Bitsight EXCHANGE Sound Bites: Risk Management in Financial Services
In the months since Bitsight’s inaugural EXCHANGE forum, we have been digesting the sessions and discussions that took place there. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.
One interesting panel discussion was focused on the evolution of risk in the financial services industry. Speakers included Mark Watson (Deputy Leader, Financial Services Center for Board Matters, Ernst & Young), Derek Vadala (Managing Director & CISO at Moody’s Corporation), Bob Lewis (Head of External Cyber Assurance & Monitoring at Barclays UK), James Lam (Chair, Risk Oversight Committee, E*TRADE), and moderator Peter Pernebo (Executive Director of Third Party Risk Management, KY3P by IHS Markit).
James Lam shared his thoughts on the role of effective risk management within an organization, quoted below.
“I think qualitative assessment is useful, but insufficient, because you're telling me what you think. So, it's a good start. And what doesn't work is also just providing information about our maturity relative to a framework like NIST. So, if you have higher maturity, basically you're telling me you're doing your job. Okay. You're paid to do your job. But what's more important to me is how effective you are in terms of your work. So, I don't want to just hear about input. I am much more concerned about output. So, in terms of output, I want really good metrics. And I think Bitsight has done a really good job in getting the conversation into something that's objective and that's measurable, that's benchmarkable. And I want to understand how this risk compares to the other risks that we oversee in terms of potential economic impact and business impact. And then finally, I want to understand what our exposures are relative to risk appetite. And so, to me, I think you need to have that kind of balance. And having just the input assessment and metrics is insufficient. You really have to understand how effective the program is. And the key question that directors ask is, how do I know if our cybersecurity program is working effectively? And to the degree that your assessments and metrics answer that question, that's how you serve the board.”
“It's not a matter of just mitigating and minimizing risk. The job of risk management is to optimize the risk-return profile of the organization. And I've seen that evolution in every other risk, and right now I think cyber is challenged to be able to go through those (three) steps.”
Thank you to James and our other panelists for an extremely insightful conversation!