For Cybersecurity Best Practice, Look to the Finance Industry3rd May 2019
Originally published in Regulation Asia.
With cyberattacks on the rise – affecting every type of organisation in every vertical – the threat of expensive, embarrassing and bottom-line-affecting data breaches is very real. The problem is not getting smaller, it’s growing like a tumour.
I’m often asked to provide examples of which organisations are combatting this problem, navigating the ‘wild west’ of cybersecurity and AppSec best practice with particular finesse and mastery. I am finding myself coming back to one answer more often than others: it’s the finance industry that is doing it better than most.
Regulation: A driving factor in the finance industry’s cybersecurity leadership
One of the reasons the finance sector plays in the AppSec space so well is that they (at least in part) are driven by global, regional and national regulators’ concerns for the universal – not to mention catastrophic – impacts that could result from a successful cybersecurity attack or data theft.
The BCBS (Basel Committee on Banking Supervision) published a report in December that details the range of observed bank, regulatory and supervisory cyber-resilience practices across multiple jurisdictions. Among its key findings was a cybersecurity skills shortage challenge, a factor that only a slim few jurisdictions have worked to confront by implementing specific cyber certifications.
“Some jurisdictions have IT-specific standards that address the responsibilities of the IT workforce and information security functions, with particular attention to cybersecurity workforce training and competencies,” the report said. But most jurisdictions are in the “early stages” of implementing supervisory practices to monitor a bank’s cyber-workforce skills and resources.
For the most part, regulatory schemes require regulated entities to manage risks, but there is rarely a clear pathway to successfully mitigating this risk. They do not set specific requirements (or indeed, benchmarks) to address cybersecurity workforce skills and resources. Most regulators assess the cybersecurity workforce of institutions through onsite inspections, where self-assessment questionnaires are common practice, and training processes are particularly scrutinised, but only in a few jurisdictions do regulations specifically address IT staff’s roles and responsibilities. Put simply, the margin for error is great and the emphasis on the right training and subsequent assessment of skills is rather small.
In Japan and South Korea, public authorities have set guidelines on appropriate cybersecurity workforce management. In most other jurisdictions, however, regulatory requirements for cyber-workforce management are limited to supervisory expectations, where there is often no assessment by supervisors of cybersecurity skills and staff training at regulated organisations.
Only Hong Kong, Singapore and the UK have issued dedicated frameworks to certify cyber-workforce skills and competencies. While words like “compliance” and “certification” tend to send a cold shiver down the spine of your average creative, problem-solving developer tasked with building great software features (with them, security is often seen as someone else’s problem, namely the security team), the massive amounts of sensitive data many regulated entities hold is simply too valuable to leave in the hands of those where skills are ‘assumed’ rather than properly verified.
Fortunately, many banking and financial institutions recognise this without necessarily relying upon an obvious regulatory pathway. The regulations certainly provide an overview of the end-result expectations (i.e. secure software), but they have identified that achieving this requires circumventing the cybersecurity skills shortage by training developers, nurturing their relationship with existing AppSec professionals and building a positive security culture that breeds responsibility and ownership.
Why does the financial industry have the cybersecurity ‘X-factor’?
There are a few elements at play for firms in the banking, financial services and insurance industries, which come together as pillars of strength on which their leadership position in the cybersecurity landscape is based.
Naturally, as the gatekeepers of the world’s finances (not to mention millions of highly sensitive data records), they are typically very compliance-driven and regulated organisations – updated guidelines, regulations and requirements are expected and planned for in a meaningful way. As a result, they took like ducks to water with the evolving needs of mitigating cyber risk, boasting some of the most stringent cybersecurity best practice policies, as well as end-to-end processes for reducing their exposure to potential attack.
So, what are financial institutions doing differently to others? In my experience, they have laid the groundwork to be more security-aware than others, identifying a need for and dedicating resources to holistic training programmes for not just AppSec professionals and penetration testers, but also their (typically very large and globally scattered) development teams.
With cybersecurity relatively new in most organisations, it is refreshing that financial institutions are truly open-minded and innovative in their quest to provide safe, secure software. Many have seen the benefit of upskilling the development cohort with engaging training that takes them out of the classroom and into a hands-on, relevant learning experience that helps them not just fix problems, but understand the importance of secure coding in general.
After all, secure coding is a key ingredient in forging a robust, functional relationship between developers and the AppSec team, as well as maintaining a robust security culture within the business. Another key factor that drives a successful security programme is ensuring key stakeholders are on-board and seeing the benefit, even if they are not security professionals themselves.
Financial institutions tend to communicate well with executive management, ensuring that top-level decision-makers understand that security processes are not ‘set and forget’ measures; they must evolve as rapidly as the technology being used and adapt to variable risks.
It may cost time and money now, but with vulnerabilities thirty times more expensive to fix in committed code, a well-rounded security programme — that includes training from the ground-up – is a long-term money saver: it is far cheaper when security issues are fixed as they are written by security-aware developers.
Security standards are starting to keep pace with growing risk
A significant driver of cyber compliance for the finance industry comes from the PCI Security Standards Council, which remains committed to helping financial organisations implement viable security policies and uphold guidelines in all areas. They have been a force for good in helping this vertical achieve among the highest standards of security in payments software.
However, it has to be said that many of our financial industry clients have actually outdone even the current PCI Security Standards Council guidelines. While these guidelines recommend training for developers, (as mentioned earlier with other examples of regulatory information) they don’t specify a particular type or a certain benchmark to meet to indicate the training has been effective.
With many vulnerabilities like SQL injection and cross-site scripting (XSS) having hung around for more than twenty years (and are still causing problems in 2019), it is clear that not all training is equal or effective. By adopting hands-on, gamified secure training, banks and other financial services firms are seeing far better results and real reduction in the vulnerabilities that can wreak havoc if exploited.
A great example is how US banking institution, Capital One, has utilised gamified training techniques as part of its innovative Tech College and certification system. According to Russell Wolfe, their Director of Cybersecurity & Cloud Computing Education in a recent webinar, the voluntary training programmes and coding tournaments gained traction very quickly, with unprecedented demand and organic motivation from peers to get certified and assist in upskilling others.
What can regulators do to ensure cybersecurity workforces are adequately trained?
Regulators around the world can really ‘go one better’ on their existing cyber regulation policies and guidelines, simply by outlining accepted training methodologies and standards that those in control of protecting our data must meet. At the moment, it appears there is a general reference to a training requirement in most regulatory policies, but there is little follow-up to ensure those moving through any prescribed training are absorbing the content and techniques required to really assist in the fight against cyber threats.
The recent move by the MAS (Monetary Authority of Singapore) to include the adoption of security awareness training programmes and secure software development best practices in the latest iteration of its Technology Risk Guidelines, however, is encouraging. Once the guidelines enter into force, they will require financial institutions to ensure their software developers are trained to apply secure coding, source code review and AppSec testing standards when developing software, which should go a long way towards minimising bugs and vulnerabilities.
For me, training the development cohort with hands-on, real-world techniques is by far the most engaging and relevant to their jobs, while laying the foundations for the robust security culture each and every organisation must create before it’s too late.