Evolving conversations around cyber risk at Canadian financial institutions

Risk frameworks, business architecture, dashboards and reporting, threat risk assessments, cyber security governance, risk intelligence… these were all top of mind in the conversations we had with guests at a Canadian Bankers Association cybersecurity conference in Toronto at the end of March.

What we heard truly validated our belief that providing trusted, aggregated and transparent risk information to the board and executives is a top priority for CISOs today.

As part of the event we asked participants to fill out a survey to help inform us about how banks currently manage cyber risk. Where are they having success? What are their challenges? We promised to share our results, so here is a snapshot:

Survey participants were asked to rank their organization’s approach on the scales. A sample of responses is shown above.


As you can see, there’s a big range of responses. As one participant told us, maturity can vary depending on the department and the process in question. But what’s clear to me from this summary and from the conversations we had is that companies are increasingly realizing that cyber risk is strategic, and that it requires a proactive solution focused on risk rather than simply on compliance.

It was encouraging to talk to banks about cyber risk because it’s clear they are taking it as seriously as Iceberg believes firms should be. By sheer necessity they have invested hundreds of millions of dollars to put safeguards in place, but now they’re also looking to get more proactive and more strategic with their cyber investments. Providing executives with a view of their key risks, related to their key business products and services, has become vital in today’s high-threat environment.

When it comes to cyber risk, technology leaders are asking: How do I assess it? How do I report on it? How do I get a trusted, aggregated and transparent view of it? How do I translate it into business language for our executives, allowing them to confidently make impactful business decisions? And how can we ensure that we understand our risk appetite, so that we leverage the opportunity that new technology provides to build value for our company?

Another consistent theme from my conversations with customers was the ongoing “silo challenge”. There’s one organization we talked to recently where the audit group, finance group, IT group, and ORM group each have a different solution to measure risk. There’s no common taxonomy, no common framework. How does a senior executive or board member know what a “3” means on their risk scorecard?

At its simplest, risk is a combination of impact and likelihood. The likelihood of a breach is extremely high (especially for financial institutions!) and the impact is significant. That’s why cyber risk is so top-of-mind for organizations.

Fortunately, there is light at the end of the tunnel. Our conversations at this event gave us confidence that the right program can help CISOs deliver trusted, aggregated and transparent risk data, so that their executives can make confident, informed and effective business decisions.

Ken.

Ken McPherson

About the author

Ken is the President and CEO of Iceberg. He considers himself very fortunate to work with an outstanding team of management consultants, professional services engineers, and recently graduated engineers who are focused on ensuring success and making a difference for all of Iceberg's clients.