Cybersecurity officers moving up the organizational chart

Who information security professionals report to can impact investment and response.
FEB 14, 2018

Cybersecurity has moved out of the server room and into the board room.

The chief information security officers at financial institutions are increasingly being thrust into the organizational spotlight as concerns about data security grow, according to a new report by the Financial Services Information Sharing and Analytics Center.

The group, an organization of 7,000 chief information security officers at financial services firms, said CISOs now prioritize keeping top leadership updated on security risks and most provide boards of directors with quarterly or monthly reports.

Most CISOs report directly to chief information officers, chief risk officers or chief operating officers, and security experts say that how a CISO is placed in an organization's hierarchy impacts how firms invest in security.

Greg Reber, the CEO at security consulting company AsTech, said many firms are changing this structure to avoid a conflict in priorities.

"CIOs may need to get things done quickly to realize financial goals, moving processing to the cloud environments for example — while CISOs are chiefly concerned with risk management," Mr. Reber said.

Bret Fund, the founder and CEO of SecureSet, a cybersecurity academy, said CISOs who report to CIOs tend to prioritize infrastructure upgrades and breach prevention, while those who report to COOs tend to prioritize employee training.

"I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component versus the product or process components," Mr. Fund said. "Advisers cannot underestimate the need for a robust security culture inside their organizations and the way that you achieve that is through education and training."

The FS-ISAC said only 8% of CISOs report directly to firm CEOs, which could restrict information flow, decrease transparency and hamper decision making. The group recommended firms make training the top priority regardless of their organizational structure.

"Advisers can no longer just 'check-the-box' when it comes to security awareness training," said Dan Lohrmann, the chief security officer at Security Mentor. "Staff must see the relevance of what they are learning, and that happens by teaching them things they don't already know. As new people, processes and technology are introduced into workflows, the corresponding actions related to the business must adjust to the increasing cyberthreats that are facing global enterprises."

FS-ISAC was established in 1999 with the mission of helping the global financial services infrastructure and individual firms fight back against cybersecurity threats. Members share threat and vulnerability information, conduct coordinated contingency planning exercises, manage rapid response communications, offer education and training programs, and collaborate with government agencies.
