Ensuring Independence in Your Virtual CISO

by Chris Bedel | Jul 23, 2021

I know, I wrote about this topic just a few months ago.  But I’m going to keep writing about it until the madness stops.

I’m talking about the tendency for existing IT providers to offer virtual CISO services to their banking customers.

In the last 90 days, I’ve heard stories about the following:

  • IT Auditors offering virtual CISO services to the bank they audited (sorry, you can’t audit what you helped design and manage).
  • Managed IT Providers trying to sell vCISO services to the bank whose network, servers, and workstations they were managing (there are just so many things wrong with this one).
  • And even Core Banking Providers acting as Virtual ISO for their customers (I know these guys want to be the Amazon of banking, but we really need to draw the line somewhere).

Given that my company focuses on vCISO services in the banking industry, you may be saying that I’m just complaining about some good old-fashioned competition and I just need to stop whining.

Nothing could be further from the truth. Competition confirms the need for vCISO services in the banking industry and validates the model as a viable solution for community financial institutions wanting to enhance their cybersecurity programs.

No, instead this is about independence and the NEED for it in a vCISO relationship. And my goal is to educate leaders at banks and credit unions so they can make an informed decision when it comes to a Virtual CISO.

Independence is one of the key benefits of a Virtual CISO for a financial institution (there are many others, covered in the resources listed below), and eliminating it greatly reduces the effectiveness of the role.

We just can’t have that happen - the banking industry needs independent vCISOs. Examiners expect independence from this relationship (as they should).

Don’t get me wrong - it’s not a question of whether they CAN do it. The above-mentioned providers are perfectly capable of offering the vCISO service. But just because they can does not mean that they should.

Some similar examples to demonstrate my point:

  • It’s like one of your tellers getting cash from the vault by themselves - they are CAPABLE of doing it - but should they? 
  • Your back-office staff could do their own G/L account reconciliations.
  • Your wire transfer administrators are perfectly capable of sending out hundreds of thousands of dollars by themselves - why have a verifier?
  • Your lenders could fund their own loans.

My point is: we come from a dual control industry. We have to implement first, second, and third lines of defense. You should expect as much from your information security program as well. The person assessing the program should not be the same person who designed it and runs it day to day, and that is exactly the situation created when your IT auditor, managed IT provider, or core provider also serves as your vCISO.

There are plenty of experienced providers out there, so you don’t need to sacrifice quality or independence when it comes to your Virtual CISO.

For more information on independence in all your IT roles, including a quick-reference chart, see the Independent Collaboration post here: https://www.bedelsecurity.com/blog/independent-collaboration-part-2-a-framework-for-outsourcing-it-in-financial-institutions 

Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Independent Collaboration Part 1: A Concept for Outsourcing IT in Financial Institutions
https://www.bedelsecurity.com/blog/independent-collaboration-part-1-a-concept-for-outsourcing-it-in-financial-institutions 

vCISO Questions and Answers 05: What are the Pros and Cons of a Virtual CISO?
https://www.bedelsecurity.com/blog/what-are-the-pros-and-cons-of-a-virtual-ciso

vCISO Questions and Answers 03: What does a vCISO do and what does a vCISO not do?
https://www.bedelsecurity.com/blog/what-does-a-vciso-do-and-what-does-a-vciso-not-do  

5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport 
