The Convergence of Business and Cyber - Risk Management Through a Bigger Lens
Where cybersecurity and operations converge – as they increasingly do -- financial services firms must view cyber risks as operational risks. That integration is a sign of cyber maturity, says Matt Harper, Aflac’s Vice President and Global Practice Lead, Product Security, and Program Strategy, but it affects the practice of risk management. He advises financial services cybersecurity leaders to learn about the business side and map security processes toward it to the benefit of the overall institution.
Risks aren’t tech or operational – they’re both. Financial services firms used to categorize cybersecurity risk as a technology issue. But as cyber and business processes converge – fusion centers were an early example – business processes make cybersecurity a fundamental part of operations. As such, the risks can’t be managed independently of each other, and core processes and controls need to be mapped to business processes.
Cyber teams can accelerate the convergence. Cyber professionals need a solid understanding of the business side, from strategy to day-to-day operations. Similarly, the business side needs to understand that cybersecurity professionals are more than technologists and that security enables and enhances business. “The brakes on the car are not there to slow you down,” Harper says. “They’re there for you to go fast safely.”
Learn about the business side from the business side. To understand how security processes impact operations and customers, Harper recommends that technologists and security professionals sit in design meetings with business owners – even those they’re not directly involved in – to learn more about business processes. Listen to learn, he recommends, and repeat back what you hear.
Aflac’s integration successes. Claims processing is core to Aflac’s mission, but processing at scale with effective fraud detection controls takes time. So the operational and fraud functions worked closely together to move risk telemetry outside of the core flow, automate more detection, and build a risk engine independent of the claims process.
Explain convergence to stakeholders. Cloud, AI, and (soon) quantum computing are changing the nature of cybersecurity, and budget is always a priority. Clarify how integrating cyber and business in an evolving landscape helps the firm manage risk, improve sales, and serve customers. Leaders may not need to know how controls work but should understand how they facilitate business.
FinCyber Today
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2025 FS-ISAC, Inc. All rights reserved.
