Cybersecurity has an image somewhere between astrophysics and black magic. Wrongly so. Financial institutions in particular must not leave the issue to cyber experts alone: the broad workforce needs a minimum level of understanding of cybersecurity.
We all know it in one form or another, the typical cyber awareness film: young man in a black hoodie, windowless dark room, deep and ominous music. The message is always the same: evil lurks everywhere, and cyberspace is a dark place. All of this is clichéd and, incidentally, completely unrealistic (hacking works just as well in daylight). But the underlying misunderstanding goes much further.
The mysterious image of cybersecurity, which places the subject somewhere between astrophysics and black magic, reinforces a massive cultural problem that many banks suffer from: the reluctance of top and middle management to engage with cyber issues at all.
If the general impression is that cybersecurity is a world in which only eccentric tech freaks can find their way, it is not surprising that at some point some managers start to delegate the problem wholesale instead of engaging with its content. This in turn leads to frustration among the experts, who get the feeling that they are being left alone with it.
Cybersecurity expertise as a banker’s standard skillset
By now it has at least been recognized that employee awareness matters at least as much as tools and technology. The next step must be the self-image that a minimum level of substantive understanding of cybersecurity is part of a banker's standard skill set. Just as it would be anachronistic today for a banker to declare money-laundering prevention a specialty that, as a generalist, he need not understand at all, in ten years it will no longer be acceptable for a banker not to know what an SQL injection is, or how a Layer 7 DDoS attack (one that overloads the application itself with seemingly legitimate requests rather than flooding the network) is dealt with.
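To make the first of those two terms concrete, here is an added example that is not part of the original article. It uses Python's standard sqlite3 module and a constructed in-memory table of account balances (the names and amounts are made up) to show what an SQL injection is: one lookup builds the query by pasting user input into SQL text, the other binds the input as a parameter. The same "username" that returns one row from the safe lookup makes the vulnerable one return every account.

```python
import sqlite3


def make_db():
    """Constructed sample data: three accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 1200), ("bob", 340), ("carol", 9800)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so user input becomes SQL.

    With username = "x' OR '1'='1" the statement sent to the database is
        SELECT username, balance FROM accounts WHERE username = 'x' OR '1'='1'
    and the WHERE clause is true for every row.
    """
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the driver passes the value separately from the SQL text,
    so the quote characters in the input are data, never syntax."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


HONEST_INPUT = "alice"
INJECTED_INPUT = "x' OR '1'='1"


def demo():
    """Returns (vulnerable result, safe result) for the injected input."""
    conn = make_db()
    return lookup_vulnerable(conn, INJECTED_INPUT), lookup_safe(conn, INJECTED_INPUT)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", len(leaked), "rows:", leaked)
    print("parameterised lookup returned", len(safe), "rows:", safe)
```

The fix is not exotic: every mainstream database driver offers parameter binding, and the rule "never build SQL from user input by string concatenation" can be explained to a non-technical audience in one sentence.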
A particularly striking example from IT itself illustrates why this self-image is so important: the involvement of cyber experts in IT architecture issues.
It is already difficult enough to design a bank's IT in an architecturally clean manner; often the bank's IT consists of a collection of crudely assembled legacy systems into which one gradually tries to bring some order. When the moment comes to tidy up the IT landscape more extensively, the sentence one often hears is: "In the end, we still have to coordinate this plan with cybersecurity." It is a bit like building a house with an architect who, at the very end, has to bring in a burglary-protection expert to tell him that houses should have lockable doors and that burglars find it very attractive if one side of the ground floor has open passages to the outside. And this is exactly where the problem lies: an architect who designs houses knows this even without expert input.
Know-how about cybersecurity belongs in the workforce
Some companies have started to involve the cyber team as early as possible so that the architect and the cyber expert work closely together. This is not wrong per se, but transferred to the house-building example above it still seems bizarre: the burglary expert sits next to the architect from the start and checks whether he draws entrances with or without doors. The only effective solution is to anchor cybersecurity know-how as deeply as possible in the workforce, so that every employee automatically takes the cybersecurity implications into account in everything they do.
Once that stage is reached, there will still be enough for the cyber experts to do, as there will always be particularly complex problems that need a specialist, just as in the money-laundering prevention mentioned above. The difference is that the specialists can then be deployed far more effectively. A final acceptance of the architecture, for example, would still take place, but the design would no longer change so drastically because more would have been done right from the start.
Aside from the question of effectiveness, there is another reason to pursue this model: the motivation of cyber experts, who are increasingly becoming a bottleneck as a key resource. Someone who has studied computer science, worked in cybersecurity for several years, completed various certifications, and kept up with regular further training does not want to spend most of their time cleaning up problems that stem from a degree of ignorance experts find hard to comprehend.
Three measures for more cybersecurity
First of all, it must be recognized that the basics of cybersecurity are not rocket science and that laypeople can learn a lot about them in a short time. If you ask your CISO, the Chief Information Security Officer, to compile a small list of links to YouTube videos, blogs, and technical articles for a bit of self-education, you will usually be met with enthusiasm. This simple step alone can have a huge impact.
Next, you have to relieve your employees of their fear of the topic. Here it is especially important that you, as a non-IT director, speak openly about having gone through this learning curve yourself, and ideally admit that you were quite afraid of it at the beginning.
Thirdly, new developments in the cybersecurity environment need to be discussed regularly in the risk committees, so that cybersecurity takes on the status of a "completely normal risk topic".