This blog post is going to sound a little bit self-serving, but I promise you it's not intended to be that way.
I've had the opportunity to do a little bit of traveling over the last month, and speak to varying groups on information security and cyber security in community banks and credit unions.
And I heard 2 things; one being surprising to me, the other being a bit of outdated thinking.
The surprising: there are still a large number of financial institutions that are unaware of the Virtual CISO concept and how it can help them.
The outdated: there are still a number of dual-role IT Managers who are skeptical of getting outside help via a Virtual CISO.
Both come down to awareness. As much as we preach awareness for our end users on understanding the threats, we as managers and executives need to make sure we’re aware of the tools at our disposal to be more efficient and effective in cybersecurity, and a vCISO may be one way of doing that.
Though I’ve covered this in blog posts before, I feel obligated to continue to promote awareness in this area. Community banks and credit unions need help managing and maintaining their cybersecurity program and that’s what we’re here to do.
So, if you find yourself in either camp, please read on to become more aware of how outside help could be beneficial to your financial institution.
--
Simply put, engaging a virtual Chief Information Security Officer means getting outside, contracted help from an individual or team to manage your information security and cybersecurity programs.
It can go by other names such as: Virtual Information Security Officer, Fractional CISO, Outsourced CISO, or even just cybersecurity consultant.
Some of the benefits of a Virtual CISO include:
And if the service is structured properly, other benefits come into play, such as scalability, a repeatable framework, and customization to your needs and budget. [An example of this is our CySPOT™ Program structure]
Auditors and Examiners are becoming more familiar with, and much more welcoming of, the Virtual CISO as they see its value. Not to mention that the DFS NYCRR law in New York openly allows for it, as do the proposed changes to the GLBA.
--
The other thing I've seen as I've been talking to bankers in the last month is that even if there's an awareness of the vCISO concept, it almost feels like something to be feared rather than embraced.
Especially for the person who's wearing two hats as both IT Manager and ISO.
I get where you're coming from; I was once there too. And that's why we started this business. We did it to help people just like ourselves, like you; we didn't do it to take your job.
And I think you'll find that most virtual CISOs, whether it be Bedel Security or other outside firms, feel the same way.
The concept of the Virtual CISO is not meant to make you give away control. Instead, it can be a trusted partner that can help you manage the demands of balancing operations and cybersecurity.
As I said earlier, I've been there. The workload of managing the network, managing the servers, and managing the endpoints is too overwhelming to also be good at information security.
So instead of viewing the idea of a Virtual CISO as a threat, you should look at it as a tool to augment your current efforts with a customizable menu of services. [Take a look at our CySPOT™ modules]
--
So my challenge to everyone reading this blog post is to do what you can to learn more about some of the options out there. Don’t do it for me, do it for yourselves, do it for your fellow community financial institutions.
My challenge to you would be to just reach out and see what that might look like.
Because none of this is getting any easier. For a community bank to survive (and I want them to survive), creatively outsourcing various pieces of your business is going to be key. Information security and cyber security are no exception to that.
If you feel any need whatsoever to find out more about what a Virtual CISO is or does, I am happy to speak with you in a strictly informative way. Or let us know if we can send you any of our resources on the topic!
Just contact me at chris@bedelsecurity.com