I have a sense that 100% of my business associates, and the entire online community of CTOvision.com and OODAloop.com, are not the least bit surprised at what is in the new cyber threat warnings from the Department of the Treasury’s Office of the Comptroller of the Currency (OCC) and the independent Federal Deposit Insurance Corporation (FDIC).
In fact, after reading their latest alert once and not finding anything new, I read it a second time, slower, to see what is unique and new in this report. The answer: nothing. The informed readers in our community are aware of everything mentioned.
So why do they do things like this? That is the newsworthy item.
Here is what I mean.
This warning from FDIC and OCC, titled Heightened Cybersecurity Risk Considerations, was issued because of current geopolitical dynamics. It references previous alerts from DHS on the topic. It provides a high-level overview of risks to the financial sector. And it strongly encourages banks to apply best practices to continue to mitigate risks.
The best practices in the full report are things that any cybersecurity professional would already be considering.
So what is the news here? FDIC and OCC have distributed this warning to every FDIC-supervised institution. This means all banks and credit unions. And they suggested this report be routed to the CEO, CIO and CISO of every institution.
So the newsworthy topic to me is that FDIC and OCC both feel that CEOs, CIOs and CISOs of banks and credit unions are not already running basic cybersecurity programs and are not tracking geopolitical events.
We know that the financial sector invests greatly in cybersecurity and risk mitigation. But we also know from experience that not all institutions give security the same degree of attention. Could it be that this warning was sent as a message to CEOs that they should continue to support professionalization of cyber risk mitigation? Some organizations will not need a message like that at all. But some CEOs could probably use constant reminders from external organizations with compliance and oversight roles.
So, my assessment: although I do not recommend you personally read the latest from FDIC and OCC on cyber threats, since you no doubt already know what they are saying, I do urge all of us as a community to consider how we can help executives who are not paying enough attention to cyber risks to become more aware.
Some ways to help non-technical/non-security professionals improve security culture:
- Encourage all to stay informed. We would love to help. We provide the OODA Daily Pulse as a way to help keep decision-makers aware of key cyber threat, business risk and geopolitical risk topics. In minutes a day everyone in an organization can achieve a common baseline on key issues.
- When you see new information from organizations like FDIC, OCC, FFIEC or other regulatory or oversight organizations, help your firm by putting that information into actionable context. For example, on this current FDIC report, you may want to proactively get to your CEO and let them know the status of your security program and how it is going, including what you might need to improve your posture.
- Continually seek your own balance between staying focused on completion of current activities and staying agile in the face of dynamic threats. If you figure out how to do that, let us all know. It is really easy to say and hard to do. No matter what your function, you need to deliver on your promises, but our adversaries in cyberspace are not as committed to that as you are and will be working to surprise you. So you need ways to build agility into your daily actions and into what you are delivering.
- No matter what your function is in the organization, and no matter what your level is in the hierarchy, don’t be the skunk at the party, ever. The skunk at the party might get listened to a time or two, but eventually you stop getting invited back and lose your ability to offer actionable advice and input.
- Network with other action-oriented professionals. It takes a community to mitigate the big risks. You have many ways to do that, of course, including connecting with peers via ISACs/ISAOs and coming to big community events like Black Hat, DEF CON or RSA. Another one we would really love you to consider is our 19 March 2020 Future Proof event. This is where the CTOvision and OODAloop community will gather.
Those are some thoughts. I would welcome your ideas.
Latest posts by Bob Gourley