Experts debate whether the financial industry has a leg up in terms of their cybersecurity strategy when compared to other industries.
FOR
Dave Aitel, CEO, Immunity
In spite of some of the breaches recently reported, the financial sector, particularly in the United States, remains one of the best in terms of cybersecurity – not necessarily because it's doing everything right, but because everyone else is doing it so terribly wrong. Most of all, the big banks have done a better job than other industries of prioritizing cybersecurity.We see this in their annual budgets, which actually earmark a significant portion to network defense (from security executives to third-party pen-tests, etc.). We also see it in their investments in the cloud and fraud detection. They've done this because they have to – banks live or die by their image. So for them, it's not just about protecting their data, it's almost equally about protecting their reputations too.
The financial industry has really led the way in a number of areas, including intra-industry coordination (FS-ISAC and Soltra Edge are two great examples), anomaly detection, the cloud, exfiltration filters and firewalls.
CON
Joe Loomis, CEO, CyberSponse
For a long time, the assumption has been that major financial institutions are the “crème de la crème” of the IT security world. But is this really true? Recent disclosures by JP Morgan, Nasdaq and even the string of DDoS attacks on banks starting in 2012 should cast doubt on this assertion. It is true that banks spend more money on IT security than most other organizations, and that's commendable, but it doesn't mean those expenditures translate into top-notch security. Instead, they're buying all the latest tools the market can offer while not managing security incident response properly.
Financial institutions remain plagued by a number of key security problems, such as long procurement phases, a fear of change that's deeply ingrained within the management structure, not enough key decision-makers who can make the tough calls on IT security, a reliance on outdated methods of email/ticket/manual management systems, little or few frameworks or controls in place around incident response, simulations and training, etc.