The Business Problem of Technology and Cyber Risk


As the velocity of technology change exposes financial institutions to greater risk and regulatory compliance requirements, it also opens new pathways to value creation and opportunity investment. According to Charles Jacco, principal, cyber security services, at KPMG, this has led to a movement to take cyber risk from what has historically been seen as a technology leadership problem to a business problem that is just one part of managing risk across the enterprise.

Historically, addressing cyber security has been the role of the CISO, who owned every aspect, from setting the policy to protecting the enterprise in the perimeter against the business’s strategic direction, as well as implementing the tools and technology to control the environment.

“That worked because we needed to have a person with enough authority to just get it done,” says Jacco. Now, however, most of the other functions across a typical financial enterprise have been split up into three lines of defense: the front-end business function that owns the controls; an independent risk management function that provides checks and balances; and then an internal auditor that cross-checks everything even…
