Despite the ongoing economic impact of the pandemic and the consequent strain on many companies' budgets, cybersecurity budgets continue to grow. While the increase in investment may buck the overall trend in corporate spending, it is a necessary response to a threat that escalates seemingly by the day. Will the latest round of investments in cybersecurity be enough to keep pace with 2020's leap forward in both digital transformation and cybercrime?
Worldwide information security spending is estimated at $123.8 billion for 2020 according to Gartner, up year-over-year, though still a small fraction of the roughly $3.4 trillion in estimated overall IT spending for the year.[1] The growth appears poised to accelerate, with Gartner forecasting that overall IT spending will rise by as much as 8.4% globally in 2021.[2] Despite the tumult and tough budget decisions brought about by the pandemic, the sustained year-over-year investment growth indicates that security will remain a top priority for the foreseeable future.
Despite the continued investment in cybersecurity, the number of reported data breaches and ransomware attacks hit an all-time high last year. With the shift to remote working environments and the acceleration of digital transformation efforts, the trend in cybersecurity incidents will unfortunately continue to rise, and it is not only the largest financial institutions that need to worry, as a recent report by the Federal Reserve highlighted. A cyberattack on a smaller financial institution could quickly cause a spillover effect because of the highly interconnected nature of the US financial system.
It is essential for organizations to adopt a multi-layered and holistic approach to cybersecurity and digital transformation, combining employee awareness, data protection best practices, threat and vulnerability detection, and rapid response mechanisms. Doing so has become a matter of survival. The question then becomes: how can organizations best allocate their budgets to deliver the greatest impact with so much at stake?
Assessing the Risk Landscape for Potential Threats
The reality is that cybersecurity is an asymmetric battle. Companies must invest in expansive defensive measures and get them right every time to maintain the highest levels of security. As for the attackers, only one of innumerable attempts needs to succeed (whether through skill or luck) to wreak havoc. Adding to the disadvantage that most companies face, threat actors constantly evolve to exploit new vulnerabilities in the technology on which we increasingly rely to transact business and serve customers. The financial, operational, reputational, and existential cost of a security lapse has never been greater.
Corporate leaders must view the threat landscape as more than simply "defending against hackers." From phishing attacks designed to exploit remote workers to ransomware attacks that cripple entire organizations, the types of attacks that organizations face present distinct challenges and demand tailored plans and responses. The sources of these attacks also present unique challenges to information security leaders building a company's defense. The media is awash with news of state-sponsored threats from nations such as Russia and North Korea, whose capabilities are vast and formidable. There are also more loosely organized networks that often serve as middlemen or even "contractors" providing hacking-as-a-service. Not to be ignored is the insider threat: employees already within the company, granted a certain level of access and trust, who end up causing the most damage precisely because that access lets them bypass the perimeter defenses aimed at outsiders.
While the damage from any breach can be significant, organizations can minimize the impact by ensuring their cybersecurity strategy specifically addresses the threats they actually face rather than taking a one-size-fits-all approach.
Applying a Risk-Based Framework for Investing Scarce Resources
The pressure on CISOs to protect data and networks has never been greater. Since the sources of cyber threats differ in capability, potential impact, and proximity, a multi-faceted defense offers the best chance of success. It is critical for organizations to develop a layered approach, built on the principles of continuous improvement, to stay one step ahead. In addition to segmenting the threat actors, systems and data can be classified and prioritized by criticality and sensitivity so that financial and human resources go where a compromise would hurt most.
Defending against every type of attack, often with limited resources, also means an ever-greater reliance on tools that can sift through vast amounts of data to counter attacks, detect risks, and allow scarce human analysts to focus on the highest-priority threats. The complexity and variety of threats and attacks also typically demands the engagement of third-party vendors to fortify internal defensive efforts. As the SolarWinds compromise recently reminded us, in which a trojanized update was delivered to customers through the vendor's own signed software distribution channel, third-party vendors brought on to improve a company's operations can themselves become a threat vector, necessitating thorough selection and vetting before (and after!) engaging in any potential security partnership.
Building a holistic view of how an individual company's risk profile fits into its overarching risk management strategy provides the starting point for a risk-based framework for investing scarce resources. Extending and implementing that strategy across the entire organization is the next hurdle in the journey.
Executing Digital Transformation within the Cyber Risk Environment
In the course of digitizing their businesses, many companies find it difficult to balance the seemingly contradictory goals of enhancing the customer experience and ensuring data security while also identifying and driving cost efficiencies within the organization. A mindset that drives the most successful outcomes is "starting with the end in mind" and embedding security and privacy into digital transformation at the earliest possible point in the process. Incorporating security principles early not only signals the priority but also makes security fundamental to the end state rather than something bolted on to meet a technology or business requirement. More recently, the concept of "shift left security" makes the same case for moving security testing and review to the earliest possible point in the development lifecycle, where defects are cheapest to fix.
While the importance of security is generally understood at a theoretical level, the challenge in most organizations is gaining executive-level, and even board-level, buy-in to dedicate the time and resources to execute a security-focused strategy. It is incumbent on modern CISOs and security professionals to transform the ingrained reflex that security is a cost to be managed into a mentality that security is a customer requirement and therefore a business imperative. Extending cybersecurity expertise and insight across the C-suite and into the boardroom has become a critical differentiator.
The transition to a security-driven organization is not an easy path, and the ability to identify and quantify the risks and opportunities of security investments in the language of business and finance is key. As organizations continue to invest in and evolve their cybersecurity capabilities, effective frameworks and stakeholder communication will better enable leaders to build sustainable and resilient operations that support their digital transformations.
About Monticello
Monticello Consulting Group is a management consulting firm supporting the financial services industry through deep knowledge and expertise in digital transformation, change management, and financial services advisory. Our understanding of the competitive forces reshaping business models in capital markets, lending, payments, and digital banking is a proven enabler that helps our clients remain in compliance with regulations, innovate to be more competitive, and gain market share in new and existing businesses. By leveraging our risk management and cyber services capabilities, Monticello guides its clients in deploying the latest digital technologies with confidence and resilience.
[1] https://www.gartner.com/en/newsroom/press-releases/2020-05-13-gartner-says-global-it-spending-to-decline-8-percent-in-2020-due-to-impact-of-covid19
[2] https://www.crn.com/news/data-center/it-spending-will-jump-more-than-expected-in-2021-surpassing-4t-gartner