Imagine that a law just passed requiring you to have a qualified CISO assigned to manage and oversee your cybersecurity program. Imagine that the deadline for having that person in place is March 1st, 2018, less than 11 months away.
Sounds far-fetched? It's not.
The financial institutions in New York state have found themselves in that very situation with the implementation of 23 NYCRR 500, or Reg. 500 for short. The new law put in place by the New York Department of Financial Services (NY DFS) lays out a framework of required cybersecurity practices and having a qualified Chief Information Security Officer is one of them.
While Reg. 500 has fallen under some scrutiny, many industry leaders and security experts estimate that this will just be the first of many state laws for financial institutions that will be put in place over the next several years. And Reg. 500 will be the benchmark that all the other states will use as a starting point.
So although you may not be in New York State, this question could be very applicable to your financial institution in the not-so-distant future:
"How do you get a qualified CISO in less than a year?"
One answer would be to post the position, interview candidates, hire a full-time CISO, pay them over 6 figures with benefits, train them, and hope they don't find a better job elsewhere (in a job market with high demand for this skill set).
Or maybe a simpler answer would be to contract with an outsourced CISO service or virtual CISO, or as the NY DFS likes to call it, a "third party service provider".
Yes, that's right. Reg. 500 actually suggests a virtual Chief Information Security Officer as a viable option for filling the CISO role (see excerpt below). And it even outlines, almost verbatim, a structure that we've advised all along (see FAQs).
This is promising for several reasons:
- Qualified candidates for a full-time CISO are in short supply
- The CISO role at financial institutions is highly specialized and probably not a full-time position in most organizations under $2-3 billion in assets.
- Even regulators are starting to understand points 1 and 2 and realize that FIs will need to be creative in filling the CISO position, and that a virtual, outsourced, or third-party relationship can work well in a wide variety of situations.
So if you are in New York, or if you are just looking to put a CISO in place, I would highly recommend considering a vCISO, and as Reg. 500 states, so would NY DFS.
Excerpt from 23 NYCRR 500:
Section 500.04 Chief Information Security Officer.
(a) Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”).
The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or an Affiliate, the Covered Entity shall:
(2) designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third Party Service Provider; and
(3) require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.
(2) the Covered Entity’s cybersecurity policies and procedures;
(3) material cybersecurity risks to the Covered Entity;
(4) overall effectiveness of the Covered Entity’s cybersecurity program; and
(5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.