Enabling cybersecurity success through governance and risk management

By fostering collaborative communication, an engaged board and leadership team can ask the right questions and identify potential areas of undue exposure or control gaps.

By Steve Soukup

With increased reliance on technology, rapid digital transformation, and the steady pursuit of growth in the banking sector, the threat of cyber-attacks against banks has become a growing and critical concern. Cybercriminals are increasingly innovative and bold in their attempts to breach systems and infrastructures, and banks are held to a higher standard to ensure they can prevent, detect and mitigate threats.

To succeed in cybersecurity, banks benefit when they establish efficient governance to oversee their program. This requires implementing a cyber risk management system that provides real-time visibility into the program’s successes and deficiencies, enabling banks to measure risk accurately and direct program initiatives effectively.

Prioritizing governance is critical to the success of any financial institution because it ensures compliance, improves communication and decision-making, and increases efficiency.


An effective governance program starts with a clear framework that outlines how the institution and its employees will operate through established policies, procedures, processes and personnel. The framework should detail appropriate security measures to protect the institution's customers' data while aligning with the goals, objectives, and expectations established by the board. A strong program is shaped according to regulatory requirements and industry standards and drives effective risk management and compliance.

Once the framework is established, the next step is to create a program that will govern and ensure the effective implementation of its directives. Proper governance confirms that the program is working as intended, that risks are being appropriately managed and that the bank is staying in compliance. Control testing and sampling are employed to ascertain that the policies are being adhered to and that the designed system of controls is effectively mitigating risks down to a residual risk level within the board-prescribed risk appetite.

Monitoring key metrics and reporting on performance and risk levels to the board and other stakeholders are also key pieces that enable proper governance while helping to inform decision-making and provide assurance that risks are within tolerance. Establishing an efficient governance program serves as a solid foundation, enabling banks to direct their focus toward cyber risk management.

Cyber risk management

With a well-designed, successfully executed and versatile cyber risk management program, banks can effectively prevent, detect, and mitigate potential cyber threats, protect sensitive customer data and assets and ensure compliance with regulatory requirements.

When assessing their cyber risk management strategy, banks benefit when they consider these two core principles:

1. Banks are unique targets. The financial industry is set apart from others due to the responsibility to safeguard high-value assets while grappling with compliance and regulatory pressures.

2. Cyber threats are dynamic and constantly evolving. Threat actors are relentless in their attempts to breach bank systems to gain unauthorized access. With every modification to business operations or adoption of new technology, the bank is exposed to new risks. So, a reasonable expectation is that banks evolve their cyber risk management strategies in tandem with the evolving threat landscape.

Banks benefit when they ensure that their cybersecurity program, governance over that program, and risk management system around the program are commensurate with other risk management systems employed in the bank, such as their credit risk management or interest risk management programs. Additionally, stakeholders must be engaged and informed to adequately approve and govern the program.

When effective programs are in place, and the appropriate support from stakeholders is employed, the result is an effective cyber risk management solution that swiftly identifies and responds to emerging risks, has sufficient resources to implement the appropriate system of controls to mitigate these dynamic risks and ultimately protects the bank from financial and reputational risks.

Understanding and mitigating risk

What we know: Risk is inherent and constantly evolving. What we need to know: Proper risk management and governance programs are in place.

To ensure the utilization of proper risk management and governance programs, it’s essential to consider the individuals responsible for approving and overseeing the program—namely, the board—and their ability to not only comprehend the objectives of a cybersecurity program but also establish appropriate cultural expectations that drive it.

Historically, boards and CEOs have been less willing to delve into cybersecurity than they are with other key risk areas, such as asset quality or consumer compliance. One of the more common reasons is the perception that the content is too technical. Given the high stakes involved, executive leadership and the board cannot afford to adopt a dismissive attitude of “that is too technical for me” any longer.

It’s impossible to approve a program, make informed decisions about it, or ensure its effectiveness without a clear understanding of the risks driving the program and the directives within it. It’s like trying to build a house without a blueprint. Simply put, the board and executive team must be willing to understand cyber risks to govern effectively.

To oversee the program, stakeholders must comprehend the risks and understand why the existing mitigating controls are appropriate. They must be adequately informed on the successes and gaps of the program to make the right decisions around resource allocation and risk priority. It’s crucial for them to define the risk appetite and the metrics for monitoring against it, identify tolerance levels for those metrics, and receive consistent, meaningful reporting on the identified key metrics. This is indicative of a mature risk management program. Unfortunately, we are not seeing this level of risk management around cyber risk throughout banking, and we cannot wait for an event to mature the cyber risk management program.

Further, it is the board that sets cultural expectations that are exemplified and disseminated by executive leadership. Culture is a key factor in supporting a program, ensuring that policy directives are adhered to daily on the front lines and that risk decisions align with the institution’s risk appetite. It’s worth examining whether an influential security culture actually bolsters the bank’s cybersecurity program. If leadership does not understand cybersecurity, the culture is likely not as strong as it should be.

Bridging the gap

While we recognize the significance of aligning the board and leadership on matters of cybersecurity, the real obstacle lies in determining the most effective first step to bridge the knowledge gap. A productive approach is for banks to be intentional in the way they engage with and educate stakeholders to ensure that their programs are adequately governed.

Engagement will support a security-focused culture, ensure resources are adequately allocated, and provide the program with effective challenge, strengthening the program and ultimately protecting the bank and its customers. By fostering collaborative communication, an engaged board and leadership team can ask the right questions and identify potential areas of undue exposure or control gaps. This ensures the program continues to grow and mature, enabling the bank to better prevent and respond to potential events. A mature risk management system holds immeasurable value, and an engaged and informed board can only benefit leaders overseeing cybersecurity programs.

Unify for success

The growing prevalence of cyber threats drives a crucial need to evolve the risk management systems surrounding cyber and information security programs. It is imperative to design and implement governance programs comparable to governance seen in other areas of the bank, which requires leadership and the board to be united with the same goal. When an effective security culture is established at the top levels, it permeates the entire institution. So, the time is now to bridge the gap in knowledge and facilitate productive engagement to build an efficient governance program, which will ultimately guarantee success.

Steve Soukup is CEO of DefenseStorm.