Internal Audit, Risk, Business & Technology Consulting
Cybersecurity in the Financial Services Industry
New Cyber Challenges Require New Strategies
Where we are now — and where we are going
Introduction
Over the last decade, the financial services industry has undergone a radical transformation from trying to manage an aging and costly infrastructure to fully embracing digital transformation. Companies are now investing in new technologies that will enable their businesses to respond to new competitors and changing client needs. This shift, however, has put the industry’s cybersecurity in the spotlight, given both the damage that can be inflicted by an intrusion and heightened public and regulatory expectations regarding security and privacy.
In order to assess the current state and direction of cybersecurity at organizations around the world, Protiviti co-sponsored a global survey of 1,300 C-suite executives and their direct reports, which was supplemented with in-depth interviews with 18 CISOs and cybersecurity experts and input from an advisory board of executives from a range of industries. The survey, The Cybersecurity Imperative, paints a detailed picture of how senior business leaders are thinking about threats and implementing security best practices.[1]
From this research, we have extracted the data for the 300 financial services executives who participated, representing a wide range of institution types and regions. In this paper, we focus on how financial services firms are progressing in their implementation of the NIST Cybersecurity Framework,[2] trends and projections regarding threats and countertactics, and ways in which cybersecurity is supported by policies, organizational structure and interactions with other functions. We conclude with recommendations firms can use to help strengthen their cybersecurity practices.
[Figure: Survey respondents by institution type (commercial/retail bank, full-service institution, investment management, payments firm/card issuer, insurance) and by headquarters location (US/Canada, Latin America, EU/UK, Asia Pacific).]
[1] The Cybersecurity Imperative: Managing cyber risks in a world of rapid digital change, ESI ThoughtLab, October 2018. For more information, visit: www.protiviti.com/cyberstudy.
[2] For more information, visit: www.nist.gov/cyberframework.
Implementation of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five
categories which organizations can use to develop their cybersecurity strategy. In our survey, we asked respondents
to evaluate their progress in each of these activities according to the following scale:

| Cybersecurity maturity level | Description |
| --- | --- |
| No action | |
| Beginning | Starting to think about the activity |
| Developing | Planning and support building |
| Maturing | Seeing progress and benefits |
| Advanced | Ahead of most peers and seeing significant benefits |

As part of our analysis, we also aggregated the maturity
levels of each company across the 23 NIST cybersecurity
activities and categorized firms overall as Cybersecurity
“Beginners,” “Intermediates” or “Leaders” based on
the total of their maturity level scores. This analysis
shows that financial services organizations are
somewhat ahead of other companies in cybersecurity
maturity, with a larger percentage of leaders and a
smaller percentage of beginners.
Maturity of Cybersecurity Function

| | Beginners | Intermediates | Leaders |
| --- | --- | --- | --- |
| Non-financial services companies | 32% | 49% | 19% |
| Financial services companies | 26% | 50% | 24% |

Identification
The financial services industry is doing best in areas
involving risk, with one-third of survey respondents
characterizing their progress as maturing or advanced
for these activities. However, the fact that only one in six
financial services firms is “maturing” or “advanced” for
governance is concerning for two reasons: First, given the
level of regulation under which the industry operates, one
would expect more progress to have been made in this
area. Second, weak governance undermines confidence in
the cybersecurity function’s overall operations. (It should
be noted that enterprises outside of financial services
have even further to go, with only 10 percent having
maturing or advanced cybersecurity governance.)

| Activity | Description | Maturing or advanced (%) |
| --- | --- | --- |
| Risk assessment | Identify the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals. | 33% |
| Risk management strategy | Establish priorities, constraints, risk tolerances and assumptions for managing operational risk. | 33% |
| Supply chain risk management | Establish priorities, constraints, risk tolerances and assumptions for managing supply chain risk, as well as establishing and implementing processes to identify, assess and manage these risks. | 32% |
| Asset management | Identify the data, data flows, devices, personnel and systems that could affect cybersecurity. | 23% |
| Business environment | Understand and prioritize the organization’s objectives, stakeholders and activities. | 23% |
| Organizational roles | Set roles and responsibilities for the entire workforce and third-party stakeholders. | 23% |
| Governance | Understand the policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk and operational requirements. | 16% |

