Community banks often face the dilemma of designating their CIO, CTO, IT Officer, IT Manager, or even a Managed Service Provider (MSP) as the Chief Information Security Officer (CISO). It’s a solution that seems to make sense—these individuals or entities already understand the technology and the bank’s infrastructure. But while this approach may appear convenient, it’s not ideal from a security or regulatory perspective.
Why Does This Happen?
The rationale is simple: community banks need someone qualified to manage cybersecurity. Unfortunately, talent is limited, and finding a qualified CISO can be tough in these environments. As a result, banks often default to assigning the role to the IT department or their managed IT vendor.
Why It’s Not Ideal
Examiners agree that having your IT leader double as your CISO isn’t a best practice. But beyond regulatory feedback, there are broader issues at play. An independent and qualified CISO isn't just about checking a regulatory box; it’s about optimizing the roles and responsibilities within your bank to ensure robust cybersecurity.
Defining Key Roles in Your Bank
Let’s explore what each of the roles and how they compare to one another:
CIO, CTO, IT Officer, MSP Vendor |
CISO |
|
Focuses on innovation |
Focuses on risk management |
|
Technology integration with other business units |
Cybersecurity ambassador for other business units |
|
Executing on digitization for customers |
Ensuring secure digitization for customers |
|
Support for end users |
Security awareness for end users |
|
Operations (patching, configurations, engineering, SLAs, backups, etc.) |
Governance (policies, vendor management, board reporting, audits/exams, etc.) |
|
First line of defense in incident response and remediation |
Second line of defense in incident response and oversight of IT |
These roles have distinctly different objectives, and attempting to merge them creates conflicts.
5 Reasons Why You Need an Independent CISO
- Oversight is Essential
It’s nearly impossible for IT to oversee its own work effectively. IT and Information Security need a balanced tension—like a well-tuned guitar string: not too loose, not too tight, but just right. In today’s rapidly evolving cyber landscape, gaps in oversight can’t be afforded.
- Relying on One Perspective Limits Effectiveness
Cybersecurity is complex, requiring diverse perspectives and skill sets. Placing all responsibility on one individual or firm can restrict your bank’s cybersecurity approach, making it less adaptable to new threats.
- Innovation vs. Risk Management
It’s difficult to drive innovation while also managing risk—these are often competing forces. If the focus is too risk-averse, digitization can stall; if too risk-hungry, it leads to a lack of control. There must be a balance that enables collaboration between IT and security.
- IT Operations vs. Information Security Needs
IT operations are often urgent and reactive, while information security tends to be proactive and less urgent. This inherent difference describes two entirely separate roles that demand different mindsets and strategies.
- Regulatory Pressure
For the reasons above, regulators have and will continue to push banks toward separating IT and information security roles. It’s a question of when, not if, they’ll ask you to make the shift.
So, What Can You Do?
Your bank needs a qualified and independent CISO.
- Qualified: The individual should understand threats, technology, risk management, and regulatory requirements, and have strong communication skills to lead in these areas.
- Independent: The CISO must be separate from IT operations to maintain objective oversight.
Options for Meeting These Requirements
- Hire or Promote a Dedicated CISO
- Pros: Fully dedicated resource.
- Cons: Hard to find, expensive, may not be necessary for banks under $3-$4 billion in assets.
- Name Someone Outside of IT as the CISO (e.g., Compliance Officer, CFO, COO, CRO)
- Pros: Internal resource, familiarity with the bank.
- Cons: May not be fully qualified; requires significant training and time to adapt to the role.
- Partner with a Virtual CISO Firm
- Pros: Less expensive than a full-time CISO, experienced and certified experts, independent from IT operations.
- Cons: May require cultural adaptation to work with external partners effectively.
Tailoring the Right Solution for Your Bank
There’s no one-size-fits-all answer. Your bank’s specific needs and resources will determine the best path forward. However, if you’re considering the virtual CISO option, we offer a whitepaper that delves into the pros and cons, FAQs, and the steps to start the selection process.