BSLogo_Horiz_SM_Orig
  • Home
  • Services
    • Virtual CISO Services
    • The CISO Assessment
    • CISO Projects
    • CISO Mentor
    • Frequently Asked
  • Free Resources
    • Educational Video Library
    • Whitepaper | Banking on Security: The Outsourced CISO Solution
    • Surviving The Post-Pandemic Landscape
    • Remote Access Risk Assessment
    • ISP Tasklist
    • Cybersecurity Assessment Tool
  • Blog
  • Careers
  • About Us
    • Meet Our Team
    • Contact Us

Get the help you need to proactively manage your information security program.

Proprietary CySPOT™ platform. Exclusive focus on banks and credit unions. Team approach with an unparalleled level of expertise.


Cybersecurity continues to be one of the highest risks that a bank or credit union faces.

If you’re like most community banks and credit unions you’re committed to reducing cyber risk, but you’re not sure what the best approach for your institution is. You might not have the full picture of your risk, or if you do, you don’t know whether you should accept it, or spend money to try to mitigate it. And it feels like just when you decide on a direction, circumstances change leading to frustration and uncertainty.

Regardless of what group you fall into, your bank or credit union needs to have someone proactively managing your cybersecurity program. You need to have someone providing oversight of your technology risk.

That person is a Chief Information Security Officer (CISO), or ISO depending on your institution's size, and every financial institution is required to have one.

.

Shortcuts

Where does a CISO fit into an Information Security Program?
What is a Virtual CISO (Virtual ISO)?
The Common Problem with the Virtual CISO Offering
Our Solution, vCISO Services powered by our CySPOT™ Platform
A Closer Look at our vCISO Modules
Why Bedel Security vCISO Services?
vCISO Services Pricing
Our Bedel Security Guarantee
Still not sure we can help?
Don’t wait for a cybersecurity incident to take action
.

The CISO

In national institutions, where resources seem almost unlimited, a full-time, in-house Chief Information Security Officer (CISO) is the starting point for that proactive management and expertise. The CISO fills the management and leadership role in cybersecurity. They set the policies, provide oversight, and communicate with the management team on risk-based decisions in order to run the financial institutions’ (FIs) information security program in an efficient, effective way.

They put a plan and processes in place to be proactive with cybersecurity, rather than reactive.

The CISO is one of the key components to an effective information security program, and an experienced one can range from $100K - $200K+ per year in salary.

 

.

Where does a CISO fit into an Information Security Program?

 

 

The Chief Information Security Officer makes up one of the 4 main roles of a healthy Information Security Program. Each role should work together but be independent of one another.

RolesOfInfoSecProg_InfoGraphic-03Those 4 main roles are:

  • IT & Operations- They make sure that your computers are working, software is up to date, and provide support to your end users. They also need to be the first to respond to a cyber incident.

  • Monitoring- These guys watch the firewall, SIEM, and other perimeter security alerts. They notify IT staff when something looks out of the ordinary.

  • CISO- This person works with the other 2 roles to manage and lead cybersecurity. They make suggestions to manage risk. The CISO helps to set policy, provides monitoring oversight, and is a resource in incident response.

  • Audit– The audit function tests the controls that have been designed and implemented to manage cyber risks. This includes general controls as well as technical assessments, like penetration testing.

Some institutions can keep all of these roles independent while still being 100% in-house. Other institutions find they need to outsource one or more of these roles to keep them all independent. There are a wide variety of possible combinations to best fit an institution’s needs. One of those possibilities is a virtual CISO or ISO.

 

.

What is a Virtual CISO (Virtual ISO)?

When some or all parts of the CISO role are outsourced, that’s what we refer to as a “Virtual CISO”. You may also hear it called CISO-as-a-service, outsourced CISO, or fractional CISO. You may also hear these terms use ISO instead of CISO. It’s a concept that is becoming more commonplace and there are a number of firms that offer this as a service.

