Insights from a Cybersecurity Roundtable on Mortgage Lending



  • Robert Furr
  • Published: 18 October 2021

Capco continued its Roundtable series this summer with another session comprised of CISOs from several of the country’s largest mortgage lenders. The areas of focus for these CISOs are once again relevant and timely for not only lending organizations, but also diversified financial services institutions, along with companies from other industries (e.g., energy). Key topics in this session indicate a continued need for cybersecurity to “shift left” and for organizations to adopt a DevSecOps model.

Cybersecurity is a premium, not a default. Unfortunately, many tools and vendors follow a freemium model with respect to cybersecurity features. It is typical for base, or free tiers, of a product to lack key security features, such as single sign-on (SSO) or syslog/SIEM integration. CASB and other SaaS offerings, such as phishing protections, may be unavailable or lackluster unless you move up to higher tiers of service. Consider what features are most important to you now and in the next 12-24 months to ensure you choose the solution that will best protect your workforce.

Resiliency and best practices are rarely built in from the start. Cloud providers and custom-built solutions get initiatives off the ground quickly and empower teams, but the right cybersecurity architecture must be part of the foundation. Bolt-on security increases threat vectors and may expose control gaps. Concepts like micro-segmentation and least privilege are easier to establish at the start, and they are cheaper to implement up front, rather than during a refactor or as the result of a breach. This complication is not only a technical issue; mergers and acquisitions (M&A) exacerbate these challenges by adding users, endpoints, and applications into the fold. If your firm is growing through M&A, make sure that cybersecurity rationalization is part of the integration process. Leverage reference architectures, security templates, and automation to maintain resiliency.

Comparing tools and vendors quickly becomes subjective. Deciding what tool is right for you can feel like jumping from one moving car to another… during an earthquake! Tools frequently change names, merge with other tools, or are sold from one vendor to another. Technology convergence leaves firms owning multiple tools that each have different levels of feature overlaps. Whether you are looking at IAM, EDR, network security, or another tool category, you will find varying maturity in areas such as: on-premise vs. hosted functionality, vendor lock-in vs. cross-vendor integration, and differing licensing models. To further complicate comparisons, independent reviews can be subject to testing methodology and sponsorship bias.

With so many nuances and choices, it can be hard to determine where to get started. Anchor your evaluation on a set of use cases tailored to your organization and prioritized by level of importance. Look at the key areas you wish to protect and capabilities of your existing team. Layer available funding and existing vendor relationships into your assessment. Finally, realize the vendor landscape will continue to change due to new releases and acquisitions, and you may need to reassess again at the end of your current support contract.

Dedicated cybersecurity awareness pays dividends. Investing in a champion or a team focused on awareness and training can unlock both immediate and long-term improvements in security posture. Growing organizations may be hesitant to make this investment, due to a perception of high upfront cost with little benefit. However, such a resource or team can level-up the organization’s security posture and cybersecurity culture. Leverage metrics around phishing and business email compromise before and after awareness activities (phishing simulations, annual security training, cybersecurity awareness month, etc.). Note the increase in reported events or increased use of tools like phishing button clicks after training events to quantify ROI.

In conclusion, this roundtable discussion further underscores how change within an organization and the software supply chain continues to make a CISO’s job difficult and ever-changing. Establish a strong cybersecurity foundation within your team, tools, and culture to maintain agility amidst this sea of change. If you are interested in hearing about our experience with these themes or to attend a future roundtable, please contact Robert Furr at