It’s that time of year again. Pumpkin spice everything, the temperature hasn’t budged since mid-September in Texas and the FFIEC just sent out its FAQ on the annual Cybersecurity Assessment Tool. It’s that time of year when FIs, CIOs, CSOs and more are preparing roadmaps and formulating budgets for the coming year.

As community-focused financial institutions continue to review their security postures—always looking for ways to detect and protect against threats—inevitably the conversation turns to tools, tools and more tools. The landscape is overwhelming, with the tried-and-true name brands filling the space, peppered with thousands of newcomers and their new ways of identifying threat actors, correlating events and ways for FIs to spend money and their time.

After reflecting on this year’s trends, Q2’s own product roadmap and lessons learned, I find myself reminded that too often businesses jump into implementing solutions without spending enough time on the basics. Building a strong foundation allows third-party tools and practices to amplify and augment your security efforts. Without that foundation, the best cyberdefense tools in the world may not be enough.

At Q2, for example, we’re focused on refining our security governance model, making sure we have the right building blocks in place to support the continued growth of our company—both in our hosted fintech solutions as well as in our back office.

Take the FFIEC Cybersecurity Assessment Tool, for instance. This tool is a great (and voluntary) example of an iterative building block that vendors, FIs and more can use to measure their cybersecurity preparedness over time. Map your standard NIST framework to the FFIEC tool to execute against one “über set” of controls instead of five different programs. Together you have a single, coherent operational model that establishes a more comprehensive security posture.

Connected in many ways to operational controls, cybersecurity should absolutely be intertwined throughout all of your business practices—looking at your organization from a security-first view, not just as a section within the broader IT compliance puzzle. Your preparedness against cyberattacks relies both on tools and the partnerships behind them that ascend to your executive team—partnerships between IT and business units, development, and of course, with customers.

“Making security everyone’s business” is not just a catch phrase, but an idea that should be embedded from the beginning into engineering, operations, various branches of development and beyond. That idea makes it much easier to implement and adopt large-scale programs like NIST, as the tentacles of these frameworks reach far and deep across your organization.

Before tools, there are partnerships. Partnerships where both the CIO and CSO work together with the rest of the executives, and eventually the entire company, to weave security across and throughout an organization. Those partnerships create the alignment needed for your security program’s success from the get-go, not the other way around.


Written by Q2