In this Help Net Security interview, Rich Friedberg, CISO at Live Oak Bank, discusses how banks can better align cybersecurity efforts with broader cyber governance and risk priorities.

Banking institutions often falter when cybersecurity is siloed as purely a technical or compliance issue. Cyber governance requires treating cybersecurity as a strategic business risk embedded across enterprise-wide decision-making.

Where do banks typically struggle when trying to align cybersecurity efforts with broader governance and risk priorities?

Banks may struggle to align cybersecurity with broader governance and risk priorities when cyber is viewed primarily as a technology or compliance issue. This disconnect can stem from several areas. Bank leadership may see cybersecurity as a technical or compliance function, or CISOs, often highly technical themselves, may struggle to communicate cyber risks in business terms. As a result, cybersecurity may be managed in a silo, excluded from strategic conversations about business initiatives, macro-level risk decisions, and enterprise risk alignment.

These challenges are often compounded when cybersecurity teams are positioned lower in an organization, reporting into technology, engineering, or other functions, limiting visibility and influence. However, this can be mitigated by establishing strong governance processes and forums that integrate cyber leadership into enterprise risk discussions and strategic planning efforts.

To be effective, cybersecurity must be treated as a business risk, embedded in top-of-the-house strategy discussions, engaged early in key initiatives, and fully aligned with enterprise risk management frameworks.

How do you ensure that cybersecurity strategy is integrated into enterprise-wide decision-making, from product development to mergers and acquisitions?

This is a great question, especially in the context of the earlier discussion aligning cybersecurity with governance processes. It starts with positioning: cybersecurity must be viewed as both a business risk and a business enabler, not just a technical control or compliance function. Banks are built on trust, and cybersecurity risk management is foundational to building and maintaining customer trust.

Integration begins with governance. When cybersecurity is properly embedded in enterprise-wide governance and risk management, security leaders are naturally included in key forums, including strategy discussions, product development, and M&A decision making.

Once at the table, the cybersecurity team must engage productively. They must identify risks, communicate them in business terms AND collaborate with the business to develop solutions that enable business goals while operating within defined risk appetites. The goal is to make the business successful, in a safe and secure manner.

Cyber teams that focus solely on highlighting problems risk being sidelined. Leaders must ensure their teams are structured and resourced to support business goals, with appropriate roles and encouragement of creative risk mitigation approaches.

The teams’ goals and communication strategies should incentivize risk-informed decision-making, and collaborative solutioning, over basic risk identification.

What are the KPIs or metrics that you recommend for measuring the effectiveness of cyber governance in a banking environment?

I love this question. Too often, cybersecurity metrics and KPI discussions focus on technical control monitoring rather than evaluating governance effectiveness.

I believe the best metrics are designed to help answer a specific question tied to a goal. The right KPIs will depend on where your organization is in its maturity journey of integrating cyber governance into enterprise strategy and risk management. Do we have governance? Is that governance effective? Are risks being managed?

At the foundational level, a simple metric is the percentage of strategic initiatives with cybersecurity embedded from the beginning. As governance matures, organizations can begin to track how often and how early risks are identified, as well as the rate and timeliness of mitigation or resolution. Organizations should structure metrics in a way that incentivizes early risk identification AND cross-functional collaboration to address risks in a way that helps ensure project success.

Additional useful metrics include:

  • Number and aging of policy exceptions
  • Projects or business units operating outside defined risk tolerance
  • Instances where cyber risks or governance processes are cited as a blocker to revenue or project delivery
  • New initiatives that may introduce increased data security, regulatory or compliance risks

KPIs and metrics can be designed to both measure whether appropriate governance exists, and whether processes are effective in supporting decision-making, enabling growth, facilitating trust, and managing risk within tolerance.

How should banks structure roles and responsibilities across the CISO, CIO, Chief Risk Officer, and Chief Compliance Officer to avoid overlaps or blind spots?

In my 25 years in this space, I’ve yet to see a perfectly clean way to structure roles and responsibilities across the CISO, CIO, CRO, CCO, and other leaders. There are nuances to these decisions specific to each unique organization. If there is no one “right” structure, how do you avoid overlaps and blind spots?

In my view, the answer lies in having a well-structured enterprise risk management (ERM) program and fostering strong collaboration amongst these leaders. At its core, risk management is about proactively answering two key questions: “What could go wrong?” and “What should we do about it?”

When a bank launches a new initiative, this group of leaders—across cyber, risk, compliance, legal, and technology—should work together to assess potential risks, answering that question of “What could go wrong?” As risks are identified, the most important step is to assign clear accountability and ownership for each risk, ensuring that every item on the list has an accountable executive owner.

In many cases, risk ownership will align naturally with existing roles. For example, regulatory risk with the CCO, technology resilience with the CIO, or data security with the CISO. But some risks may be shared or fall into gray areas. In those situations, the specific assignment is far less important than ensuring each risk has an owner assigned. Without that clarity, risks can fall through the cracks—or worse, everyone assumes someone else has the ball.

Ultimately, the structure doesn’t need to be perfect and will vary from organization to organization. Risk can be effectively managed through strong governance, role clarity, and a culture of collaboration and ownership.

With the tightening of regulations like DORA in Europe and increasing scrutiny from the OCC and FFIEC in the U.S., how can banks proactively align cyber governance with evolving regulatory requirements?

To stay ahead of evolving regulations like DORA in Europe and increased scrutiny from the OCC and FFIEC in the U.S., banks should treat regulatory change as they would any major business initiative.

Start by ensuring there is a regulatory management function that actively tracks and analyzes emerging requirements. These updates should be integrated into the enterprise risk management (ERM) framework and governance processes—not handled in isolation. They should be treated no differently than any other new business initiatives. By bringing regulatory changes through established processes, the right stakeholders from cybersecurity, technology, operations, legal, compliance, fraud and others can assess impact and develop implementation plans.

It’s also critical to consider third-party and vendor risk. Many of these regulatory requirements extend to a bank’s external service providers. Banks should ensure that vendor risk management leaders are actively involved in these discussions, and that third-party oversight frameworks are updated to oversee whether vendors are meeting these requirements.

Ultimately, aligning cyber governance with regulatory change requires cross-functional collaboration, early engagement, and integration into strategic risk processes, not just technical or compliance checklists.
