By Adesuwa Aderemi
When Griffith Ehebha stepped into the dual role of Chief Information Security Officer and Group Head of Operational Risk Management at Diamond Bank, Nigeria’s financial sector was undergoing a quiet transformation. Digital channels were expanding.
Transactions were moving online. But behind this progress loomed an unsettling truth: many banks were unprepared for the risks they were walking into.
At the time, cybersecurity was still seen largely as a technical function, a matter for IT departments. Operational risk, meanwhile, was treated as a regulatory checkbox. But I believed and still believe that this thinking is dangerously outdated.
Cybersecurity and operational risk are not back-office issues. They are strategic, enterprise-wide imperatives. They demand executive attention, cultural alignment, and above all, foresight.
“One of the first decisions I made at Diamond Bank was to establish a Managed Cybersecurity Operations Center (CSOC), a move that gave us real-time visibility into our threat environment.
Before then, our response to cyber incidents was mostly reactive. But once we built the CSOC, we could detect and analyze threats proactively, often before they caused damage,” says Ehebha.
This shift was more than technological, it was philosophical. You cannot protect what you cannot see. And yet, visibility without action is equally useless. We integrated the CSOC into our overall risk governance framework, ensuring that insights from the security center were informing decisions across departments.
Another major transformation Griffith undertook was the automation of our Risk and Control Self-Assessment (RCSA) and the Loss Database Management System. These weren’t cosmetic upgrades, they were foundational. I’ve always believed that if your operational risk strategy is not grounded in data, it’s built on sand.
By automating these systems, we were able to use historical and real-time data to detect fraud triggers, identify process weaknesses, and anticipate where internal failures might occur. It created a loop of continuous learning and improvement. Suddenly, our risk assessments were no longer hypothetical they were evidence-based, timely, and actionable.
Operational resilience must be tested, not just documented. That’s why I led the redesign of our business continuity and disaster recovery programs, aligning them with ISO 22301 standards. But compliance alone wasn’t the goal. We needed to know, with certainty, that if the worst happened, we could recover—and fast.
So we conducted live simulations. We ran war games. We invited senior executives into the room and threw real-world crisis scenarios at them. Not to panic, but to prepare for them. Because in a crisis, leadership clarity matters more than technical controls.
Here’s something I learned early: your organization is only as secure as its culture. You can invest in firewalls, encryption, and endpoint protection, but if your people aren’t aligned, if they don’t understand their role in managing risk, those investments won’t save you.
That’s why I focused heavily on executive buy-in and cultural change. Risk governance needs to be cross-functional. Cybersecurity needs to be embedded into every department, from HR to product development. I worked closely with our leadership team to make cybersecurity a shared responsibility, not a siloed function.
One of the most powerful tools in any risk management arsenal is not a system, it’s a mindset. I ran executive-level cybersecurity simulations because I wanted to build that mindset. I wanted our leaders to practice thinking clearly under pressure, to identify blind spots before they became vulnerabilities.
As I often told my team, “Securing systems is just one part of the job. Real security comes from preparing leadership to think clearly under pressure.” That kind of readiness doesn’t happen overnight. It has to be built, tested, and reinforced over time.
Looking back on my time at Diamond Bank, I’m proud of the frameworks we built, many of which became models for others in the industry. But I’m even more proud of the shift in mindset we were able to achieve.
Today, as digital threats grow more sophisticated and attackers more emboldened, our response as institutions must be equally evolved.
That starts with treating cybersecurity and operational risk as board-level priorities—not technical headaches. It means moving from compliance to capability. From silos to systems. From reaction to foresight.
The future of secure banking in Africa—and indeed globally will belong to institutions that embed resilience, data-driven governance, and leadership readiness at their core. Anything less is an invitation to disruption.
Disclaimer
Comments expressed here do not reflect the opinions of Vanguard newspapers or any employee thereof.