
Risk Assessment - Keeping Cyber Bully Away


Paul Ernst, CIO, Sandler Capital Management
“Two roads diverged in a wood, I took the one less travelled by, and that has made all the difference.” – Robert Frost
This sounds like a great way to mitigate risk in some instances, but in today’s advanced, technology-driven capital markets, it’s all about who gets there first. Every day, companies invest capital into their network infrastructure to ensure that they receive real-time information and best execution on their trades, perhaps just nanoseconds faster than their peers. While the goal for many firms is to build the ultimate shortcut, we can’t cut corners when it comes to security. As CIOs and CTOs, our goal is ultimately to reduce the risk profile of our companies.
Risk Assessment
The risk assessment is the all-encompassing identification of risk across the enterprise, and the subsequent determination of an acceptable level. While companies use different methodologies when performing an assessment, it is generally a combination of the following:
- Policy development and review
- Gap analysis
- Security assessment and penetration testing
- Vendor assessment and due diligence
- Employee awareness and training
Large companies will likely have an internal team to handle this, but for many of us in the hedge fund space, I find it best to engage a third party to perform the risk assessment. There are a number of excellent firms that provide this service, and while not cheap, I am very comfortable spending the money to have an expert with an objective eye to analyze my operations and make the appropriate recommendations.
While you may have solid policies already in place, validation is crucial. One misstep can throw off an entire incident response plan, or perhaps, you might be missing a critical element of a vendor assessment. Firms have been made increasingly aware that they are still responsible for investors’ data even if it resides with a third party. As the trend of enhanced scrutiny by investors and regulatory agencies will undoubtedly increase, a formal independent risk assessment is more likely to become a requirement at some point, rather than an option.
Perimeter and Endpoint Protection
Tune into any mainstream news media outlet on a given day, and you will almost certainly encounter a number of headlines regarding massive company data breaches, nation-state hacking and reports of new ransomware variants. As these cyberattacks continue to escalate, so do our security budgets.
Financial companies need to implement a scalable security solution that not only protects the perimeter, but also propagates down to every last endpoint. This list is by no means exhaustive, but a hybrid of next-generation firewalls, intrusion detection/prevention (there are some excellent third-party SOCs for smaller to mid-sized companies that don’t staff their own), multi-factor authentication, encryption, patch management, backup, web filtering, unified mail security products as well as endpoint access and control platforms should all be deployed throughout the organization.
Employee Awareness/Training
The adage may be a tired one, but none is truer than ‘your employees are your biggest threat’. While deliberate acts by an employee are cause for concern, those aren’t the ones that keep me up at night. It’s the other ones. It’s the ones where employees open email attachments from unknown senders and click links in emails supposedly from UPS and FedEx. It’s the untrained ones.
In my opinion, it’s not an accurate or comprehensive risk assessment unless it involves thorough and continuous employee awareness and training. While the format should be highly tailored to the company size and culture, general training sessions should be held regularly. As new threats evolve, so should employee awareness.
One highly effective component of security awareness is phishing and social engineering tests. Prior to a seminar, run a phishing campaign and share the results with the attendees. There’s no benefit to individually calling anyone out in public, but be assured that this is one area that will command their attention, so embrace it. After the meeting, run another campaign. And in a month, run another campaign. Of course, this is pointless if you don’t then train those employees based on their results. Statistics have shown a very high success rate for training with this method.
Educate Yourself
“I am always doing that which I cannot do, in order that I may learn how to do it.” – Pablo Picasso
While the first three topics are fairly common across the industry, I seldom see this final one in this context. Every so often, I like to take a step back and take a look at my own performance; let’s call this my own personal gap analysis, if you will. In our industry, it is absolutely essential to realize the threats that we face or else we have no chance of stopping them.
Granted, I don’t have the time to keep up to date with every technology in every publication, but what I have found to be incredibly beneficial, is peer networking. I’ve come across a wealth of instantly actionable information just by joining peer groups and attending industry events.
Finally, while I simply don’t have the bandwidth to address all of the sales pitches that are sent my way, I do find value in building meaningful relationships with a handful of vendors and integrators. I consider them to be a great source of knowledge on today’s security trends and products, and they are always anxious to educate me. So don’t be afraid to return that sales call. You might be surprised.
