Book of the year: Cyber Risk
Operational Risk Awards 2017: Winning entry taps into number one concern for many op risk managers
The winner of Risk.net’s inaugural Book of the Year award, Cyber Risk, will be out of date within two years, editor Michael Woodson believes. “It’ll be sooner rather than later,” he says. “Cyber risk is evolving at a very rapid pace. With cloud computing and the Internet of Things, we are going into new territory.”
Cyber Risk tackles the most rapidly evolving and dangerous risk now facing the financial sector, covering the nature of the threat, techniques for measuring, modelling and responding to it, and the outlook for cyber risk in the future. Judges were unanimous in their conclusion that the book not only tackles a highly relevant topic, but also adds something new to the operational risk canon.
“Michael Woodson has collected together an interesting roster of authors to provide a book that deals with technical information such as new threats and where they arise from, but would also help a user with little or no prior knowledge of cyber risk to build a complete, relevant framework,” says one judge.
The spread of mobile technology has increased the potential attack surface that cyber risk professionals must now defend. And a growing problem, says Woodson, is the use of outdated technology. In May 2017, the UK National Health Service was brought to its knees by the WannaCry ransomware attack, largely because so many of its computers were using outdated versions of the Microsoft Windows operating system.
This problem will only worsen with the growth of the Internet of Things, as many internet-enabled appliances will be intended to operate for decades, and may be difficult or impossible to upgrade and patch, but could still provide weak points that an attacker might choose to penetrate.
“Where old meets new, that creates cracks, which become holes, which become craters,” says Woodson. The final chapter of Cyber Risk, written by Soltra Solutions chief executive Mark Clancy, examines the future of cyber risk in more detail, warning that “the discipline has evolved in response to external incidents and has been playing catch-up”. He highlights the danger of an attack sponsored by a nation state, such as the 2014 hacking of Sony Pictures by a North Korean group, for which very few corporate IT security departments are prepared.
There is already extensive technical literature on cyber security aimed at IT professionals, but in Cyber Risk, Woodson has aimed at a slightly different audience. “We were focusing on senior management,” he explains. “This is where we are, what we’re dealing with and where we have been, and we alluded in the last chapter to where we are going.” A second edition would be aimed at board members as well, he adds, as they also need to understand the issues facing the business.
Focusing on a target audience in senior management brought the spotlight on to issues of measurement and management, as well as threats and countermeasures. RiskLens’ Jack Jones, who wrote the chapter on quantifying cyber risk, warns that cyber risk professionals face a “highly complex and dynamic cyber risk landscape”, and they often lack the mature approaches and tools to address it.
“We need to do a better job of coming up with metrics that tell us what these risks are as the threat landscape changes, and as people’s demands and services change,” Woodson says. “If I had to pick one chapter [where we had trouble], it would be metrics.” A second edition of the book would delve deeper into the development of qualitative and quantitative metrics for cyber risk.
Security information management systems require skill and experience to interpret and monitor external threats. As new vulnerabilities emerge, banks and other financial institutions may be forced to place much greater reliance on machine learning software to handle the data analytics required to monitor and measure cyber threats.
Risk officers will need to get used to a much faster pace of change in cyber security, Woodson predicts. “We have to get into a prevention mode and prepare for unknown threats and that’s where machine learning comes in. We need continual monitoring via modelling, and analysing and adjusting the risk and defence posture accordingly; it might be on a daily basis.”
Risk professionals also have to widen their scope, he says: a second edition of Cyber Risk will have to look more closely at the risks inherent in the use of social media, especially when combined with a bring-your-own-device policy. As well as looking at the security of devices, risk managers will need to consider the security of social media applications, and the risks that their employees’ social connections bring to the firm. “It comes down to awareness training – it is a huge issue,” says Woodson. Managers will also have to pay even more attention to third-party risks, and to the potential for reputational loss and damage.
And finally, he predicts a change in terminology and personnel. The growing overlap between risk and security could lead to the rise of the chief information security and risk officer, and even to the merger of information security and physical security responsibility, as advances such as the Internet of Things and ‘smart buildings’ blur the lines between the physical and digital realms. Technology and privacy issues could also overlap, with a ‘chief security officer’ or ‘chief information risk officer’ reporting directly to the board, rather than to a chief information officer.
Copyright Infopro Digital Limited. All rights reserved.