“You're trying to take our jobs.”
I think the comment was half joking, but also half serious.
It was four years ago, and I was presenting to a group of bank technology officers on the concept of the virtual Information Security Officer (vISO). I got to the end of my presentation, where there was time for comments and questions, and the very first one that flew out from the group was just that:
“You're trying to take our jobs.”
I looked around the room and saw a lot of heads nodding in agreement. “Ok. This isn’t going to be easy…” I said to myself. The thing is, it wasn’t true back then, and it’s definitely not the case now.
BankDirector.com ran its Annual Risk Survey in 2019 and found that, of the participants surveyed, 53% of banks don't have a dedicated information security officer and 33% don't have one at all.
If you’re in the 33%, you can stop reading now and go directly here: https://www.bedelsecurity.com/the-cyspot-program
But if you're in the 53%, this blog post is for you.
You might be saying to yourself: “But Chris. Do we really need a dedicated information security officer? Why do they have to be dedicated?”
That's a great question.
In this case, the term dedicated means that your ISO or CISO isn’t dual-purpose. They aren’t wearing multiple hats. That can be hard for most community banks and credit unions, which is why going virtual for this role can be extremely beneficial in a lot of circumstances.
So I've come up with five reasons why, even if you have a named information security officer, you should consider a virtual information security officer (vISO) or virtual chief information security officer (vCISO) at your financial institution:
- Independence - Examiners and regulators are pushing for independence in the information security officer role, and it's also just good practice. You can't have someone providing oversight of their own work; the person who configures and runs the systems can't also be the one who independently assesses whether they're configured and run correctly. Plain and simple. This conflict typically shows up when you've named the IT Manager as your information security officer.
- Expertise and Structure - A virtual information security officer is working on building and maintaining information security programs every single day of the week. As a colleague of mine, Aidan Simister, said in a recent podcast interview we did together, a virtual CISO “is like having an information security officer on steroids.” (Check out the full podcast here: https://www.linkedin.com/posts/lepide-software-pvt-ltd-_cisotalks-cybersecurity-virtualciso-activity-6630485815535378432-7ABc) We see this need come up in cases where someone with very little experience as an information security officer has been named to the role and is having a tough time even knowing where to begin.
- Outside Perspective - This applies to everybody, and we're told time and time again that it's one of the most valuable parts of our service. Banks and credit unions love to ask: “What's everybody else doing?” Having that perspective at the table with your team can really help your cybersecurity program.
- Workload - We often hear dual-role information security officers say: “I just don't have the time to get all this stuff done, along with the other responsibilities that I have.” Symptoms of this include scrambling at the last minute to get things ready for an audit or exam, lapses in reporting to the board, and missed deadlines (e.g. the risk assessment didn't get done last year).
- It's hard to be good at something you just don't like to do - The reality is that most dual-purpose information security officers like their other roles better than being an information security officer. Don't get me wrong, that doesn't mean they don't find cybersecurity interesting and intriguing. But let's be honest, there is a lot of documentation and paperwork that goes with being a good information security officer: the assessments, the policies, the reports. Most IT Managers don't like doing this kind of work, and most non-technical people find it overwhelming and stressful. In both cases, we often find that this is not the kind of work these folks want to be doing. And if they don't enjoy doing it, it's going to be hard for them to be really good at it.
So I think from those five items you can see that we're not trying to take anybody's job. This is about being a resource and providing help where help might be needed. This is about making people's lives easier.
And I hope this blog post has opened your perspective to the possibilities of engaging a vISO or vCISO, or at least to finding out more about it.
If you'd like to know more, shoot me an email at chris@bedelsecurity.com and we can set up a 10 or 15 minute chat.