A few weeks ago, in my life outside of cybersecurity, a person said to me: “You are always thinking three steps ahead of the rest of us”. I am not sure if it was meant as a compliment or not. I think they may have been observing that I was bringing up scenarios that were unlikely to occur and that the discussion of those scenarios was slowing progress on what we were working on. You see, I have always tended to think of the worst possible scenario in any situation I am in and to create mental plans for what actions I would take. Growing up, it would drive my family crazy. I am, to put it bluntly, a worrier.
Luckily, there is a career path for worriers. It is called risk management. Risk management is simply the practice of worrying about what can go wrong and determining how likely it is to go wrong and what can be done to lower the risk. The things that can go wrong are called “threats”. The things that can be done to decrease the impact or the likelihood of a threat are called “controls”. By adding these (and a few other) terms to my vocabulary, I am no longer just a worrier. I am a professional worrier!
Risk management is a foundational skill that every financial institution must have in place to operate. Every loan opened by a customer and every rate decision made comes with a certain amount of risk, and institutions must ensure that this risk level is acceptable. It should be easy for an institution to apply these same risk management skills to IT risk, but I see many institutions where these skills have rarely been applied to IT.
There are two different reasons I see risk management not being adequately applied in IT. First, if an IT professional has developed in an environment outside of financial services, it is possible that they have never been exposed to risk management. IT people are not all natural worriers. Many extremely talented IT professionals are optimistic that the work they do will make their organizations better and more efficient, and they do not get overly concerned with what could go wrong.
Second, most risk management professionals inside financial systems do not truly understand the technical environment that is operated by IT. They are focused on lending and financial risk, and do not really know what the threats and controls are within IT. They do not know what they should be worried about.
The role of a CISO in a financial institution should be to coordinate the risk management mindset that each institution has with a technical knowledge of the systems, applications, and system processes of that institution. They should be worrying about what threats might occur, as well as what the institution is doing to mitigate those threats. And they should be communicating these risks to management and the board just as their risk management counterparts do.
If you feel that IT and cybersecurity risks are not being adequately identified and communicated within your institution, it may be that you need someone with expertise in both risk management and IT to help bridge the gap between these two disciplines. Bedel Security can help by providing services ranging from mentorship of existing staff all the way to becoming your full CISO. If this sounds interesting, please contact us at support@bedelsecurity.com to learn more!