Is Your Fintech Cybersecurity Program on Track? Here’s How to Prioritize Your Needs

The financial sector is heavily regulated globally. Because of that, it’s highly unusual to come across a poor fintech cybersecurity program.

However, there are some pretty big differences between the spirit and the letter of regulation and compliance. While a fintech org may be able to check boxes on compliance, that doesn’t necessarily mean they’re safe from security incidents.

Although fintech is heavily regulated and their security orgs are making some good inroads, the metrics say that things are continuing to get worse for them. Both the frequency and cost of breaches in fintech have risen significantly in recent years.

Furthermore, sources such as the Fintech Times indicate there’s a struggle to hire talent. Firms have also heavily overinvested in tools and technology, which have failed to make a positive impact on their security.

Without the staff to maintain and operate a myriad of tools, organizations are quickly finding significant gaps in their security strategy.

In my opinion, the biggest problem in the sector is the overall ineffectiveness of the program, which is due to these poorly implemented, disparate tools. Organizations are throwing money and tools at the problem, but it’s not sufficient.

I’ve said it many times before, and I’m going to continue to say it: cohesive cybersecurity strategy looks at people, process, and technology. If just one of those is missing, the whole program is at risk.

Is the Finance Sector Aware of These Problems?

In general, the leaders at financial institutions and fintech orgs absolutely do understand the risks. The stakes in this industry are incredibly high. Consumers have a lot of choices in the financial sector and a high-profile breach can destroy consumer confidence, causing profits and revenue to plunge.

Additionally, there’s a lot of buzz right now about CISOs being charged and sent to jail as a result of their action — or inaction — regarding several high-profile breaches. No competent leader in any security organization, fintech or otherwise, can possibly be unaware of these ongoing high-profile cases.

It’s not that financial leaders aren’t aware of security concerns. On the contrary, these are the things that keep leaders up at night. In my opinion, this fear is a bit of an overreaction, and that’s part of what’s driving an increase in throwing money and tools at the problem.

Financial leaders should be taking more of a balanced, risk-based approach that focuses on process. And rather than adding more tools to their portfolio, they should actually consider reducing it to the vital few that are highly effective.

How Should Fintech Companies Prioritize Their Cybersecurity Needs?

Let me start off by saying that it’s not always about the amount of money that an organization throws at the problem. Many of Black Kilt’s engagements tend to be self-funded as cost-saving initiatives in the security space.

By integrating systems and tools, we can eliminate manual effort, and staff can focus on projects that add value to their company’s security program. This kind of effort also helps highlight any overlap in security tooling, so leaders can make informed decisions and properly evaluate their portfolios.

Certainly, cost is always part of the equation — but it should only be a part, not the entire strategy.

I caution leaders about making significant cuts to their infosec programs. Not only are the optics bad externally, but if an incident does happen after a significant cut, it opens the door for armchair quarterbacks. They’re going to be second-guessing those decisions, and that doesn’t bode well for the tenure of security leaders.

Broad cuts to security staff and technology can also have some pretty catastrophic consequences. If cuts aren’t made strategically, programs will be left shorthanded. The wrong tools may be decommissioned, leaving coverage or visibility gaps for attackers to exploit.

I highly recommend taking a balanced approach by reallocating resources more effectively through strategic tool consolidation and risk management. From there, you’ll be able to do more with fewer people and without additional investment.

After you’ve consolidated your portfolio, you’ll have to prioritize your security projects. During this process, I recommend taking a risk-based approach.

With risk, there are really two strategies: you can accept the risk, or you can mitigate the risk. Both of those strategies have their own benefits and consequences.

As an example, if you have a robust backup and recovery program, then you may be willing to scale back on ransomware-specific mitigation tools and rely on more general-purpose detection and response tooling.

Considering the backup solution in concert with ransomware mitigation provides options that might not be obvious when evaluating each solution individually. Ransomware may be a risk you choose to accept because you’re confident that your backup program can be used to adequately mitigate the risk.

However, if you choose to accept the risk of ransomware and you also choose not to implement a backup and recovery program, the consequences are sure to be pretty dire when you suffer an attack.

What Practices Should Be Avoided During This Process?

I hinted at this earlier, but throwing money at turnkey tools hasn’t really proven to be a great solution in the industry. The metrics highlighted earlier also support this claim.

Companies are averaging more than 30 security tools in their portfolios, and over a dozen vendors. Despite that, statistics show that the number of incidents is continuing to rise.

I’ve also noticed a trend starting in 2023, where larger companies are cutting senior security staff and replacing them with junior or general-purpose IT workers on a promise of future training.

However, Security Today recently referenced a study from Stanford and Tessian that showed employee mistakes are a leading cause of cybersecurity incidents, at about 88%.

Companies that replace highly skilled, well-trained, and capable employees with those who are not well-trained should only expect the likelihood of mistakes and security incidents to go up.

I get it — employers are desperate and security costs are continuing to rise to the point where they’re out of control. But reducing training and experience is not a responsible way to manage costs.

Can Companies Expect to Complete This Challenge on Their Own?

Without knowledgeable and experienced staff, it’s very unlikely that companies will be successful in restructuring their cybersecurity programs on their own.

As the security threat landscape is rapidly changing, it’s hard for us as insiders to keep up. Those that are attempting to do security as a part-time job are pretty much guaranteed to fall behind.

However, there is some hope for the employers seeking relief from the endless security nightmare that we’re in right now.

Those that are taking a thoughtful approach to security through portfolio consolidation and rigorous process improvements are actually having some success. Gartner is predicting a 65 percent improvement in risk management posture for companies that have already consolidated their portfolio.

Black Kilt Can Help Your Cybersecurity Program Get Back on Track

If you turn over your security to an army of consultants, chances are they’re going to eventually move on and leave you holding the bag. Why not choose a specialty firm that will partner with you to define a unique security strategy and meet your needs?

Black Kilt can identify which of your processes are currently struggling, explore what your future security landscape could look like, and eliminate pain points for your organization’s security with an engagement customized to address your biggest risks and priorities.

Call Black Kilt today for a free consultation, and to begin the journey to get control of your security costs. We aim to improve your security posture and readiness by leaps and bounds.