Summary
This blog shares 10 insights from banking CISOs on how to make cybersecurity investments that truly matter. Covering tool sprawl, SOC economics, staffing shortages, regulatory pressure, and board-level expectations, it highlights how banks can reframe cybersecurity from “necessary expense” to strategic value. It also explains how Zero Trust strategies can reduce breach costs by up to 75% and provide measurable business outcomes.
Last week, I sat down with CISOs from U.S. banks in Omaha to talk about the economics of banking cybersecurity. One theme came through clearly: bigger budgets don’t always mean better protection. Simply throwing money at the latest tools and trends just isn’t cutting it.
One thing I heard from the CISOs is that proven economic models can help banks decide which cybersecurity investments deliver the most impact. By the end of the event, we had a clear take on getting the best value from cyber budgets (and on how Zero Trust may help).
Cybersecurity in financial services: Trends banking CISOs can’t ignore
During the roundtable conversations, CISOs shared firsthand the pressures they face daily and the broader challenges in banking cybersecurity. Here are ten key insights from and for CISOs:
1. Weak fundamentals still drive breaches
Weak or default credentials, unpatched systems, and tool sprawl remain the main causes of incidents. Focusing on these basics delivers more impact than chasing the newest tools.
2. Tool sprawl and a buyers’ market are draining budgets
Banks now run 20–45 security tools on average, each carrying its own licensing, integration, and tuning costs. Vendors continue flooding the market with point solutions, which keeps the cybersecurity market a buyers’ market with significant information gaps (check out this article for more).
3. Smarter investments come from valid data
Quantifying cyber risks does not require mountains of actuarial data. Reliable data enables CISOs to balance potential loss against the cost of running security operations.
4. 24/7 operations are resource-intensive
Maintaining around-the-clock coverage requires at least four shifts plus a leave allowance. Realistically, you also need at least two analysts per monitoring console to manage alert fatigue. These staffing realities quickly drive up costs.
5. Talent shortages amplify operational challenges
Analyst turnover rates of 30–35% in many regions create additional costs, as banks pay to recruit and replace staff. Even with higher salaries, only 38% of leaders believe they can find the right talent.
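The staffing arithmetic behind insights 3 to 5 is easy to get wrong, so here is a small added worked example (my own illustration, not code from the original post or from the roundtable). It turns the 24/7 coverage requirement, leave allowance, analysts-per-console rule and turnover rate into a required headcount and an annual staff cost, then compares that cost against a simple expected-annual-loss figure. Every number in it (console count, six weeks of leave, a 110,000 salary, a 50% replacement-cost ratio, the loss scenarios) is a constructed assumption to be replaced with a bank's own data.

```python
"""SOC staffing and risk-vs-cost model (added illustration, constructed assumptions)."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # one seat staffed continuously = 8760 hours


@dataclass
class StaffingAssumptions:
    consoles: int                  # monitoring positions to keep staffed 24/7
    analysts_per_console: int      # at least two, per the roundtable
    leave_weeks: float             # annual leave + sick + training per analyst
    working_hours_per_week: float = 40.0
    turnover_rate: float = 0.30    # 30-35% reported in many regions
    salary: float = 110_000.0      # constructed figure
    replacement_cost_ratio: float = 0.5  # recruiting + ramp-up, as fraction of salary


# Constructed example: three consoles, two analysts each, six weeks of leave.
DEFAULT = StaffingAssumptions(consoles=3, analysts_per_console=2, leave_weeks=6)


def fte_per_seat(a: StaffingAssumptions) -> float:
    """Full-time analysts needed to keep ONE seat filled all year.

    The naive answer is three 8-hour shifts, but leave, sickness and
    training remove weeks of productive time, so the real number is
    closer to five. This is why '24/7' is a multiple of three, not three.
    """
    productive_hours = (52 - a.leave_weeks) * a.working_hours_per_week
    return HOURS_PER_YEAR / productive_hours


def required_analysts(a: StaffingAssumptions) -> int:
    """Seats to staff (consoles x analysts per console) times FTE per seat."""
    seats = a.consoles * a.analysts_per_console
    return math.ceil(seats * fte_per_seat(a))


def annual_staff_cost(a: StaffingAssumptions) -> float:
    """Salaries plus the recurring cost of replacing analysts who leave."""
    n = required_analysts(a)
    salaries = n * a.salary
    turnover_cost = n * a.turnover_rate * a.salary * a.replacement_cost_ratio
    return salaries + turnover_cost


def expected_annual_loss(scenarios: list[tuple[float, float]]) -> float:
    """Sum of (annual probability x impact) over loss scenarios."""
    return sum(p * impact for p, impact in scenarios)


def net_benefit(eal_without: float, eal_with: float, annual_cost: float) -> float:
    """Loss avoided by running the operation, minus what it costs to run."""
    return (eal_without - eal_with) - annual_cost


# Constructed loss scenarios: (annual probability, loss if it happens).
SCENARIOS_WITHOUT_SOC = [(0.20, 8_000_000.0), (0.50, 1_500_000.0), (0.05, 40_000_000.0)]
SCENARIOS_WITH_SOC = [(0.10, 5_000_000.0), (0.30, 800_000.0), (0.03, 25_000_000.0)]

if __name__ == "__main__":
    print(f"FTE per seat:       {fte_per_seat(DEFAULT):.2f}")
    print(f"Analysts required:  {required_analysts(DEFAULT)}")
    print(f"Annual staff cost:  {annual_staff_cost(DEFAULT):,.0f}")
    eal_no = expected_annual_loss(SCENARIOS_WITHOUT_SOC)
    eal_yes = expected_annual_loss(SCENARIOS_WITH_SOC)
    print(f"EAL without SOC:    {eal_no:,.0f}")
    print(f"EAL with SOC:       {eal_yes:,.0f}")
    print(f"Net annual benefit: {net_benefit(eal_no, eal_yes, annual_staff_cost(DEFAULT)):,.0f}")
```

With these assumptions a single seat needs about 4.8 full-time analysts, so three consoles at two analysts each come to 29 people and roughly 3.7 million a year before tooling, which is the "multi-million-dollar commitment" of insight 10 expressed as arithmetic. The loss side is deliberately coarse: a handful of scenario estimates, not an actuarial table, is enough to see whether the operation's cost is in proportion to the loss it is expected to avoid.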
6. Regulatory pressure is growing
Frameworks like GDPR, DORA, PCI DSS, NIS 2, and the SEC’s cyber-disclosure rules add heavy reporting workloads. Most in-house SOCs struggle to automate or integrate these requirements effectively.
7. Investment decisions should be risk-driven, not compliance-driven
CISOs agreed that budgets should reflect the bank’s risk appetite. Viewing cybersecurity purely as a compliance or expensive checklist limits the ability to make strategic investments.
8. Boards want business value, not jargon
Executives care about measurable outcomes: avoided losses, cost savings, and risk reduction. Translating technical complexity into business terms is key to gaining support.
9. The “IKEA effect” undermines decision-making
The IKEA effect, the tendency to overvalue in-house solutions, leads to sunk-cost bias and “not invented here” syndrome. CISOs warned that these biases can trap banks in expensive, ineffective projects.
10. SOCs are long-term, multi-million-dollar commitments
Building and running a 24/7 SOC goes beyond a single line item. CISOs emphasized that understanding total cost and operational requirements is essential for sustainable security operations.
Reframing cybersecurity: What should CISOs be doing
One thing all CISOs clearly agreed on: banks can’t keep treating cybersecurity as a checkbox. Turning these insights into action means reframing how we think about cybersecurity.
What does that look like? Shifting from:
- “necessary expense” to strategic investment
- “bottomless pit” to measurable value
- “hope we’re covered” to resilient by design
Cybersecurity strategies like Zero Trust can help here, both by prioritizing investments and by reducing breach costs significantly. Can they really help? I believe so: evidence from recent analysis shows that Zero Trust as a Service (ZTaaS) can lower breach costs by up to 75% by reducing the likelihood and impact of incidents (for more detail, see How to Reduce the Cost of a Breach).
Practical approaches and frameworks like this can help you turn these CISO insights into action. If you want to learn more, contact us to explore how they can be applied to your organization.
Interested in joining us for our next event? Stay tuned for more events like the Omaha roundtable — maybe we’ll see you at the next one!
FAQ
What are the biggest cybersecurity challenges for banks today?
According to CISOs, the top challenges include tool sprawl, high SOC costs, staffing shortages, and growing regulatory pressure from frameworks like GDPR, DORA, PCI DSS, NIS 2, and SEC rules.
Why don’t larger cybersecurity budgets always improve protection?
Bigger spend often goes into adding more tools, which increases complexity instead of reducing risk. CISOs at the roundtable stressed that focusing on fundamentals—like patch management, credential hygiene, and efficient SOC operations—delivers more measurable protection than tool sprawl.
What is the cost of running a 24/7 SOC?
Running a Security Operations Center is a multi-million-dollar commitment requiring at least four shifts, redundancy, and multiple analysts per console to avoid alert fatigue.
How can Zero Trust help reduce breach costs?
Zero Trust as a Service (ZTaaS) can lower breach costs by up to 75% by reducing both the likelihood and impact of incidents, making cybersecurity investments more efficient.
How can CISOs win board support for cybersecurity investments?
Boards want clarity on business impact, not technical detail. CISOs should frame security in terms of reduced financial losses, improved efficiency, and stronger resilience. Linking investments to avoided costs and regulatory readiness helps executives see cybersecurity as a strategic value driver, not a technical cost center.