It's no surprise that most bank chief information security officers say they are expanding their cybersecurity budgets this year. More interesting is their main motivator.
More than half (56%) of bank chief information security officers surveyed this summer by SourceMedia Research say their cybersecurity budgets are growing in 2016. Only 6% of those surveyed said they're decreasing security spending.
Reasons to increase spending abound, from the international multimillion-dollar bank heists that exploited the Swift messaging network to new malware strains and fraud rings to increased business email compromise fraud.
Yet ask bank CISOs why they're stepping up cybersecurity spending, and the most common answer is a familiar refrain: regulators' concerns – 62.5% cited that as their top driver for security spending. Next were protecting servers and databases from hackers (50%), protecting employees and customers from phishing attacks (47.9%), and protecting employees and customers from malware (47.9%).
Even with all the threats out there, compliance requirements may be necessary to light a fire under some banks.
"You can question how much regulation we have and maybe it's too much and it's counterproductive at some point, but that's the job of the government, to make sure we're protected," said Avivah Litan, vice president of Gartner. "Banks don't have a natural inclination to spend money on security. It's not something that drives revenue. So if it weren't for the regulators driving it, they probably wouldn't spend as much money."
This is all good news for vendors. Market Research, a firm based in Pune, India, predicted the global cybersecurity market will grow at a compounded annual rate of 8% to 11% from 2016 to 2021, and that it will surpass $150 billion by 2021.
Where the Money Is Going
Most banks (54%) are stepping up their spending on network security this year, according to the survey by SourceMedia Research, an affiliate of American Banker.
Network security always tends to be the top security category – after all, networks are the gateway that's supposed to keep hackers out, and cybercriminals are constantly scanning networks for opportunity. The Swift hacks this year made a lot of CISOs take a harder look at how they were securing their Swift operations and their networks at large.
Mobile banking security is the next most common area of growth – 44% of CISOs said they're increasing budgets for it. Online banking was a little farther down the list, with 38% reporting increased spending there.
"The way I interpret that is they've already spent a lot on online banking security," Litan said. "The primary channel of online banking is pretty well saturated and mature now, and the growth is at the edges."
About half of bank customers use mobile devices, the Federal Reserve said in a recent study (53% of smartphone owners with a bank account use mobile banking, the central bank said). Meanwhile, security vendor Lookout recently examined 100 million devices with one or more mobile banking apps installed, and found Trojans and other vulnerabilities in one out of ten.
"There's more mobile malware, more functionality and more users of mobile banking," Litan said. "It's time to tighten that up."
Almost half (42%) of the security chiefs said they're investing more in fraud detection this year.
Many bankers say that doing better fraud analytics behind the scenes, including behavioral analytics, is a far better way to catch fraud than stiffer authentication processes that can lock out legitimate customers.
"There's still a lot of room for growth in fraud analytics," Litan said.
Asked their top priorities, bank CISOs put data security first, then keeping up with threats and managing vendors.
"Data security refers to keeping the data on customers and intellectual property -- the customer list, M&A plans – safe so hackers can't get outside and steal it," Litan said. "That's a bigger concern than fraud."
Keeping up with the latest security threats is critical, Litan observes, because 75% of cybersecurity budgets are spent on prevention, according to Gartner's research, "and prevention is where we've failed. It doesn't mean you shouldn't have a lock on your door, but they've been getting through the locks so there is this move to spend more on detection at the end point and around data."
Physical security and cybersecurity incident sharing were at the bottom of the heap. This reflects the reduction in branch networks and the nascent nature of cybersecurity incident sharing – it's not being done in a timely enough way yet to make a big difference.
Cybersecurity vendor management and reporting to management and boards were high on the list, probably due to regulatory requirements.
In a recent bank CIO roundtable, everyone present vented about how hard it is to find good security people. For the SourceMedia Research survey, CISOs were asked about their recruitment efforts. The responses were the usual: 58% go by employee referrals, 40% use career web sites, 40% do internal job posting. A few mentioned partnering with higher education.
"The best solution is for them to get their own data scientists and data security experts to come in and customize solutions for them, but they're competing with Silicon Valley companies like Facebook, Google and Apple, and they can't offer them the kind of salary and benefits these high-tech firms can," Litan said. "Or they don't have the lure of the startup. So they find it almost impossible to compete. Some of them are going into colleges and trying to get kids who don't know better."
The dearth of in-house talent leads to a reliance on vendors and outsourcers.
Research by Moody's Investors Service has found banks increasingly turning to outsourcing. Banks use a median of 12 cybersecurity vendors and have a median of just 21 full-time equivalent employees.
This is a particular challenge for small banks, said Jason Grohotolski, vice president and senior credit officer at Moody's.
"If you lose a couple of people, given the low absolute number of internal employees you have, that's something you have to recover from," he said. "When you're using outsource vendors as well, they can smooth those situations."
A final takeaway for bank executives from our research is that your chief information security officers could use some love.
In answer to the question, "In just a few words, what is it like being a security executive at your institution?" 18 used the word "challenging" or "very challenging" in their answer. Three used the word "stressful," three "unappreciated," two said "exhausting," another two said "hectic." (There were also two "funs" and two "greats" – the misery is not universal.)
One wrote, "Challenging, thankless, need to seek self-rewards, anxious, just waiting for something bad to happen." Another said, "Interesting, but daunting. Front lines of war."
Editor at Large Penny Crosman welcomes feedback at email@example.com.