Treat cybersecurity as a business decision – Part II
So, if you read my column in last month’s magazine, the company did not go out and purchase a Faraday cage to protect our data center against electromagnetic fields. I’ll file that report under “cost avoidance.” It sounds so much better than cost savings, doesn’t it?
It just didn’t make sense to invest more money in an infrastructure that was going away very soon. That was the real business decision and one that many organizations have tackled. Do we go to the cloud? Is it secure? How much money will we save? How much money will it cost?
An old boss of mine, who was the CIO of a large wholesale lending bank, coined the phrase, “safe, secure and functional,” meaning that in every business decision made, the Technology and Security Department would ensure that we remained in compliance with regulations (safe), addressed all risks (secure) and enabled the business to remain operational (functional).
Most organizations struggle with just being secure and functional, but the financial services industry has the bonus plan by including compliance.
“Banks have the highest level of security among critical U.S. industries — and the most stringent regulatory requirements.” (American Bankers Association)
“To remain competitive, banks need to invest in technology, marketing, automation and self-service capabilities, and also must optimize their legacy investments in branches and traditional systems.” (Six Strategies for Improving Banks’ Operating Efficiency, Crowe)
What I’m trying to say is these are all huge decision points for an organization, and they need to be treated as business decisions at the highest level because each one of them can have negative or positive consequences. How’s that for riding the fence?
Seriously, though, as community bankers, we all want to be in compliance with the regulations. We certainly want to be secure, so we don’t lose the trust of our customers. And to remain competitive, we constantly have to look for ways to be operationally innovative and efficient. Piece of cake, right?
The same CIO I mentioned earlier coined another phrase, “If you can’t do it, we’ll get someone that can.” Now, the first time I heard that, I looked around the room at my team and we all had this look of, did he just say that? So, I bit my lip and didn’t initially respond. I even tried to sleep on it but just had to clear the air with him, so I went into his office the next day and asked him if I was being replaced.
He said not at all. What he was trying to do was let me know that we all need help making decisions at some point, no matter how long we’ve been in our careers. It did make sense, although I did ask him next time to just go right to the point.
There is a growing business sector in consulting that is really encouraging and filling a much-needed gap. The trend that I’m starting to see is more and more organizations engaging with virtual CIOs and virtual CISOs to help make these key business decisions and help address our risks.
I recently spoke on a podcast about the CISO revelation and was asked by the host if I had any words of advice for bankers. My advice is that after 26 years of experience doing this, I still reach out and ask for help. I never thought I knew everything about technology and cybersecurity, and I’m not sure that is attainable, but I certainly feel more knowledgeable and more confident making key business decisions because of the relationships I’ve formed with my peers and strategic business partners.
When hiring a vCIO or vCISO, always ask key questions that will lead you to someone who has been there, done that. You want someone who has experience making key business decisions: not someone who can help you check the compliance box, but someone who has addressed risks in banking and/or has experience leading technology teams in banking.