Community Bank CISO: New IT Booklet Calls for More Strategic Role

by Chris Bedel | Dec 16, 2015

The role of the community bank ISO has changed over the years. The position was once thought to apply only to the big banks. Now no bank is too small to need an ISO, and the requirements of the role are becoming more challenging and demanding.

The FFIEC has been saying for some time that the Information Security Officer should be an independent risk manager, not an IT production resource, and should report to the CEO or directly to the Board, not through IT.

But the latest IT Management Booklet released in November by the FFIEC is also calling for the ISO role to take further steps in the maturity process, and become more of a strategic role for financial institutions.

Where the old IT Management Booklet mentioned the ISO only in a short paragraph, as the administrator of the information security program, the new guidance discusses the CISO role at length as a separate and very important role in IT Governance.

It even details the typical responsibilities the CISO should have:

  • Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks.
  • Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks.
  • Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
  • Monitoring emerging risks and implementing mitigations.
  • Informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information.
  • Championing security awareness and training programs.
  • Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats.
  • Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate.

What does this mean for Financial Institutions?

It means there will be an ever-increasing push by examiners for banks to take the CISO role seriously in 2016 and beyond, and that information security needs to be part of strategic planning.

It also means that some community banks will need to think outside the box about how they fill the CISO responsibilities. With the limited staffing options that many smaller financial institutions face, it is a struggle to establish a CISO role that is both independent and qualified.

Regardless of how Boards of Directors choose to address it, one thing is clear: the CISO will be key for the banking industry to effectively manage risks, now and into the future.
