Financial institutions spend an average of around $2,300 per full-time employee on cybersecurity annually, reveals a survey released today by Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
According to the report, “Pursuing Cybersecurity Maturity at Financial Institutions,” respondents from banks, insurers, investment management firms and other financial services companies spend anywhere from six to 14 percent of their information technology budget on cybersecurity, averaging 10%. This number translates to a range of around 0.2% to 0.9% of company revenue and — breaking it down even further — between $1,300 to $3,000 on cybersecurity per full-time or equivalent employee in the survey, which was fielded in the fall of 2018.
Survey responses show that larger firms allocated nearly one-fifth of their cybersecurity budget to identity and access management — nearly twice the percentage of midsize and smaller companies, which tended to spend more heavily on endpoint and network security.
“Of course, money alone is not the answer — as we found in the study, higher cybersecurity spending doesn’t necessarily translate into a higher cybersecurity maturity level,” said Julie Bernard, a principal with Deloitte Risk and Financial Advisory’s cyber risk services, Deloitte & Touche LLP. “While everyone is looking for an efficiency ratio for their cyber costs, how a security program is planned, executed and governed is as important, if not more.”
The report — shared with executives at the FS-ISAC 2019 Annual Summit today — looked at various components of a financial institutions’s cybersecurity operation, including how it is organized and governed, who the chief information security officer (CISO) reports to, the level of board interest in the CISO’s work, as well as which cyber capability areas were prioritized in terms of spending.
The most successful programs exhibit several core traits, including:
• Setting a tone at the top of an organization, with both executives and the board. Lack of management support and/or inadequate funding was cited as a CISO’s top challenge in managing cyber by companies with a lower level of risk management maturity. Those boards and management committees viewed as the most successful were more interested in nearly all areas of cybersecurity; more CISOs reported to chief operating officers and chief risk officers than to chief information officers and chief technology officers in these firms as well.
• Raising cybersecurity’s profile beyond the IT department to give the security function higher-level attention and greater clout. The most mature institutions were more likely to elevate the cybersecurity function by completely segregating cybersecurity from IT. According to Bernard, to drive effective execution of a “cyber risk control” program, executive management needs to structure their cyber leadership team to drive communication and implementation of security across the enterprise — and have both the authority and expertise to do so.
• Aligning cybersecurity efforts with the company’s business strategy. The prolific impact of having cyber embedded in organizational strategy, planning and execution of operational or performance efforts should not be underestimated, according to Bernard. “Cyber deserves organizational alignment, prioritization and reporting structures,” she said. “Embedding cyber professionals into the businesses can enable the cyber organization, and its leaders, to be more strategic and better manage cyber risk across the enterprise.”
“Agile organizations are constantly adapting their cybersecurity program to deal with the evolving threat landscape,” noted Steven Silberstein, CEO of FS-ISAC. “Sharing of industry standard best practices in governance, intelligence, resiliency and prevention are integral to the protection of the sector.”
According to the report, business growth and expansion was identified as the second-biggest challenge in managing cybersecurity among CISOs surveyed at the most mature companies, trailing only the rapid IT changes and rising complexities — an issue that faces all CISOs, regardless of a company’s maturity level.
“As companies grow by adding new platforms, products, geographic regions, apps and web capabilities; cybersecurity considerations can multiply along with the introduction of each new element,” said Bernard. “The reality of ‘cyber everywhere’ is taking hold as organizations are working quickly to understand what that means for operations, innovation and beyond — and the stakes have never been higher for getting it right.”
In contrast, according to the survey, companies with less mature cybersecurity programs were often still contending with much more basic issues than how to cope with growth challenges. The second largest problem that less mature companies face, for instance, is prioritizing options for securing the enterprise.
The survey was fielded last fall by FS-ISAC, in conjunction with Deloitte’s cyber risk services practice. Ninety-seven companies participated, with 39% of those reporting revenue of more than $2 billion annually, while 23% were classified as midsized, with annual revenue between $500 million and $2 billion.