The Bedel Security Blog

Case Study: A Virtual ISO in a Community Bank ($325 Million)

Written by Chris Bedel | Jun 19, 2017


This blog post is part 1 of a three-part series. It is an excerpt from our whitepaper on the Virtual Chief Information Security Officer concept. We hope you find it helpful in visualizing practical applications of outsourcing the Information Security Officer function in financial institutions.

To get the whitepaper, you can enter your information below, or click here to learn more.

Case Study #1 – Virtual ISO ($325 Million in Assets)

Sunnyville State Bank had been experiencing steady growth over the past 5 years in their rural communities. Management had worked hard to develop a solid team in their information technology department, led by an experienced Information Security Officer/IT Officer, and including three other staff members.

Although the lack of independence for the ISO position was always a concern, Sunnyville consistently earned satisfactory ratings in their IT audits and exams. But, when the Information Security Officer resigned to join her family business, things took a turn for the worse. Management’s initial response was to name one of the current IT staff to the ISO position, but it quickly became clear that the skills that make for great IT professionals don’t always translate to making a great leader for the information security program.

Sunnyville then tried to hire for the position externally but found that the talent pool in their rural community was a bit sparse. Combined with the desire for a candidate that had information security and banking experience, the search and selection process became almost impossible.

Outsourcing the ISO

After attending a presentation on “Outsourcing the ISO” at Sunnyville’s state banking conference, the COO developed a plan to utilize a Virtual ISO (vISO) to help with their problem and got approval from the executive committee to move forward.


The vISO firm they contracted with assigned a Certified Information Security Manager to the bank to lead, develop, and maintain the information security program in a combination of onsite meetings and remote consultation. For a fixed annual fee, their Virtual ISO handles security tasks like an in-house ISO, including policies, risk assessments, training, collaborating with IT staff, board reporting, and incident response.

Because of the experience and expertise that their vISO brought to the table, the transition period was short, and the immediate value has been high as bank executives and board members now have a clearer understanding of their cyber risks and controls.

Sunnyville utilizes their IT Committee to provide oversight for their Virtual ISO and found that the independence gained by outsourcing the position has actually improved their information security governance. And their recent FDIC examination delivered satisfactory results, as examiners were pleased to see bank management make a move to continue the maturity of their information security program.

Want to learn more about Virtual ISO services? Click here.