According to the 2022 Verizon Data Breach Investigation Report (DBIR), data breaches caused by ransomware have almost quintupled, rising from 5% to over 25%. Additionally, the cost of data breaches has risen drastically in recent years. In 2021, the cost of a data breach rose to $4.24 million on average, an increase of over 10% according to IBM. Risk is not a foreign concept for anyone in the financial industry, yet in recent years cybersecurity risk has become an absolute priority among credit unions and community banks. Increased regulatory scrutiny, remote workers, and the steadfast presence of online banking have forced the industry to prioritize cybersecurity as a central pillar of its business calculus. This means credit unions, which generally have significantly fewer resources than the top commercial banks, are in a precarious position. Given how heavily a data breach can harm a business's reputation, and how important consumer trust is in banking decisions, it's no surprise that the risk demands their utmost attention.
Under intense examination from regulators and shareholders, cybersecurity has very quickly become an issue for boards of directors everywhere. Gartner predicts that by 2025, “40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member,” and it’s easy to see why. With the fallout from a successful cyberattack only increasing every year, cybersecurity has become an issue that requires board oversight to ensure that security teams are properly managed. For credit unions, this pressure is even more palpable given the regulatory oversight already required, particularly as Securities and Exchange Commission mandates of their proposed rule for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure have the potential to implicitly flow down to the entire financial services industry.
Despite this pressure, credit unions don't always have the resources to sufficiently protect themselves. According to a report by Black Kite, 86% of credit unions had breached employee credentials available on the Dark Web within the past 90 days. With fewer resources available to invest in cybersecurity, credit unions face an uphill battle when it comes to combatting cyber threats. As a result, credit unions need to make every dollar of their budget count, meaning every budget item should have an appreciable impact on reducing cybersecurity risk.
Unfortunately, a common mistake we see amongst credit unions is a fundamental misunderstanding of cyber risk. Some businesses imagine cybersecurity as an immutable cost center, a vacuum that eats all of the budget an organization can stomach throwing into it for no perceived return on investment. This just isn't the case; in just about every aspect that matters, cybersecurity risk is business risk. This means that cybersecurity risk can be quantified, mitigated, and documented like any other business risk. Instead of being a mysterious budgetary black hole, cybersecurity risk can be quantified as part of an overall risk management strategy. It's not easy, and the mitigations are different, but it's an achievable task that should be implemented throughout the organizational structure. The answer, in this case, is cybersecurity performance management (CPM).
Cybersecurity Performance Management
Cybersecurity performance management, simply put, is the process of managing cybersecurity performance by relying on KPIs that track meaningful cybersecurity metrics, so that decision makers can strategically allocate budgetary resources to best mitigate cybersecurity risk. At present, businesses are dumping endless amounts of resources into the latest tools and software suites without considering the realistic return on their investment. CPM relies on visibility into continuous performance against goals, along with measures of consistency, to create a tremendous new understanding of risk, providing for data-driven decision making that can truly improve security and curb excess spend.
The kind of insight that CPM provides revolutionizes the way organizations manage cybersecurity in support of the business. Incorporating cybersecurity risk into existing organizational risk management processes provides a structured and healthy way to identify and manage cybersecurity risk. CPM and risk management then provide a cyclical system; the risk management process identifies risk, and CPM provides the tools to target specific metrics that reduce risk.
This visibility into cybersecurity performance against goals, together with measures of consistency and coverage, is what makes that data-driven decision making possible. Being able to make quantitative decisions based on real-world performance data is a powerful tool for increasing operational efficiency. This visibility allows an organization to effectively target its weakest performing metrics and dramatically strengthen its baseline cybersecurity performance without falling into the trap of ballooning cybersecurity budgets. Best of all, it becomes possible to see and measure the impact of cybersecurity improvement in real time. Being able to prove to board members, executives, and stakeholders the tangible return on their investment in security is key to getting cybersecurity buy-in from all stakeholders.
How you can implement CPM
At its heart, performance management doesn't tie you into any specific vendor or ecosystem. It's a process, not a product. But there are tools that greatly increase the efficacy of any performance management program, and it all comes down to automation. Automation lies at the heart of CPM. The best way to kickstart any kind of performance management program is to automate the collection, aggregation, and reporting of relevant KPIs. That's no different with CPM, where automating the gathering of cybersecurity performance indicators (CPIs) is crucial to making the best strategic decisions to reduce business risk. The goal is to tie together as many of your existing security tools as you can into one convenient place where you can run analytics against past and current data. Building custom tooling for this automation is possible, but it's not always viable: all it takes is one or two changes to a vendor's API endpoint to break your reporting tools.
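The following is an added illustration of the CPI pipeline just described, not code from the article or from TDI: it aggregates exports from two hypothetical tools (a patch-management console and an identity provider, with constructed sample data and assumed goal values), scores each indicator against its goal with a consistency measure, picks the weakest indicator, and fails loudly when a tool's export shape changes rather than silently reporting a wrong number.

```python
from dataclasses import dataclass
from statistics import pstdev

# Constructed sample: three weekly exports from two hypothetical tools. Not real data.
PATCH_SNAPSHOTS = [
    {"schema": 1, "hosts_total": 400, "hosts_patched": 330},
    {"schema": 1, "hosts_total": 405, "hosts_patched": 340},
    {"schema": 1, "hosts_total": 410, "hosts_patched": 369},
]
MFA_SNAPSHOTS = [
    {"schema": 1, "users": 120, "mfa_enrolled": 96},
    {"schema": 1, "users": 123, "mfa_enrolled": 111},
    {"schema": 1, "users": 125, "mfa_enrolled": 120},
]
GOALS = {"patch_coverage": 0.95, "mfa_coverage": 0.99}  # assumed board-approved targets

class SchemaDrift(Exception):
    """A tool's export no longer has the shape this report expects."""
def require(snapshot, schema, fields):
    # Fail loudly on an upstream API change instead of reporting a wrong number.
    if snapshot.get("schema") != schema or not all(f in snapshot for f in fields):
        raise SchemaDrift(f"unexpected export shape: {sorted(snapshot)}")

def patch_coverage(snap):
    require(snap, 1, ("hosts_total", "hosts_patched"))
    return snap["hosts_patched"] / snap["hosts_total"]

def mfa_coverage(snap):
    require(snap, 1, ("users", "mfa_enrolled"))
    return snap["mfa_enrolled"] / snap["users"]

@dataclass
class Cpi:
    name: str
    current: float      # latest value of the indicator
    goal: float
    gap: float          # shortfall against goal (0.0 when the goal is met)
    consistency: float  # population std deviation over the period; lower is steadier

def build_cpi(name, snapshots, metric):
    values = [metric(s) for s in snapshots]
    return Cpi(name, values[-1], GOALS[name], max(0.0, GOALS[name] - values[-1]), pstdev(values))

def scorecard():
    return [build_cpi("patch_coverage", PATCH_SNAPSHOTS, patch_coverage),
            build_cpi("mfa_coverage", MFA_SNAPSHOTS, mfa_coverage)]

def weakest(cpis):
    # The largest gap to goal is where the next budget dollar should go.
    return max(cpis, key=lambda c: c.gap).name
```

Adding a real tool means writing one adapter function with its own `require` check; when the vendor renames a field, the report stops with `SchemaDrift` instead of shipping a silently wrong coverage figure to the board.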
Managed Cybersecurity Performance Services for Credit Unions
This may seem like a daunting task, but it doesn’t have to be. Credit unions without the resources or expertise on-hand to create their own program can always rely on others to manage their cybersecurity performance. At the recent World Credit Union Conference (WCUC) in Glasgow, Scotland, cybersecurity firm TDI unveiled their Managed Cybersecurity Performance (MCP) offering, its pinnacle body of work, summing up over two decades of delivering cybersecurity solutions across the globe. TDI’s MCP platform offers a convenient solution for credit unions to outsource and better manage their cybersecurity performance, mitigate risk, reduce ransomware, provide continuous compliance, improve cyber-ROI, and slash cyber insurance premiums.
Credit unions have struggled to align the interests of the security team and the board of directors, something critical to establishing a working cooperation between the two. TDI's MCP solution allows for a much greater ability to prioritize imperative cybersecurity initiatives that reduce risk for the entire organization with a measurable ROI, understandable by all. TDI offers a unique perspective to commercial organizations with over 21 years of experience on the front lines of cybersecurity operations, engineering, and compliance, supporting some of the most targeted commercial, military, and government organizations in the world. MCP leverages their experience in helping hundreds of customers navigate oceans of wasteful and inefficient cybersecurity initiatives.
Credit unions specifically are in a precarious position when it comes to managing cyber risk. They have fewer resources than the big central banks, yet they still have many of the same burdens in developing and providing online banking services that need to be protected. For smaller organizations, spinning up a thorough cybersecurity program is a challenging task at the best of times. Doing so while under regulatory scrutiny and relentless assault from cyber criminals only makes it harder. TDI's MCP service simplifies this problem, allowing you to hit the ground running with a cost-effective solution tailored for credit unions.
Paul Innella, TDI's CEO, has over 25 years of executive and cybersecurity experience. He founded and built TDI, which offers cybersecurity services to hundreds of government agencies and commercial clients. He is a recognized cybersecurity SME and corporate executive who has published articles, lectured, and conducted interviews (ABC, Fox News, Forbes, MSNBC). He established and chairs the charitable cyber-focused "White Hat USA", which raises money for Children's Hospital. He is a board member of many private companies, JMU, Children's Hospital, and WashingtonExec's Cyber Security Council, and Chair of Children's Corporate Advisory Council. He graduated from JMU, attended graduate courses at Johns Hopkins, and Executive Programs at Cambridge, IMD, the University of Edinburgh, and University College Dublin.