Remarks as delivered to the 16th Annual International Conference on Policy Challenges for the Financial Sector at the World Bank Group and the International Monetary Fund

June 2, 2016 — Washington, DC

Thank you distinguished guests and panelists for taking the time out of your busy schedules to be here today and to listen to some of the most important technology policy topics for the finance sector. Your speakers and panels will touch on many timely topics, from crypto currency to fintec to cybersecurity, and I am thankful that you have taken time out of your busy schedules to listen, learn, and take back these new insights to help strengthen our financial sector resiliency.

I understand the role of government in strengthening cybersecurity and industry resiliency because I have been there. I was the first director of cybersecurity strategy at the Department of Homeland Security, and later the first Director for Federal Cybersecurity Policy at the White House on the National Security Council staff.

I also spent a number of years in industry, working within the finance sector and with Fortune 50 firms, from technical red teams to strategy and implementation. For the past year I have been working to bring what I learned in Government and the Financial Sector to manage cyber risk.

There is only one message I would like to leave you with today, and that is a concept and awareness of cybersecurity risk management as an appetite for cyber risk. I have two main themes to focus on for cyber risk appetite: 1. Pace of Technology, and 2. The Role of Regulators

  1. Pace of Technology

First, a larger appetite for new technology means financials institutions must inherently accept and then manage a larger appetite for cyber risk.

The challenge is that rapidly adopting new technology introduces greater cybersecurity risks. I think this is a great discussion point where we can elevate the conversation beyond just new technology, to highlight that banks must take into account increased cyber risk when they drive adoption of the latest cutting edge technology.

If this risk is not acknowledged by the institutions risk management function, they will take greater cyber risk than expected, increasing their likelihood of a material cyber loss. This is not a new idea in the Enterprise Risk Management space, and it is gaining traction in the cybersecurity risk management space as the field matures.

In fact, we can clearly see this in the continued focus on identifying some of the most significant and emerging cyber threats. The reality is that most security breaches today are caused by simple errors; failures in basic cyber security hygiene — not by the latest zero-day attacks and new threat vectors.

This is important: Because good cybersecurity isn’t about exciting new technology — but about better risk management of basic cyber hygiene. Better cybersecurity defense is not only about the technologists — it is also about the business and risk function. Ultimately, the owner of cyber risk should be the risk officer, not the CISO.

When we talk about attackers becoming more mature and their attacks getting more sophisticated, we are referring to their organizational maturity and ability to support long campaigns, and their capability to find weaknesses caused by simple missed patches and poor basic hygiene.

So how do we tackle this? As leaders we need to take a step back from the technology focus on cybersecurity, and remember what matters. The future of cyber risk management is beyond just the role of information security — it now impacts the survivability of our institutions.

2. The Role of Regulators

My second point I want to make is the regulatory role in systemic cybersecurity risk management. Regulators have a role to view the industry for systemic risks, especially those introduced unintentionally that can only be identified industry-wide. I think we can all agree that cybersecurity now fits well as a systemic risk, and an important regulatory role is to view the systemic risk introduction due to cybersecurity weaknesses. So we need to turn our attention from “what are attackers doing?” to “what matters to US, and how do we secure what matters?”

We have made great strides as a community in communicating the importance of cybersecurity. But we are still challenged in communicating what matters from a cybersecurity perspective, because the rest of our colleagues are not experts in cybersecurity.

Our efforts get confused with compliance, or a checklist exercise that has no meaningful impact on improving cybersecurity. Prescriptive programs like a compliance check list will certainly not help an organization identify the most important risks they need to address.

Leadership frequently does not understand cyber risk, and many organizations are still so busy doing basic hygiene or compliance that they have no time remaining to elevate the risk conversation. What really matters to an organization is revealed in their budget allocation. That is where leadership really makes decisions about what matters — and that is where cybersecurity needs a seat at the table.

If institutions are not able to make the argument for cyber risk appetite to their CFO, unfortunately the court of public exposure will make the point for them — through a breach that is significantly impactful to their organization, their reputation, and possibly the greater industry ecosystem.

In this case, it will only be after a public reputational impact that leadership attention will then bring cybersecurity to the table. Likely with different leadership.

Securing what matters requires a paradigm shift. Cybersecurity risk management can’t be a burden left only to the Chief Information Security Officer (CISO), and it is the role of the regulator to help support the CISO to elevate the cyber risk management conversation within their regulated institutions.

Only by engaging leadership, from the uppermost levels, and holding the business units responsible for cybersecurity, rather than the lone CISO, will we improve cybersecurity. This happens when the institution leadership sets a risk appetite for cybersecurity — and then the role of the CISO is to provide a link between risky business behaviors, such as pushing the adoption of new technology, and risk exposure.

The role of the future CISO is as a coach and mentor to help their organizations maintain an acceptable level of cybersecurity risk as part of the enterprise risk management function. The CISO and business units will need to work together to propose the risk appetite and establish a threshold for risk tolerance.

Finally, an important role of regulators is to enable the efforts of the institutional CISO, by ensuring an institutions cyber risk appetite is approved by executive leadership, and with cyber risk reporting measured against established risk tolerance thresholds.

Only when an institution understands where their organization falls in the spectrum of cyber risk management and they determine their own cyber risk appetite will they be able to “secure what matters”. But now we have the opportunity to make a difference as we recalibrate our assumptions on what it means for strong cyber risk management.

Thank You

About the Conference on Policy Challenges for the Financial Sector

This 3-day program is designed for senior level officials from around the world who hold key positions in the financial sector. These officials generally are governors, deputy governors, heads, or deputy heads of banking supervisory authorities, or high-level staff involved in, or capable of influencing, policy formulation as it concerns the supervision and regulation of banks in their respective countries. Participation in this program is by invitation only.

http://www.worldbank.org/en/events/2016/06/01/16th-annual-international-conference-on-policy-challenges-for-the-financial-sector