Congratulations to all the financial institutions that have completed the FFIEC Cybersecurity Assessment Tool (CAT). Well done! Mission Accomplished!
So what’s next on the plate – world hunger? Cures for diseases yet to be discovered? Sending mankind beyond the stars?
Well, bankers, before you drop the mike—we should talk.
This latest and greatest addition to the regulatory family of expectations has been tacked on to an already over-crowded, sprawling McMansion with six different architectures, eight different siding finishes and a towering turret off the master bedroom. Yes, a turret. In castle-grey.
Think of this new assessment like that addition you built to accommodate the home gym your loved one promised to really, really use—this time.
We all want to please that loved one and build brownie points or make up for that time we forgot to pick the kids up from a birthday party. (Not that I’ve ever done that, mind you. It was the soccer field.) Financial institutions are oftentimes the same way—they want to do the right thing exactly as their regulators “suggest.” Regulators, meanwhile, have historically not given such specific direction and with such a prescriptive approach as they’ve done with the CAT. So what?
The “So what?” is this: my reaction is similar to what my colleague Ryan Rackley recently wrote about unsolicited vendor offers [1]. There’s a voice saying, “Just do it, make the leap. It’ll work.” Only in my case it’s, “The addition will look fine and no one will notice that the roofs don’t match or the brick is a totally different color.”
So, before bankers run off and build another one-off, standalone, unsustainable solution using the static, basic tool the FFIEC has put out there, they should stop and consider a few things. Bankers need to take a breath before they cut out that first doorway investing money and, more importantly, that most elusive commodity: time. Poor planning or missteps here will cost more later on, not only in terms of time and money but also in the bank’s ability to effectively address today’s growing information and cyber security threats. It’s like my dad always told me around his shop, “Measure twice, cut once.”
We all know the “ounce of prevention, pound of cure” axiom to be true, whether it’s putting an addition on a house, creating a process, developing software, or managing an effective information security program. Many of us have experienced the direct relationship between the cost to correct an issue and the time that passes as that issue persists. (My thanks to Barry Boehm for first articulating this observation.)
What’s the Alternative?
Okay, we’re not building a house here but hopefully the metaphor is helping. We’re trying to meet the needs of our “loved one,” and maybe that’s our customers, our regulators or our boards. We get that this request is not currently a “requirement,” per se, but c’mon, 
we’ve all been in relationships where we know how things work, and what the expectations are.
So what should you do?
I’ve taken the following three-step approach to building out a comprehensive IT and security risk program before, and it works. Sure, it takes a little more time up front to understand the requirements, identify existing solutions that can be leveraged, and figure out what needs to change, but in the end, you can create a sustainable approach that requires less effort, with better results.
1. Plan and Assess Your Options. The good news is that, as usual, the regulators have given us a lot of good content with which to work and plan. The bad news is that many organizations are not good at taking time to thoroughly and thoughtfully consider the best approach. Too often, it’s “Fire, Ready, Aim.”
At this initial stage, understanding the content and how the self-assessment fits into your program and organization is critical. Can you be successful by just jumping in and executing the assessment? Sure, but you could stumble into a few pitfalls here:
- Redundant questions that you or others in the organization are already asking that would result in the creation of another silo’d risk repository
- The likelihood of time being wasted by business, IT and security people who are already trying to get out from under the daily demands of myriad other risk assessments but find themselves answering the same or very similar questions they feel they’ve already answered elsewhere
- Gaps or inconsistencies in your overall risk models if you just add this layer on top of other existing risk management efforts. Oftentimes we see conflicting treatment or assessment of risks because an institution uses two different risk models, or two different groups are assessing the risk independently. Who’s right?
The biggest potential danger is putting all your eggs in one basket and thinking this new tool is the end-all, be-all solution. It isn’t. It’s only a piece of the puzzle in building and maintaining a program. Take some time to figure out how this “vision” fits into your culture, organization and program.
2. Reduce, Reuse, Recycle. Be conscientious of your surroundings and recognize that it’s a shared risk environment. Look to repurpose proven or accepted processes that have already been established. Instead of thinking of this as a shiny new solution to be built from scratch, consider whether existing processes or assessment activities can be tweaked to achieve the same result.
For example, instead of standing this CAT effort up by itself, there’s often more value in collapsing or consolidating the effort with other similar risk management processes where there’s overlap in scopes or reusable automation. Maybe you have an established asset-based or controls-based information security risk assessment process that could be combined, resulting in a more effective, efficient approach. Perhaps you have some automated workflow in place to manage those other efforts and capture documentation to support risk management decisions. There are opportunities like these in many organizations that can be tapped to streamline efforts and drive efficiencies and value instead of just adding more layers and redundancies.
3. Be a Realist. Recognize that this CAT in its current incarnation is only a single tool in your toolbox to keep threats at bay. You have to be able to articulate how this assessment, in whatever form it’s been deployed in your organization, fits into your overall information security program and the institution’s overall risk management structures. Maybe simply completing the assessment and adding it as a new section in your information security manual is enough. However, if you’re looking to move your efforts to the next level and drive efficiency and effectiveness into your practices, take some time to look around the house before putting up more walls.
Reaching the Next Level
Instead of a “cyber-only” solution, consider developing a consolidated assessment approach that looks more broadly across the bank’s risk landscape and considers your requirements across a number of areas (FFIEC, NIST, ISO, Payment Card Industry, HIPAA, Sarbanes-Oxley, Cloud Security, etc.) to create a tailored, technology and security risk framework.
Following this three-step process shows management (particularly for funding these efforts), the board and regulatory partners that you are building a comprehensive approach that will yield more complete, consistent results across the organization and require less time and fewer resources.
-Wes
“To raise new questions, new possibilities, to regard old problems from a new angle, requires creative imagination and marks real advance.” –Albert Einstein, theoretical physicist, lover of music, and Nobel Prize winner (but not for what you think)
What do you want to build today?
Your Cyber or Information Security Risk Assessment efforts should be the foundation of your organization’s strategic and operational security readiness to identify, protect, detect, respond to and recover from potential security events.
How solid is your foundation?
Cornerstone Advisors [4] can help your organization assess your program’s effectiveness across a variety of areas.
Contact us today [5] to learn more.
[4]