Chief Information Security Officers (CISOs) weighed in on the most critical cyber-defense methods, frequency of cyber-preparedness reporting to their respective boards of directors as well as the current cyber chain of command within their respective financial organizations.

Most critical defense
CISOs surveyed were split on their top priorities for securing their organizations against cyberattacks. Most (35 percent) of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector. Infrastructure upgrades and network defense are also prioritized by (25 percent) CISOs; and breach prevention by 17 percent. CISOs reporting into a technical function like Chief Information Officer (CIO) prioritize infrastructure upgrades, network defense and breach prevention. CISOs reporting into a non-technical function like the Chief Operations Officer (COO) or the General Counsel prioritize employee training.

Frequency of reporting
While cybersecurity used to be handled in the server room, it is now a board room topic. The study found that quarterly reports to the board of directors were most common (53 percent) with some CISOs (eight percent) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.

Most CISOs report to CIO, not CEO
As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organizational spotlight. The study found that the majority of CISOs don’t report to the CEO; the top cyber chain of command is more likely to be the CIO; followed by Chief Risk Officer (CRO) and then COO. Sixty-six percent of CISOs report into the CIO, CRO and COO. Only eight percent of CISOs report into the CEO. The study found that the reporting relationship did not impact frequency of reporting to the board of directors on cybersecurity.

Recommendations for 2018
FS-ISAC recommends training employees should be prioritized for all CISOs, regardless of reporting structure because employees serve as the first line of defense. Employee training should include awareness about downloading and executing unknown applications on company assets, and in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments.

FS-ISAC encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an ‘at the ready’ risk posture and that cyberpractices are transparent to board members.

As the threat landscape shifts, FS-ISAC recomends CISOs having expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely. Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making.

All participants in the FS-ISAC CISO survey are FS-ISAC members, serving as current CISOs for their respective financial institutions around the world. This is the first year FS-ISAC conducted the CISO Cybersecurity Trends Study.