Authored by: Jeffrey Kok, Vice President Solution Engineers for Asia Pacific and Japan at CyberArk
The Hong Kong Monetary Authority has updated its framework under the Cybersecurity Fortification Initiative 2.0, which is designed to strengthen cyber resilience in the banking and financial sector. The framework, Intelligence-led Cyber Attack Simulation Testing (iCAST), encourages banks to deploy network security devices, implement anti-malware measures and strengthen user authentication.
However, despite these new measures, IDC’s latest COVID-19 Impact on IT Spending Survey indicates increasing challenges across enterprises due to an expected decrease in employee productivity, difficulty in addressing business issues, cyber security and privacy.
A recent identity security report also indicated that 79 per cent of enterprises have had an identity-related breach within the past two years.
It is unfortunate that many businesses do not realise that strong cyber security protection requires support from the top down. Everyone agrees that cybercrime needs to be guarded against, yet they are not always on the same page as to whose job that actually is. Part of the problem stems from the idea that it is just one job. Making it the Chief Information Security Officer's (CISO’s) responsibility to go department by department to get “buy-in” on cyber security may be an outward show of taking the issue seriously, but in practice, it could actually create unintended weaknesses.
Those attempting to implement new ways of approaching cyber security are faced with competing cultural perspectives on technology and competing ideas about how to implement that technology. Left to shoulder the burden of responsibility alone, CISOs find themselves unable to get smoothly from point A to point B and beyond.
Leaders need to understand what it takes to change outmoded thinking and implement lasting change.
Shared responsibility across the organisation
Many organisations struggle with technology implementation, with employees not fully embracing change. This happens for various reasons, from not understanding the significance of the programme, to misalignment with corporate strategy, to not having clear direction on priorities.
For successful implementation to take hold, it has to be something driven from senior executives across the firm with clear communications across all levels, and a shared accountability for the outcome.
C-suite Support is an A-Level Priority
If such programmes are not prioritised, organisations will continue to face challenges to their acceptance and complete adoption all the way down the corporate hierarchy. It is critical for CISOs to have the ear of CEOs and board members. Their understanding of, and appreciation for, the types of risks the firm is exposed to and the security programmes necessary to protect the organisation sends a clear message from the top: This is the new way of doing things.
The one true way for operational change to not only get implemented thoroughly, but take hold, grow and thrive, is through transparency from the top down. Individuals need to ensure they have the people at the table who will successfully see the project through its evolution.
To ensure that security is seen as a shared responsibility throughout a financial organisation rather than one person’s or group’s “job,” here are a few key strategies:
Security can only become part of an organisation’s DNA when there is a sense of accountability across the organisation, so that everyone is responsible for security and for the firm’s performance when it comes to privileged access. Financial institutions must remain vigilant by having effective technology risk management practices and robust business continuity plans to ensure prompt and effective response and recovery. Identity security is one of the best ways to help organisations secure individual identities throughout the cycle of accessing critical assets. This means that CISOs and security teams can authenticate an identity accurately, authorise that identity with the proper permissions, and provide that identity access to privileged assets in a structured manner, all in a way that can be audited (or accounted for) to ensure the entire process is sound.