Cybersecurity Leadership for Senior Executives of Thai Banking Firms


Jakkrit Visopa
Borworn Papasratorn

Abstract

Cyber threats are among the most important risks faced by banking firms, and leadership is one of the critical success factors for effective cybersecurity. The Baldrige Cybersecurity Excellence Builder identifies what leaders should do to ensure effective cybersecurity in an organization; however, it does not detail how the identified activities should be carried out. This paper proposes approaches that bank executives can use to lead cybersecurity in Thai banking firms. The proposed leadership approaches are based on the Leadership category of the Baldrige Cybersecurity Excellence Builder. The approaches for each item in that category were synthesized from two widely used cybersecurity frameworks, four cybersecurity standards, and one quality management system standard, and were also checked for compliance with Bank of Thailand regulations and associated laws. The two cybersecurity frameworks are the NIST Cybersecurity Framework and COBIT 5. The four cybersecurity standards are ISO/IEC 27001:2013, CIS Controls V7.1, ANSI/ISA-62443-2-1-2009 and NIST SP 800-53 Revision 4. The proposed approaches also follow the quality management standard ISO 9001:2015. The proposed approaches cover every item required for leading effective cybersecurity: setting the cybersecurity mission, vision and values; demonstrating commitment to cybersecurity; committing to legal and ethical behavior; communicating and engaging with stakeholders; creating an environment in which cybersecurity policies can be implemented; and focusing on cybersecurity action to achieve the cybersecurity objectives. Following the proposed leadership approaches will not only ensure the effectiveness of cybersecurity in banking operations, but also reduce the risk and impact of business loss from both internal and external cyber threats.

Article Details

Section
Information Technology Research Articles

References

X. M. Liu, “A risk-based approach to cybersecurity: A case study of financial messaging networks data breaches,” The Coastal Business Journal, vol. 18, no. 1, pp. 21–38, 2021.

I. Aldasoro, L. Gambacorta, P. Giudici, and T. Leach, “Operational and cyber risks in the financial sector,” BIS Working Papers, no. 840, Bank for International Settlements, Feb. 2020. [Online]. Available: https://www.bis.org/publ/work840.pdf

Electronic Transactions Development Agency (ETDA), ThaiCERT Annual Report 2017–2018, 2nd ed., Bangkok, Thailand, 2019 (in Thai). [Online]. Available: https://www.etda.or.th/th/Useful-Resource/documents-for-download/ThaiCERT-Annual-Report-2017-2018-Thai-Version.aspx

H. Melissa, “Leadership and responsibility for cybersecurity,” Georgetown Journal of International Affairs, Special Issue on International Engagement on Cyber 2012: Establishing Norms and Improving Security, pp. 71–80, 2012.

National Institute of Standards and Technology, 2019–2020 Baldrige Excellence Framework: Proven Leadership and Management Practices for High Performance, 2019.

National Institute of Standards and Technology, Baldrige Cybersecurity Excellence Builder: Key Questions for Improving Your Organization’s Cybersecurity Performance, Version 1.1, 2019. [Online]. Available: https://www.nist.gov/document/baldrige-cybersecurity-excellence-builder-v11pdf

National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Apr. 16, 2018. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.04162018.pdf

International Organization for Standardization, ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements, 2013.

Center for Internet Security, CIS Controls Version 7.1, 2019.

International Society of Automation, ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program, 2009.

National Institute of Standards and Technology, NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, 2013.

International Organization for Standardization, ISO 9001:2015, Quality management systems – Requirements, 2015.

ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, 2012.

Bank of Thailand, Cyber Resilience Assessment Framework, Dec. 30, 2021 (in Thai). [Online]. Available: https://www.bot.or.th/Thai/FinancialInstitutions/PruReg_HB/FSI%20Notifications/Cyber%20resilience%20framework%202019.pdf

Government of Thailand, Cybersecurity Act, B.E. 2562, 2019 (in Thai).

Government of Thailand, Personal Data Protection Act, B.E. 2562, 2019 (in Thai).

National Institute of Standards and Technology, “Three organizations win 2021 Baldrige Awards for Performance Excellence,” Mar. 2022. [Online]. Available: https://www.nist.gov/news-events/news/2022/03/three-organizations-win-2021-baldrige-awards-performance-excellence

H. Snyder, “Literature review as a research methodology: An overview and guidelines,” Journal of Business Research, vol. 104, pp. 333–339, 2019.

S. Cleveland and M. Cleveland, “Toward cybersecurity leadership framework,” in MWAIS 2018 Proceedings, Saint Louis, Missouri, 2018, pp. 1–5.