The Situation

A global bank with investment banking, asset management and wealth management arms had a high degree of scrutiny of its cybersecurity posture by regulators and external as well as internal auditors. Due to the complexity of the organisation and its technology there was a long list of compliance gaps when measured against any security framework (e.g. NIST CSF). Executive management saw the importance of the issue but found it hard to make sense of audit findings and gap analyses. These were either written in too technical language or concerned risk scenarios that seemed very hypothetical. As a result it was hard for management to know which issues to prioritise.

The Task

I was asked to take over a project that aimed to provide meaningful insights for each business division into their specific risks and how best to address them. The project had initially been spun up with junior resources from a Big 4 firm but with little direction or oversight.

The Action / Approach

I developed a standard pitch to kick off workshops with senior stakeholders in each division (IB, WM, AM). This outlined the approach we were going to take, which was essentially a way of making the CIA triad relevant to their business by understanding their most important activities, the data involved and the systems used. I ran these workshops with senior leadership, produced an agreed list of data and systems and obtained agreement to work with named SMEs in each business for a more in-depth review. Over a series of workshops we iterated and fleshed out our understanding and played this back to all stakeholders. We created visual illustrations of:

  • Key activities
  • Data used
  • Systems used
  • Threats to those systems (from internal or external threat actors)
  • Resulting risk scenarios
  • Relevant controls to address those scenarios (from an existing catalogue of tech risk controls)
  • Latest results of testing or auditing those controls

The Result

I wrote up the findings in exec-level presentations which I socialised in meetings with the senior leadership of each division, with the CISO and risk teams also attending to ensure alignment. The presentations made clear:

  • What were the actual biggest risks for each business, i.e. what they should focus on out of the plethora of previous reports and findings
  • Where there were controls that were common to addressing multiple risks or even across multiple business divisions, giving higher “bang for buck”
  • Where control gaps were being addressed by existing improvement programs, which just needed the right support from the divisions
  • Where new divisional or group-level work should be initiated to address high priority issues

The risk profile for each division was quite specific, based on their activities and the data used. For IB, Availability of real-time systems was the highest priority, and the biggest risk to this came from systems that simply didn’t meet BCM requirements or hadn’t been tested frequently or stringently enough to provide reasonable assurance. Addressing this was relatively cheap but required focus at the application level. For WM, Confidentiality of client data was all-important and was largely addressed by existing group programs around controls such as DLP and DRM, which however needed ongoing support from the business as they competed with other priorities. For AM, Integrity of data in reports for institutional clients was paramount and was addressed partly by application-level validation and partly by the ability to restore last known good data as part of BCM capabilities.

All divisions welcomed the exercise and the resulting reports, which was not a typical outcome for cyber and risk engagements with the business. I aggregated the divisional reports into a single report which the CISO used to provide assurance to the Board of Directors that the bank was identifying and managing risk appropriately.

As I ran the entire project with only two junior consultant resources, it was a lot cheaper than a typical Big 4 engagement and was also more effective due to my existing knowledge of the business and focus on staying close to the business at all times.

The credibility I built through this project allowed me also to flag the possibility of a “dollars and cents” quantitative risk analysis using the FAIR (Factor Analysis of Information Risk) methodology, and obtain support from one division to run a pilot of this.
