Cybersecurity Risk Management—Mapping the Value Chain to Create a Holistic View

By Shahryar Shaghaghi, Kurt Salmon, CIO Advisory Practice

The breach of customer data at JPMorgan earlier this year pulled back the curtain on bank cybersecurity, revealing systems that are far from perfect. While regulations have helped individual banks identify and close some gaps, too many remain. The challenge in further tightening financial organizations’ cybersecurity is twofold.

First, financial firms have traditionally addressed information security risk reactively, either in response to an event, such as a breach, or in response to new regulation. In either case the question driving the work has been "How do we fix the problem that led to X?" rather than "Which weaknesses allowed X, and where else do they exist?" As a result, risk management strategies have largely been built from "expected" or "seen before" scenarios, leaving institutions blind to attackers whose tools and methods keep improving and who penetrate defences in ways the scenarios never anticipated. Even though today's regulatory regime requires firms to demonstrate their information security capabilities to regulators on a regular basis, many have yet to adopt an "above and beyond" mentality: building capabilities ahead of requirements so that exposure to previously unseen ("zero-day") attacks is reduced before the first incident rather than after it.

A second challenge is that the channels on which financial information travels are becoming increasingly complex, with many more touchpoints in the process, not all of which are held to the same cybersecurity standards as the financial institution at the end of the chain. Large institutions typically rely on many third-party entities, a suite of different software products and a wide variety of hardware providers to process transactions, and each of these is a potential avenue for an intruder; a weakly controlled supplier can undermine a well-controlled internal system that trusts its data.

So what can organizations learn from the recent spate of breaches? The key to creating a more secure environment in financial institutions is to take a comprehensive and holistic end-to-end view of IT security, using the following framework:

Scope the security organization—No two information security strategies are the same. In order to establish a complete view of an information security organization, firms must first determine its scope, including the roles and responsibilities of the security teams distributed throughout the larger financial institution. Increasingly, this scope, as noted in Figure 1, should be expanded to cover third parties whose applications connect to the bank's internal systems or who provide contract services to the IT organization.

Figure 1. Scope of an Information Technology Security Organization

Map existing IT security resources—Before making any changes to the organization’s cybersecurity processes, it is essential that the business have a transparent picture of the existing IT security apparatus and understand the interactions and interconnectivity among its various pieces.

Conduct a comprehensive quantitative risk analysis—Once existing behaviors and processes are mapped, financial institutions must assess the maturity of, and the risk posed by, each part of the security structure. Standardized industry frameworks, such as an information security management system (ISMS, as specified by ISO/IEC 27001) or the Systems Security Engineering Capability Maturity Model (SSE-CMM, ISO/IEC 21827), are most useful for this process, though they will usually need to be tailored to the organization's circumstances and applied more broadly than the firm's own perimeter, so that risk introduced by third parties along the financial transaction chain is scored alongside internal risk rather than left out of the picture.

Figure 2. One Element of a Risk Analysis Framework – Risk Matrix with Scoring Methodology Based on Four Risk Categories and Four Core Elements of Risk

Once implemented, the risk analysis framework should provide a comprehensive, holistic view of the security apparatus within a financial institution, giving responsible professionals a clear view of the risk at each stage of the value chain, enabling more effective prioritization of security improvement efforts and creating greater risk transparency for the organization as a whole.
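The three steps above (scope the organization including third parties, map the stages and their interconnections, then score each stage) can be made concrete in a small model. The following Python is an added illustration written for this article, not Kurt Salmon's methodology or the scoring in Figure 2: the four risk categories, the four core elements (likelihood, impact, control maturity and inherited upstream exposure), the maturity discount table, the propagation factor and the sample chain with its vendors "IdentityCo" and "GatewayCo" are all assumptions chosen for the example. What it adds to the text is the effect of the value-chain view: a stage's effective risk is taken to be no lower than the discounted risk of the stages feeding it, so a mature internal system inherits the weakness of a poorly controlled supplier, and the prioritization points at the root cause rather than at the symptom.

```python
"""Value-chain cyber-risk scoring.

Added illustration for this article: the categories, core elements, weights and
the sample chain below are assumptions, not Kurt Salmon's published methodology.
"""
from dataclasses import dataclass

# Assumed four risk categories (the article does not name them).
CATEGORIES = ("confidentiality", "integrity", "availability", "compliance")
# Share of inherent risk remaining at each control maturity level 0..5,
# loosely modelled on SSE-CMM capability levels (assumption).
MATURITY_FACTOR = {0: 1.0, 1: 0.9, 2: 0.75, 3: 0.6, 4: 0.45, 5: 0.3}
# Assumed discount applied to risk inherited from an upstream stage.
PROPAGATION = 0.8


@dataclass(frozen=True)
class Stage:
    name: str
    owner: str            # "internal" or the third party operating the stage
    upstream: tuple       # names of stages that feed data into this one
    likelihood: dict      # category -> 1..5
    impact: dict          # category -> 1..5
    maturity: int         # control maturity 0..5


def stage(name, owner, upstream, maturity, likelihood, impact):
    """Build a Stage from per-category scores given in CATEGORIES order."""
    return Stage(name, owner, tuple(upstream), dict(zip(CATEGORIES, likelihood)),
                 dict(zip(CATEGORIES, impact)), maturity)


def residual(st, category):
    """Core elements 1-3: likelihood x impact, discounted by control maturity."""
    return st.likelihood[category] * st.impact[category] * MATURITY_FACTOR[st.maturity]


def effective(chain, name, category):
    """Core element 4: inherited exposure. A stage is no safer than the
    (discounted) weakest upstream link feeding it, whoever operates that link.
    The chain is assumed to be acyclic."""
    st = chain[name]
    own = residual(st, category)
    inherited = [PROPAGATION * effective(chain, up, category) for up in st.upstream]
    return max([own] + inherited)


def total(chain, name):
    """Total effective risk of a stage across all categories."""
    return sum(effective(chain, name, c) for c in CATEGORIES)


def driver(chain, name):
    """Which stage's weakness dominates this score: the stage itself or an upstream one."""
    st = chain[name]
    own = sum(residual(st, c) for c in CATEGORIES)
    if not st.upstream or total(chain, name) <= own:
        return name
    return max(st.upstream, key=lambda up: total(chain, up))


def root_cause(chain, name):
    """Follow the dominant upstream stage until reaching one whose risk is its own."""
    seen = set()
    while name not in seen:
        seen.add(name)
        nxt = driver(chain, name)
        if nxt == name:
            return name
        name = nxt
    return name


def prioritize(chain):
    """Rank stages by total effective risk, naming the root cause to fix first."""
    rows = [(name, round(total(chain, name), 2), root_cause(chain, name), chain[name].owner)
            for name in chain]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sample_chain():
    """Constructed example chain; scores are illustrative, not real institution data."""
    stages = [
        stage("kyc_vendor", "IdentityCo", (), 2, (4, 3, 2, 4), (5, 4, 2, 5)),
        stage("onboarding", "internal", ("kyc_vendor",), 4, (2, 2, 2, 2), (4, 3, 3, 4)),
        stage("payment_gateway", "GatewayCo", (), 3, (3, 4, 4, 3), (5, 5, 5, 4)),
        stage("core_banking", "internal", ("onboarding", "payment_gateway"), 5,
              (2, 2, 3, 2), (5, 5, 5, 5)),
        stage("reporting", "internal", ("core_banking",), 4, (1, 2, 1, 3), (3, 3, 2, 5)),
    ]
    return {s.name: s for s in stages}


if __name__ == "__main__":
    for name, score, cause, owner in prioritize(sample_chain()):
        print(f"{name:16} {owner:10} risk={score:6.2f}  fix first: {cause}")
```

In the sample chain the core banking stage has the highest control maturity in the model, yet it ranks third because it trusts data from the payment gateway vendor; the reporting stage downstream of it inherits the same exposure, and the root-cause column sends the remediation effort to the vendor relationship rather than to further hardening of systems that are already mature. Scoring only inside the firm's own perimeter would have hidden both effects.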

As the sophistication of cyberattacks increases, it becomes imperative that financial institutions understand the full extent of their information security risk, assess and quantify vulnerabilities accurately, and use methodologies that support effective and efficient risk mitigation. When paired with an organization's existing expertise in data privacy and information security regulation, an appropriate risk analysis framework can help financial organizations shift from reacting to incidents to taking a proactive view of cybersecurity that factors in all risks, from the data source all the way through to third-party vendor applications.

Shahryar Shaghaghi is a partner with Kurt Salmon's CIO Advisory practice, which assists CIOs in formulating, planning and executing programs that improve the responsiveness, adaptability and cost-effectiveness of their IT organizations and that drive overall business performance.


Copyright © 2017, WSTA®, All Rights Reserved.