 CISO Cybersecurity Trends.

Chief Information Security Officers (CISOs) weighed in on the most critical cyber-defense methods, frequency of cyber-preparedness reporting to their respective boards of directors as well as the current cyber chain of command within their respective financial organizations.

Most critical defense

CISOs surveyed were split on their top priorities for securing their organizations against cyberattacks. Most (35 percent) of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector. Infrastructure upgrades and network defense are also prioritized by 25 percent of CISOs, and breach prevention by 17 percent. CISOs reporting into a technical function like the Chief Information Officer (CIO) prioritize infrastructure upgrades, network defense and breach prevention. CISOs reporting into a non-technical function like the Chief Operations Officer (COO) or the General Counsel prioritize employee training.

Frequency of reporting

While cybersecurity used to be handled in the server room, it is now a board room topic. The study found that quarterly reports to the board of directors were most common (53 percent) with some CISOs (eight percent) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.

Most CISOs report to CIO, not CEO

As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organizational spotlight. The study found that the majority of CISOs don’t report to the CEO; the top of the cyber chain of command is more likely to be the CIO, followed by the Chief Risk Officer (CRO) and then the COO. Sixty-six percent of CISOs report into the CIO, CRO or COO. Only eight percent of CISOs report into the CEO. The study found that the reporting relationship did not impact the frequency of reporting to the board of directors on cybersecurity.

Recommendations for 2018

FS-ISAC recommends that all CISOs, regardless of reporting structure, prioritize employee training, because employees serve as the first line of defense. Employee training should include awareness about downloading and executing unknown applications on company assets in accordance with corporate policies and relevant regulations, and guidance on how to report suspicious e-mails and attachments.

FS-ISAC encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an ‘at the ready’ risk posture and that cyberpractices are transparent to board members.

As the threat landscape shifts, FS-ISAC recommends that CISOs have expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely. Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making.

All participants in the FS-ISAC CISO survey are FS-ISAC members, serving as current CISOs for their respective financial institutions around the world. This is the first year FS-ISAC conducted the CISO Cybersecurity Trends Study.

About the Financial Services Information Sharing and Analysis Center:

The FS-ISAC is a non-profit corporation that was established in 1999 and is funded by its member firms. With about 7,000 members worldwide, FS-ISAC is a member-driven organization whose mission is to help assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector’s ability to provide services critical to the orderly function of the global economy. FS-ISAC shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with and among other key sectors and government agencies. For more about FS-ISAC, follow us on Twitter @FSISAC and join the discussion on LinkedIn or visit www.fsisac.com.
