BitSight EXCHANGE Sound Bites: Risk Management in Financial Services

BitSight | December 20, 2018

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting and processing the many sessions and discussions that came out of it. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.

One interesting panel discussion focused on the evolution of risk in the financial services industry. Speakers included Mark Watson (Deputy Leader, Financial Services Center for Board Matters, Ernst & Young), Derek Vadala (Managing Director & CISO at Moody’s Corporation), Bob Lewis (Head of External Cyber Assurance & Monitoring at Barclays UK), James Lam (Chair, Risk Oversight Committee, E*TRADE), and moderator Peter Pernebo (Executive Director of Third Party Risk Management, KY3P by IHS Markit).

James Lam shared his thoughts on the role of effective risk management within an organization:

“I think qualitative assessment is useful, but insufficient because you're telling me what you think. So, it's a good start. And what doesn't work is also just providing information about our maturity relative to a framework like NIST. So, if you have higher maturity basically you're telling me you're doing your job. Okay. You're paid to do your job. But what's more important to me is how effective you are in terms of your work. So, I don't want to just hear about input. I am much more concerned about output. So, in terms of output, I want really good metrics. And I think BitSight has done a really good job in getting the conversation to something that's objective and that's measurable, that's benchmarkable. And I want to understand how this risk compares to the other risks that we oversee in terms of potential economic impact and business impact. And then finally, I want to understand what our exposures are relative to risk appetite. And so, to me, I think you need to have that kind of balance. And having just the input assessment and metrics is insufficient. You really have to understand how effective the program is. And the key question that directors ask is, how do I know if our cybersecurity program is working effectively? And to the degree that your assessments and metrics answer that question, that's how you serve the board.”

“It's not a matter of just mitigating and minimizing risk. The job of risk management is to optimize the risk-return profile of the organization. And I've seen that evolution in every other risk, and right now I think cyber is challenged to be able to go through those (three) steps.”

Thank you to James and our other panelists for an extremely insightful conversation!

Read the recap of the inaugural BitSight EXCHANGE forum.
