Last week we attended the Financial Services Information Sharing and Analysis Center (FS-ISAC) cybersecurity summit in Orlando, Florida. The event was a first for a few on our team but certainly not for many of the attendees we spoke to, some of whom have been faithful members since the group’s inception 20 years ago.
The event itself attracted a variety of financial organizations eager to swap security best practices, including banks, credit unions, insurance companies, publicly-held securities, brokerage firms, trade associations, pension funds, processors, and privately held investment firms. Despite differences in business initiatives, size, and budget, attendees were united by a few key pain points addressed throughout the show.
With 313,000 open roles across industries, the cybersecurity skills shortage affects every vertical. Unsurprisingly, at FS-ISAC, there were no sessions on how to address this issue. However, it was still the root cause for many talks on how to do more with less.
With an average 18-month tenure for security professionals in any organization, it’s clear that it’s not only tough to find talent, it’s also tough to keep them. To address this issue, vendors like Secure Code Warrior were on tap to share how investing in developer education can reduce the volume of vulnerabilities, and thus workload, burnout, and churn. Crowdsourced solutions like Bugcrowd also contribute to this narrative with the ability to provide more output (collective continuous testing, high-priority vulnerabilities, triage services, etc.) from less input (cost, time, effort), to fill gaps and better enable existing resources.
Financial services ranks in the short list of the most heavily regulated industries. Much of that is due to both the risk to the consumer without proper precautions and the likelihood of something going wrong in the first place.
Unfortunately, malicious actors are heavily incentivized by the data held by financial services organizations, making likelihood of attack far greater than in other industries. In fact, the typical American business faces cyber attacks around 4 million times per year. In comparison, the typical American financial services firm is attacked a staggering 1 billion times per year, according to Bugcrowd’s 2019 State of Financial Services Report. It’s no wonder that regulators are cracking down on data security for this vertical.
Interestingly, this topic was most prevalent outside scheduled sessions, and on the showroom floor. Perhaps because most compliance chat is generally dull at best, and mildly triggering at worst. But it’s undeniably front of mind for every financial services CISO.
There were a few mentions of PCI compliance, but most conversations were focused on the Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council’s (FFIEC) information security handbook that facilitates compliance with GLBA. While there still seemed to be notable polarity with regard to the Compliance Assessment Tool (CAT) developed by the FFIEC to help banks, insurers, and others evaluate their cybersecurity preparedness, this was likely due to the question of whether it diverges too much from other best practices like those of the National Institute of Standards and Technology (NIST).
Considering this, many of Bugcrowd’s own conversations culminated in the assurance that our Next Gen Pen Test solution helps financial services organizations meet NIST 800-53 and section IV.A.2(b) of the FFIEC information security booklet, as well as relevant elements of GLBA.
Elevating Security to the C-Level
During its launch in 1999, FS-ISAC was far ahead of its time in formalizing a method for sharing intelligence and best practices amongst industry peers. So it should come as no surprise that one of the overriding themes of the event was not about baseline education but about pushing the boundaries of what’s possible. Less “what,” more “how.”
Keeping with that theme, several vendors dropped the “what is X?” style session in favor of a “how to find budget for X” tutorial. While presented by solutions well worn in other industries, like SIEM and SOAR, the fact that sessions like these were so well attended indicates that forward-thinking security leaders have bought in, but still have some work to do to help their boards do the same (literally).
One of the most popular sessions was titled, “Budgets, Boards, and Benchmarks.” All about reporting metrics and methods to fuel executive conversations, this session was aimed at a third obstacle faced by most attendees — measuring the value of existing solutions against a slew of competing priorities, as well as carving out budget for those that have advanced beyond outdated compliance initiatives.
FS-ISAC Orlando was a fantastic peek at both the frustrations and opportunities for forward-thinking financial services entities today. The attendees were engaged, the conversations were enlightening… and Epcot was epic.
To read more about security amongst the financial services industry, read Bugcrowd’s 2019 State of Financial Services Report.
For more information on how our Next Gen Pen Test solution can help you better utilize existing resources, ease your compliance woes, and promote the importance of security with your partners, customers, and the board, check out Next Gen Pen Test.