Building cyber resilience in banking: Expert insights on strategy, risk, and regulation

In this Help Net Security interview, Matthew Darlage, CISO at Citizens, discusses key strategies for strengthening cyber resilience in banks.

He underlines that adherence to frameworks like NIST is essential for continuous improvement and that data protection measures are critical to safeguarding bank operations. Darlage further argues that third-party risk management and adaptable security practices are necessary for maintaining resilience.


What are the core pillars of an effective cyber resilience strategy for banks?

My general view is that an effective cyber resilience and defense-in-depth strategy relies on a fair number of foundational pillars including, but not limited to, having a solid traditional GRC program and executing strong risk management practices, robust and fault-tolerant security infrastructure, strong incident response capabilities, regularly tested disaster recovery/resilience plans, strong vulnerability management practices, awareness and training campaigns, and a comprehensive third-party risk management program.

Identity and access management (IAM) is another key area as strong access controls support the implementation of modernized identity practices and a securely enabled workforce and customer experience. The new “firewall” is your identity, and this identity needs to be persistently bound to an adaptive security policy that can protect you in a layered manner and hopefully is configured to be as frictionless as possible. Another big part of it is fostering a culture of security and making everyone a human firewall.

How do global regulatory frameworks like the NIST Cybersecurity Framework influence how banks approach resilience?

The NIST Cybersecurity Framework (CSF) and similar frameworks promote a continuous improvement approach to IT security and encourage organizations to regularly assess their security posture, identify gaps, and develop measures to enhance their cyber resilience. In summary, these frameworks can provide a valuable and customizable execution template using a common/standardized language for organizations to enhance their cyber programs and overall resilience. They assure that organizations understand their risks, instrument robust security controls or capabilities, and continuously improve their ability to deter, withstand, and recover from cyber incidents.

What are the most common pitfalls banks encounter when responding to cyber incidents?

My general experience is that a common pitfall related to responding to incidents, security or otherwise, is assuming that all your organizational platforms are operating the way you think they are or assuming that your playbooks have been updated to reflect current conditions. The most important part of incident response is the people. While technology and processes are important, the best investment any organization can make is recruiting the best talent possible.

Other areas I would see as pitfalls are lack of effective communication plans, not being adaptive, assuming you will never be impacted, and not having strong connectivity to other core functions of the organization (risk, legal, compliance, privacy, etc.). Third-party risk is an area that requires a lot of consistent, comprehensive governance and proverbial care and feeding, especially when there are vulnerabilities and obvious attack surface implications.

Given the reliance on third-party vendors, how can banks ensure resilience against supply chain cyber threats?

I see this as a critical area banks need to adapt quickly to and be laser-focused on continuous monitoring and improvement. Thinking about supply chain and third-party risks, contractual safeguards are key, including right-to-audit clauses, SLAs, shared responsibilities, etc., as well as having a joint understanding of all the foundational/core pillars we talked about earlier (data protection, strong access, risk management practices, etc.).

Banks should also conduct the required due diligence and security reviews contextualized to risk levels, previous incidents, threat intelligence, and monitoring confidence scores. An organization’s vendors are an extension of its network, which essentially causes them to share an attack surface—requiring perpetual heightened awareness and governance.

If you could give one key recommendation to banking executives on cyber resilience, what would it be?

Banking executives should make data protection a core mission. The vast majority of what we do in cybersecurity should be directly bound to and revolve around protecting the organization’s most critical asset—its data. This means doing everything you can to implement strong data protection safeguards across the entire data lifecycle.

Banks participate in a vast and hyper-connected technology ecosystem in an ever-innovating way, so for everything from payment processing systems to core enterprise infrastructure, you have to view data protection as a top priority. Security across the board should be seen as an enabler, so leaders must look at it as a strategic investment in the company’s future success.
