Quantifying cyber risk assessment: the 7th Annual Virtual Cybersecurity Conference for Executives.
By Tim Nodar, the CyberWire staff
Mar 11, 2021

At the 7th Annual Virtual Cybersecurity Conference for Executives, hosted by Ankura and the Johns Hopkins University Information Security Institute, Keishi Hotsuki, Chief Risk Officer at Morgan Stanley, offered advice on framing and, insofar as it’s possible, quantifying risk assessments.

Cyber risk management informs business decisions.

Hotsuki noted that companies in the banking industry take financial risks in the course of doing business (for example, lending money or making investments). “We make a conscious decision to take a certain financial risk to make revenue,” Hotsuki said. He contrasted this with non-financial risk, which is rarely directly related to making money. This type of risk is often about managing expenses or balancing convenience with security. Hotsuki added that risk analysis is necessary, but it’s not the end goal—the purpose of the analysis is to help the organization decide which measures to take to address the risks.

“We identify where the risks are and we try to quantify, to a certain extent – or at least we need to differentiate what are the priorities and what are the most important risks we need to focus on – and we need to communicate the decision making to the right people, and ultimately we need to make a decision. Risk management is all about what decision to make,” he said.

Cyber risk assessment is a layered process.

Hotsuki explained that Morgan Stanley approaches the issue with three layers of business units, organized along the three-lines-of-defense model.

“You need to identify that we create the layers of the involvement, in accord with three lines of defense,” he said. “The first line is typically the CISO and Chief Technology Officer getting involved and really building the first line of the defense against the cyber risk management. The second line is my team, we are independent units, to monitor and to try to set the principle about how we need to establish that risk management vis-à-vis the first line, and we have the responsibility to independently monitor what they’re doing. And the third line is the internal audit, and the internal audit has the duty of reviewing what the first line is doing and also what the second line is doing.”

He added that technical employees like the CISO need to be able to communicate the issues to non-technical executives.

“So by having independent layers of the checks that we have, we are more confident to find out what kind of risk is out there and identify the key areas of the challenges in cyber risk management,” Hotsuki said. “And the important thing is that the expertise that we need to have on the cyber gets distributed into not only the first line but also the second and third lines.”