Treating Cyber-Risk as an Operational Risk: Governance, Framework, Processes, and Technologies

by Joan McGowan, October 12, 2016

Abstract

Celent has released a new report titled Treating Cyber-Risk as an Operational Risk: Governance, Framework, Processes, and Technologies. The report was written by Joan McGowan, senior analyst in Celent’s Banking practice. 

Celent believes the smarter approach to balancing cyber-risk and innovation is strong top-down governance combined with implementation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, with cybersecurity aligned under the institution's existing operational risk management processes.

Treating cyber-risk only as an IT issue is dangerous. Cyber-risks need to be treated holistically and owned by all.

Several industry frameworks are available to financial institutions. Celent recommends the NIST framework because it is well organized and comprehensive and lets an institution build on its current operational risk program. Very few institutions, if any, should go it alone; they need dedicated expert partners and advanced technical capabilities.

“Stop throwing money at cybersecurity technology. Use the NIST cybersecurity framework functions to navigate and manage your technology requirements. Do not purchase in silos or under pressure. Select the right expertise to identify the issues and the right products. The most important thing is to educate decision-makers on why and how breaches happen,” says McGowan.

“Cyber-risks are weaknesses in people, processes, controls, and operations: the definition of operational risk. Take advantage of your current operational processes and consider adopting the NIST cybersecurity framework,” she adds.

Celent is a research and advisory firm dedicated to helping financial institutions formulate comprehensive business and technology strategies. Celent publishes reports identifying trends and best practices in financial services technology and conducts consulting engagements for financial institutions looking to use technology to enhance existing business processes or launch new business strategies. With a team of internationally based analysts, Celent is uniquely positioned to offer strategic advice and market insights on a global basis. Celent is a member of the Oliver Wyman Group, which is a wholly-owned subsidiary of Marsh & McLennan Companies [NYSE: MMC].

Media Contacts

North America
Michele Pace
mpace@celent.com
Tel: +1 212 345 1366

Europe (London)
Chris Williams
cwilliams@celent.com
Tel: +44 (0)782 448 3336

Asia (Tokyo)
Yumi Nagaoka
ynagaoka@celent.com
Tel: +81 3 3500 3023

Table of Contents

Executive Summary
    Key Research Questions
Introduction
    Breaking the Bank
Convergence of Cyber-Risk and Operational Risk Management
Cybersecurity Governance Starts with the Board
Measuring Cyber-Risk Remains a Challenge
    Not Quite Mature Enough
Framing Cybersecurity Risk Management
    A Pragmatic Blueprint
    Comparing Frameworks
    NIST Framework Offers a Risk-Based Approach
The Five Functions of the Cyber-Risk Kill Chain
    Identify: Assess and Prioritize
    Protect: Safeguard and Controls
    Detect: Monitor and Analyze
    Respond: Plan and Mitigate
    Recover: Resilience and Restoration
Cybersecurity Technology Topology Bounded by the Five Functions
    Resource Management Is Paramount
Navigating the Cybersecurity Vendor Landscape
The Path Forward
Leveraging Celent’s Expertise
    Support for Financial Institutions
    Support for Vendors
Related Celent Research
