It’s no secret that the banking and finance sector is one of the most heavily targeted by cybercriminals. In addition to large-scale cyber heists (which, when successful, can result in millions of dollars in losses), it has to deal with high volumes of attempted fraudulent transactions, and of course, it has to protect its customers’ data.
On the positive side, because this sector faces such a high level of risk, it also tends to have the highest levels of commitment to cybersecurity. That doesn’t mean that banks are safe from cybercriminals – the past year alone has seen several successful attacks – but it does mean that the lessons they have to share are worth paying attention to, whether you operate in the financial sector yourself or not.
Our research project surveyed over 150 information security experts in the Middle East, predominantly from the UAE. A sizable portion of these responses (almost 25%) came from experts in the financial sector – which makes sense, given their investment in cybersecurity.
One of the major findings of the research project as a whole was that information security teams in the UAE (and indeed worldwide) tend to be understaffed. The most common size of information security team reported by participants overall was 1-2 members. Among participants not operating in the financial sector, almost 75% reported that their company’s information security team had five members or fewer. However, in the financial sector, almost half said that their team had more than five members.
The ‘IT skills gap’ is a global problem, but research shows that it particularly affects the UAE. As media coverage brings increasing awareness of cybercrime among non-technical management, budget has increased for some cybersecurity teams. But while technological solutions and externally-provided services such as training or consultancy are important, increased hiring is crucial in order for a team to be effective. The larger teams observed in the financial sector (and also notable in government organisations) demonstrate genuine senior-level investment in and commitment to cybersecurity.
Unsurprisingly, that’s also reflected in the levels of board support participants reported. Overall, participants were reasonably confident that they received a good amount of support, and that the CISO’s input regarding operational risk was appreciated by board-level executives. The statistics were still not entirely reassuring – only one in four participants said that the CISO’s knowledge of operational risk was fully appreciated by the board, and almost a third said that they do not have as much board support as they need to be effective.
However, they were broadly consistent with what we expected, and they were more positive than preliminary results from our European research, in which only 14% felt that the CISO’s risk knowledge was fully appreciated, and two in five said that they received inadequate board support. And participants from the UAE’s financial sector were particularly positive – 38% said that the CISO’s risk knowledge was fully appreciated, compared to 20% in other sectors.
Almost three quarters of finance sector participants said that they received mostly or completely sufficient support, compared with just over half of other participants.
These levels of board support are reflected in participants’ responses regarding the vendor ecosystem. Among participants overall, the most common complaint was that solutions and services were overpriced, and many of the top priorities (notably ‘quality of customer support’) seemed to be geared towards compensating for small information security teams.
Among participants from the financial sector, the top priorities were ‘ease of implementation’, ‘integration with existing systems’, and ‘reputation / client testimonials’. ‘Speed of response to new developments’ and ‘scalability’ were also a higher priority in this sector than they were among participants in general. Conversely, ‘affordability’ and ‘quality of customer support’ were less popular with participants in this sector than they were with others.
So who best fulfilled those priorities?
Among financial sector participants, Fortinet was the vendor most frequently named as fulfilling the priorities they had specified. Taking into account answers to all questions (including effectiveness in various areas of security), financial sector participants’ most frequently mentioned provider was Cisco. Looking at participants from all sectors, not just finance, Fortinet was named the best fit by those who had chosen ‘ease of implementation’, while Cisco was most frequently mentioned as fulfilling ‘integration with existing systems’ and ‘reputation / client testimonials’.
Cisco and Fortinet were also the two solution providers most frequently mentioned by participants overall. There were only a few industries (healthcare and oil/gas) in which a provider that was not in the top five overall was either named the best fit or the most mentioned overall. However, there were some more subtle variations based on industry – for example, though it did not receive enough votes to ‘beat out’ companies such as Cisco or Fortinet, Cofense (formerly PhishMe) was particularly popular with participants from the financial sector.
Even so, participants in this sector – as with participants overall – still seem to prefer banking on big names to taking chances with more niche providers.