Risk, the possibility that something undesirable will occur, is always around us, and we make decisions based on risk every day, from the moment we take our first step, ride our first bike, drive our first car, or buy our first home. These everyday risks are common and easily understood. As such, we carry health insurance in case we get sick or injured, wear helmets on our bikes, wear seatbelts in our cars, and install alarm systems in our homes, all to reduce the risks around us. We understand that we can choose to accept a risk, mitigate it, transfer it (insurance), or avoid it altogether.
The way we manage security risk within the financial industry is similar, and yet we often have difficulty doing it efficiently. Risk assessments make us groan and seldom make us happy, mostly because different types of assessments are used to manage different types of risk. We check the compliance box but don't always have a complete picture of the issues that could result in a significant breach at the financial institution (FI). So, how do we bridge the gap between business risk and security risk?
As I look back on my years participating in, and watching organizations perform, security risk assessments, the organizations that were successful had three basic elements in place, and those that struggled were usually missing at least one of them:
- Roles and responsibilities
- Risk appetite statement
- Common language of risks and controls
Roles and Responsibilities (R & Rs)
We typically begin risk assessments with objectives and information assets, but high on the list are also the employees or third parties involved, along with their job titles and responsibilities. In many cases we gloss over R & Rs because "we know what their job is." Fine, we know that the CEO is the ultimate authority in the organization, the CFO oversees budgets and financials, the CIO oversees IT, the CISO oversees security, and so on. But what exactly is each of them responsible for during a crisis? And who owns the decision on, for example, the risk of robbery at a branch?
That is what is often missing or outdated in documented security programs. Consequently, a risk assessment will not run efficiently if the team is not clear on who is responsible for what. More importantly, "knowing what our job is" does not constitute evidence during an audit; the auditor needs documented, approved responsibilities, not tribal knowledge. Spend the time up front carefully outlining the responsibilities of each individual involved in managing security risk at your FI. It will pay off in the long run.
Risk Appetite Statement
There are many academic definitions of risk appetite (which we won't go into here). Suffice it to say, it is crucial to understand how much security risk your FI is willing to accept, and to write it down in terms that can actually be compared against an assessment result. Once again, taking the time to craft a comprehensive, board-approved statement of your security risk appetite will set the framework for an efficient (and successful) program.
Common Language of Risks and Controls
Risk assessments are successful when a proper balance is established between risks and controls. Once you have clear roles and responsibilities and an approved risk appetite statement, you can better determine your security risk profile. Your FI's risk profile should be defined using a common framework for understanding business risks as they relate to information security. The FFIEC Cybersecurity Assessment Tool (CAT) is a great resource for building your risk profile, but it needs to be underpinned by your own risk appetite and supported by your accepted set of controls.
Using the CAT, you can implement a framework for your FI that provides
- a common language to effectively understand and manage security risk, and
- a structured approach to assess risk and consistently apply the appropriate controls.
This risk and control framework helps ensure that controls are not only commensurate with the risks they address, but also appropriate and acceptable to senior leadership and the board of directors.
Controls are measures incorporated into policies, standards, and procedures that are intended to prevent a risk event or reduce its probability and/or severity. In short, a control is anything that mitigates risk and thereby improves the likelihood that the business will achieve its objectives. Applying controls in a structured manner allows for a consistent approach and also brings visibility to the risk that remains after the controls are applied (residual risk), which is what must be compared against the risk appetite.
Success in security risk assessments requires the right governance structure: clear roles and responsibilities for information security, consensus on risk appetite, and a common language of risks and controls that everyone understands. I'd be remiss if I did not mention that all of this is achievable only with the relevant expertise to bring the teams together and make it happen.
Looking for free resources to help you bolster your cybersecurity strategies? Visit the ProfitStars Cybersecurity Awareness Resource Center today for tips and helpful insight to elevate your #FIcybersavvy!
Like this article? Subscribe to the Strategically Speaking blog to gain access to weekly articles from our industry leaders right from your inbox!