Intuitively, we all have an understanding of what might be risky and why.
However, when it comes to formalizing risk assessment in financial institutions, the process is far more critical and structured. Companies use risk scores to focus staff effort on safeguarding financial information.
According to the ISACA Risk IT Framework, IT risk combines the possible damage to, or reduction of, the organization's value due to operations or service delivery with the potential missed opportunities to use technology. The framework defines IT risk as:
"The business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise."
Typical considerations for assessing and quantifying risk include the following.
A proactive and ongoing risk assessment is the foundation of a sound security program and one of the essential responsibilities of a CISO.
We sat down with Andreas Wuchner of Credit Suisse to learn about his view on risk and practical risk management approaches in a large bank.
Traceable> Please, introduce yourself.
Mr. Wuchner> My name is Andreas Wuchner and I have spent the last 26 years focusing on cyber security and IT risk for large-scale global organizations.
Traceable> Based on your previous experience and your time at Credit Suisse, what does risk mean to a data-driven organization? Does it need to be handled by a dedicated corporate organization like a chief risk officer?
Mr. Wuchner> Operational Risk management and especially IT Risk and Cyber Risk are very important duties of a financial service organisation. It is not a question of if, it has to be done and each regulator expects you to have this managed and under control. Other industries may not have regulations making it mandatory but risk management is a fundamental element of proper management. For a bank it needs to be managed by an appropriate and independent organisation. In SMB companies I can easily see it being included in an existing governance structure.
Traceable> What is the connection between risk and cybersecurity? Should risk reduction be a part of a CISO’s mission?
Mr. Wuchner> Cyber risks are ops risks. Each CISO needs to know his control effectiveness and the resulting risks given the actual threat landscape they face. Managing risks, remediating them, accepting them, deferring or insuring them, is a responsibility of each CISO.
Traceable> How do you assess risk in the context of the software operations, software modules and APIs?
Mr. Wuchner> The same way you address other risks in the organisation. Existing controls and their effectiveness, compared with the existing threats of doing business, define the resulting risks. This is no different for an API or an infrastructure component from a risk management point of view. The fact that many companies don't have proper clarity around API controls is a different problem.
Traceable> Can you recommend any risk assessment frameworks to quantify risk?
Mr. Wuchner> Standardisation clearly helps, but quantification of risk comes with appropriate asset inventories and a clear understanding of the business values involved. No framework can address this, and many organisations, also large-scale ones, are not able to quantify their cyber risks with real $ values. Qualitative is OK, and risk appetite definition on that basis is also OK, but quantitative is a completely different game.
Traceable> How does data categorization figure into understanding and quantifying risk?
Mr. Wuchner> Data classification and categorization help to get better focus and criticality done right, but only business understanding, process knowledge and details about the values supported by this specific process or application allow you to do quantitative risk management.
Traceable> When your team members prioritize security incidents in the context of security operations, how do they use risk?
Mr. Wuchner> In incident management the criticality plays the biggest role. Existing risks are good to know, but in the case of a crisis everyone focuses first on "stop the bleeding" or "operational excellence and stability" and not so much on risk. A combined incident management system which has the criticality of systems and processes embedded, plus the appropriate risks, makes the handling of an incident so much better. There is a reason why ServiceNow has in the meantime embedded a security and a GRC module into its offering.