This blog post is going to sound a little bit self-serving, but I promise you it's not intended to be that way.
I've had the opportunity to do a little bit of traveling over the last month, and speak to varying groups on information security and cyber security in community banks and credit unions.
And I heard 2 things; one being surprising to me, the other being a bit of outdated thinking.
The surprising: there are still a larger number of financial institutions that are unaware of the Virtual CISO concept and how it can help them.
The outdated: there are still a number of dual role IT Managers that are skeptical of getting outside help via a Virtual CISO.
Both come down to awareness. As much as we preach awareness for our end users on understanding the threats, we as managers and executives need to make sure we’re aware of the tools at our disposal to be more efficient and effective in cybersecurity, and a vCISO may be one way of doing that.
Though I’ve covered this in blog posts before, I feel obligated to continue to promote awareness in this area. Community banks and credit unions need help managing and maintaining their cybersecurity program and that’s what we’re here to do.
So, if you find yourself in either camp, please read on to become more aware of how outside help could be beneficial to your financial institution.
--
- What is a Virtual CISO?
Simply put, a virtual Chief Information Security Officer is getting outside, contracted help with an individual or team to help manage your information security and cybersecurity programs.
It can go by other names such as: Virtual Information Security Officer, Fractional CISO, Outsourced CISO, or even just cybersecurity consultant.
Some of the benefits of a Virtual CISO include:
- Experience and expertise on your team at a fraction of the cost of a full time employee
- Independent oversight for your cybersecurity program
- Outside information sharing on threats and best practices
- The service can be done remotely, allowing you to get the help you need regardless of geography and local human resource limitations
And if the service is structured properly, other benefits come in to play, like scalability, repeatable framework, and customized to needs and budget. [An example of this is our CySPOT™ Program structure]
Auditors and Examiners are becoming more familiar and much more welcoming of the Virtual CISO as they see its value. Not to mention that the DFS NYCRR law in New York openly allows for it, as does the proposed changes to the GLBA.
--
- Are You Skeptical of a Virtual CISO?
The other thing I've seen as I've been talking to bankers in the last month is that even if there's an awareness of the vCISO concept, it almost feels like something to be feared rather than embraced.
Especially for the person who's wearing two hats as both IT Manager and ISO.
I get where you're coming from, I was once there too. And that's why we started this business. We did it to help people just like ourselves, like you; we didn't do it to take your job.
And I think you'll find that most virtual CISOs, whether it be Bedel Security or other outside firms, feel the same way.
The concept of the Virtual CISO it's not meant to make you give away control. Instead it can be a trusted partner that can help you manage the demands of balancing operations and cybersecurity.
As I said earlier, I‘ve been there. The workload of managing the network, managing the servers, and managing the endpoints is too overwhelming to also be good at information security.
So instead of viewing the idea of a Virtual CISO as a threat, you should look at it as a tool to augment your current efforts with a customizable menu of services. [Take a look at our CySPOT™ modules]
--
So my challenge everyone reading this blog post is to do what you can to learn more about some of the options out there. Don’t do it for me, do it for yourselves, do it for your fellow community financial institutions.
- Are you in the boat, where you don't know enough about a virtual CISO, and maybe it's time to take a look at it and go out and find those resources?
- Would your Banking or Credit Union Association benefit from a webinar on the concept of the vCISO to educate your members?
- Or are you in the boat where you know you need help, but you're not truly considering this as an option?
My challenge to you would be just reach out and see what that might look like.
Because none of this is getting any easier. For a community bank to survive (And I want them to survive), creatively outsourcing various pieces of your business is going to be key. Information security and cyber security is no exception to that.
If you feel any need whatsoever to find out more about what a Virtual CISO is or does, I am happy to speak with you in a strictly informative way. Or let us know if we can send you any of our resources on the topic!
Just contact me at chris@bedelsecurity.com