NICSA members learned strategies for surviving and thriving in uncertainty during a session on the topic at last month’s General Membership Meeting.
Antonio Crombie, Strategic, Regulatory and Operational Risk Management Leader at Deloitte, lead a panel of experts from Foreside, Putnam, and SEI through the discussion, which was centered on best practices.
TRENDS IN RISK MANAGEMENT
Rich Walzer, Chief Information Security Officer, Putnam, said it’s hard to read the news without learning about yet another data breach.
“If we don’t take advantage of the lessons learned from others who have been a little less fortunate than we’ve been, we’re doomed to repeat that history,” he said. “But the thing that worries me most about the cyber side of things isn’t the technology; it’s the skills gap in this particular area.”
Indeed, some reports indicate that there will be 3.5 million unfilled cybersecurity jobs by 2021. “That’s a problem,” Walzer said.
Rhonda Cook, Chief Risk Officer, SEI, said risk management teams are often viewed as “no” people. “Philosophically, the way I’m trying to position my team and the work that we do is simply to say, ‘You can drive faster on a paved road — let me help you set up guard rails; and as long as you operate within those guardrails, you can go as fast as you want to go,’” she said.
Samantha Swift, Chief Risk Officer, Foreside, pointed to the evolution of the regulatory landscape with respect to data privacy — think GDPR and CCPA — which further complicates risk management. “These rules are not just acting as guidance for best practices; they’re very prescriptive in nature,” she said. “This prevents a challenge for smaller firms with limited resources, whether human or capital. That’s something more and more businesses will need to pay attention to.”
OVERCOMING CHALLENGES
Walzer said the pace of technological change is faster than ever and will continue to accelerate in the future.
“You hear so much about this digital transformation across basically every sector, but security has been slow to adopt it,” he said. “What’s been lacking in the cybersecurity industry are hard facts about what’s happening, and there are a couple of respected organizations that are changing that.”
For example, Verizon publishes an annual Data Breach Investigations Report (DBIR), and Mandiant’s M-Trends report investigates the most prominent cyberattacks each year. “These reports take all that information and feed it back to the community,” Walzer said. “Security teams have to take that information, digest it, and mold their programs based on fact, not fiction.”
Rhonda said the executives at her firm want more awareness of and transparency into risk issues. “We’re trying to present risk dashboards to them on a routine basis, and we’re putting them in front of management quarterly so they can see trends over time and understand where risk is at the organization,” she said.
Swift said there’s a great deal of overlap within her organization in terms of risk management. “We’ve put in place governance structures that bring us together to talk about risk,” she said. “But I don’t think there’s a right answer to risk management — the solution has to be right for your organization.”
Website Design By Branophia LLC