Ever get that feeling that you don’t know what you don’t know about the effectiveness of your cybersecurity program?
You’re not alone. Trust me though, you are better off than those with blind confidence. That’s a whole other story.
BTW - I just attended a banking conference where FDIC chair Jelena McWilliams said that credit and cyber are the 2 biggest risks that a financial institution faces. If that’s not a wake-up call, I don’t know what is.
So, is 2022 the year where you get your information security program moving in the right direction? You know, where your financial institution starts driving toward a place where:
- You understand the threats and how they may impact your specific environment
- You manage cyber risks by administering appropriate mitigating controls
- You integrate people and processes into security, not just technology
- You communicate the right type and right amount of information to staff, management, and board
- Your users are trained and tested on a regular cadence
- You have a plan in place to handle and recover from incidents
- Your program and processes are efficient, consistent, and sustainable for growth
- You are proactive, not reactive with all these things
- You have the right people, in the right seats (including the driver’s seat) to take you there
Sound great - doesn’t it? But just like any other destination on the map, you have to know where you are and what direction you need to be headed to get there.
You need to start with a gut check. It’s an assessment of where your program is strong, where you can improve, what are the most pressing issues, and what are the long-term plans to get you to the point where you can say “yes” to all the statements above.
But that can be hard to do. It’s hard to read the label from inside the bottle, so there’s not a DIY checklist for this. You really need to get some outside help with the assessment process.
Unfortunately, your IT audit won’t fully deliver on this. Yes, audits are great at testing controls (an absolute must) and can provide some guidance, but they are not intended to give holistic, strategic advice on your information security program.
You need someone that’s been there, done that, and can visualize the plan to bridge the gap.
That’s where virtual CISOs can bring a very interesting perspective to your institution. I’m not saying that you contract with a virtual CISO as an ongoing service, but a small project for an assessment of your program could be very beneficial. Good vCISOs are strategic by nature AND have managed multiple institutions of varying size and complexity. They have the experience and expertise to tell you where you are and where you need to go.
Ok, shameless plug here: if you already have a relationship with a vCISO that performs assessments like this, it might be a great time to get one scheduled to help plan for 2022. If you don’t have someone, you can learn more about Bedel Security’s CISO Assessment here: https://www.bedelsecurity.com/services/the-ciso-assesment
We developed it because banks were telling us they just didn’t know where they stood and what they could do to improve.
If you want to know more or have any questions, please contact us at support@bedelsecurity.com.
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
What Monitoring Reports Should Be Included in Management Reports?
https://www.bedelsecurity.com/blog/what-monitoring-should-be-included-in-management-reports
The Powerful GLBA Board Report
https://www.bedelsecurity.com/blog/the-powerful-glba-board-report
The Perfect Meeting Agenda to Improve IT & Cyber Governance
https://www.bedelsecurity.com/blog/the-perfect-meeting-agenda-to-improve-it-cyber-governance
3 Keys to Cybersecurity Maturity
https://www.bedelsecurity.com/blog/article-review-3-keys-to-cybersecurity-maturity
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
5 Tips for Creating an Information Security Program That Works
https://www.bedelsecurity.com/blog/5-tips-for-creating-an-information-security-program-that-works