The Bedel Security Blog

Your Information Security Program Needs Focus

Written by Chris Bedel | Oct 23, 2020

I recently had the chance to speak with Cyrene Wilke, SVP Operations & Technology at Investors Community Bank in Wisconsin on the need for community banks to put more focus on the role of the ISO.

Our conversation got me thinking about how one simple word can often be the root of the problem when it comes to managing information security: focus.

This blog post calls out where that focus needs to be and what your financial institution can do about it.


The Need

Financial institutions come to us looking to improve their information security program, specifically in areas of governance and risk management.

When we talk to them, they're looking for:

  • A governance program that can keep up with the growth of their organization
  • Repeatable risk management processes
  • Clear, concise, communication to the board

They want to be proactive, not reactive. And that’s what it’s going to take to be secure as the exposure and threats continue to increase.

But we often find that there simply aren't the resources focused on cybersecurity to do so. Or as Wilke put it:

“Some try to manage security from the ‘corner of their desk’ while also managing the growing general tech support needs and juggling a million other tasks. This is simply not sustainable.”


The Problem

I was looking at the BankDirector.com 2020 Risk Survey recently that summarized this need for focus very nicely.

They ask the question: “Does your bank employ a full-time chief information security officer (CISO)?”

One of the answers that was chosen by 49% of all the institutions surveyed was:

“Yes, but that officer also focuses on other areas of the bank.”

That’s not just the small banks: 49% of banks with $1B-$10B in assets answered this way.

This is the root of almost all of the issues we come across when we go into a financial institution looking for help: their CISO is not able to focus on managing cybersecurity.

You can see the breakdown in the image below.


The Key Word is Focus

Many motivational speakers use the phrase “you get what you focus on” and that's no different for your information security program.

Wilke more specifically put that concept into context with this quote:

“Organization leaders show support by taking appropriate steps to ensure workload is manageable and provide opportunities for continuous education.”


To expand on that thought, you need to commit to 2 things to improve the management of your information security program:

  1. Your chief information security officer needs to have time to focus on completion of the tasks required for ongoing upkeep of your information security program. It's not 2010 anymore. You can't spend three weeks before an audit or an exam to take care of these things and call it good. Someone needs to be working on cybersecurity on a regular basis, and that’s really hard to do if they have a hundred other responsibilities.

  2. Your chief information security officer also needs to focus on becoming a continuous student of cybersecurity, governance, risk, and trends. This means working towards certifications, speaking with peers, and reading content on an almost daily basis.


What Can You Do About It?

If you have an in-house Chief Information Security Officer, now might be the time to ask yourself if they have the time to focus on information security.

If the answer is no, you need to commit to adding staff, moving resources, or whatever else is necessary to free up space for them to do so.

I would also suggest reading this post for tips on managing your CISO.

But don’t expect it to be easy, as Wilke advises:

“Building a solid cyber risk management program requires significant time and energy.”


For some, that’s why a Virtual Chief Information Security Officer or CISO-as-a-Service can be a good alternative to an in-house ISO. Services of this nature can provide the focus necessary at a fraction of the cost.

When I asked Wilke about the Virtual CISO option, she simply replied:

“That’s where services like [a vCISO] are valuable.”


If you're curious whether a Virtual Chief Information Security Officer might be helpful to your organization, check out our whitepaper.

Or give us a call; we'd be happy to walk you through how it works and discuss if it could be a good fit for you.

Special thanks to Cyrene Wilke for her input on this blog post. Thank you for your passion on the topic and the willingness to help!


Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Bank Management: 5 Ways a CISO Can Help Drive Innovation
https://www.bedelsecurity.com/blog/5-ways-your-ciso-can-drive-innovation

If Everything is Important, Then Nothing Is.
https://www.bedelsecurity.com/blog/if-everything-is-important-then-nothing-is

The Fundamental Roles of an Information Security Program
https://www.bedelsecurity.com/blog/the-fundamental-roles-of-an-information-security-program

How to Manage a Chief Information Security Officer in your Financial Institution
https://www.bedelsecurity.com/blog/how-to-manage-a-chief-information-security-officer-in-your-financial-institution