The CRO-CISO Waltz

The adjoining of cybersecurity and operational risk management in financial institutions

The increasingly complex regulatory environment, along with ongoing technological gains largely propelled by the emerging FinTech industry, has transformed the very nature of financial fraud and given rise to a new breed of adversary far more technologically advanced than in decades past. Over the past two decades, the Chief Risk Officer (CRO) and Chief Information Security Officer (CISO) fought different foes on disparate fronts. However, adversarial motives in the cybercrime epoch, while still harboring the same anomie, have evolved over the last twenty years from web site defacements to a $1.5 Trillion global shadow economy equal to the GDP of Russia, one that trades in data as the new commodity — now more valuable than oil. If cybercrime were a country, it would have the 13th highest GDP in the world.

This requirement for unification between the two silos is bringing together two different sides of the corporate aisle in financial institutions (FIs) — operational risk management and cybersecurity. Over the last few years, the first studies have begun to surface that change the global perspective of cybercrime from a marketplace where entropy reigns supreme to a well-organized, autonomous system of negentropy fueled by revenue flow and profit distribution in a very well-funded global economy.

The role of the Chief Risk Officer (CRO) is to maintain a risk register based on the identified applicable laws and regulations, fraud schemes, and anti-money laundering (AML) concerns. Her job is to assist in the execution of the corporate compliance, fraud, and Bank Secrecy Act (BSA) risk assessments by identifying key risks and assessing mitigating controls to determine the risk profile of the organization. Ultimately, her role in the organization is to track the progress of remediation of control weaknesses identified by internal audits or control assessments; to monitor the risk profile of the company and develop and monitor key risk indicators; to identify emerging risks; to coordinate and analyze the collection of risk information; and to develop and maintain policies and procedures.

While the CRO is responsible for the macro-view across the total landscape of operational risk management, the CISO is responsible for risk management within her domain of IT: managing vulnerabilities in the company’s on-premise and cloud infrastructures and, much like the CRO, having purview over IT risk assessments, internal and external audits, compliance, and technological and administrative control assessments and monitoring. While this may sound like a morass, understand that although these responsibilities sound similar, they are different. As a matter of fact, both roles historically reported to different individuals in the C-suite.

Historically, the CISO reported to the Chief Information Officer (CIO) because the role was believed to be technology-focused. Some organizations — in my view — mistakenly have the CISO report up to the Chief Technology Officer (CTO), which is something I hope is quickly becoming a dying practice. However, as the CISO position has evolved and the court of public opinion has weighed in that cybersecurity is no longer a technology problem, more organizations are moving the CISO’s reporting line to the Chief Risk Officer, shifting the CISO’s world view of cybersecurity to a risk-based lens rather than a purely technological one.

Because cybersecurity is a people problem, the CISO needs to sit at the same dinner table with the rest of the C-suite and have a seat in the board room. Read more on this systemic gap in the C-suite reporting structure in a recent article by Brian Krebs on this very issue, in which I was quoted.