Employee training is a top priority for improving security, according to 35% of CISOs polled by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Infrastructure upgrades and network defence were also named as top priorities by 25% of respondents, followed by breach prevention (17%).
Infrastructure upgrades, network defence and breach prevention are prioritised mostly by CISOs reporting into a technical function like chief information officer (CIO), according to the first FS-ISAC CISO cyber security trends report.
Employee training is a priority mainly for CISOs reporting into a non-technical function like the chief operations officer (COO) or the General Counsel.
The report, which is aimed at helping leaders and businesses understand cyber security trends across the globe, said while cyber security used to be handled in the server room, it is now a board room topic.
The survey found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis.
In the era of increasing security threats and vulnerabilities, the report said CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defences are a priority.
As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organisational spotlight, the report said.
However, the study found that that two-thirds of CISOs do not report to the CEO, and that the top cyber chain of command is more likely to be the CIO, followed by chief risk officer (CRO) and then COO. Only 8% said they report to the CEO.
FS-ISAC recommends training employees should be prioritised for all CISOs, regardless of reporting structure because employees serve as the first line of defence.
Employee training should include awareness about downloading and executing unknown applications on company assets, also in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments, the report said.
FS-ISAC also encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an “at the ready” risk posture and that cyber practices are clear to board members.
As the threat landscape shifts, FS-ISAC recommends that CISOs have expanded reporting responsibilities or dual-reporting responsibilities in the corporate structure to ensure critical information flows freely.
Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making, the report said