By Alex Beigelman, former Head of Technology & Cyber Security Risk, JP Morgan.
Alex, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I started my career as a software developer in the 80s just before I entered college. It’s how I paid for college. I’ve had jobs in a number of firms across the financial and technology industry. I’ve done everything from writing software to managing infrastructure, from pulling cables to designing strategic architecture. Over the past decade I’ve focused on managing Cybersecurity Risk, as a Chief Information Security Officer for UBS Wealth Management Americas and then created and led the Technology and Cybersecurity Risk organization at JPMorgan Chase.
My newest endeavor is my own company, Beigelman Risk Advisors, focused on helping firms and government organizations to assess and manage their Cyber risks. We help with setting up an appropriate organizational structure, making sure the technical solutions are appropriate, ensuring the regulatory compliance approach meets the spirit and letter of the laws and regulations, and providing both formal and informal training to IT and non-IT executives in the ramifications of current and emerging technology. Our overall goal is to help organizations achieve a risk-optimized return on investment.
What, for you, are the benefits of attending a conference like the ‘Operational Risk Management USA Congress’? What can attendees expect to learn from your session?
The world is now run by technology. It is a rare organization that can operate effectively or for any length of time without its technology base. I hope to exchange thoughts with the other attendees on the implications of this to the overall risk posture of the enterprise, discuss some challenging questions, and share some ideas for approaching this risk in a practical and meaningful way that supports, rather than hinders, business goals.
In your opinion, what are the biggest risks posed by the global technology ecosystem?
There are a number of risks including: the lack of clear definition of key business processes and how they depend on the underlying technology, the defensive posture that does not fully acknowledge that the common approach to security – perimeter based – is obsolete and no longer effective, the lack of definition of “acceptable” or “good” behavior that makes it very difficult to find the “bad” behavior, and the lack of useful predictive risk metrics.
How can financial institutions ensure they are best prepared against these risks?
a) The key is to agree that the current common approach is very expensive while simultaneously being only somewhat effective. The return on investment is very poor.
b) The next step is to build technology plans, including resilience, security, and capabilities, directly into business plans and strategies rather than as an add-on. In this model, technology is not an enabler of the business, it is a core part of it.
c) The final step is to create software development, resilience and security models that assume an open city model, rather than a fortress with high walls. This way of thinking is required to succeed in the near future that in many ways is already around us, and rapidly evolving.
How do you see the risk landscape evolving over the next 6-12 months?
Technology has become a core of many organizations and this trend will only accelerate. The threats posed to this landscape due to malicious attacks as well as poorly understood interdependencies and loss of talent and knowledge are also accelerating.
We are currently at an inflection point, where old models of technology and business operation are breaking down. Old ways of protecting those interactions are becoming less effective. New threats are emerging. The financial industry, technology providers, regulators, and malicious actors are all in a rapid evolutionary race that will result in some “ordinary” and some potentially spectacular failures as the new ways are learned.