As a financial services cybersecurity professional who has worked on three continents for large multinational institutions, I understand the advantages and challenges for security departments at banks both large and small. Faced with increasingly sophisticated cyber attacks, small banks can use their size to their advantage. Small and mid-sized banks often have the agility that a large institution could never achieve. The ability to quickly adapt tactics and implement advanced technologies (with the support of partners) can help small banks provide strong cybersecurity.

It is clear that large global financial institutions have unique capabilities and opportunities, but this does not always mean stronger security. Large banks have the budgets to buy any tool the security team could ever need. Teams of hundreds or thousands usually include highly specialized talent with expertise in emerging technologies like quantum computing or blockchain. It is fun and interesting to manage a globally integrated organization and have colleagues around the world working on global issues. When it comes to suppliers, large institutions also often receive better pricing and support.

While large banks may seem like they have all of the resources they need, the reality is that these highly specialized teams are often siloed within a bureaucratic maze that prevents the rapid flow of ideas and communication. This is especially harmful in the case of an incident where every minute counts and clear communication is critical. Large budgets, while helpful, may also lead to cycles of free spending, followed by budget cuts to rein in the spending. Free spending cycles may also result in generic capability building and purchasing of unnecessary tools, rather than a focus on real risk reduction value. Finally, large organizations seem to develop a resistance to change. This is a problem in a cybersecurity landscape defined by rapid change. Change is much harder, of course, at a bank with 100,000 staff than it is at a firm with only 2000. However, the challenge of organizational change often serves as an excuse to stay with an old approach or strategy, even if a better alternative is available.

Success is Measured by Risk Reduction, Not Capability Building

Instead of measuring security capability by team size or number of tools, smaller organizations must focus on delivering value in the form of risk reduction. At First Hawaiian Bank, our small team communicates quickly and easily, without layers of bureaucracy or extra process to get in the way. We may be a small customer for our vendors, but we adopt tools to meet our specific needs and we make sure that every tool adds real operational value.

Our focus on efficiency is also an opportunity to be future-focused. We cannot replace tools every year; we need to future-proof our strategies and look three to five years out to get the most value from every tool. Startup companies with cutting-edge technologies that want to break into financial services see us as valuable customers who can become a use case for them. These small but advanced vendors are often willing to work with us to ensure their tools are fully optimized to meet our needs. We have the opportunity to grow with these vendors as their technology advances. While larger firms cannot afford to take these kinds of chances, we can be (careful) early adopters.

Continuous Monitoring is a Foundation for Strong Security

Financial institutions have many security tools; this creates a significant amount of complexity. In addition, security teams must report the bank’s security posture to many different internal and external stakeholders. This includes regulators, the board, auditors, insurance carriers, internal executives, and other third parties. Considering that half of a security team’s time may be spent on reporting, First Hawaiian Bank realized that we needed an efficient and effective approach. To that end, we developed a continuous monitoring strategy that provides an efficient and accurate view of critical security controls that is equal to or better than the oversight capability of many larger organizations.

Continuous Controls Monitoring (CCM) aggregates data from all relevant bank sources into a single, trustworthy platform that gives us a complete, real-time picture of our security posture. Tools that would never normally interact can be combined to create trusted inventories, enriched with business context from multiple sources. This automated security measurement lets the cybersecurity team see which controls and safeguards are working, and it continuously compares our current state with our standards. CCM also highlights gaps in controls coverage and allows us to track changes in effectiveness over time. With CCM, improvements in efficiency and security optimization occur at the same time. This reduces operational costs and maximizes the security team’s productivity. CCM was only recognized as a security category by Gartner in 2020. However, at First Hawaiian Bank we are already working to build this capability.
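The reconciliation at the heart of CCM, as an added example that is not First Hawaiian Bank's or FS-ISAC's own code: three constructed inventories from tools that normally never interact (a CMDB, an EDR agent console, a vulnerability scanner) are merged into one trusted inventory, each host is checked against an assumed standard, and coverage gaps and per-control coverage percentages are produced for reporting. Hostnames, owners, tiers and the scan-age limits are all made up for the example.

```python
"""Minimal Continuous Controls Monitoring reconciliation (added example, constructed data)."""
from dataclasses import dataclass

# Constructed extracts from three sources. Formats and values are assumptions.
CMDB = [
    {"host": "core-db-01", "owner": "Payments", "tier": "critical"},
    {"host": "web-03", "owner": "Digital", "tier": "high"},
    {"host": "hr-app-02", "owner": "HR", "tier": "medium"},
    {"host": "file-srv-07", "owner": "Ops", "tier": "medium"},
]
EDR_AGENTS = {"core-db-01", "web-03", "lab-box-09"}            # hosts with a live agent
SCANNER = {"core-db-01": 5, "hr-app-02": 44, "file-srv-07": 12, "lab-box-09": 2}  # days since last scan

# The standard we measure against: maximum scan age per business tier (assumed policy).
MAX_SCAN_AGE_DAYS = {"critical": 7, "high": 14, "medium": 30}

@dataclass
class Finding:
    host: str
    owner: str
    tier: str
    gaps: list  # human-readable control gaps; empty list means fully compliant

def reconcile(cmdb, edr, scanner):
    """Build the trusted inventory as the union of every source, then test each control."""
    known = {r["host"]: r for r in cmdb}
    all_hosts = set(known) | set(edr) | set(scanner)   # a host seen by any tool counts
    findings = []
    for host in sorted(all_hosts):
        rec = known.get(host)
        tier = rec["tier"] if rec else "unknown"
        owner = rec["owner"] if rec else "unassigned"
        gaps = []
        if rec is None:
            gaps.append("not in CMDB (shadow asset)")   # business context is missing
        if host not in edr:
            gaps.append("no EDR agent")
        age = scanner.get(host)
        limit = MAX_SCAN_AGE_DAYS.get(tier, 30)        # unknown tier held to the medium bar
        if age is None:
            gaps.append("never scanned")
        elif age > limit:
            gaps.append(f"scan {age}d old (limit {limit}d)")
        findings.append(Finding(host, owner, tier, gaps))
    return findings

def control_coverage(findings):
    """Percent of hosts passing each control: the number that goes to the board or a regulator."""
    n = len(findings)
    edr_ok = sum(1 for f in findings if "no EDR agent" not in f.gaps)
    scan_ok = sum(1 for f in findings if not any(g.startswith(("never", "scan ")) for g in f.gaps))
    return {"hosts": n, "edr_pct": round(100 * edr_ok / n, 1), "scan_pct": round(100 * scan_ok / n, 1)}
```

Run against these constructed sources, the shadow host `lab-box-09` and the never-scanned `web-03` surface as gaps that no single tool would have reported on its own, and EDR and scanning coverage each come out at 60% of the trusted inventory.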

Effectively Presenting Cyber Risk

For many CISOs, it is challenging to demonstrate the effectiveness and benefits their cybersecurity programs generate in ways that senior business leaders understand. The qualitative risk assessments done by many large organizations (Red – Amber – Green or RAG scores) do not effectively communicate the level of a potential risk or value of a particular control. It is hard to prioritize remediation efforts without using a unifying business-focused language. At First Hawaiian Bank, we are working to address this with a cyber risk quantification program designed to improve risk analysis and to describe cyber risk in quantifiable terms that help business executives make decisions. We are implementing capabilities to enable the bank to optimize security investments towards the most impactful mitigation efforts. Once completed, our security team will be able to make informed decisions regarding operational tasks (e.g., which control provides the most value), and business leaders can make better informed strategic decisions about the cybersecurity program (e.g., buy vs. build a security capability).

Quantifying cyber risk and implementing Continuous Controls Monitoring are advanced approaches that are improving our bank’s security posture. In my experience, it would be challenging to implement advanced and integrated approaches this quickly across a large institution. However, the size and agility of First Hawaiian Bank allow us to adopt them quickly.

The Insight

CISOs of small or mid-size financial firms can move faster and be more agile than larger organizations. This is an advantage in a cyber threat landscape characterized by constant change and a need to adapt. While smaller firms do not have infinite resources, they also do not face as many constraints. CISOs can use budget pressure to focus on value and look for future-forward tools and strategies. Lastly, it is clear that this is a competitive market for cybersecurity talent. Banks like First Hawaiian offer advanced work and the ability for each person to make a big impact. Highlighting these opportunities is a great way to attract and retain security talent.

March 2022

© 2022 FS-ISAC, Inc. All rights reserved.
