I want to focus today's topic on improving the information security program at your bank or credit union. But keep in mind that these two things are key to improving anything in your life.
It can be in your relationships, health, professional development, and overall organizational performance.
I was recently working with a mentor of mine, and he pointed out that there are two things that are required to improve anything.
And they are desire and self-awareness.
Desire has to come first, even if it’s merely enough desire to become self-aware. But it has to come first. (example: even by reading this article, you are exhibiting some desire to improve your information security program, whether you know it or not)
Nothing happens without first the desire to have it happen. It’s not something we can give each other, we have to each come to it on our own, often with different motives for doing so. Regardless, the desire has to be there.
And there’s a difference between just saying we want something and true desire. Desire happens when we want something more than the cost of getting it.
Let me repeat that. You have to want it more than the cost of getting it. Again, that goes with getting in shape, having a successful marriage, and having an effective information security program.
And it's amazing what we as human beings can accomplish when we do have the desire to make a change or make an improvement.
Once we establish desire, we can move on to the next step in improving anything in our lives, and that’s self-awareness.
Self-awareness is really difficult. To truly be self-aware is a state that many of us will take our entire lives to achieve.
It’s so hard because it can be really difficult to admit an area of weakness, or an area of needed improvement.
But we can’t move to an improved state without understanding where we currently are.
When it comes to your information security program and your cybersecurity maturity level, desire is looking ahead to a future state.
It's envisioning a future for your bank or credit union that doesn't yet exist. It might be better reporting & communication, enhanced oversight, improved policies, or being better prepared for an incident.
In the information security industry, we often hear this referred to as the “desired state”.
Because it's the place on the map where we want to drive our organization to.
It’s like the blog post I wrote last week. If you don't have a vision for where you're going, there's no way you're ever going to get there. The same holds true here. We have to have the desire to get there and be able to visualize what that desired state looks like.
So, if we know our goal, where are we on the spectrum of meeting that goal? Just like any journey, if the “desired state” is our end destination on the map, we have to know where we are starting from to establish a set of directions.
This is self-awareness, and as I said before, this is extremely difficult for people to do.
Self-awareness can sometimes feel like a weakness or a failure, but it should instead be viewed as a growth opportunity. It can be uncomfortable, but remember when I said desire meant that you had to want it more than the cost?
If you want to grow and improve your information security program, you have to go through this difficult process. This can be in the form of self-assessments, gap analyses, etc.; more on that later.
From there, it's really a matter of creating an information security strategy, which simply becomes the roadmap to get from our current state (that we've become self-aware of) to the desired state.
From an information security standpoint, these two components should ideally be handled by your CISO. This type of leadership is exactly what that role should be providing to your institution.
I promise that if you turned to your CISO and asked them to set a desired state, assess where you stand, and create a roadmap to bring the two together, they would gladly accept the challenge, if they haven’t done so already.
If you don’t have a CISO, there are numerous options in the financial industry to contract with a virtual CISO to fill that role. They can do the above things at a fraction of the cost of a full-time employee.
And the outside perspective can sometimes be more effective at assessing where you currently stand than someone who is much closer to the situation.
That’s why the vCISO concept is not so novel anymore. It is becoming more and more of a viable option for banks and credit unions of all sizes.
Sometimes you just want to know where you stand. And the desire to change can come from that new self-awareness. Like the desire to get in shape because your doctor made you aware that your health is rapidly declining.
That is completely understandable, and many community banks and credit unions that I speak to are in the same shoes.
If that's the case, my advice is simple: get some outside help. Have you ever heard the saying: “it’s hard to read the label from inside the bottle”?
As I said before, it’s really hard to self-assess your own Information Security Program. I recommend talking to your auditors or other information security consultants, someone who understands what your desired state should look like.
Because we hear this all the time, I want to make myself available to you.
If you're reading this, and you just don't know if you should be putting more focus on your Information Security Program, I want to help.
I'm offering a one-hour needs assessment, no charge, to banks and credit unions only. There's no pressure and no obligation. It’s merely intended to help you understand where you stand today.
Just email me directly at chris@bedelsecurity.com and I’ll send you my meeting link where we can set up a time that works for both of us.