Detection
Financial services firms are making solid progress in
establishing continuous security monitoring — and
compare favorably to non-financial services firms,
where only 35 percent of companies have reached
these levels. But there is still significant progress to
be made in the other three activities, which far fewer
organizations are performing. Each of these three
developing areas will be greatly affected by emerging
technologies (discussed in the Tools and Technologies
section below), suggesting the possibility that the
industry may see rapid gains here in the coming years.
Indeed, firms that are cybersecurity leaders have already
begun. For example, 40 percent of leaders have maturing
or advanced capabilities for detecting anomalies and
events (compared with 1 percent of beginners).

| Activity | Description | Maturing or advanced (%) |
| --- | --- | --- |
| Continuous security monitoring | Monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. | 42% |
| Detection processes | Maintain and test detection processes and procedures to ensure awareness of anomalous events. | 27% |
| Predictive analytics | Forecast future cyberattacks by analyzing high volumes of data using AI and other advanced technologies. | 25% |
| Anomalies and events | Detect anomalous activity and understand the potential impact of events. | 17% |

The cybersecurity paradox
Our survey uncovered an interesting and, at first glance, counterintuitive finding: The more advanced a financial services firm’s cybersecurity efforts, the more cyber breaches it suffers. This is likely because firms with more mature cybersecurity functions have better detection measures in place, with those in the earlier stages simply unaware of intrusions that are taking place. While 42 percent of financial services firms overall have maturing or advanced continuous security monitoring, only 3 percent of firms categorized as cybersecurity beginners do, compared with 86 percent of cybersecurity leaders.
Cybersecurity incidents in the last fiscal year

| Incident | Beginners | Intermediates | Leaders |
| --- | --- | --- | --- |
| More than 1,000 customer records with personally identifiable information lost or stolen | 6% | 22% | 31% |
| Three or more breaches requiring emergency response plan deployment | 21% | 36% | 42% |

We’ve all seen breaches in recent years where companies got the response process wrong and seriously damaged their reputations. The GDPR 72-hour rule is also requiring firms to up their game in this area. – Scott Laliberte, Managing Director, Security and Privacy, Protiviti
Protection
Protection is the cybersecurity area where most
organizations, regardless of industry, initially focus
their cybersecurity efforts. In the financial services
industry, this is reflected in the significant percentage
of firms that are maturing or advanced in identity
management and access control, data security, and
information protection processes and procedures.
But the other three elements of protection need
strengthening, with the state of awareness and
training of particular concern given the cybersecurity
risk posed by untrained general staff (see sidebar on
following page).

| Activity | Description | Maturing or advanced (%) |
| --- | --- | --- |
| Identity management and access control | Limit access to physical and logical assets and associated facilities to authorized users, processes and devices. | 40% |
| Data security | Manage data in line with risk strategy to protect the confidentiality, integrity and availability of information, and the privacy rights of data subjects. | 39% |
| Information protection processes and procedures | Maintain security policies, processes and procedures for protecting information systems and assets. | 37% |
| Protective technology | Manage technical security solutions according to policies, procedures and agreements to ensure the security and resilience of systems and assets. | 25% |
| Awareness and training[3] | Train personnel and partners in cybersecurity awareness and to perform cybersecurity duties in line with policies, procedures and agreements. | 20% |
| Maintenance | Perform maintenance and repairs of industrial control and information system components according to policies and procedures. | 18% |

