Building a strong cybersecurity culture within the banking sector is a crucial task that requires a strategic approach. Mike Calvi, the Chief Information Security Officer at Arvest Bank, emphasizes the importance of leadership, effective reporting, and proactive engagement with associates in order to strengthen security measures. In a recent interview with Help Net Security, Calvi shared insights on how banks can measure success and maintain accountability while fostering a collaborative environment.
Cultivating a cybersecurity culture in banking means contending with unique regulatory and fraud challenges that require a heightened level of reporting and vigilance. To streamline reporting for associates and ensure that security-related issues are routed accurately, Arvest Bank implemented a common interface for reporting topics such as cybersecurity, social engineering, fraud, and physical security. This seamless reporting loop from associates to analysts is vital for identifying potential security threats and serves as an educational tool for mitigation efforts.
Calvi also highlighted the role of the human risk management (HRM) team in keeping cybersecurity at the forefront of associates’ minds through internal communication channels. By leveraging internal news articles, intranet banners, and dedicated chat spaces for cybersecurity collaboration, Arvest Bank is able to promote a culture of security awareness and responsibility among all associates.
When it comes to leadership’s role in fostering a cybersecurity culture, Calvi emphasized the importance of leadership buy-in and support for training initiatives. By engaging leaders in creating promotional content and motivating associates to participate in cybersecurity awareness programs, Arvest Bank sets a tone of commitment to security practices across all levels of the organization.
Maintaining accountability for cybersecurity practices without fostering a culture of blame is a delicate balance that banks must strike. Arvest Bank incentivizes associates who report potential security events by offering tours of the Fusion Center and publicly acknowledging their contributions. By highlighting the positive impact of reporting and implementing recognition programs like the Awesome Angler Award and SPOT Award, the bank encourages a proactive approach to cybersecurity hygiene.
In terms of measuring the effectiveness of cybersecurity initiatives, Calvi emphasized the importance of collaborating with business partners to develop meaningful metrics that align with organizational goals. By making cybersecurity risks visible to the business and framing the message in a way that resonates with stakeholders, banks can effectively communicate the value of security investments and ensure alignment with business objectives.
Integrating cybersecurity into innovation efforts, such as digital banking services and fintech partnerships, requires a well-defined risk appetite and a robust cyber governance, risk, and compliance (GRC) program. By defining risk tolerance levels, identifying non-negotiable safeguards, and leveraging industry frameworks for secure development, banks can manage the complexity of building cybersecurity into innovative initiatives.
Overall, building a strong cybersecurity culture in the banking sector requires a multifaceted approach that involves leadership commitment, effective reporting mechanisms, proactive engagement with associates, and continuous measurement of cybersecurity effectiveness. By prioritizing security awareness and collaboration, banks can strengthen their defenses against evolving cyber threats and safeguard sensitive information.

