
BitSight EXCHANGE Sound Bites: Risk Management in Financial Services

BitSight | December 20, 2018

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting the sessions and discussions that came out of the event. It brought together security executives from across the industry to discuss the challenges they face in their roles every day.

One interesting panel discussion focused on the evolution of risk in the financial services industry. Speakers included Mark Watson (Deputy Leader, Financial Services Center for Board Matters, Ernst & Young), Derek Vadala (Managing Director & CISO at Moody’s Corporation), Bob Lewis (Head of External Cyber Assurance & Monitoring at Barclays UK), James Lam (Chair, Risk Oversight Committee, E*TRADE), and moderator Peter Pernebo (Executive Director of Third Party Risk Management, KY3P by IHS Markit).

Below, James Lam shares his thoughts on the role of effective risk management within an organization.


“I think qualitative assessment is useful, but insufficient because you're telling me what you think. So, it's a good start. And what doesn't work is also just providing information about our maturity relative to a framework like NIST. So, if you have higher maturity basically you're telling me you're doing your job. Okay. You're paid to do your job. But what's more important to me is how effective are you doing in terms of your work. So, I don't want to just hear about input. I am much more concerned about output. So, in terms of output, I want really good metrics. And I think BitSight has done a really good job in getting the conversation in something that's objective and that's measurable, that's benchmarkable. And I want to understand how does this risk compare to the other risk that we oversee in terms of potential economic impact and business impact. And then finally, I want to understand what our exposures are relative to risk appetite. And so, to me, I think you need to have that kind of balance. And having just the input assessment and metrics is insufficient. You really have to understand how effective the program is. And the key question that directors ask is, how do I know if our cybersecurity program is working effectively? And to the degree that your assessments and metrics answer that question that's how you serve the board.”


“It's not a matter of just mitigating and minimizing risk. The job of risk management is to optimize the risk-return profile of the organization. And I've seen that evolution in every other risk and right now I think cyber is challenged to be able to go through those (three) steps.”

Thank you to James and our other panelists for an extremely insightful conversation!

Read the recap of the inaugural BitSight EXCHANGE forum. 
