The Bank of England (BoE) has published a speech given by Will Brandon, BoE Chief Information Security Officer, on the approach financial institutions should take to manage cyber-risk.
In his speech Mr Brandon states that cyber is not just a technology problem that can be solved entirely through engineering solutions. People and processes are every bit as important, since most cyber-attacks start with social engineering – sending emails with tempting but malicious links or attachments.
Therefore Mr Brandon states that people need to be led and processes need to be managed. Leadership needs to be applied from the top, not just from the IT department, and felt throughout the whole organisation. Processes also need to be managed holistically, via the same governance approaches that are used in other parts of the business. That will mean, among other things, clear policies and standards, good management information, and a sensible approach to compliance. Oversight may also be needed: a formal means for the business to assess and manage risk, and a requirement for managers to take ownership of information security risk as they would any other.
View BoE speech on cyber-risk, 10 May 2016