Risk – the possibility that something undesirable will occur – is always around us, and we make decisions based on risk every day, from the moment we take our first step, ride our first bike, drive our first car, or buy our first home. These everyday risks are common and easily understood, so we buy health insurance in case we get sick or injured, wear helmets on our bikes, wear seatbelts in our cars, and install alarm systems in our homes, all to reduce the risks around us. We understand, without having to think about it, that each risk can be accepted, mitigated (the helmet, the seatbelt), transferred (the insurance policy), or avoided altogether.
The way we manage security risk within the financial industry is similar, and yet we often have difficulty doing it efficiently. Risk assessments make us groan and very seldom make us happy, mostly because different types of assessments are used to manage different types of risk. We check the compliance box, but we don't always end up with a complete picture of the issues that could result in a significant breach at the financial institution (FI). So, how do we bridge the gap between business risk and security risk?