A Virtual CISO or ISO provides banks and credit unions of all sizes with the following benefits:

  • Independent leadership and oversight.
  • High-level talent, regardless of location.
  • Cybersecurity experience and expertise added to your team quickly and easily.
  • Cost savings vs. a full-time employee.
  • Fast implementation time for updated program structure, policy, etc.
  • Outside perspective and group knowledge to help answer “what are other institutions our size doing?”
  • Reduced risk of turnover.
  • Advice and strategy that’s free from internal politics.
  • Time saved on training a new CISO.
  • Reduced management overhead.
  • Program framework that’s been audited and examined numerous times.
  • Less stress during audits and exams.
  • Scalability for growth of the institution.
  • Reduced paperwork for IT and Compliance staff.
  • Customizable solutions to fill the exact needs of the institution.
  • A team approach that brings continuity and additional perspectives to the table.

That's all great, but we still have a problem...

 

v

.

The Common Problem with the Virtual CISO Offering

The problem with many Virtual CISO or ISO offerings is that they are time-based, meaning that they are billed by the hour. The provider may tell you that you are getting a block of hours, or so many days per month, but the deliverables are vague, other than the time that they will spend on your organization.

You are literally getting a fraction of a contract employee. Some providers even call this “putting a butt in the seat”.

No doubt, this is a step in the right direction, but if you’re like most community financial institutions, you want something more tangible than just another hourly employee. You’re looking for deliverables. You want to know that certain aspects of your cybersecurity program are “covered”.

We get it. We’ve delivered our Virtual CISO services since 2015 and advised numerous banks and credit unions across the country, ranging from $20 Million to over $9 Billion in assets.

In that time, we’ve come to the realization that just putting a butt in the seat does nothing to solve the following problems:

  • Rising costs due to the cybersecurity skills shortage.
  • Turnover of employees (even when they are virtual or outsourced).
  • No clear definition of where the FI stands and the progress they are making.
  • No standardized process for management of the program.
  • No clear deliverables to know what you’re paying for and what might cost more.

 

What's the Right Level of Service for Us?

 

.

Introducing Our Solution, vCISO Services Powered by Our CySPOT™ Platform

We’ve taken our numerous years of cybersecurity experience in financial institutions, combined with our 7+ years of vCISO work in banks and credit unions across the country, and created the best solution available– our virtual CISO services powered by our new proprietary CySPOT™ platform.

First, let’s look at our virtual CISO services.

After years of intention, we’ve made our services:

  • Repeatable
  • Efficient
  • Resilient (protected from employee turnover)
  • Customizable
  • Scalable
  • Affordable

We’ve broken down these services into our Base vCISO offering and 13 additional modules that can be customized to fit your institution’s needs or budget whether that’s a few of our modules to fill in the gaps in your information security program, or it may be all fourteen.

Our services are also delivered to you with a high-touch, team approach. You get a dedicated vCISO Senior Advisor with a CISSP or equivalent certification and a dedicated vCISO Specialist, both ready to partner with your institution and hit the ground running from day one.

Using this methodology to deliver our services you get the best of all worlds. It’s standardized enough to give you consistent reliable results, yet you can customize your modules to fit your institution’s needs. It’s affordable but still delivers the unmatched quality that you’d expect from Bedel Security.

Next, let’s look at our new CySPOT™ Platform

Unlike a GRC system that an institution could buy to internally manage their own Information Security Program, the CySPOT™ Platform has been designed to be used by Bedel Security experts allowing us to efficiently and consistently manage the governance of a first-class Information Security Program for your financial institution.

It features repeatable, proven workflows for each CySPOT™ module and the ability to consolidate, prioritize, and track remediation efforts across the entire program for an institution, meaning that the security posture of the bank will always be improving.

When the cybersecurity landscape changes, Bedel Security customers will benefit from continual updates to the CySPOT™ Platform. This allows our customers to focus on being bankers instead of cybersecurity experts.

At Bedel Security, we don’t provide you with a login, we provide you with a partnership.

