
How financial services can prioritize both retained security and smart cyber sourcing

The financial services sector faces a growing imperative to fortify its cybersecurity defenses. Confronted with the choice between managing security functions internally and engaging specialized service providers, many firms are opting for the latter, or at least considering it.

The article below examines why many financial services firms are choosing to let external vendors manage their cybersecurity, and the downsides of doing so without also making internal safeguards more robust. A confluence of factors, from a scarcity of skilled IT security professionals to the high cost of retaining in-house talent and the escalating sophistication of cyber threats, may push financial services firms towards external cybersecurity support. Internal defenses nevertheless remain crucial.

The importance of a retained security organization

While outsourcing security tasks can address some of these challenges, financial institutions still need to establish and maintain an in-house retained security organization. Strong internal cybersecurity capabilities are essential for several reasons, starting with regulatory compliance: supervisory bodies mandate that financial institutions retain ultimate responsibility for their cybersecurity posture, however much of the work is outsourced. A retained organization upholds that accountability by setting requirements for and overseeing outsourced functions. Working with a third-party vendor is not an abdication of responsibility.

A retained cybersecurity team also acts as a crucial link between an organization and its chosen vendor, receiving security intelligence from service providers and processing it internally. This includes escalating critical issues and understanding their specific implications for the company’s unique operations and processes.

Oversight and control are other benefits. A robust retained organization is vital for effectively steering and controlling the cybersecurity strategy deployed by service providers. This involves setting clear requirements, validating their implementation, and ensuring the continued efficacy of outsourced security measures.

Finally, sourcing cybersecurity from a third party does not mean that a financial services firm can forget about security altogether. Service providers may identify security issues, but it is the retained organization, with its intimate knowledge of internal systems and business processes, that can interpret what those issues mean for the company. Internal cybersecurity capabilities are therefore needed to translate third-party findings into business impact and to decide what action is proportionate.

The need for a clear cyber sourcing strategy

The current cybersecurity landscape underscores the critical need for financial services firms to develop a clear and comprehensive cyber sourcing strategy. For instance, evolving regulations, such as the Digital Operational Resilience Act (DORA) in the European Union, impose stringent demands on financial entities concerning their operational resilience, and in particular concerning their reliance on ICT third-party service providers. Just as the fast-evolving threat landscape requires financial services firms to regularly update their defenses (including whom they partner with), the regulatory environment is also highly dynamic.

In addition, talent scarcity and cost remain significant challenges. A persistent shortage of skilled cybersecurity professionals and rising salary expectations make it increasingly difficult and expensive for companies to build and maintain in-house expertise. Research by the World Economic Forum indicates that four million professionals are urgently needed to plug the talent gap in the global cybersecurity industry. Although businesses can offer generous salaries to attract cybersecurity workers in this competitive market, outsourcing can also help alleviate some of the burden.

Finally, rising cyber threats are a constant concern. The increasing volume and sophistication of these threats, now exacerbated by advances in AI that simplify attack execution, demand robust and adaptive security measures. Some 72% of surveyed cybersecurity professionals cited an increase in organizational cyber risks, with nearly 47% of organizations listing generative AI as their primary concern for evolving attack methodologies. This heightened threat landscape, influenced by geopolitical and societal factors, makes effective cybersecurity absolutely paramount.


Beyond cyber sourcing: Strengthening security governance

While partnering with external service providers is a viable option, financial services firms can bolster their security governance through other means as well. This includes building cybersecurity capabilities in-house: developing internal technical capabilities, tools, processes, and a skilled workforce remains fundamental.

It is also important to remember that strengthening cybersecurity, even in the highly technical world of financial services, is not purely about digital solutions. Human factors, such as cultivating a strong security culture, are essential too. Fostering pervasive security awareness and a mindset that puts security first throughout the entire organization is crucial. This involves educating employees on risks, establishing clear safeguards, and promoting the view that security is everyone's responsibility.

Another reason why financial services firms need to shore up their internal defenses is that every vendor in their supply chain is a dependency that carries its own risk. A recent report by Forrester on enterprise risk management, for instance, advised risk leaders to map their software supply chains in order to prioritize resilience. Doing so requires strong internal cybersecurity capabilities to adequately validate external parties. Recognizing that attackers often target supply chains as a weak link, financial institutions must prioritize the security of their third-party providers, and not only those providing security services but all providers of IT-related services.

Key steps for resilient cybersecurity sourcing

To achieve more resilient cyber sourcing, financial services organizations should focus on several critical steps. Firstly, cloud security needs to be prioritized: more than three-quarters of financial services firms already report running some of their services in the cloud. Given the prevalence of the technology, ensuring the security of cloud environments and of any data hosted there is paramount.

Credential management and protecting digital identities are other important steps. Implementing robust measures here, both internally and on the service provider's side, is essential for preventing unauthorized access. Nor is this the kind of concern that can be addressed once and then forgotten. Continuous monitoring and auditing are required for all systems, whether in-house or outsourced, so that threats are detected and responded to promptly.

Even with outsourced security, it is vital to sustain a high level of cybersecurity awareness and a strong security culture within the organization. An over-reliance on external providers can inadvertently lead to a decline in internal vigilance. It can also blind financial services firms to vulnerabilities hidden within the environments of their chosen cybersecurity partners. Comprehensive third-party risk management frameworks and detailed vendor resilience plans are indispensable for managing the risks associated with cybersecurity sourcing.

Picking the right cyber sourcing partner

At Eraneos, we understand why financial services firms look to cyber sourcing as a means of enhancing their cybersecurity posture. We appreciate its many benefits, while recognizing its risks. That is why we believe cyber sourcing needs to be carefully considered, especially in an industry where highly sensitive information is stored and transferred, as it is in financial services.

We have a proven track record and deep experience in security sourcing, having guided numerous organizations through complex outsourcing initiatives. As an independent entity, we do not offer managed services, sell software, or have affiliations with specific vendors. This allows for unbiased recommendations and the selection of the most suitable service providers for each client's unique needs.

Our expert team comprises highly experienced professionals who have navigated the intricacies of cybersecurity sourcing many times, bringing a broad understanding of the market and a proven methodology to every engagement.

Don't just delegate your cybersecurity to any third-party vendor. Get in touch with Eraneos to ensure your cybersecurity sourcing meets the rigorous compliance demands and customer needs of the financial services industry.

Michael Martin

Cybersecurity partner