The CRO-CISO Waltz
The adjoining of cybersecurity and operational risk management in financial institutions
The increasingly complex regulatory environment, along with ongoing technological gains largely propelled by the new emerging industry of FinTech have transformed the very nature of financial fraud and given rise to a new breed of adversary more technologically advanced than decades past. Over the past two decades, the Chief Risk Officer (CRO) and Chief Information Security Officer (CISO) fought different foes on disparate fronts. However, the change in adversarial motives in the cybercrime epoch while still harboring the same anomie has evolved from web site defacements over the last twenty years to a $1.5 Trillion global shadow economy equal to the GDP of Russia that trades in data as the new commodity — now more valuable than oil. If cybercrime was a country, it would have the 13th highest GDP in the world.
This requirement for unification between the two silos is bringing together two different sides of the corporate aisle in financial institutions (FIs) — operational risk management and cybersecurity. Over the last few years, the first studies are beginning to surface that changes the global perspective of cybercrime as a marketplace where entropy reigns supreme, to a well organized, autonomous system of negentropy fueled by revenue flow and profit distribution in a very well funded global economy.
The role of the Chief Risk Officer (CRO) is to maintain a risk register based on the identified applicable laws and regulations, fraud schemes, and anti-money laundering (AML) concerns. Her job is to assist in the execution of the corporate compliance, fraud, and Bank Secrecy Act (BSA) risk assessments by identifying key risks and assessing mitigating controls to determine the risk profile of the organization. Ultimately, her role in the organization is to track the progress of remediation of control weaknesses identified by internal audits or control assessments; monitor the risk profile of the company and develop and monitor key risk indicators; identify emerging risks; coordinate and analyze the collection of risk information; and develop and maintain policies and procedures.
While the CRO is responsible for the macro-view across the total landscape of operational risk management, the CISO is responsible for risk management within her domain of IT; managing vulnerabilities in the company’s IT on-premise and cloud infrastructures and much like the CRO, has purview over IT risk assessments, internal and external audits, compliance, and technological and administrative control assessments and monitoring. While this may be a morass, understand that while these sound similar, they are different. As a matter of fact, both roles historically reported to different individuals in the C-suite.
Historically, the CISO reported to the Chief Information Officer (CIO) due to the historical belief that it was a technology-focused role. Some organizations — in my view — mistakenly have the CISO report up to the Chief Technology Officer (CTO), which is something I hope is quickly becoming a dying practice. However, as the CISO position has evolved and the court of public opinion has weighed in on cybersecurity no longer being viewed as a technology problem, more organizations are moving the CISO reporting structure lines to the Chief Risk Officer, shifting the world view of cybersecurity for the CISO to a risk-based lens rather than purely technological.
Because cybersecurity is a people problem, this requires the CISO to sit at the same dinner table with the rest of the C-suite and have a seat in the board room. Read more on this systemic gap in the C-suite reporting structure in a recent article I was quoted in by Brian Krebs on this very issue.
That’s not to say this isn’t improving. In 2016, a Bay Dynamics report revealed that 74% of board members say they are presented their company’s cyber risk every week. Of those surveyed, 26% of respondents said that cyber risk has the highest priority in their boardrooms, with financial, regulatory, and competitive risks scoring in a close second of 16%-22%.
Historically, adversaries on the fraud and cybersecurity side of the house differed in the tactics, techniques, and procedures (TTPs) that were used, which is now beginning to converge into a single adversary. Because of this, the line between the fraud department and the cybersecurity department fueled largely by FinTech is becoming increasingly blurred and so have the security controls to counter it.
Two decades ago, the objective of hackers in compromising a target was web site defacement. Today it’s for-profit payment cards or PII data breaches, ransom, or nation-state warfare. This has increasingly created a growing audience for vendors offering a litany of anti-fraud solutions to FIs that requires both the CISO and CRO in their audience.
In 2017, the Ponemon Institute released a study on the 2017 Cost of Data Breaches, which estimated that the global average cost of a data breach now exceeds $3.62 Mn. Cyber attacks, financial crime, and fraud are becoming increasingly more targeted, intricate, and persistent — and intertwined. While technologies have made advances in risk management, cybersecurity, and fraud prevention, a recent IBM Institute for Business Value (IBV) report revealed that 42% of banking executives believe that their fraud operations are in dire need of an overhaul.
The fact is, companies need to develop a joint ORM strategy that aligns both fraud and cybersecurity to cope with the shared threats emanating from online criminals, hacktivists, or nation states looking to destabilize payment and financial systems, especially those targeting large scale FIs that sit at the apex of our nation’s financial system. Today though, FIs are struggling to connect the technical aspects of cybersecurity around technological controls with the people and process risks that the CRO is responsible for.
A 2014 report by the Basel Committee on operational risk, which includes cyber attacks as a scenario, illustrates the nature of the operational risk that can result from cybersecurity breaches that range from continuity to credit and even market risk.
The evolution of operational risk management (ORM) to include cybersecurity threats is being driven by three major trends: the rise in number and complexity of cyberattacks that now pose a threat to a FI’s profits, reputational damage, and regulatory fines; boards and the C-suite realizing cybersecurity is not a technology problem rather, includes the broader context of people and processes within the FI; and a poor cost-to-income ratio driving banks to consolidate their silo-based risk management functions.
This “new normal” of expanded ORM that aligns cybersecurity, fraud, and anti-money laundering disciplines was made painstakingly obvious in the Dyre Wolf malware attacks against banks that this convergence was long overdue proving phishing, malware, fraud, money laundering, and business disruption now all coexist together and therefore requires a similar coordination between cybersecurity and ORM strategy.
In summary, the alignment of these two separate functions in the organization is increasingly becoming an existential imperative for FIs to ensure both are aware of their specific responsibilities and how they align within the broader context of the enterprise risk management strategy. Connecting these dots and aligning the strategy is key and starts with the FI adjoining these two historically siloed functions and bringing both under a formal standards framework such as ISO or NIST that ensures both CISOs and CROs coexist together under the same umbrella of operational risk management.
As usual, if you liked this article, please support me by clicking LIKE and share it with your own feed! This is the best possible way that you can support me and my continued research. If anyone has anything to add or comment on in this article, please feel free to share it with everyone below in the comments section! Learn more about me at my homepage at www.alissaknight.com, LinkedIn, watch my VLOGs on my YouTube channel, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.
I am a senior analyst with Aite Group where I perform focused research into cybersecurity issues impacting the financial services, healthcare, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models. I provide these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective and accurate research and content development. Out of my research into the contemporary cybersecurity issues affecting these industries today, I produce research reports and white papers, as well as provide advisory services that include inquiries, briefings, consulting projects, and presentations on study findings as well as bespoke speaking engagements where I often keynote at cybersecurity conferences, seminars, and roundtables annually.