The Chief Information Security Officer in Financial Services

According to one cyber specialist's analysis of more than 15 billion financial transactions, criminal cyber activity targeting the financial sector rose by 40% in 2015 alone. The threats behind such a statistic have been realised more than once in recent years: in 2014, JP Morgan Chase suffered a massive data breach affecting 83 million accounts; in 2015, the Carbanak gang was reported to have stolen up to $1 billion from some 100 banks across 30 countries; and, in 2016, attackers used fraudulent SWIFT payment instructions to move $101 million of the Bangladesh central bank's reserves out of its account, of which around $81 million was never recovered. Quite rightly, financial institutions (FIs) have moved cyber security towards the top of their agendas, as have regulators, who continue to tighten compliance requirements across the sector. But whilst cyber-crime poses a significant threat and accounts for a large proportion of economic crime, it is only one dimension of information security as a whole, which is now a regular item on the agenda of every FI's board. As FIs accumulate and process ever more data whilst undergoing technology transformation initiatives and enterprise-wide digitisation, the information security challenges they face grow more complex and reach higher into the organisation. Herein lies the need for the Chief Information Security Officer (CISO).

In business-as-usual, a CISO must be able to define and deliver a comprehensive security architecture and communicate it clearly to the board and all other key stakeholders. In the event of an information security incident, they should be able to respond by coordinating communications among the C-suite, general counsel, media relations, regulators and other necessary parties, ideally against a response plan agreed and rehearsed before the incident rather than improvised during it. Whilst a CISO must know what data is important to protect, they do not necessarily need to be the most technically expert leader on staff. Current technologies, from the latest detection analytics to other emerging capabilities, are generally adequate to meet the technical requirements. More important is a CISO who can influence the business's key strategic leaders and who surrounds themselves with technical experts who know which tools to apply and how; the CISO still needs enough technical grounding to challenge those experts and to judge whether what they propose actually reduces risk. As with any role, cultural fit is a fundamental consideration. The industry has identified two CISO archetypes, a helpful polarisation when considering the characteristics of a CISO: those who run to the fires and those who run from the fires. Some CISOs prefer to work tactically, building cyber security programmes from scratch and then moving on before a breach tests them; others work reactively, responding to breaches, because a recent breach tends to bring with it an increased appetite for sponsorship of their work.

The financial crisis of 2008 led to increased respect for Chief Risk Officers (CROs) across FIs. Indeed, a number of FIs dramatically increased their risk management budgets, raised CRO compensation and elevated the role to senior management. The CISO role has the potential to follow suit. Black swan events relating to information security are inevitable and will, no doubt, lead to increased respect for the role. Some find it conceivable that CISOs reporting to CEOs will become commonplace. At present, however, it is not. On the whole, and within FIs in particular, CISOs tend to report to CIOs and, in some instances, to COOs. Standard Chartered, for example, recently hired Cheri McGuire as CISO reporting to the CIO, Michael Gorriz, whereas Barclays hired Troels Oerting as CISO reporting to the COO. There is a conflict of interest in having a CISO report to their CIO: the CIO is measured on delivering technology on time and on budget, and the CISO is the person most likely to have to delay, constrain or block a delivery on security grounds. Essentially, the individual responsible for ensuring organisational information security should not be subordinate to the person responsible for technology selection and implementation. Rather, the two should operate as a team, driving information security up the boardroom agenda. An effective CIO/CISO team translates board-level strategy into technical requirements for the organisation. The CIO should ensure that best-of-breed technologies are selected and architected in the most operationally beneficial manner; the CISO should ensure that these meet the security requirements of the business on an ongoing basis.

A challenging global economy and underwhelming results amongst FIs have led to underinvestment in many areas, not least information security. Whilst tightening budgets to reduce costs and improve margins, FIs still try to innovate and do more with less, which is not an effective strategy when addressing information security. CISOs are also faced with the challenge of gaining executive sponsorship, which is distinct from funding. For the tactical CISO, whose modus operandi is proactivity, sponsorship is fundamental to defining and delivering a programme effectively, before it is too late. For the reactive CISO, there is significant risk associated with responding to information security incidents, not least the possibility of reduced trust and an uphill battle to regain it. In an age of digitisation and technological advancement, FIs face an increasing number of information security challenges, too many to list here comprehensively. To ensure CISOs are effective in addressing these, it would be beneficial to minimise the burdens of securing investment and sponsorship. Of course, this may be easier said than done, but awareness is a good starting point.

Compensating CISOs is a challenge. A major factor exacerbating this is the regular movement of talent in the function. As CISOs move from one company to the next, they tend to see an increase in compensation, which in turn raises the market rate for equivalent talent. Performance measurement is another factor exacerbating the challenge. Whereas CIO compensation can be influenced by tangible metrics indicating performance, such as cost savings and other KPIs, few established metrics exist to evaluate CISO performance. To measure a CISO on a reduction in security breaches, for example, would be inherently flawed: some breaches go undetected, and the number of breaches depends as much on attackers' choice of targets as on the CISO's work. Measures within the CISO's control, such as time to detect and contain incidents, the coverage of key controls across the estate and the speed with which critical vulnerabilities are remediated, are more defensible, though they remain far less standardised than a CIO's KPIs. The difficulty in assessing CISO performance, combined with the regular movement of such talent, has resulted in significant pay discrepancies across the industry. That is to say, some CISOs working for large FIs with a great deal of responsibility are earning less than some with fewer responsibilities at smaller FIs. Such discrepancies can be the reason CISOs move organisation, as they seek better compensation packages. And so the cycle continues. Across FIs today, CISO compensation packages range dramatically, from £250,000 to well over £1 million. Roles based in non-core locations, in the UK but outside London for example, may see a regional differential, although larger FIs tend to be guided by corporate bandings and the wider demand for top talent.

The need for a CISO will remain constant. The role itself, however, is still evolving. Meanwhile, FIs are in a continual state of change as they seek to address internal and external challenges to information security. Despite the fluidity of today's talent market, FIs should look to retain their top people, and it is incumbent on them to create and develop internal expertise. To do so, it is vital that FIs understand the characteristics a CISO needs to be successful, and that they provide the right organisational position, sponsorship and reward.