As head of IT risk and governance of Lloyds Banking Group, Ameet Jugnauth and his team have the unique role of taking a holistic view of cyber risks across the organisation.
As part of his position, he oversees the IT function from a risk perspective, meaning that any operational work, service delivery work, work with third parties and day-to-day operations are analysed to ensure that they’re aligned with Lloyds Banking Group’s risk appetite.
“I’ll be looking at how the activities they’re conducting are linked to our risk appetite and whether we are doing the right things, and if there are any gaps, as well as ways I can support what they’re doing. That covers the core IT function but obviously it’s heavily related to the cyber security office too,” Jugnauth tells NS Tech at Cyber Security Connect UK in Monaco.
Jugnauth explains that his role is ‘second line’; first line risk professionals get into the deep granular details of services, products and processes. They ask questions around controls, how things operate and what tools are being used, whereas Jugnauth takes an aggregated view.
“Using a car analogy, one team is looking at the wheels, another is looking at the engine and so on, whereas I’m looking at how the car looks overall,” he says.
Jugnauth explains that in the last decade the evolution of cyber and IT have changed the way organisations have had to deal with risk.
“They’re changing so regularly in ways that we can’t control – there are new technologies and the way customers interact with us is changing, and those are areas where you can’t wait a year to change your policies and then put your risk management processes in. We have to be quite dynamic and that’s been the biggest shift as an IT and cyber risk professional,” he says.
There has also been a change within the risk department from focusing on business continuity to concentrating on resilience.
“Now the financial services regulator has put a big emphasis on resilience, where they’re asking what our operational resilience posture is, and that has been a game changer,” says Jugnauth.
This has meant a change in the way things are considered; organisations have to not only consider different types of risks, but also how the risk in cyber, IT and people are all related.
Previously, the focus on business continuity would be more about what an organisation would do in the event of an issue – such as an IT outage. Now, the focus is on what the company does to prevent it from happening.
This change has also resulted in resilience being built into day-to-day conversations among the risk team, as well as with the CIO and CISO and their teams.
“To just concentrate [resilience] into a meeting isn’t as effective as those regular conversations you have today, and what has been great about it, is it has forced security people to talk to IT people and IT people to talk to the business, and the business to talk to customers,” he says.
It has also changed procurement. When picking a tool, risk now drives a lot of decisions, whereas previously organisations would be fixed on a compliance approach – ticking off risk and IT security as an afterthought, now it is baked into the conversation from the start.
Part of Jugnauth and his team’s role is to translate the ‘technical’ knowhow of IT and cyber into risk, for the board.
“Boards and C-level executives understand the risk conversation – they don’t necessarily understand the technical security or technical IT conversation. When you translate that to risk they understand that, and then you can explain what the technical teams and process teams are going to do,” he says.
Considering the huge changes being made to his role and department, it wouldn’t be a surprise if the focus shifted once again in the next five years – but unlike previously, those in the industry are expecting this to happen, and Jugnauth and his team will be well prepared to adapt to whatever comes next.