New Coordinates Articles Details


Cybersecurity Means Business: Taking a P&L Approach to Data Risk - Ash Khan

Ash Khan
New Coordinates
Summer 2018

Cybersecurity is a business problem—not just an information technology problem. By now, executives across the financial services industry may be well aware of this. At some banks, though, business planning, budgeting, and day-to-day operations may exhibit the classic gap between knowing and doing. Closing that gap will not be easy. It requires resetting ingrained approaches, mindsets, and relationships to align cybersecurity executives and business executives in the pursuit of shared objectives.

In other words, to mix metaphors, cybersecurity and business executives need to be both on the same page and at the same table, working together to ensure their objectives are achieved.

Too much is at stake to continue operating at cross-purposes. Cyber-related events can harm brand reputation, customer confidence, and share price—ultimately, profitability. What’s more, companies today operate as part of broader interconnected ecosystems, so that an attack on one can have an impact on others. Depending on the nature of a cyber event, whole industries can be affected by a breach at a peer institution.

The CISO Profile
The Chief Information Security Officer (CISO) and cybersecurity team should assist the business in achieving objectives while managing information security risk within a defined risk appetite. To do this requires an enterprise-wide mindset that elevates security from a back office function or cost center to a partnership with the business to ensure business performance. The security team may not “own” traditional Profits & Losses (P&L) like the business does, but it needs to understand P&L to ensure that security is in lockstep with the business.

Financial services CISOs should be business leaders with in-depth knowledge of technology, security, the financial services business, and the business of doing business—meaning classic MBA skills like understanding corporate finance, relationship management, and leadership.

Their skills will surely be put to the test. For one thing, security-related news stories appear regularly in the media. A CISO is routinely put on the spot by executives, with topical questions about any and all technologies, from cloud computing to the Internet of Things, the blockchain, quantum safe cryptography, and the security flaw du jour. All of which requires CISOs to have a very broad and continually refined range of knowledge and skills to respond effectively.

A number of recent regulations have mandated that institutions designate a CISO. One example is the New York Department of Financial Services’ Cybersecurity Regulation. Since the rule went into effect in 2017, the resulting increase in job postings for CISOs has only aggravated an existing skills shortage. Generally, over half of information security professionals reported open cybersecurity positions in a recent survey by the Information Systems Audit and Control Association (ISACA).

Certainly, it isn’t easy to find the right CISO candidate, with a mix of deep technical knowledge, knowledge of the financial services vertical, and sharp business skills. One approach is to find a technologist who has at least one of the other two strengths, and then to help develop the third. Whatever the approach, partnership with the business to manage security-related risks would be key to the success of any new CISO.

P&L-Driven Processes
In an ideal scenario, CISOs and team members would be invited early and often into business planning meetings, to help identify risks raised by new products and services under development. With an understanding of the business proposition, the security team can work with business executives to identify which risks might be unacceptable, acceptable, or readily mitigated by implementing new controls and at what cost. With a better understanding of the threat landscape and cyber defenses, business executives can innovate with greater confidence and success.

What is not ideal is a persistent culture relegating security to a back-office, after-the-fact, check-the-box function. This mindset will consistently bring in the CISO late in the process, when few options are left—mainly giving the thumbs up or thumbs down on a business proposal. The culture of security saying “no” without an understanding of the business impact needs to change, too.

Regulation can also create an environment for checkbox compliance, which often breeds a false sense of security. Getting a real grasp of the situation requires meaningful dialogues on security risks among cybersecurity, technology, and business executives. For the security team, this means a move up from technical security metrics to higher-level key risk indicators, risk radars, and aggregated security maturity dashboards. While this is not an easy move for security professionals, who are accustomed to working with technical details, the security payoff can be significant.

One example involves a CISO responsible for communicating hundreds of security-related metrics to the business. All of this detail overwhelmed the business and IT teams, which in turn could not easily prioritize their remediation efforts. Monthly operating reviews were fraught with tension and frustration during the security discussion. Finally, analyzing a year’s worth of data led to the identification of the biggest risks, each with about 20 related metrics. Next came weighting the risks and creating three high-level red-amber-green indicators to share with the business and technology teams. Incorporating the simplified security risk data into business and IT performance scorecards gave it teeth that changed behavior.

It has been widely debated exactly where the security team fits in, but the decision is important because of the need to raise the visibility of cybersecurity. C-suite executives and senior leaders don’t, as a rule, invite security teams to the decision-making table. Even if cybersecurity does not claim a permanent seat at the table, business executives need to make sure that there is some governance mechanism, such as a cyber risk committee, that regularly brings cybersecurity and business leaders together—preferably chaired by a business executive.

Funding Shortfalls
The security threat landscape is evolving at the greatest rate seen in recent times. In terms of sheer scale, the U.S. government has projected that some 20 billion devices will be connected to the internet in 2020. Malicious actors are backed by increasingly sophisticated and well-funded criminal organizations and sometimes nation-states. Banks’ own technology and customers’ digital behaviors are changing at an equally dizzying pace, involving innovations as transformative as artificial intelligence, robotic process automation, and ubiquitous mobility.

The security team’s evolution typically runs at a slower pace—leaving the team playing catch-up. This situation deprives banks of something they need now more than ever: a team with the wherewithal to see through the eyes of their digital adversaries and identify the weakest links in their ongoing digital transformations.

The culprit, in many cases, is under-resourcing, and indications of this shortfall are many. For example, the largest global banks are each spending roughly the same amount on cybersecurity—up to a half billion dollars a year—clearly demonstrating that they value the function. However, other financial services companies may not be stepping up, in relative terms. Another clear sign of under-resourcing is that any significant public breach is usually followed by a corresponding uptick in spending on cybersecurity tools and people—a case, perhaps, of too little, too late.

One common sense approach would be to run any request for security funding through the same kind of lens used to analyze business requests, rather than engaging in serial stop-gap spending in reaction to cybersecurity incidents. This approach carries an important caveat—that business executives must understand the risk implications and explicitly sign off on rejected funding requests.

Tapping Outside Perspective
To analyze security budgeting, risk management, technologies, and staffing, business executives often like to bring in an external perspective, with independent consultants benchmarking against peer institutions. This last point is another area in which cybersecurity and business executives should collaborate rather than working at odds.

Clearly, internal security teams can feel exposed by outside reviews, which could highlight issues that are either undiscovered or not yet prioritized for remediation. At the same time, they may have a lot to gain. A consultancy of experienced professionals who can speak at their level and do a technical deep dive can both give comfort to business executives and earn the respect of security teams.

The Final Analysis
Partnership between cybersecurity and business executives can lead to a clear understanding of the threat landscape, digital transformation, and the right level of resources for cyber defense, so the bank can thwart adversaries, keep innovating to serve today’s increasingly digital customers, and drive profitability and growth.

View as PDF

Treliant, LLC, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry and Consumer-Oriented Businesses, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Spring 2018 issue. To subscribe to our quarterly newsletter, please Contact Us.