How to leverage cybersecurity to gain customer trust

The financial services industry, and the banking sector, in particular, has been heavily regulated from a cybersecurity perspective.

As a result, many organizations within the industry have prioritized aligning their capabilities and establishing strong governance mechanisms to adhere to regulatory requirements, mitigate regulatory scrutiny and manage their associated reputational risk.

However, with the fast pace of technological innovation, for organizations to be truly successful, the perception of cybersecurity must shift from being a ‘check box’ activity to being a strategic tool that can further drive business objectives and build customer trust.

To dismiss cybersecurity as a threat is to ignore the current reality of banking and with relationships and interactions increasingly online, opportunities to better serve clients in the cyber realm are expanding.

The World Economic Forum (WEF), in co-operation with the National Association of Corporate Directors (NACD) and the Internet Security Association (ISA), published the Principles for Board Governance of Cyber Risk report in 2021.

This report describes the six principles that can help boards of directors with cyber risk governance. The first principle, “cybersecurity is a strategic business enabler”, highlights the need to ensure that organization-wide digital transformation efforts proactively account for cybersecurity considerations and that executive leadership and the board are well informed to actively participate in cyber-related discussions.

In a 2022 PwC survey, when asked how senior leaders frame the cyber mission in their organization, more than half (54%) of the CEOs chose bigger-picture, growth-related objectives from their security team.

Two in five (20%) of respondents stated that “a way to establish trust with our customers with respect to how we use their data ethically and protect their data” was the number one cyber mission choice.

As a result, the power moves to maximizing business value through cybersecurity are two-fold:

1. Building a culture of cybersecurity within the organization so there is effective collaboration between the business, technology and cybersecurity teams.

2. Communicating the impact of the organization’s cybersecurity capabilities to drive customer satisfaction.

The messaging to build an awareness of cybersecurity within the organization comes from the top. In order to equip the board to encourage senior leadership to drive cybersecurity outcomes, board members should be included in periodic tabletop exercises to educate the board on their roles and responsibilities to respond to cybersecurity threats. This would make the impact a cyber-attack could have on their business more tangible.

Additionally, as boards receive formal cybersecurity programme updates, they should be provided with key questions to raise to encourage them to challenge their technology, business, and cybersecurity leadership teams to enable risk-based prioritization, communication and decision making, as opposed to compliance-based prioritization.

Following that, the next learning curve will be for board members to gain experience in understanding the implications of the answers they receive. Board members often receive critical input from cybersecurity experts, and therefore, their effective response can support funding decisions, prioritize initiatives, and provide the appropriate executive attention.

It is also essential to build a culture that empowers cybersecurity information security officers to serve as conduits who provide subject matter support to business leaders in implementing cybersecurity requirements, solicit business line feedback to enhance the cybersecurity strategy, and interact not only with technology teams but also marketing and product teams while supporting large-scale digital transformation efforts.

Security team leaders should actively foster collaboration with peer organizations, security user groups, and intelligence feeds to maintain an up-to-date understanding of the evolving cybersecurity landscape and ensure their teams are educated accordingly. Furthermore, all security professionals within the organization should maintain a high level of expertise through continuous role-based training.

Security team leaders should collaborate to define and publish cyber risk mission and vision statements in alignment with the organization’s overall purpose, values, and objectives, to encompass the company identity and communicate the approach to managing cyber risks to customers.

These statements can serve as the “north star” for the cybersecurity programme and inform the future alignment of programme initiatives to measure and evaluate impact.

When engaging with customers, cybersecurity should be included as a discussion point and offer insight into the organization’s capabilities to monitor threats, analyze long-term cybersecurity impact, and incorporate cybersecurity considerations in customer offerings, in order to build lines of transparent communication with customers.

Given the shift to drive businesses online, providing customers with visibility into the organization’s data security capabilities will establish a sense of increased confidence and trust in its efforts to manage their data with integrity.

For example, when Julius Baer presented the group’s 2021 annual sustainability results, the formal presentation not only included key financial indicators but also included material outlining how continuous technological innovation and operating with a responsible approach to cybersecurity risk management can help the bank to seize digital opportunities and build customer trust.

Cybersecurity affects everyone in today’s world, but the topic is often left unaddressed because it is viewed as too abstract, intangible, and cumbersome to deal with.

Therefore, adopting a “we’re in this together” approach and fostering proactive collaboration between business teams, cybersecurity teams and customers will underpin a successful and digitally-forward organization.