Community banks often face the dilemma of designating their CIO, CTO, IT Officer, IT Manager, or even a Managed Service Provider (MSP) as the Chief Information Security Officer (CISO). It’s a solution that seems to make sense—these individuals or entities already understand the technology and the bank’s infrastructure. But while this approach may appear convenient, it’s not ideal from a security or regulatory perspective.
The rationale is simple: community banks need someone qualified to manage cybersecurity. Unfortunately, talent is limited, and finding a qualified CISO can be tough in these environments. As a result, banks often default to assigning the role to the IT department or their managed IT vendor.
Examiners agree that having your IT leader double as your CISO isn’t a best practice. But beyond regulatory feedback, there are broader issues at play. An independent and qualified CISO isn't just about checking a regulatory box; it’s about optimizing the roles and responsibilities within your bank to ensure robust cybersecurity.
Let’s explore what each of these roles does and how they compare to one another:
| CIO, CTO, IT Officer, MSP Vendor | CISO |
| --- | --- |
| Focuses on innovation | Focuses on risk management |
| Technology integration with other business units | Cybersecurity ambassador for other business units |
| Executing on digitization for customers | Ensuring secure digitization for customers |
| Support for end users | Security awareness for end users |
| Operations (patching, configurations, engineering, SLAs, backups, etc.) | Governance (policies, vendor management, board reporting, audits/exams, etc.) |
| First line of defense in incident response and remediation | Second line of defense in incident response and oversight of IT |
These roles have distinctly different objectives, and attempting to merge them creates conflicts.
It’s nearly impossible for IT to oversee its own work effectively. IT and Information Security need a balanced tension—like a well-tuned guitar string: not too loose, not too tight, but just right. In today’s rapidly evolving cyber landscape, gaps in oversight can’t be afforded.
Cybersecurity is complex, requiring diverse perspectives and skill sets. Placing all responsibility on one individual or firm can restrict your bank’s cybersecurity approach, making it less adaptable to new threats.
It’s difficult to drive innovation while also managing risk—these are often competing forces. If the focus is too risk-averse, digitization can stall; if too risk-hungry, it leads to a lack of control. There must be a balance that enables collaboration between IT and security.
IT operations are often urgent and reactive, while information security tends to be proactive and less urgent. This inherent difference describes two entirely separate roles that demand different mindsets and strategies.
For the reasons above, regulators have pushed, and will continue to push, banks toward separating IT and information security roles. It’s a question of when, not if, they’ll ask you to make the shift.
Your bank needs a qualified and independent CISO.
There’s no one-size-fits-all answer. Your bank’s specific needs and resources will determine the best path forward. However, if you’re considering the virtual CISO option, we offer a whitepaper that delves into the pros and cons, FAQs, and the steps to start the selection process.