With the internet now middle-aged, it is hard to imagine a world without it.

Between banking applications and online payroll, our co-dependence on technology in the financial services industry is now unimaginable, even for me.

After 50 years, the design of the internet is largely unchanged, making it a cyber vulnerability issue. It was never designed to protect against intrusion. When we use connectivity to conduct financial transactions we invite those with criminal intent to exploit our data.

Unlike a cat with nine lives, a single instance can leave an organization susceptible to cybersecurity threats – extinguishing both your reputation and your business. To combat cyber susceptibility, financial institutions must exhibit intellectual curiosity to understand changing technology, working proactively to protect assets and preserve investor confidence.

However, the sophistication of attacks are evolving as rapidly as the defenses. It is vital to admit no organization is secure, but rather its vulnerability to attacks are managed to a low level. Attempting to minimize risk and be prepared for a potential attack starts with that intellectual curiosity coming from the top down, beginning with Leadership, the Board, and extends through every layer of the organization, including employees, vendors, and even its customers.

Intellectual curiosity means being unafraid to question and challenge traditional security approaches. Non-technology managers must demonstrate the intellectual curiosity to understand the technology platform and participate in its assessment. Said differently, the Chief Technology Officer, Chief Information Officer, or Chief Information Security Officer cannot and should not be expected to perform this function in isolation. Question the norm.

No one has a perfect risk management system for dealing with cybersecurity attacks.  As mentioned earlier, optimization is achieved through minimizing vulnerability to attack and not underestimating the “enemy.”  However, in reality resources are limited regardless of the organization’s size and choices must be made to best protect your assets. If we do not listen to fellow industry participants and believe our systems are “secure enough,” we expose ourselves to the greatest vulnerability – arrogant complacency. We need to listen, learn, and respond carefully to our curiosity. No one individual or firm has the answer. Some of the answers may surprise us, but they won’t kill us.

We have the obligation to ask simple questions that should result in reasonable and likely technical responses; however, they must be asked. What is our level of protection against a certain event? Why are we comfortable with the decision? How could we better reduce the entity’s vulnerability? When can we implement such an approach? Who will be responsible for execution?  And, so on. Notice there is no mention of IPsec, iSCSI, IoT, or encryption algorithms. Cybersecurity protection involves everyone as we are only as strong as the weakest link.

So, curiosity will not kill the cat; in fact, intellectual curiosity is an integral part of cyber risk management.


Shaun Murphy is the Chief Operating and Credit Officer of Freedom Bank. Brevity is a lofty objective when applied to technology in the current environment, so consider this an attempt to scratch the surface by providing renewed awareness of risk management fundamentals. Shaun will share more of his perspective and real life expertise at Edwards’ upcoming Cyberbytes: Financial Focus on May 2, 2019.

Click here to learn more and register.

AUTHOR: SHAUN MURPHY (Executive Vice President/Chief Operating Officer and Chief Risk Officer of Freedom Bank of Virginia)

Shaun Murphy was a guest blog writer and co-presenter at an Edwards’ Cyberbytes event. Mr. Murphy has 25+ years of national and international experience in financial services leadership. He most recently served as SEVP and Chief Credit & Risk Officer at City First Bank in Washington DC since 2015.