Frequently
Asked
Questions

A Virtual Chief Information Security Officer (vCISO) is filling the role of the CISO with an outside practitioner or team of experts.

It gives banks and credit unions the ability to add expertise and structure to their information security program at a fraction of the cost of a conventional full-time employee.

Some other names for this type of service include:

• Fractional CISO
• CISO-as-a-Service (CISOaaS)
• Outsourced CISO
  
  

Normally, virtual CISOs provide similar services to other customers along with your financial10 institution, so it’s a shared resource. This can have pros and cons like that of any other shared model (like a service bureau, or managed IT services), that should be taken into consideration based on your situation and needs.

The consideration of a vCISO can be dependent on a combination of need and circumstance at your financial institution.

Need

• You don’t have a CISO (You’ve either never had one, or the position is currently open).
• Your CISO is leaving or retiring in the near future.
• Your CISO is not independent from IT.
• Your CISO is underqualified or not well suited for the needs of the position.
• Your CISO is overwhelmed or overworked.
  
  

Circumstance

• You want to resolve deficiencies or strengthen your program quickly. 
• You don’t want to have to train a CISO.
• You want less management burden that an in-house CISO may require.
• Your institution has budgetary limits that make a full-time hire difficult.
• Your geographic location limits the number of potential CISO candidates.
• High demand in your local job market has inflated CISO salaries or made retention difficult.
• Your institution is small enough that it does not warrant a full-time CISO position.

Pros

There are numerous advantages of a Virtual Chief Information Security Officer for community financial institutions, including:

• Work with high-level talent, regardless of location
• Add cybersecurity experience and expertise to your team quickly and easily
• Potential cost savings vs. a conventional CISO
• Fast implementation time for updated program structure, policy, etc.
• Outside perspective and group knowledge to help answer “What are other institutions our size doing?”
• Reduced risk of turnover
• Free of internal politics
• Saves time on training a new CISO
• Reduced management overhead
• Independent from IT Operations
• Program framework that’s been audited and examined numerous times
• Less stress for audits and exams
• Scalable for growth of the institution
• Reduced paperwork for IT and Compliance staff
• Customizable solutions to fill the exact needs of the institution
• Our team approach brings additional perspective and experience to the table
  
  

Cons

While a Virtual CISO has many benefits, there can be some pitfalls:

• Poor communication. Because the vCISO is not in-house, members of your staff will have to be intentional about including them in email threads or conference calls. Having and keeping standing, recurring meeting schedules helps with this a lot. Another issue can be withholding information from the vCISO. For an engagement like this to be successful, it needs to be a partnership of trust and open communication.
• Unrealistic Expectations of a Shared Resource. By nature, a vCISO is a shared resource, meaning they will have other customers or clients to take care of along with your institution. In organizations with a reactionary culture, this can create friction, as they expect the resource to “available” when they “need” them. Aside from an incident, most discussions with your Virtual CISO can be done in a very proactive way during scheduled meetings or upon request for additional meetings.
  
  

To avoid this we've taken measures to establish communication cadence and thresholds to make the relationship successful.

Virtual CISO services are not new to regulators. Many have come to the realization that financial institutions are in need of help in filling the CISO role and have accepted the vCISO as a solution to do so.

They will expect that you perform proper due diligence on the provider and that appropriate relationship management is in place, as with any other service provider.

It is a good idea, upon the start of an IT examination, to be upfront with examiners about your vCISO relationship. Let them know that you would like the vCISO to be in kick-off calls and other meetings to help address questions and concerns. It’s much easier to do this at the start of the exam than later on.

There are a few things that help you get the most value from the partnership:

• An IT staff, either in-house or outsourced, managed by the financial institution, that can have direct communication and coordination with your vCISO.
• Logging and monitoring capabilities, either in-house or outsourced, with reports delivered regularly to your vCISO.
• An assigned point person with bandwidth to meet at least 2x monthly and work on information security projects.
  
  

If you don’t have these things, you can still benefit from our services, but you should indicate that during the proposal stage to ensure you get the proper service level.

Other members of your team will still need to be involved in risk assessments, approving policies, various testing exercises, as well as other meetings.

We have success working with financial institutions all the way from De Novo up to multi-billion-dollar institutions. 

We find that the specific needs of the institution, staff availability, and overall willingness to embrace a culture of security impact the fit more than size. 

If you haven't already visited our Virtual CISO Services and Why Bedel Security vCISO Services? pages that may be helpful.

We also have an incredibly helpful whitepaper you can download, Banking on Security: The Outsourced CISO Solution.

Or you can always schedule an introductory call and let us know what you're looking for and what questions you have.