 

Let’s Take a Closer Look at Our Virtual CISO Modules

Our base offering is the Virtual CISO, it can act as a standalone service or can be enhanced with any of our other 13 modules in any combination.

Here’s a quick overview, but you can expand any of the sections below to dive into the deliverables and details:

  • Virtual CISO
  • Governance
  • Incident Response Planning & Preparation
  • Risk Management
  • Monitoring Oversight Program
  • Information Security Policies
  • Third-Party Risk Management
  • Board Cyber Awareness
  • User Testing & Training
  • Business Continuity Planning
  • Audit & Exam Prep
  • ID Theft Red Flags
  • IT Change Management
  • Privileged User Activity Review

Virtual CISO

Our base offering is the Virtual CISO module; it’s required to get any of the other modules. With this module, you get vCISO Specialist participation in your monthly IT or Information Security Meeting, and a monthly IS Update meeting with your vCISO Specialist and your vCISO Senior Advisor.

Deliverables:

  • IT Meeting Participation
  • IS Update Meetings
  • Advice and Consultation on Information Security via meetings, phone, and email
  • Threat Intelligence Sharing 
  • Information Security Strategic Plan

 

Expand any of the sections below to find out more:

The Governance module provides general oversight and management to your cybersecurity program. We will work with you to create a strategic plan and build out your information security program annual tasklist and calendar. We’ll lead the monthly information security meetings, create the agenda, and keep the minutes. The Governance module also includes tracking of IS-related audit and exam findings. This is a great option to keep your information security program on track and moving forward.

Deliverables:

  • Agenda and Minutes for Information Security Meetings
  • Tracking of Audit & Exam Findings and Remediation Activities
  • ISP Calendar Tracking and Updates

The Incident Response Planning and Preparation module keeps you ready for cyber events and incidents. Your vCISO Specialist will work with you to create an Incident Response Plan. They will also hold an Incident Response Plan Tabletop Exercise to see how prepared your team is and determine where your plan can improve.

Deliverables:

  • Incident Response Plan Review and Update
  • Incident Response Tabletop Exercise & Report
  • Discounted hourly rate for Incident Response Consulting 

Does not include:

  • Participation in response to actual incidents
 

The Risk Management Module helps you understand where your cyber risks are and what controls you have in place to reduce that risk. Your vCISO Specialist will perform a Risk Assessment, along with a Cybersecurity Assessment Tool analysis, and will help you prioritize what you should work on and where you should focus. You also get up to three risk assessments of new technology being considered by your institution.

Deliverables:

  • Risk Assessment Workbook & Management Report
  • Cybersecurity Assessment Tool Analysis & Report
  • Risk Appetite Statement Review & Update
  • Up to 3 New Technology Risk Assessments

Optional:

  • Additional New Technology Risk Assessments

The Monitoring and Oversight module helps your institution get a high-level snapshot of your risk position with a Key Risk Indicator (KRI) Dashboard. Your vCISO Specialist will work with your institution to identify and regularly receive the most useful reports for monitoring key controls. They will then review reports and provide a monthly summary of statistics to management as a KRI dashboard. Your vCISO Senior Advisor can also provide guidance to your IT Staff on the resolution of your most pressing items identified from this review.

.Deliverables:

  • Review of Monitoring Reports
  • KRI Dashboard

DOES NOT INCLUDE

  • 24x7x365, real-time security monitoring
  • Daily log monitoring and initial response to log events or alerts
  • Security asset administration (firewalls, IDS/IPS systems, antivirus systems, etc.)

The Information Security Policies module ensures that your policies are cohesive and up to date. Your vCISO Specialist will review your existing information security policies and identify the current structure of the FI Information Security Program. This information will be used to implement the BEDEL CySPOT™ Program Policy Templates for the FI, including an overarching Information Security Policy set and an accompanying Acceptable Use Policy. This also includes suggested enhancements to the policy set where necessary. From there, BEDEL will provide annual updates to the policies as needed.

