Arvest Bank CISO on building a strong cybersecurity culture in banking
In this Help Net Security interview, Mike Calvi, CISO at Arvest Bank, discusses building a strong cybersecurity culture within the banking sector. He explains how leadership, effective reporting, and proactive engagement with associates are key in strengthening security. Calvi also touches on how banks can measure success and balance accountability while fostering a collaborative environment.

Can you describe what “a culture of cybersecurity” means in banking? How is it different from just implementing security technologies and protocols?

It differs significantly from other industries because of the additional regulatory and fraud aspects that stretch beyond cyber and require an overall increased level of reporting.

To simplify reporting for associates, prevent the need for them to make an ‘in the moment’ decision, and avoid possible delays caused by issues sent to the wrong department, we enabled a singular common interface for associates to report. Based on their chosen topic, such as cybersecurity, social engineering, fraud, money laundering, physical security, etc., the reporting mechanism auto-routes the submission to the correct team.

The reporting loop from the associates to analysts and back for potential security events – whether phishing attempts, USB drives left in the printers by support personnel, or something malicious – is imperative for mitigation and as an educational point. Successful incident reporting is a metric by which we gauge our success.

Additionally, our human risk management (HRM) team does a great job keeping cybersecurity front and center with the associates through internal news articles, intranet banners, and internal chat spaces for cybersecurity collaboration. The chat space is a huge win for us. When we see associates sharing articles on new scams or cybersecurity issues within the chat space, unprompted by our team, we can literally see the security culture growing member by member.

These interactions are staples in our security culture that we extend beyond ‘cybersecurity’. The awareness, shared by all associates in the bank, that protecting the organization is everyone’s responsibility, not just the Security and IT teams, is becoming the norm. Our HRM team’s goal of influencing the everyday behavior of our associates and providing them the knowledge needed to securely implement business processes or make business decisions, and the associates using this knowledge to tell us about potential events, is the culture at work.

How important is the role of leadership in building a cybersecurity culture in banking? Can you share examples of how leaders can set the tone for this effort?

Leadership buy-in across the bank is essential. One of our regulators’ key requirements speaks to the importance of leadership commitment to cybersecurity training and its enablement. Our leadership has provided ample support to implement required training and the next steps for those lagging in training.

Security training ranges from general awareness for everyone to targeted access-based and event-triggered remedial training (for example, persistent phish testing clickers). Each October, during Cybersecurity Awareness Month, different leaders are selected to create a promotional video with our HRM team, motivating associates to get involved and know their responsibilities.

How can banks balance accountability for cybersecurity practices across all departments without fostering a culture of blame?

The key here is to make it a positive experience for the associate to practice good cybersecurity hygiene. We routinely bring associates who report potential cybersecurity events to our Fusion Center for a tour and to talk with the team. This fosters a sense of shared responsibility between the security team and the rest of the bank associates.

Additionally, we work to thank the associates who report phishing with a positive message, even publishing articles about them and the impact they made. Our mantra is that we would rather the associates over-report versus under-report suspected phishing links.

We are currently in the process of developing two reporting awards. The Awesome Angler Award is for associates who report phishing routinely. The Successful Prevention of Threat Award, or SPOT Award, will be given to those who reported something suspicious that led to the true mitigation of an event.

As cybersecurity deficiencies are found, one thing to be aware of is some people may try to assign blame as an emotional reaction when you report on events or incidents. You must steer the conversation away from motive unless explicitly known and remain focused on what happened, how it has been remediated, and how it can be prevented from occurring again.
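The phish-testing and reporting programme described in these answers (event-triggered remedial training for persistent clickers, an award for associates who report routinely) can be driven from simple per-associate counts. The following is an added illustration, not Arvest's tooling; the simulation results, associate names and award thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of phish-simulation outcomes (not real Arvest data).
# One tuple per associate per campaign: (campaign, associate, outcome),
# where outcome is "reported", "clicked" or "ignored".
SAMPLE_EVENTS = [
    ("q1", "alice", "reported"), ("q1", "bob", "clicked"), ("q1", "carol", "ignored"),
    ("q2", "alice", "reported"), ("q2", "bob", "clicked"), ("q2", "carol", "reported"),
    ("q3", "alice", "reported"), ("q3", "bob", "reported"), ("q3", "carol", "ignored"),
    ("q4", "alice", "clicked"),  ("q4", "bob", "clicked"),  ("q4", "carol", "reported"),
]


def per_associate(events):
    """Count reported/clicked/ignored outcomes for each associate."""
    counts = defaultdict(lambda: {"reported": 0, "clicked": 0, "ignored": 0})
    for _campaign, associate, outcome in events:
        counts[associate][outcome] += 1
    return dict(counts)


def routine_reporters(events, min_reports=3):
    """Award candidates: associates who reported at least min_reports simulations.
    The threshold is an assumption for this example."""
    return sorted(a for a, c in per_associate(events).items() if c["reported"] >= min_reports)


def persistent_clickers(events, min_clicks=2):
    """Candidates for event-triggered remedial training: repeat clickers.
    The threshold is an assumption for this example."""
    return sorted(a for a, c in per_associate(events).items() if c["clicked"] >= min_clicks)


def campaign_rates(events):
    """Per-campaign report and click rates: the trend a culture programme watches
    (report rate rising and click rate falling over successive campaigns)."""
    totals = defaultdict(lambda: {"reported": 0, "clicked": 0, "n": 0})
    for campaign, _associate, outcome in events:
        totals[campaign]["n"] += 1
        if outcome in ("reported", "clicked"):
            totals[campaign][outcome] += 1
    return {
        c: {"report_rate": t["reported"] / t["n"], "click_rate": t["clicked"] / t["n"]}
        for c, t in totals.items()
    }


if __name__ == "__main__":
    print("award candidates:", routine_reporters(SAMPLE_EVENTS))
    print("remedial training:", persistent_clickers(SAMPLE_EVENTS))
    for campaign, rates in sorted(campaign_rates(SAMPLE_EVENTS).items()):
        print(campaign, rates)
```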

What metrics or indicators can banks use to measure the effectiveness of their cybersecurity initiatives?

Cybersecurity is so broad that I think it varies by domain. For example, the metrics set for identity wouldn’t work well with App Sec. Work with your business partners and leadership to develop metrics that make sense to them. What will spur your product or support teams to remediate the findings? What is most important to your C-Suite?

Framing the message in terms that resonate with your audience and tell a story can be challenging but worthwhile when you get the necessary traction. Then, it is not just information security asking IT to be secure; the business starts to see the risk and potential monetary costs and begins asking as well.

Another key tenet is to make the risk visible to the business, so they understand not just the risk, but the potential impact from lack of action or delayed security implementations. Be sure not to cry wolf by over-exaggerating the risks to the business, as your information technology counterparts can dispel the FUD if the risks are considered disproportionate, so always lead with the data.

What strategies would you recommend for integrating cybersecurity into innovation efforts, such as digital banking services and fintech partnerships?

The first step is to have a well-articulated risk appetite and cyber GRC program. These two items and the company’s commitment to innovation can give you a sense of the risk level the business is willing to accept. Your cyber GRC program is instrumental in monitoring and reporting the risk level by the innovation efforts, so you and your board can make appropriate risk mitigation decisions.

Second, internally developing something like OWASP’s Threat and Safeguard Matrix (TaSM) helps identify the non-negotiable safeguards as you and the board define the risk tolerance levels. Frameworks like CISA’s Secure by Design have been a great step forward in discussions around software development security.

Remember, many fintechs don’t know how to sell to a regulated industry like banking, or all the steps involved, so some assistance is needed if you are an early adopter of a fintech product.
