BITS President: Cyber Guidance Confuses CISOs

Conflicting cybersecurity guidance from banking regulators and a federal agency is making it more difficult for CISOs to set priorities, says Chris Feeney, president of BITS, the technology and policy division of the Financial Services Roundtable.

Regulators and agencies need to improve collaboration so they can send a consistent message about the best cybersecurity practices and the expectations CISOs should meet, he says in an interview with Information Security Media Group.

"We certainly believe in working with the regulators, and we think what they are trying to do is really protect the safety and soundness of the industry," Feeney says. "They're trying to provide the industry, specifically the firms that they regulate, with a set of tools to do that."

Nevertheless, Feeney says BITS is concerned that the Federal Financial Institutions Examination Council's Cyber Assessment Tool, which was released in July, contains some recommendations that conflict with the National Institute of Standards and Technology's cybersecurity framework, which was released in February 2014.

This is a concern, Feeney says, because BITS considers the NIST framework the benchmark of cybersecurity standards for banking institutions (see How Will NIST Framework Affect Banks?).

Building on a Chassis

"The NIST framework is the chassis to build on, primarily because of the collaboration that led to its creation, and then, obviously, the multiple years of education and embedding in a set of processes," he says. "However the CAT [FFIEC Cyber Assessment Tool] has elements that are relevant and important and are useful for the industry. So what we would really like to see is these groups come together in a very collaborative way and develop a set of tools or frameworks, almost merged in a way, that allows them to take the best of both and come out with a very comprehensive and very operationally achievable framework. ... We'd love to get behind that kind of effort."

During this interview, Feeney also discusses:

- Why CISOs need to educate their boards of directors about cybersecurity and regulatory issues;
- How cyberthreat intelligence sharing and data breach notification could become more regulated; and
- Why adoption of the top-level domain .bank will make waves in 2016.

Earlier this year, Feeney replaced Paul Smocer as president of BITS, which addresses emerging technology and operational opportunities for the financial services industry. BITS is the technology and policy division of the Financial Services Roundtable, an advocacy organization for the U.S. financial services industry. Feeney works with the nation's largest financial institutions and policymakers to promote cybersecurity and fraud prevention. He has more than 30 years of experience in executive management, technology, business/sales management and operating roles at software companies, broker/dealers and investment management firms.