In case you haven’t noticed, the rules regarding cybersecurity and who gets blamed and who gets credit have changed rather drastically in a very brief period of time. The old rule for a CEO or executive management was that if a concern was raised about computer security, a memo was sent to IT to “fix it” and management continued to focus on other problems of the day. The new rules say a CEO and senior management will be thrust before cameras and interrogated by the press about any failure in financial services cybersecurity. The impact to the bottom line is now beyond imagination for most. When it comes to cyber, CEOs and executive management are now on the chopping block and the IT scapegoat no longer exists. Leadership from the very top is required to put cybersecurity benchmarks alongside financial, operational and organizational goals.
In your next staff meeting, perform a word association test. Perhaps just a brief run through of some common words, such as office, financial, balance and deposit, to get started. Then say “cyber”. My guess would be that the common association would be “security”. As we all know, cybersecurity has been a hot topic for some time now and its prioritization with legislators and regulators (including the NCUA) is increasing rapidly. So as credit union managers and leaders, what does this really mean? First, let’s get very basic about the concepts involved:
Definition of Cyber: Of, relating to, or involving computers or computer networks (as the Internet), information technology and virtual reality*
Definition of Security: The state of being protected or safe from harm*
As I mentioned, cybersecurity commonly falls under the purview of IT departments, often supplemented, or even managed, by third-party network and security vendors. However, look again at the primary definition of cyber: “of, relating to, or involving computers”. This means that cyber, or cybersecurity, touches every operational component of an organization in a meaningful way. As a manager and leader, it is important to address cybersecurity not just through a solution-focused lens, but as a core strategic issue that may even require organizational or operational change.
In February of 2013, the White House released Executive Order 13636, which tasked the National Institute of Standards and Technology (NIST) to: “lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” NIST subsequently released its Preliminary Cybersecurity Framework for public comment the following October.
The framework places a significant burden on executive management to lead their organizations in dealing with cybersecurity, tasking them to develop and communicate “mission priorities, available resources and overall risk tolerance” down to those responsible for business/process and implementation of established policies and guidelines.
Another point to consider is that cyber threats are unlike other threats to safety and soundness in that the smallest breach to a seemingly unrelated entity can have instant, widespread ramifications. The sophistication of current threats is tremendous and there is certainly no lack of malicious intent in the cyber arena. Because of this ability to use small portals to open doors to larger targets, the responsibility that executives and managers face is exponentially broader than protecting their information, their members’ information and their brand. A breach in security could very quickly and easily become a burden and liability to a large segment of credit union information and even be detrimental to the public perception of credit unions in general.
Taken all together, and in the shadow of the recent Target breach and other high-profile breaches, it seems that credit unions, as a part of the financial services critical infrastructure, are being presented with a grand opportunity. Cyber regulation and legislation are still works in progress. Credit unions have been rock solid in protecting their members from much of the financial turmoil of the past five years. Now we can see the cybersecurity bubble growing and growing. Hopefully we can look back five years from today having served and protected our members through prudence, forward thinking and innovative solutions to meet any and all cybersecurity challenges.