Cyber Security and Risk Management Briefing: Deutsche Security Executive Discusses the Risk Management of Cyber Security

Omkhar Arasaratnam, CTO and global head of CISO strategy, architecture and engineering for Deutsche Bank, discussed the importance of risk management in cyber security.

Deutsche Bank's Omkhar Arasaratnam addresses the crowd at the Waters Cyber Security and Risk Management Briefing.

Omkhar Arasaratnam has plenty of memories from his 15 years working at IBM, but one conversation that stands out was with one of the firm's product managers regarding regulatory compliance.

Arasaratnam, who was chief security architect for an enterprise-level cloud at the time, asked his colleague whether they could hedge on, rather than fully meet, some of the Federal Financial Institutions Examination Council (FFIEC) regulations they were required to comply with.

The product manager was blunt with her answer.

"She said, 'Omkhar, we don't risk manage compliance,'" Arasaratnam told the crowd at Waters' inaugural Cyber Security and Risk Management Briefing, held in New York.

When Arasaratnam later moved into financial services to work at TD Bank, he found that the strategy at a bank was completely different.

"We are in the business of managing risk. That is how we make money. Sometimes we take regrettable bets, but that's how we make money. And that's core to the business," said Arasaratnam, who is now the CTO and global head of CISO strategy, architecture and engineering for Deutsche Bank. "All that I learned for 15 years about this absolute security really didn't exist. ... This is just further evolution of security in the business. We now have to speak as the business. When it comes to the CISOs of today, we're no longer the high-level firewall or glorified policy blockers. We are legitimate C-level executives with the accountability in order to manage risk effectively."

Three Levels

Arasaratnam said a key part of the job is having strong oversight functions in place. He described a three-lines-of-defense model, with regulators serving as the backstop behind all three.

The first line is itself split into two groups, according to Arasaratnam. The first is the traditional IT shop, such as a system administrator running a Windows server, which carries out day-to-day operations. The second tier within that first line is management oversight and internal control, which monitors the administrator's work and ensures it is consistent with the firm's security policy.

The second line of defense sets the firm's risk policies, ensures that the first line's activity fits within that policy framework, and provides independent oversight of the first line.

Finally, the third line of defense is the audit function, which checks the second line and, where necessary, the first.

"These three lines of defense work together synchronously, in an ideal scenario, to make sure that you have the right investment at the right time for the right purpose," Arasaratnam said.

Right Spend in the Right Place

As for spend, Arasaratnam said the amount typically spent on the first line alone is roughly 10 percent of the entire IT budget. A properly staffed and budgeted second line of defense should account for about a further 1 percent of the IT budget.

Arasaratnam pointed out that even with all of these lines of defense in place, breaches can still occur. As with most things in financial services, cyber security comes down to hedging bets: the cost of a control has to be weighed against the loss it is meant to prevent. Most CISOs would not spend $2 million to mitigate a risk whose realized loss would be only $400,000, Arasaratnam said.

"Any CISO that steps up and says, 'I will prevent you from getting hacked,' is probably pretty new on the job. As security leaders, we can never guarantee something that's an absolute," Arasaratnam said. "What a savvy CISO will do is ensure that you have the right framework in place to balance your non-financial risks with the investment you have to put in."

The Bottom Line

  • A big part of cyber security in financial services is properly hedging your bets: weighing the cost of a control against the loss it prevents, and putting the right systems in the right places.
  • Oversight of the systems in place is also important. Deutsche Bank's Omkhar Arasaratnam says a firm should have three lines of defense, with the regulators as the backstop.
  • In terms of spend, firms should expect to commit roughly 10 percent of their IT budget to the first line of defense and about 1 percent to the second line.
