“The important and difficult job is never to find the right answers, it is to find the right question.”
—PETER DRUCKER, The Practice of Management
Should be studied by all business managers.
So what is the right question for technology and cyber risk management?
Risk management means identifying the exposure, implementing controls to keep potential financial and reputational losses within the risk appetite, having the resources and a plan to recover rapidly after a loss occurs, and having the governance to manage all of this effectively. We will therefore start with exposure. The right question, then, is: what is the exposure?
A quick search for types of cyber risk on the internet will produce a long list such as:
Data breaches,
Phishing attacks,
Malware attacks,
Ransomware attacks,
DDoS attacks,
Password breaches,
Insider threats,
IoT threats,
Cloud risks, etc.
If you search for technology risk, the list will include data breaches, cyber-attacks, and system failures.
Familiarize yourself with each of these and test your understanding by explaining each to one of your group members.
After you have completed this exercise, consider the following questions:
Are technology risk and cyber risk the same? From the list above, there is at least some overlap.
Can the list be structured as a MECE set (mutually exclusive, collectively exhaustive)? Perhaps breaches, attacks, threats?
All you need to know about Cyber Risk:
Cybersecurity management is the application of the ECRG framework (exposure, controls, recovery, governance) to ensure that information is available to whoever is authorized to access it, that sensitive information is kept confidential, and that information retains its integrity; that is, the confidentiality, integrity and availability (CIA) of information.
The State of Cyber Risk Management And Industry Survey by Deloitte
The shift toward remote work and virtual customer engagement in the financial services industry appears to have fueled not only digitalization but also several changes to the cybersecurity landscape. This article takes a fresh look at cybersecurity through the lens of a leadership survey and reveals what changes might be ahead for the sector.
Quantifying Cyber Risk: Factor Analysis of Information Risk (FAIR)
For the FAIR approach to quantifying cyber risk, see the FAIR Institute site, a valuable resource for exploring cyber risk topics, especially the quantification of cyber risk.
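As an added illustration (not code from this page, from the FAIR Institute, or from Deloitte), the following Python script shows the core of the FAIR decomposition: loss event frequency is threat event frequency multiplied by vulnerability, loss magnitude is primary loss plus secondary loss, and every factor is entered as a calibrated minimum / most likely / maximum range rather than a single number, which is how FAIR copes with sparse historical data. The ranges are combined by Monte Carlo simulation to produce an annualized loss distribution. The phishing scenario values are constructed assumptions, and a triangular distribution is used in place of the PERT distribution that FAIR tooling typically uses.

```python
"""Simplified FAIR-style Monte Carlo estimate of annualized loss for one scenario.
Added example; the scenario numbers below are constructed, not real data."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate given as a range: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution stands in for the PERT distribution FAIR tools use.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """The FAIR factors for one loss scenario (all values are assumptions)."""
    threat_event_frequency: Estimate   # attempts against the asset per year
    vulnerability: Estimate            # probability (0..1) an attempt becomes a loss event
    primary_loss: Estimate             # direct cost per loss event (response, replacement)
    secondary_loss: Estimate           # indirect cost per loss event (fines, customer loss)


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year for an expected rate lam (Knuth's method;
    intended for the small annual rates used here)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(scenario: Scenario, rng: random.Random) -> float:
    """One Monte Carlo trial: total loss in one simulated year."""
    tef = scenario.threat_event_frequency.sample(rng)
    vuln = scenario.vulnerability.sample(rng)
    loss_event_frequency = tef * vuln            # FAIR: LEF = TEF x Vulnerability
    events = poisson(loss_event_frequency, rng)
    total = 0.0
    for _ in range(events):
        # FAIR: Loss Magnitude = Primary Loss + Secondary Loss, drawn per event
        total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
    return total


def expected_annual_loss(scenario: Scenario) -> float:
    """Closed-form expectation to sanity-check the simulation: the mean of a
    triangular distribution is (low + mode + high) / 3, factors assumed independent."""
    mean = lambda e: (e.low + e.mode + e.high) / 3
    lef = mean(scenario.threat_event_frequency) * mean(scenario.vulnerability)
    return lef * (mean(scenario.primary_loss) + mean(scenario.secondary_loss))


def quantify(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Run the simulation and summarize the annualized loss exposure."""
    rng = random.Random(seed)                    # fixed seed: reproducible results
    losses = sorted(simulate_year(scenario, rng) for _ in range(trials))
    return {
        "mean": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.9 * (len(losses) - 1))],
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


# Constructed scenario: phishing-led credential theft against an online banking portal.
PHISHING = Scenario(
    threat_event_frequency=Estimate(low=4, mode=12, high=40),
    vulnerability=Estimate(low=0.02, mode=0.05, high=0.15),
    primary_loss=Estimate(low=20_000, mode=80_000, high=300_000),
    secondary_loss=Estimate(low=0, mode=50_000, high=1_000_000),
)

if __name__ == "__main__":
    print(f"closed-form expected annual loss: {expected_annual_loss(PHISHING):,.0f}")
    for key, value in quantify(PHISHING).items():
        print(f"{key:>10}: {value:,.2f}")
```

The mean answers "what is the exposure?" in currency per year, while the 90th percentile and the probability of a loss-free year are what a risk appetite statement is usually written against; widening an input range (for example when there is little history for a control) widens the output distribution rather than breaking the model.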
Last week, I came across a report discussing how bots create fake social media accounts to spread negative misinformation, which contributed to a surge in withdrawals at First Republic Bank. Does this have any connection to the CIA?
How can the institution ensure that the scenario testing conducted on its existing defenses is sufficient for risk management, given the rapid advancements in technology within the computer science industry? Is it necessary for the company to conduct scenario testing whenever there are new developments in cyber-attack techniques?
The Deloitte survey suggests that remote work and digitalization have reshaped the cybersecurity landscape. In what ways can businesses adapt their cyber risk strategies to account for these shifts, and what unique vulnerabilities might these trends introduce?
The role of the ECRG framework in cybersecurity is a key point, as it emphasizes ensuring the availability, confidentiality, and integrity of information, at the heart of financial institutions' particular vulnerability to cyber threats in today's digital environment. But given that more and more banks are now doing digital transformation, what are some of the practical ways that financial institutions can strike a balance between maintaining strong cybersecurity and rapid digital transformation?
The FAIR model offers an interesting approach to quantifying cyber risk, moving away from traditional qualitative assessments to a more data-driven methodology. Another question is how companies handle data limitations when using the FAIR model. If there isn’t enough historical data for certain risks, does the model still provide reliable insights?