As the pace of technology change exposes financial institutions to greater risk and a heavier regulatory compliance burden, it also opens new pathways to value creation and investment opportunity. According to Charles Jacco, principal, cyber security services at KPMG, this has driven a movement to recast cyber risk from what has historically been seen as a technology leadership problem into a business problem that is just one part of managing risk across the enterprise.
Historically, addressing cyber security has been the role of the CISO, who owned every aspect of it: setting the policy, protecting the enterprise perimeter (at times in tension with the business’s strategic direction), and implementing the tools and technology to control the environment.
“That worked because we needed to have a person with enough authority to just get it done,” says Jacco. Now, however, most other functions across a typical financial enterprise have been split into three lines of defense: the front-line business functions that own the controls; an independent risk management function that provides checks and balances; and an internal audit function that cross-checks everything, even before an external audit. Cyber security, however, has not sat in that structure, because companies felt an individual technical authority was required to keep the enterprise safe.
That individual technical authority, often the CISO, has started to become a business inhibitor, Jacco explains. “They don’t want to be that, but they own the risk, so they feel they have to protect the environment,” he says. That, however, frustrates the business, which is trying to find new ways to make revenue and compete with startups. As a result, a natural evolution is now under way, in which it has become clear that the business should be able to make decisions based on a thorough understanding of the company’s appropriate risk appetite. “That should not be the CISO’s job,” he says. “The CISO should focus on protecting the enterprise, and the board of directors and Chief Risk Officer’s organization should be put in the driver’s seat when it comes to defining and calculating risk appetite.”
A More Holistic Outlook Is Needed for Cyber Risk
At a high level, the pace of business change is far faster than it was just 5-10 years ago. For the business to move as quickly as it wants, it needs to understand what the appropriate risk posture is, and that posture needs to include cyber security in every due diligence exercise, so that cyber is incorporated throughout the business in a holistic way.
The typical CISO and CIO deliver monthly board readouts that are technical in nature and very operational, without discussing how the company can reduce its risk, says Jacco. “If the IT organization is installing some tools, there isn’t an understanding of whether all of these metrics are actually reducing risks,” he says. “Were any of them critical? Were any on core platforms or crown jewels? Was anything compromised? That data didn’t exist, and it is starting to now.”
Instead, cyber risk exposure should be reported as a quantified dollar amount on the core assets the business really cares about; then, based on the risk appetite and key risk indicators (KRIs), funding can be allocated to reduce that risk. “This is a different conversation than has happened in the past, on how to reduce risk across the entire enterprise — with cyber risk woven in throughout,” he says.
A New Operational Risk Framework: With Cyber as a Foundational Component
KPMG believes a holistic operational risk framework, which includes cyber security risk as a foundational component, can help financial institutions — and eventually other industries — achieve competitive advantage while securing the enterprise’s most valued assets against cyber-attacks and threats.
At a high level, says Jacco, this means separating the first and second lines of defense. “The CISO should report to the CIO,” he says. “Rather than focusing on the risk of the business, the primary role of the technology risk function within the CISO function — as it has historically been — is about maintaining the processes and asset inventories for the business and all the technology assets they own.” That function must understand what the core platforms are, the core servers they sit on, and the type of data that sits on them, as well as why, from a risk classification standpoint, they matter.
They also need to create a robust risk framework that applies controls and implements technology to protect those assets, he continues. “They are the first line of defense, and they are responsible for protecting and monitoring that environment,” he says. “And then they also need to do periodic scenario testing and undergo tabletop exercises for the board of directors to go through various cyber-attack scenarios.”
The cyber security policy, on the other hand, should be firmly owned by the second line of defense, under a cyber risk management leader. That person should sit at the top of the operational risk management function and report directly to either the risk committee or the board of directors. That function, Jacco explains, needs to develop an independent risk management framework for the business to sign off on, together with KRIs measured against the agreed risk appetite, which in turn feed a cyber policy that encodes the business’s stated risk appetite.
“The cyber risk management leader needs to be independently challenging the first-line role of the CISO to make sure they are putting appropriate controls in place to meet those objectives,” he says. “Naturally, the CISO needs to be closely involved, but the business can make educated, risk-based decisions where they own the risk like they should.”
How Businesses Can Enable the Appropriate Cyber Risk Posture
Enabling the appropriate cyber risk posture starts with the foundational step of updating the organizational model: clearly placing the CISO in the first line of defense, reporting to the CIO, and then, if it does not already exist, creating a cyber risk management lead function in the second line, reporting directly to the operational risk management lead.
This, says Jacco, is the game changer for solving the business problem of technology and cyber risk. “Foundationally, this is important and new,” he explains. “That function needs to have authority and own the high-level cyber policy.” The cyber risk management function must establish the risk appetite, the KRIs, and an overall risk management framework, all of which feed into that high-level policy.
“Then once the company has done that (and that takes a while), you move to the next level, toward intelligent automation and data analytics to report on quantifiable risk.”