Intrinsically, we all have an understanding of what might be risky and why.

However, when it comes to formalizing risk assessment in financial institutions, the process is more critical and structured. Companies use risk scores as guidance to focus the efforts of the staff to safeguard financial information.

According to the ISACA Risk IT Framework, IT risk is composed of a combination of the possible damage or reduction of the organization’s value due to operations or service delivery and the potential missed opportunities to use technology.

The business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise

Typical considerations for assessing and quantifying risk include the following.

  • Identifying mission-critical information systems. This process includes several stages, from asset discovery to monitoring systems for vulnerabilities to reviewing these information systems’ role in business processes. This assessment is even more critical in a DevOps environment as they are more fluid than traditionally developed IT systems.
  • Data categorization and assessing the risk of sensitive information disclosure.  FDIC gives his example: if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel FILes) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings.
  • Understanding external connections, both customer-facing APIs and connections to partners, external SaaS services, and data backends. For financial institutions, this often means caring about their security and compliance and those of the partners, vendors, and cloud platforms.
  • Potential legal liability. For example, GDPR violators could be fined up to 4% of the worldwide enterprise revenue.

A proactive and on-going risk assessment is a foundation of a sound security program and is one of the essential responsibilities of a CISO.

We sat down with Andreas Wuchner of Credit Suisse to learn about his view on risk and practical risk management approaches in a large bank.

Traceable> Please, introduce yourself.

Mr. Wuchner> My name is Andreas Wuchner and I spend my last 26 years on focusing on Cyber Security and IT Risk for large scale global organizations.

Traceable> Based on your previous experience and Credit Suisse, what does risk mean to a data-driven organization? Does it need to be handled by a dedicated corporate organization like a chief risk officer?

Mr. Wuchner> Operational Risk management and especially IT Risk and Cyber Risk are very important duties of a financial service organisation. It is not a question of if, it has to be done and each regulator expects you to have this managed and under control. Other industries may not have regulations making it mandatory but risk management is a fundamental element of proper management. For a bank it needs to be managed by an appropriate and independent organisation. In SMB companies I can easily see it being included in an existing governance structure.

Traceable> What is the connection between risk and cybersecurity? Should risk reduction be a part of a CISO’s mission?

Mr. Wuchner> Cyber risks are ops risks. Each CISO needs to know his control effectiveness and the resulting risks given the actual threat landscape they face. To manage risks, remediate them, accept them, defer or insure them, is a responsibility of each CISO.

Traceable> How do you assess risk in the context of the software operations, software modules and APIs?

Mr. Wuchner> The same way you address other risks in the organisations. Existing controls and their effectiveness, compared with the existing threats of doing business defines the resulting risks. This is not different for an API or an infrastructure component from a risk management point of view. The fact that many companies don’t have proper clarity around API controls is a different problem.

Traceable> Can you recommend any risk assessment frameworks to quantify risk?

Mr. Wuchner> Standardisation clearly helps but quantification of risk comes with appropriate asset inventories and clear understanding of the business values involved. No framework can address this and many also large scale organisations are not able to quantify their cyber risks with real $ values. Qualitative is ok and also risk appetite definition on them is ok but quantitative is a completely different game.

Traceable> How does data categorization figure into understanding and quantifying risk?

Mr. Wuchner> Data classification and categorization helps to get better focus and criticality done right but only business understanding, process knowledge and details about the values supported by this special process, application or process allows you to do quantitative risk management.

Traceable> When your team members prioritize security incidents either in the context of security operations, how do they use risk?

Mr. Wuchner> In incident management the criticality plays the biggest role. Existing risks are good to know but in the case of a crisis everyone focuses first on “stop the bleeding” or “operational excellence and stability” and not so much on risk. A combined incident management system which has the criticality of systems and processes embedded plus the appropriate risks makes the handling of an incident so much better. There is a reason why ServiceNow embedded in the meantime a security and a GRC module into their offering.

Traceable helps companies (financial and otherwise) secure their applications and APIs by providing complete visibility and risk assessment of APIs, their data flow, and transactions, and detecting and blocking attacks before they happen. Traceable does this with extremely low false positives by combining distributed tracing and cutting edge continuous unsupervised machine learning to rapidly identify anomalies in user and system behaviors. To learn more about Traceable you can visit us at https://traceable2024.wpengine.com or view a recorded demo.