[3] For more information, read “Highlighting Recent Cyber-Related Financial Losses, the SEC Urges Public Companies to Revisit Internal Accounting Controls,” The Protiviti View, Nov. 5, 2018, https://blog.protiviti.com/2018/11/05/highlighting-recent-cyber-related-financial-losses-the-sec-urges-public-companies-to-revisit-internal-accounting-controls/.
Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation and digital initiatives to cybersecurity. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead. – Andrew Retrum, Managing Director, Security and Privacy, Protiviti
Employees are the weakest link
Cybersecurity professionals have long argued that cybersecurity needs to be seen as “everyone’s job” and an integral part of company culture. That message seems to have taken hold: When asked to name their greatest internal cybersecurity risk, financial services executives, like those in other industries, are more likely to name untrained general staff than any other source. However, while awareness of this problem is high, combatting the issue remains very much a work in progress, as just 20 percent of firms have maturing or advanced cybersecurity awareness and training activities in place. Accelerating investment in awareness and training in this area is likely to bring firms a noticeable return.
[Figure: Internal threats posing significant risk. Categories: untrained general staff, malicious insiders, privileged insiders, contractors.]
Response
In analysis and ongoing improvements, the financial
services industry is faring significantly better than other
industries (which average 36 percent and 22 percent
at the maturing and advanced levels, respectively, for
these activities). The priority for the financial services
industry needs to be strengthening its response
planning, as improvement in this central function
is likely to lay the groundwork for improvement in
other response areas.

| Activity | Description | Maturing or advanced (%) |
| --- | --- | --- |
| Analysis | Analyze incidents to ensure effective response and support recovery. | 46% |
| Ongoing improvements | Improve organizational response by incorporating lessons learned from current and previous cybersecurity activities. | 30% |
| Communications | Coordinate response with internal and external stakeholders, such as law enforcement agencies. | 23% |
| Response planning | Maintain and execute processes and procedures to ensure response to detected cybersecurity incidents. | 23% |
| Mitigation | Act to prevent expansion of an event, mitigate its effects and resolve the incident. | 16% |

Recovery
Among the five pillars of the NIST Framework, recovery
has the most room for improvement. Cybersecurity
leaders and others in the C-suite have long recognized
that in today’s environment, suffering a cybersecurity
breach is inevitable. A firm’s recovery capabilities will
be tested—and may well determine the long-term
impact of the breach on the business.

| Activity | Description | Maturing or advanced (%) |
| --- | --- | --- |
| Communications | Coordinate restoration efforts — including public relations and reputation management — both internally and externally with internet service providers (ISPs). | 29% |
| Ongoing improvements | Incorporate lessons learned into future recovery planning and processes. | 27% |
| Recovery planning | Maintain and execute recovery plans — during or after a cybersecurity incident — to ensure restoration of affected systems or assets. | 22% |

An organization’s preparedness to reduce the impact and proliferation of an event is key. Accordingly, the company should focus on the adequacy of its playbook for responding, recovering and resuming normal business operations after an incident has occurred. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in the wake of a breach. – Adam Hamm, Managing Director, Risk and Compliance, Protiviti
Emerging Threats and Countertactics
The evolving nature of cyberattacks
As the financial services industry’s digital transformation
continues, cyberattacks are expected to evolve accordingly.
Today, the threat of direct attacks on system endpoints,
such as malware, ransomware and Trojan horses,
dominates the cybersecurity landscape.
Over the next two years, however, as endpoint
protection continues to advance, financial services
organizations expect new vulnerabilities to emerge
from greater connectivity and system complexity.
From a cybersecurity perspective, technological advances
are a double-edged sword, providing greater capabilities
and control but also creating new channels for intrusion.
Reflecting this, when asked which internal and external
trends were affecting cybersecurity risks and how they
are managed, financial services executives emphasized
new technologies, such as artificial intelligence and
blockchain, and technologically driven factors like open
platforms and interconnectivity, over business factors
like M&A and expanded supply chain (see chart on
following page).
The emphasis on technological factors when assessing
the cybersecurity landscape is not surprising. But
financial services firms should remember that business
combinations, lengthening supply chains and global
operations significantly expand an organization’s attack
area while introducing an array of control challenges.
Attacks with the largest impact

| Rank | Today | Tomorrow |
| --- | --- | --- |
| 1 | Malware/spyware | Attacks through mobile apps |
| 2 | Phishing/spoofing/social engineering | Web application attacks |
| 3 | Attacks through mobile apps | Attacks through embedded systems |
| 4 | Ransomware | DoS/DDoS |
| 5 | Trojan horses/viruses/worms | Phishing/spoofing/social engineering |

