Do's and Don'ts of Conducting an FSSCC Cybersecurity Profile Assessment

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in financial services regulations had a similar focus but used different language or had marginally different compliance requirements. The Profile was developed to streamline compliance with those various regulatory requirements, much as the NIST Cybersecurity Framework has emerged as a foundation on which organizations in any industry can build their cybersecurity programs. NIST has hailed the Profile as a natural extension of the CSF, tailored specifically for financial institutions; it goes so far as to add two new functions to NIST's five: Governance and Supply/Dependency Management.

Institutions of all types can use the Profile internally, and externally with vendors, as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency, we've assembled three Do's and three Don'ts for adopting it.

What to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Get the Board and Executive Management involved early

Whether your organization is one in which the CISO presents to executive management and the Board frequently, or one where the CISO presents less often (for example, annually), building a strong line of communication between business-side leadership and the security organization is critical. While we have seen the CISO title emerge as a mandated function under some regulatory standards, no standards exist for the relationship that individual has with other executive leaders.

As a technical leader, ensure that you engage executive management early and often, in terms that are actionable. One of the many benefits of the Financial Services Sector Cybersecurity Profile is its ability to translate complex compliance and cybersecurity terms into information that leadership can act on.

Align Risk and Compliance Teams

A critical element of the Profile is a risk assessment. Ensure that your risk and compliance teams are aligned and in sync, especially around the adoption of this process. Often that requires exploring tools to enable that alignment, including single-pane-of-glass solutions that allow risk and compliance teams to work side by side within the same platform.

Approach the Profile with a Continuous Assessment Mindset

The Profile is most effective when organizations approach it as a living process, not as a static or periodic exercise to hit 80% of compliance requirements. For some organizations, that can mean a change in solutions. Most GRC solutions today are designed for periodic assessments, not the continuous approach that gold-standard frameworks like the Profile call for. As a result, adopting the Profile can be a watershed moment for your organization in making the shift to an integrated risk management approach to cybersecurity program management.

What Not to Do When Adopting the Financial Sector Cybersecurity Framework Profile

Prioritize the Profile Over Regulations and Standards

While the Profile can help streamline the compliance process by harmonizing multiple standards, approach its adoption as a means to increase efficiency for your organization, not as a replacement for the underlying requirements. Many regulatory frameworks do have commonalities, and that is where the Profile is of value, but ensure that your organization is meeting all the necessary requirements for each standard. The Profile is often referred to as the 80% solution; ensure your organization is also meeting the remaining 20% of standards and regulations.

Assume that the FSSCC Profile is Only for Large Financial Institutions

Much like the NIST CSF, the Profile is a scalable and extensible assessment tool for financial institutions of all sizes. For small and medium-sized organizations, adopting the Profile early in your program’s maturity can pay large dividends down the road as compliance requirements become more complex.

Manage a Profile Assessment in a Modular or Static Tool

As we discussed in the Do's, ensuring program alignment between risk and compliance is critical. However, many financial institutions manage their programs using modular and siloed tools that make the assessment process difficult. The goal of the Profile is to streamline and increase the efficiency of financial institutions' compliance, yet conducting the assessment in a modular solution can mean that the time saved on assessments is instead spent assembling assessment data across the tool's modules.

Adopting the Financial Sector Cybersecurity Framework Profile

As we've seen, adopting the Profile is a sound decision for financial organizations of all sizes. It is an extensible assessment that financial institutions can use not only to build and enhance relationships with business-side leadership but also to significantly increase efficiency across the compliance process.

Ensuring that your cybersecurity program is fully integrated is critical for success when implementing the Profile. An integrated solution like CyberStrong can help: with risk and compliance managed at the control level, both teams stay fully aligned throughout the assessment process. To learn more, give us a call at 1 800 NIST CSF or click here to request a free demo.
