An industry standard for assessing and reporting on cloud risk
By: David Kliemann, Cloud Risk and Controls Leader and Aly Farooqui, Chief Risk Officer, Cloud for Financial Services | 3 minute read
An industry standard for assessing and reporting on cloud risk for financial institutions.
Cloud-based technology is transforming the financial sector at a rapid pace. As financial institutions continue to prioritize digital transformation, several hurdles keep them from fully realizing the benefits of moving critical workloads to the cloud. One major hurdle is the lack of an integrated, industry-recognized method for measuring and reporting the risk level of hybrid multicloud operations.
Assessing cloud risk is essential to the health of financial institutions
Security and risk management are prerequisites for financial institutions to host mission-critical workloads in the cloud and transact with confidence. There is a gap, however: many organizations that move workloads to the cloud find that they cannot easily articulate, measure and report the risks of their cloud environments. Translating the wide array of possible metrics into something stakeholders and regulators can act on is often overwhelming, and the result can be a misallocation of resources. The problem is compounded by the hybrid multicloud deployments that many financial institutions are adopting, where each provider exposes its own controls, telemetry and terminology.
Without a holistic cloud metrics model, financial institutions often struggle to track and articulate key considerations:
With such a variety of approaches, it is difficult for organizations to align cloud reporting with existing risk management programs, to determine whether business goals are being met, and to demonstrate governance and compliance on a continuous basis.
Financial sector cloud metrics model: The IBM Cloud for Financial Services approach
To tackle these challenges directly, IBM Cloud has collaborated with many organizations within the IBM Financial Services Cloud Council (Council) to develop a Financial Services Cloud Framework. The Council consists of CIOs, CTOs, CISOs and risk leaders from global and regional financial institutions who collectively work to de-risk cloud for the industry. More recently, the Council's more than 20 financial institution members worked together to create an industry-centric cloud metrics model to address hybrid multicloud governance and reporting.
The model is based on the NIST Cybersecurity Framework (CSF), a widely adopted cybersecurity risk framework whose core functions (Identify, Protect, Detect, Respond and Recover) give organizations a common vocabulary for describing their security posture. Our industry cloud metrics model builds on that foundation rather than replacing it. After reviewing the model with various financial institutions, IBM added functions and components to cover operational and compliance needs that are not explicit in the CSF. Given how many financial institutions are still early in their cloud journeys, this is an important area to address.
IBM recognizes that organizations across the financial sector have different risk appetites and tolerance levels. The model must therefore be tailorable to each organization's requirements. Instead of being rigid and prescriptive, it provides a menu of metrics that can be geared towards different organizational levels: what the management team needs differs from what the C-suite or the board requires.
To help build a holistic picture for leadership to understand overall risk, IBM has worked with the Council to identify several cloud metric “domains” that can be used to bucket various metrics and demonstrate risk levels:
These domains include 50+ individual metrics, including insights for the following:
Integrating these cloud domains with the CSF functions and presenting them on a metrics dashboard lets a financial institution assess its cloud risk end to end: each metric is measured against the institution's own tolerance, rolled up into its domain and CSF function, and reported at the level of detail each audience needs.
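The following is an added illustration of the structure just described, not code from IBM or the Council and not the Council's actual metric catalogue. It buckets metrics into domains, maps each metric to a NIST CSF function, applies institution-specific tolerances, and rolls the results up into a management view and a board view. Every metric name, domain name, threshold and value is constructed for the example; the only names taken from the real world are the five CSF function names.

```python
"""Added example (not IBM's or the Council's model): a minimal cloud-risk
metrics roll-up. Metrics are bucketed into domains, mapped to NIST CSF
functions, thresholded per institution, and rolled up per audience.
All metric names, domains, thresholds and values are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List

CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
RAG_ORDER = {"GREEN": 0, "AMBER": 1, "RED": 2}


@dataclass(frozen=True)
class Metric:
    name: str
    domain: str            # assumed domain bucket, e.g. "Identity & Access"
    csf_function: str      # CSF function the metric gives evidence for
    value: float           # latest observed value
    tolerance: float       # risk-appetite threshold: within it -> GREEN
    limit: float           # hard limit: beyond it -> RED, between -> AMBER
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        if self.csf_function not in CSF_FUNCTIONS:
            raise ValueError(f"{self.name}: unknown CSF function {self.csf_function!r}")
        # the tolerance must sit on the "good" side of the hard limit
        consistent = (self.tolerance <= self.limit) if self.higher_is_worse \
            else (self.tolerance >= self.limit)
        if not consistent:
            raise ValueError(f"{self.name}: tolerance and limit are inconsistent")

    def rag(self) -> str:
        """Red/Amber/Green status against this metric's own thresholds."""
        if self.higher_is_worse:
            if self.value <= self.tolerance:
                return "GREEN"
            return "AMBER" if self.value <= self.limit else "RED"
        if self.value >= self.tolerance:
            return "GREEN"
        return "AMBER" if self.value >= self.limit else "RED"


def tailor(metric: Metric, tolerance: float, limit: float) -> Metric:
    """Re-threshold a catalogue metric for one institution's risk appetite."""
    return replace(metric, tolerance=tolerance, limit=limit)


def worst(statuses: Iterable[str]) -> str:
    """Conservative roll-up: the worst child status becomes the parent's."""
    return max(statuses, key=RAG_ORDER.__getitem__, default="GREEN")


def rollup(metrics: Iterable[Metric], attribute: str) -> Dict[str, str]:
    """Roll metric statuses up by 'domain' or 'csf_function'."""
    grouped: Dict[str, List[str]] = {}
    for m in metrics:
        grouped.setdefault(getattr(m, attribute), []).append(m.rag())
    return {key: worst(vals) for key, vals in grouped.items()}


def management_view(metrics: Iterable[Metric]) -> Dict[str, dict]:
    """Management level: per-domain status plus the metrics driving it."""
    metrics = list(metrics)
    view = {d: {"status": s, "out_of_tolerance": []} for d, s in rollup(metrics, "domain").items()}
    for m in metrics:
        if m.rag() != "GREEN":
            view[m.domain]["out_of_tolerance"].append((m.name, m.rag()))
    return view


def board_view(metrics: Iterable[Metric]) -> Dict[str, str]:
    """Board level: one status per CSF function. A function with no metric
    behind it is reported as NOT MEASURED rather than silently GREEN."""
    by_function = rollup(metrics, "csf_function")
    return {f: by_function.get(f, "NOT MEASURED") for f in CSF_FUNCTIONS}


# Constructed sample catalogue; domains and values are illustrative only.
SAMPLE_METRICS = [
    Metric("privileged_accounts_without_mfa_pct", "Identity & Access", "Protect", 3.0, 1.0, 5.0),
    Metric("critical_vulns_open_over_30d", "Vulnerability Management", "Protect", 12, 0, 10),
    Metric("public_storage_buckets", "Data Protection", "Protect", 0, 0, 0),
    Metric("mean_time_to_detect_hours", "Security Monitoring", "Detect", 6, 4, 24),
    Metric("incidents_closed_within_sla_pct", "Incident Response", "Respond", 92, 95, 80, False),
    Metric("backup_restore_test_success_pct", "Resilience", "Recover", 100, 95, 90, False),
    Metric("unclassified_cloud_assets_pct", "Asset Inventory", "Identify", 0.5, 2, 10),
]

if __name__ == "__main__":
    for function, status in board_view(SAMPLE_METRICS).items():
        print(f"{function:9} {status}")
    for domain, entry in management_view(SAMPLE_METRICS).items():
        print(f"{domain:25} {entry['status']:6} {entry['out_of_tolerance']}")
```

Two design choices matter for a regulator-facing dashboard. The roll-up is conservative (the worst child drives the parent), so a single RED metric cannot be averaged away by many GREEN ones. And a CSF function with no metric mapped to it is shown as NOT MEASURED, which is the honest answer when a domain has not yet been instrumented; an institution tightening or loosening its appetite re-thresholds metrics with `tailor` rather than changing the roll-up logic.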
Moving toward a new era of trust and transparency for financial institutions
With this cloud metrics model in hand, IBM continues to gather input from global FIs, industry regulators and expert analysts to refine the metrics and examine organizational needs from every angle. IBM Cloud for Financial Services continues to advance the cloud space for the financial services industry, and the proposed cloud metrics model is another piece of the technology and expertise it provides to banking leaders looking toward the cloud. Stay tuned for more details.