Tools and Technologies
If financial services firms have a heightened awareness of
the threats posed by technologies like blockchain and
sensors, it may be because the industry has increasingly
employed these tools in their cybersecurity arsenal;
only multi-factor authentication and biometrics — now
essentially table stakes — are more widely adopted (see
chart on following page).
Financial services firms that are cybersecurity
leaders, intermediates and beginners tend to employ
the most common technologies with the same level
of frequency. There is, however, another set of tools
that cybersecurity leaders and intermediates use but
that beginners have yet to adopt. Firms that are early
in their cybersecurity development should consider
expanding their cybersecurity arsenal accordingly.
Trends affecting cybersecurity risks and management (the chart distinguishes technological factors from business factors)

| Trend | Respondents |
| --- | --- |
| Rise of new technologies | 59% |
| Use of open platforms/APIs/cloud | 56% |
| Interconnectivity/mobile technologies | 44% |
| Digitally-enabled products, services and interfaces | 28% |
| Digital transformation | 20% |
| Global operations | 18% |
| M&A, joint ventures and partnerships | 17% |
| Third-party supply chains | 15% |

Some technologies are used by many…

| Technology | In use |
| --- | --- |
| Multi-factor authentication/biometrics | 82% |
| Blockchain | 76% |
| Secured browsers | 57% |
| Internet of Things/sensors | 56% |
| Artificial intelligence/machine learning | 41% |

…while others are favored by those with more experience

| Technology | Leaders and Intermediates | Beginners |
| --- | --- | --- |
| Endpoint detection, response or protection software | 51% | 26% |
| Endpoint protection software | 46% | 16% |
| Network traffic analysis | 41% | 8% |
| Quantitative risk assessment models such as Factor Analysis of Information Risk (FAIR) | 40% | 22% |
| Cloud access security brokers | 41% | 6% |
| Third-party information security practices | 40% | 9% |

Our survey findings suggest, however, that the financial
services industry is primed for a significant expansion
of the cybersecurity toolset: The three approaches that
are least used today — user behavior analytics, smart
grid technologies and deception technology — are
among those that financial services firms say they are
most likely to adopt over the next two years.
Financial services firms are challenged to simultaneously make their systems more nimble, more permeable (easily accessed and integrated), more customer-centric, more stable and more secure in response to rising consumer expectations and increased competition from fintech and insuretech firms. – Ed Page, Managing Director, Technology Consulting, Protiviti
New technologies on the horizon

| Technology | In use today | Plan to adopt over the next two years |
| --- | --- | --- |
| User behavior analytics | 4% | 62% |
| Quantitative risk assessment models | 36% | 34% |
| Deception technology | 11% | 55% |
| Smart grid technologies | 6% | 31% |
| Quantum computing | 24% | 26% |

