As a financial services cybersecurity professional who has worked on three continents for large multinational institutions, I understand the advantages and challenges for security departments at banks both large and small. Faced with increasingly sophisticated cyber attacks, small banks can use their size to their advantage. Small and mid-sized banks often have the agility that a large institution could never achieve. The ability to quickly adapt tactics and implement advanced technologies (with the support of partners) can help small banks provide strong cybersecurity.It is clear that large global financial institutions have unique capabilities and opportunities, but this does not always mean stronger security. Large banks have the budgets to buy any tool the security team could ever need. Teams of hundreds or thousands usually include highly specialized talent with expertise in emerging technologies like quantum computing or blockchain. It is fun and interesting to manage a globally integrated organization and have colleagues around the world working on global issues. When it comes to suppliers, large institutions also often receive better pricing and support.
Instead of measuring security capability by team size or number of tools, smaller organizations must focus on delivering value in the form of risk reduction. At First Hawaiian Bank, our small team communicates quickly and easily, without layers of bureaucracy or extra process to get in the way. We may be a small customer for our vendors, but we adopt tools to meet our specific needs and we make sure that every tool adds real operational value.
Our focus on efficiency is also an opportunity to be future-focused. We cannot replace tools every year; we need to future-proof our strategies and look three to five years out to get the most value from every tool. Startup companies with cutting edge technologies that want to break into financial services see us as valuable customers who can become a use case for them. These small but advanced vendors are often willing to work with us to ensure their tools are fully optimized to meet our needs. We have the opportunity to grow with these vendors as their technology advances. While larger firms cannot afford to take these kinds of chances, we can be (careful) early adopters.
Financial institutions have many security tools; this creates a significant amount of complexity. In addition, security teams must report the bank’s security posture to many different internal and external stakeholders. This includes regulators, the board, auditors, insurance carriers, internal executives, and other third parties. Considering that half of a security team’s time may be spent on reporting, First Hawaiian Bank realized that we needed an efficient and effective approach. To that end, we developed a continuous monitoring strategy that provides an efficient and accurate view of critical security controls that is equal to or better than the oversight capability of many larger organizations.
Continuous Controls Monitoring (CCM) aggregates data from all relevant bank sources into a single, trustworthy platform that gives us a complete, real-time picture of our security posture. Tools that would never normally interact can be combined to create trusted inventories, enriched with business context from multiple sources. This automated security measurement allows cybersecurity teams to understand which controls and safeguards are working and continuously compares our current state with our standards. CCM also highlights gaps in controls coverage and allows us to track changes in effectiveness over time. With CCM, improvements in efficiency and security optimization occur at the same time. This reduces operational costs and maximizes the security team’s productivity. CCM was only recognized as a security category by Gartner in 2020. However, at First Hawaiian Bank we are already working to build this capability.
For many CISOs, it is challenging to demonstrate the effectiveness and benefits their cybersecurity programs generate in ways that senior business leaders understand. The qualitative risk assessments done by many large organizations (Red – Amber – Green or RAG scores) do not effectively communicate the level of a potential risk or value of a particular control. It is hard to prioritize remediation efforts without using a unifying business-focused language. At First Hawaiian Bank, we are working to address this with a cyber risk quantification program designed to improve risk analysis and to describe cyber risk in quantifiable terms that help business executives make decisions. We are implementing capabilities to enable the bank to optimize security investments towards the most impactful mitigation efforts. Once completed, our security team will be able to make informed decisions regarding operational tasks (e.g., which control provides the most value), and business leaders can make better informed strategic decisions about the cybersecurity program (e.g., buy vs. build a security capability).
Quantifying cyber risk and implementing Continuous Controls Monitoring are advanced approaches that are improving our bank’s security posture. In my experience, it would be challenging to implement advanced and integrated approaches this quickly across a large institution. However, the size and agility of First Hawaiian Bank allows us to quickly adopt them.
CISOs of small or mid-size financial firms can move faster and be more agile than larger organizations. This is an advantage in a cyber threat landscape characterized by constant change and a need to adapt. While smaller firms do not have infinite resources, they also do not face as many constraints. CISOs can use budget pressure to focus on value and look for future-forward tools and strategies. Lastly, it is clear that this is a competitive market for cybersecurity talent. Banks like First Hawaiian offer advanced work and the ability for each person to make a big impact. Highlighting these opportunities is a great way to attract and retain security talent.
© 2022 FS-ISAC, Inc. All rights reserved.
Adam Palmer, (MBA, JD, CISSP), is the CISO at First Hawaiian Bank where he leads all cybersecurity operations. Adam is a former U.S. Navy Officer with 20 years of cybersecurity experience. Adam...Read More
lived for 10 years in the European Union (EU) where he worked for large multi-national organizations. He has also worked extensively in the Asia-Pacific region. Adam is currently based in Honolulu, Hawaii.