Deliverables:

  • CySPOT™ Information Security Policy Set Template
  • CySPOT™ Acceptable Use Policy Template
  • Information Security and Acceptable Use Policy Review and Update
 

Previously the Vendor Management Module, the Third Party Management Module ensures the proper risk management of your most important vendors. In this shared responsibility approach, your vCISO Specialist will work with someone on your staff to set up your Vendor Management Program. This includes templates and basic training. Your vCISO Specialist will provide ongoing support of the program and will also perform IS due diligence reviews for up to 7 existing critical vendors each year. You’ll also get due diligence reviews for up to 3 new vendors each year if you ever need to make a change. The entire program is summarized and reported to the board annually.

Deliverables:

  • Establish the Third-Party Risk Management Program, including Policy, Risk Thresholds, Tracking Sheets, Requests Lists, Review Checklists, Etc. (for internal use)
  • SOC2 reviews for up to 7 Critical Third Parties 
  • Review up to 7 Critical Third Party Contracts for GLBA requirements***
  • Third Party Management Board Report 

Optional:

  • Additional Critical Third Party SOC2 (or questionnaire) review
  • Additional GLBA Contract reviews ***

***We are not lawyers and cannot provide legal advice. Contract Reviews are meant to assess the regulatory compliance of a contract only and should be a part of your larger contract review process, including legal review by your lawyer.

The Board Cyber Awareness Module keeps your Board up to speed on your Information Security Program. Your vCISO Senior Advisor will present the annual ISP Update and will develop meaningful Board training based on current cybersecurity topics and trends. The presentation is done remotely, but onsite options are available at an additional fee.

Deliverables:

  • Information Security Program or GLBA Board Report delivered virtually
  • Board Cyber Training delivered virtually



The User Testing and Training Module keeps your institution's employees on the lookout for cyber threats. Your vCISO Specialist will work with your institution to implement and manage KnowBe4. They will administer monthly phishing campaigns and training. They will then track training and compile results from testing in a report for management. KnowBe4 licenses are required and may require an additional fee.

Deliverables:

  • Phishing Testing
  • Training Modules
  • Updates to Management on Testing and Training

The Business Continuity Planning Module helps your institution get a plan in place to get back on its feet when the unexpected happens. Your vCISO Specialist will work with your institution to identify critical processes and components and the desired RTO and RPO for each component through the Business Impact Analysis (BIA). From there, you’ll get the BEDEL Business Continuity Plan template that is structured and prioritized around systems identified in the BIA. Finally, your vCISO Specialist will work with your team to Table Top Test up to 2 scenarios annually and provide a report on the results and action items.

Deliverables:

  • Business Impact Analysis
  • CySPOT™ Business Continuity Plan Template
  • Business Continuity Table Top Test and Report (up to 2 scenarios)

DOES NOT INCLUDE

  • Functional Business Continuity or Disaster Recovery Testing
  • Response to actual business continuity disruptions


The ID Theft Red Flags module fulfills the regulatory requirements of maintaining an ID Theft Red Flags Program. Our vCISO Specialist will work with you to develop or enhance the financial institution’s ID Theft Program including an ID Theft Red Flags Policy, Risk Assessment, and annual Board Report.

Deliverables:

  • ID Theft Red Flags Policy
  • ID Theft Red Flags Risk Assessment of Covered Accounts
  • ID Theft Red Flags Program Board Report

The Audit and Exam Prep module simplifies preparing your financial institution for one IT audit and one IT Exam annually. Our vCISO Specialist will work with your institution to gather, organize, and coordinate the requested materials before and during your audit and exam. We will also work with you to develop responses to findings. This module integrates with the Governance deliverable of Tracking Audit/Exams findings.

Deliverables:

  • One IT Audit Preparation, Organization, and File Delivery of Audit Request Items
  • Coordination of Final IT Audit Report with Management Responses
  • One IT Exam Preparation, Organization, and File Delivery of Exam Request Items
  • Proactive Audit and Exam Collection with Governance Module

**We will not collect any items that contain PII.

The IT Change Management module establishes and maintains an oversight program for managing changes to your IT environment. Our vCISO Team will work with your team to develop and implement the policy, procedures, and processes to appropriately manage the risk of IT Changes. We will also provide ongoing management and facilitation of the Change Management Committee.

