Why the financial sector needs to rethink its approach to IT security

Multi-cloud environments, cloud-native architectures, and open-source code libraries are being deployed to assist in the development of new services and products for customers. However, the moves are also resulting in challenges when it comes to managing enterprise risk.

The situation in the financial sector has been highlighted in the recently released 2022 CISO Research Report: Financial Services commissioned by Dynatrace. The report is based on the responses of 325 IT professionals within banks, insurers, and financial-service providers.

Overall, 75 per cent of chief information security officers (CISOs) within financial-service organisations confirmed that vulnerability management has become more difficult as the need to accelerate digital transformation has increased.

Traditional security strategies no longer sufficient

The pressures being placed on security teams by digital transformation projects show little sign of easing. While technologies such as microservices, Kubernetes, and serverless computing deliver significant benefits for digital banking, these architectures also make application security more complex.

As a result, the report found that 58 per cent of financial services organisations are taking a layered approach to IT security, supported by five or more different types of security solutions.

Yet, even with this robust, layered approach to security, the Dynatrace report found more than 75 per cent of CISOs in the sector believe their current security posture is not strong enough to keep vulnerabilities from entering production systems.

Clearly, layered security is no longer sufficient. Because IT infrastructures are now much more complex, security teams are unable to access all the context they need to prevent every vulnerability from escaping.

VIEW ALL

As a result, it is becoming increasingly difficult for them to manage the security of their applications, which could leave sensitive financial data and critical transactions at risk. Also, almost half (49 per cent) of CISOs surveyed confirmed that the speed of software delivery is making it easier for vulnerabilities to re-enter production.

Concerningly, just 6 per cent of financial services organisations believe they have real-time visibility into runtime vulnerabilities.

The benefits and challenges of open-source code

Additional security challenges are occurring within the sector as increasing use is made of open-source code in an effort to accelerate transformation projects. Vulnerabilities are regularly uncovered in third-party software libraries which can make their way into production systems.

Worryingly, the report found that just 31 per cent of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real-time. Meanwhile, 29 per cent of CISOs said they do not always know which third-party code libraries they have in production at any given time.

In many cases, security teams report that the tools being used to detect vulnerabilities lack the runtime context needed to enable financial services teams to differentiate between minor flaws and significant risks.

As a result, many of the alerts they receive are low risk, and the sheer volume makes it difficult for security teams to distinguish the serious issues from the relatively harmless ones.

The growing level of frustration in the sector’s CISO community is clear, with 75 per cent of respondents confirming that most of their security alerts and vulnerabilities are false positives that don’t require action. This is a significant waste of resources and staff time.

A new approach is required

With the pace of digital transformation projects showing no sign of slowing down, a different approach to IT security is required.

Creating a development, security, and operations merged (DevSecOps) culture within an organisation is an important first step in achieving this. However, according to the Dynatrace report, only 37 per cent of financial services organisations have a mature DevSecOps culture in place.

Having a robust DevSecOps practice in place is key to converging observability. It provides development, operations, and security teams with the context needed to understand how their applications are connected and where any vulnerabilities may exist.

Encouragingly, the report found that 82 per cent of CISOs in the financial-services sector agree that IT security must be a shared responsibility across the software delivery lifecycle, from development to production.

This result is encouraging as it shows that the message is getting across. Work must now be done to make that shared responsibility a reality. By doing this, financial sector firms will be much better placed to securely deliver the services that their customers are seeking.

Hope Powers is ANZ vice president at Dynatrace.