At the 2023 GRC Summit, MetricStream’s annual flagship event, Jonathan Ruf, First Vice President - Head of Cyber and Information Risk, Apple Bank, discussed how the organization leveled up its cyber risk management program with MetricStream. Apple Bank is the largest state-chartered savings bank in New York.
Here are the key takeaways from Jonathan’s session at the summit.
Jonathan: We started the journey with MetricStream about four years ago, and the use case was more so around the operational risk. It wasn't necessarily a decision that we were going to use it in cyber and information security. But we realized that there were a lot of synergies, so we took this on.
So, at the beginning, we relied on a GRC process. But what does that really mean if you don't have a framework or a tool? Great value was given, but we needed something to scale, and early on, the selection was made that MetricStream was going to be the tool for Apple Bank. It fit our needs, and it had a roadmap that definitely appealed to us.
Jonathan: As we began this journey, my cyber and information risk management team found a lot of opportunities for improvement.
What did we have? Manual processes, spreadsheets all over the place, disparate data sources. There was no central inventory of applications, or even a well-populated CMDB. It was very difficult to understand what was available and what was being done ad hoc.
We had control validations. For each of the risk assessments, the controls needed to be validated, and they were stored in file shares -- again, decentralized.
Issues and exceptions were PDF documents. You can't report on them.
And the assessments. If you aren't centrally managing your assessments, then how are you reporting them? At the end of the day, it’s about reporting, it’s about system integration, and it's about moving to the next level to reduce the manual efforts and to increase the automation of your security monitoring tools for the organization.
Jonathan: We standardized and automated the process for initiating the risk assessment of application services and infrastructure services.
Let’s look at the risk assessment lifecycle. We're also going to see in this lifecycle how we have integrated systems through APIs.
A GRC isn't an inventory. It's not where you should be holding your assets or your infrastructure components, it's not a CMDB, it's none of those things. You need a source of truth for everything. So, your vendors, your applications, your CMDB, those are in source systems. But we want to ingest this information. Ingesting this information is difficult because it was manual, and manual processes are prone to errors. But now, we have the ability to pull directly from our inventory sources and schedule assessments.
Considering we're a bank, we are highly regulated. We're also a New York State bank, so we're even more scrutinized with DFS. We have the GLBA and we have DFS risk assessments that need to be done on in-scope applications on an annual basis. But this information is stored in our application inventory, not in our GRC. So, what we need to do is we need a push-pull mechanism so we can schedule those assessments based on the date the last assessment was completed, and it will automatically send out those notifications -- never touching the integrity of the source system data within a GRC.
So, why are we not using this information to validate these controls? We have it. Let's use it. I had just one source here, which was Qualys. So, I could say, okay, an infrastructure comes in and it could scan it for vulnerabilities. That's pretty simple.
But we also want to look at -- Is it integrated with SSO? Does it have MFA? Is data encrypted? Is the database connection pool secure? We can bring all of this information in through our APIs, and this is all living in MetricStream. So, we got our source systems and we got our security monitoring tools feeding assessment. It's reducing the burden on the lines of business and providing a more accurate and realistic depiction of risk to the organization.
We just finished with a wonderful, smooth upgrade from Arno to Danube. Now, in every release moving forward, we'll have a low-code/no-code API framework. That's a game changer because if you don't put that in place, creating one-off integrations is going to be a nightmare. Now, you have a low-code/no-code methodology to integrate these systems.
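The scheduling and evidence-gathering flow described above (pull in-scope applications from the inventory system of record, trigger an annual assessment from the date the last one was completed, and pre-fill control checks such as SSO, MFA, encryption and scanner findings from the security monitoring tools), as an added Python example. This is illustrative code written for this article, not MetricStream's or Apple Bank's implementation: the inventory records, tool feeds, field names and regime labels are constructed placeholders, and in a real deployment each feed would be an API call into the system that owns that data, which the GRC reads but never edits.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ASSESSMENT_INTERVAL = timedelta(days=365)  # annual GLBA/DFS cadence

@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    regimes: frozenset             # regulatory regimes the app is in scope for
    last_assessed: Optional[date]  # None means never assessed

# Constructed inventory records (hypothetical), standing in for what the
# application inventory would return over its API. They are read, never written.
INVENTORY: List[Application] = [
    Application("APP-001", "Online Banking Portal", frozenset({"GLBA", "DFS"}), date(2022, 3, 1)),
    Application("APP-002", "Branch Teller System", frozenset({"GLBA"}), date(2023, 1, 15)),
    Application("APP-003", "Cafeteria Menu Site", frozenset(), date(2020, 6, 1)),
    Application("APP-004", "Wire Transfer Gateway", frozenset({"GLBA", "DFS"}), None),
]

# Constructed security-tool feeds keyed by app_id (hypothetical shapes). A missing
# key means the tool holds no record for the app; that is reported as unknown,
# never silently treated as a pass.
SSO_FEED: Dict[str, bool] = {"APP-001": True, "APP-002": True, "APP-004": False}
MFA_FEED: Dict[str, bool] = {"APP-001": True, "APP-002": False, "APP-004": False}
ENCRYPTION_FEED: Dict[str, bool] = {"APP-001": True, "APP-002": True}
VULN_FEED: Dict[str, Dict[str, int]] = {      # e.g. a vulnerability scanner summary
    "APP-001": {"critical": 0, "high": 2},
    "APP-002": {"critical": 1, "high": 5},
    "APP-004": {"critical": 0, "high": 0},
}

def assessments_due(inventory: List[Application], today: date) -> List[Application]:
    """In-scope apps that were never assessed or whose last assessment is a year or more old."""
    due = []
    for app in inventory:
        if not app.regimes:            # out of scope for every regime: no scheduled assessment
            continue
        if app.last_assessed is None or today - app.last_assessed >= ASSESSMENT_INTERVAL:
            due.append(app)
    return due

def control_evidence(app_id: str) -> Dict[str, Optional[bool]]:
    """Collect per-control status from each tool feed; None records 'no evidence available'."""
    vulns = VULN_FEED.get(app_id)
    return {
        "sso": SSO_FEED.get(app_id),
        "mfa": MFA_FEED.get(app_id),
        "encrypted": ENCRYPTION_FEED.get(app_id),
        "no_critical_vulns": None if vulns is None else vulns["critical"] == 0,
    }

def draft_assessment(app: Application, today: date) -> dict:
    """Pre-populated assessment record: evidence, failed controls, and gaps the owner must answer."""
    evidence = control_evidence(app.app_id)
    overdue = None
    if app.last_assessed is not None:
        overdue = max(0, (today - app.last_assessed - ASSESSMENT_INTERVAL).days)
    return {
        "app_id": app.app_id,
        "regimes": sorted(app.regimes),
        "days_overdue": overdue,       # None when the app has never been assessed
        "controls": evidence,
        "failed": sorted(c for c, ok in evidence.items() if ok is False),
        "unknown": sorted(c for c, ok in evidence.items() if ok is None),
    }

if __name__ == "__main__":
    today = date(2023, 6, 1)          # fixed date so the run is reproducible
    for app in assessments_due(INVENTORY, today):
        record = draft_assessment(app, today)
        print(f"{app.app_id} {app.name}: failed={record['failed']} unknown={record['unknown']}")
```

The "unknown" list is the part worth keeping: when a monitoring tool has no record of an application, the assessment should surface that as a question for the line of business rather than default the control to passing, which is the kind of error that creeps in when evidence lives in spreadsheets and file shares.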
Jonathan: We have made such tremendous progress in our cyber risk management portfolio. It just really is truly inspirational and light years from where we first started.
The MetricStream solution currently supports 500+ employees. This extends all the way to our 86 branches, to our multiple headquarters. It provides us with qualitative and quantitative cyber risk information. This is stuff that we can really use, and that drives decisions because ultimately, at the end of the day, we want to provide enriched information to our C-level and our board.
Business Value and Realized Benefits