Quantitative methods bring far-reaching benefits
While other technologies and methods will see a larger jump in adoption over the next two years, the percentage of financial services firms now using quantitative methods for cybersecurity risk analysis, combined with those that plan to adopt them in the next two years, will make it a cybersecurity mainstay by 2020. This is likely to be a significant development in the maturation of the industry’s approach to cyber risk, because quantitative methods involve not just new technology but also a new mindset in how the cybersecurity challenge is approached. That mindset brings significant benefits across the cybersecurity function.
Effects of quantitative risk measurement methods

| Outcome | Using quantitative models today | Plan to use quantitative models by 2020 | No plans to use quantitative models |
| --- | --- | --- | --- |
| One or no security breaches last year requiring deployment of the emergency response plan | 35% | 12% | 14% |
| Five or fewer unpatched system or application vulnerabilities last year | 36% | 24% | 12% |
| Five or fewer data loss prevention incidents last year | 30% | 21% | 12% |
| Five or fewer critical open security vulnerabilities in customer-facing products | 44% | 31% | 19% |
| Less than 10 percent chance of suffering more than $1M in cyberattack losses next year | 66% | 48% | 23% |
| Discovered incidents in an average of less than one day last year | 56% | 21% | 21% |
| Cybersecurity fines or penalties last year of less than $100K | 49% | 24% | 29% |

Supporting Cybersecurity Across the Organization
An organization’s cybersecurity function, of course, does
not exist in a vacuum, but is affected by an organization’s
governance, controls and structure. At many of these
points, financial services firms are further ahead than
companies outside the sector — suggesting a stronger
“tone from the top” and coordination within the C-suite.
However, when looked at in absolute terms, financial
services firms still have room for improvement.
Financial services organizations lag significantly
behind firms outside the sector in one notable area:
having an independent audit function regularly
review the company’s risk appetite statement and
incorporate gaps into the audit strategy. Given that
most financial services firms have well-developed
audit functions, this should be a straightforward
shortcoming to address.

| Support process | Financial services | Non-financial services |
| --- | --- | --- |
| My company has appointed an executive with sole responsibility for ensuring information security. | 46% | 38% |
| Our HR department has a budget for recruiting, training and developing employees to improve cybersecurity. | 39% | 41% |
| The independent audit function regularly reviews our company’s risk appetite statement and incorporates gaps into the audit strategy. | 34% | 43% |
| My company has a cyber risk appetite statement approved by the board. | 27% | 18% |
| My company has appointed a data protection officer to oversee data privacy compliance. | 24% | 19% |
| The cyber risk appetite statement is part of our company’s enterprisewide risk statement. | 18% | 16% |
| The independent audit function regularly reviews our company’s risk appetite statement. | 15% | 12% |
| My company uses a third-party forensics provider. | 13% | 7% |

Recommendations
The way in which digital technology has permeated the business of the financial services industry means that
firms must guard their cyber assets with the same level of sophistication and care that they employ with more
traditional assets. Our survey suggests that the industry has a solid foundation from which to do so. Nonetheless,
there are clear action steps that can be taken to strengthen the cybersecurity function. We suggest starting with
the following:
1. Financial services firms are doing well leveraging their risk assessment and management capabilities when it comes to identification processes, but there is noticeable room for improvement in the areas of governance and integrating the audit and cybersecurity functions at key points.
2. Firms earlier in their cybersecurity journey should consider adopting some of the wider range of technologies adopted by more mature firms. All firms should examine both their infrastructure and the capabilities of their personnel to ensure that they are able to adapt to the next generation of cybersecurity threats and to adopt emerging technologies and methods for countering those threats.
3. Firms that are not yet using, or have not yet made plans to use, quantitative methods for cybersecurity risk assessment should consider doing so. Approaching cybersecurity with a quantitative mindset brings a range of benefits that extend beyond better prioritization and risk-based decision-making.
4. When considering how various trends might affect cybersecurity strategy, firms should not underestimate business trends. While there are several reasons why technological developments may dominate the discussion, business factors may cause equally significant shifts in vulnerabilities given the role digital now plays as a business platform.
5. Financial services firms need to ensure that they are balancing their cybersecurity efforts across all five pillars of the NIST framework. Every cybersecurity function must deal with limited budgets and workforce; the legacy impulse to emphasize protection can result in critical shortcomings elsewhere. Further, it is critical to closely examine all elements of each pillar so that strength in some areas does not obscure weaknesses in others.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-1118-103128 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.