Throughout the last 12-18 months, the news has been filled with crisis after crisis. The COVID-19 pandemic was, until very recently, the biggest story. The pandemic drove digitization across the economy, which in turn has led to a growing number of cyberattacks by cybercriminals seeking economic gain.
It has also been a factor in isolating people globally; in slowing down trade, supply chains, and travel; and in triggering the highest domestic inflation the U.S. has seen since the early 1980s.
Tensions From Q to Z
Additionally, the pandemic has contributed to a radicalization of a portion of the U.S. population. The obvious example of domestic political radicalization is QAnon and the storming of the U.S. Capitol on January 6, 2021. Certain media companies, social media outlets, and public figures like Senators or Congresspeople have reinforced or spoken to the beliefs of this group of people. “Q” has many facets, as you can see here.
As we moved into 2022, tensions in the ongoing Russo-Ukrainian conflict escalated steadily, erupting in the Russian invasion of Ukraine in February 2022. You may have noticed on the news that Russian tanks and buildings have the letter “Z” painted on them. “Z” stands for “Za Pobedy” (Russian for “for Victory”). The symbol is pro-war, and it may even be read as anti-NATO.
Both Q and Z propagate misinformation. In some cases, they have started reinforcing each other, with the help of other countries, as this article from France 24 outlines.
What’s a CIO, CTO, or CISO to Do?
The things I described above may seem far away from the day-to-day cybersecurity threats that CIOs, CTOs, and CISOs need to address. But they are not.
Radicalized U.S. citizens or foreign state actors could do real damage to financial institutions’ infrastructure using ransomware, viruses, or other forms of malware. Money could be stolen from banks through cyberattacks. Network and cloud infrastructures could be shut down by a state actor. Data could be stolen or altered.
These types of attacks have happened before: in 2014, the personal information of Sony Pictures employees was leaked in a North Korean revenge attack over the movie The Interview, and Iran was charged with attacking U.S. banks back in 2012 and 2013.
CIOs, CTOs, and CISOs need to take another look at their security programs and overall reference architectures in order to deploy best practices to protect their firms. Research that Tari Schreider and I collaborated on, CISO Guidance for Zero-Trust Architecture: A NIST-Based Approach, lays out minimum security architecture requirements moving forward for protecting financial institutions.
However, that alone is not enough. The whole security program and reference architecture blueprint need to be reevaluated in light of the new and more dangerous threat environment. This includes:
- Security governance—policy development and support
- Security engineering, including access management
- Maintenance, monitoring, and testing
- Security incident response
- Risk analysis and scoring
- Providing advice and support
- Application security
- Data security
- Computer forensics and investigations
- Security awareness
- Communicating the state of security
I know, it’s a lot to look at. People would like to assume that all is well—but all is well until it isn’t. If a breach has been going on for months and you don’t know about it, everything can still appear to be fine.
Communicating Within the Field
It has become clear that CIOs, CTOs, and CISOs need to speak with their peers to see how they are responding to the threat environment and new attack vectors. In response to this need, Aite-Novarica has established a Financial Services CIO/CTO Advisory practice, which includes CIOs, CTOs, and Heads of Architecture. We have also established a Research Council of charter advisors, who are guiding our practice on the challenges we should be focusing our proprietary research and C-level networking forums on.
We will be covering numerous topics, such as best practices for developing a data and digital strategy; open banking standards; the war for technology talent; distributed ledger; managing the architecture of multi-cloud environments; and ensuring an always-secure, always-compliant, always-on environment.
If you are a CIO, CTO, or Head of Architecture at a financial institution such as a bank, wealth management firm, or broker-dealer, I’d like to invite you to join your fellow senior IT leaders as a member of the Aite-Novarica Group Financial Services CIO/CTO Research Council. Members are invited to participate in our surveys; in private, vendor-free meetings; and in Special Interest Group meetings.
Research Council members get free access to a subset of the new research we will deliver to executives who join our new Financial Services CIO/CTO Advisory Practice. Membership is anonymous, and participation in any particular survey or meeting is completely optional.
Join the conversation on May 24 at our next Financial Services CIO/CTO Research Council meeting for Charter Advisors.