Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton’s 1998 Presidential Decision Directive PDD 63.
The FS-ISAC’s 2018 Cybersecurity Trends Report (PDF) notes a distinction in priorities based on the individual organization’s reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.
This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.
Learn More at SecurityWeek’s CISO Forum
“I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components,” he suggests. “Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training.”
Dan Lohrmann, chief security officer at Security Mentor, agrees. “The mission-essential business aspects that end user security awareness training is now playing in global financial organizations must be front and center surrounding around all data handling and incident response.” He recommends metrics-based training so that progress can be monitored.
The report finds no common reporting structure within financial organizations. Only 8% of CISOs report directly to the CEO. Sixty-six percent report to the CIO (39%), the CRO (14%) or the COO (13%). Despite these differences, there appears to be no impact on the frequency of reporting to the board of directors on cybersecurity.
Reporting most frequently occurs every three months (54% of CISOs). Eighteen percent report every six months, and 16% report annually. Only 6% report monthly.
There is no indication within the report on structural trends, which could provide an insight into the evolving role of the CISO. Greg Reber, CEO at AsTech, thinks this is an omission. “At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds,” he explains. “CIOs may need to get things done quickly to realize financial goals — moving processing to the cloud environments for example — while CISOs are chiefly concerned with risk management.”
He also notes a failure to comment on cyber risk insurance. “This falls into an ‘event response’ category, which we see as a top priority. However, it didn’t appear in the top three responses in this survey.” Reber equates ‘cyber defense’ with a Maginot Line philosophy, and believes resources should be balanced between defense and response.
“This report from FS-ISAC highlights the continued need for cyber awareness and vigilance from staff,” comments Stephen Burke, founder and CEO at Cyber Risk Aware. “Hackers are great at exploiting human nature, using social engineering tactics to gain their victims’ trust. Once they can get through defense and onto a user’s machine they may use sophisticated methods to stealthily move laterally across a network stealing data or credentials.”
FS-ISAC’s recommendations to its members based on its survey findings is that staff training should be prioritized regardless of the reporting structure. “People can be the solution to these growing online risks, or they can be contributors to the growing level of security problems,” says Lohrmann. “Effective security awareness training will enable the enterprise to successfully stop cyberattacks.”
Venture and M&A
Security awareness firms have been the subject of significant funding and M&A transactions in recent months.
Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amounbt raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million series C funding round in July 2016.
*Additional reporting by Mike Lennon
Related: FS-ISAC Launches Financial Systemic Analysis & Resilience Center
Related: Your Own Private Cyber ISAC: How To Get Up and Running
Related: Getting Employee Security Awareness Training Right
Related: Chief Information Security Officers Should be Reporting to Chief Risk Officers

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
- Quantum Decryption Brought Closer by Topological Qubits
- IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
- CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief
- Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
- Open Banking: A Perfect Storm for Security and Privacy?
- Apiiro Launches Application Attack Surface Exploration Tool
- Phylum Adds Open Policy Agent to Open Source Analysis Engine
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
