Financial services firms need to stop focusing on their staff’s cyber-risk skills and spend more time having conversations about their experiences, ANZ Bank chief information security officer Lynwen Connick said at a conference.
Speaking on a panel at the Sibos conference in Sydney, Connick said having inclusive conversations about staff’s interaction with things like phishing, for example, “make it real for everyone”.
“It’s not to me, so much, specific security skills that we need everyone to have, it’s about more integration,” she said.
She revealed that ANZ conducted regular cyber event drills to facilitate active discussion.
“Sometimes, we use mechanisms like our phishing fire drills to enable conversations,” she explained to the crowd. “People can say, ‘That happened to me, too… what else are we seeing?’ What I find is that when we run our phishing fire drills, it’s the conversations that we have afterwards – about what happened and what it means – that matter.”
Rather than putting staff through complicated training, therefore, Connick advocated bringing teams together to bring experiences to light.
“It’s really good to provide education across an organisation so everyone has some basic level of understanding of technology and information security but it’s also about how we explain the issues in business terms in ways that people can understand,” she said. “It doesn’t necessarily require any in-depth understanding about how a cyber-security attack would occur or how malicious software would be embedded in the system – that’s not what people need. It’s about knowing that it could happen to anyone and what we can do to prevent it.”
Connick revealed that even she would click on “a very well-crafted [phishing] email”, so it makes sense to have discussions around how an organisation would deal with the consequences.
Walk the walk
John Hibbs, managing director, global cyber-security at Bank of America Merrill Lynch, said financial services firms needed to “change the calculus” of how they engage their staff on cyber-risk.
“Think about it differently,” Hibbs said. “It’s not [about] cyber skills, but having that awareness in terms of communicating with each other. That’s probably one of the biggest things, across almost every major institution, that would reduce the security risk.”
Valerie Abend, managing director of financial services security practice for North America at Accenture, said: “You can’t just have cyber-security that’s parked ‘over there’. You need to make everybody truly walk the walk.”
Abend said firms needed to “make sure everyone had a speaking role in security discussions. That way, you’re uplifting the level of awareness and actually spreading the risk management throughout your organisation.”
The concept of spreading risk among staff is something ANZ has been working on as well, Connick suggested.
“Cyber-security is a team sport, you don’t do it on your own,” she said.