Deliverables:

  • Develop a Change/Acquisition Management Program, including policies, procedures, and processes to define thresholds of changes and appropriate workflows depending on risk
  • Form a Change Control Committee
  • Maintain and update the Change Management Program
  • Facilitate Change Management Meetings

Privileged accounts present the highest risks to the FI. Having an independent review process of administrative activity is a key control in reducing this risk but can be a challenge. This module provides independent oversight by the vCISO team in a collaborative manner through monthly activity review meetings.

Deliverables: 

  • Identification of Critical Systems Requiring Review
  • Request and Review Log Reports for Critical Systems (up to 7)
  • Administrative Activity Review Meeting
  • Tracking of Remediation Items Requiring Action or Investigation

t

.

Why Bedel Security vCISO Services?

You still may be wondering why this is any different than any other Virtual CISO service out there, as you should. Here’s how Bedel Security vCISO Services stands apart from the rest:

'

What Bedel Security vCISO Services Offer:

How it can help you:

Focused services

We are dedicated to delivering vCISO services exclusively to community financial institutions.

Proven process

You get consistent, high-quality deliverables that have been examined and audited numerous times.

High-touch service

You get a partner to work with. Not a platform, not a checklist, but human beings that are there to answer your questions and help where you need it most

Efficient by design

You get those deliverables at an affordable cost.

Team approach

Each client is assigned both a vCISO Senior Advisor and a vCISO Specialist to work with.

 

You feel less impact if turnover occurs and get outside perspective on industry trends.

High-level expertise

Every vCISO Senior Advisor on our staff has their CISM, CISSP, or equivalent certification.

Modular design

You only pay for what you need and you can start making improvements immediately. Our modules are customizable to fit around other outside contractual services or in-house staff, and scalable to meet your changing needs

Grouped by asset size

You get the essentials of what is appropriate for the size and complexity of your financial institution, rather than a “one-size-fits-all” solution.

Straightforward pricing

Our proposals are transparent and easy to understand so you know exactly what you’re paying for.

 

What questions do you have?

 

 

.

vCISO Services Pricing

Along with being repeatable, efficient, resilient, customizable, and scalable, we’ve designed our vCISO services to be affordable and have transparent pricing that’s easy to understand.

We do this by grouping our offerings by asset size. This means that we can confidently deliver the appropriate level of expertise and services for the size and complexity of your bank or credit union.

It also means that you can mix and match vCISO Modules to fit the exact needs and budget of your financial institution.

Each vCISO Module includes a one-time upfront investment, along with affordable monthly fees, all billed in quarterly installments.

While our vCISO Services aren’t “cheap” they can be very affordable relative to the alternatives. Especially considering the value and quality of services are unmatched in the industry.

The table below outlines some of the costs associated with the 2 conventional options for filling the CISO role compared to Bedel Security Virtual CISO services. Option 1 is to hire a full-time experienced CISO with a CISSP. Option 2 is to save on costs and assign the role to someone with little or no experience. While both can be a viable solution, you can see that there are significant cost savings in utilizing our virtual CISO services powered by our CySPOT™ platform.

 

 

In-house CISO – CISSP w/ 5+ years experience 

In-house CISO – little or no experience 

Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions under $1B in assets.

Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions $1B-$2B in assets.

Base Cost

$135,000

$85,000

$55,000

$87,000

Training & Certification

$1,500

$1,500

N/A

N/A

Insurance (health, vision, dental, life)

$6,000

$6,000

N/A

 N/A

Taxes (7% of base)

$9,450

$5,950

N/A

 N/A

Retirement (4% match of base)

$5,400

$3,400

N/A

 N/A

Onboarding Cost

$13,200 – assumes a 4 week period to acclimate 

$33,950 – assumes a 16 week period to acclimate due to less experience 

$20,000

 $20,000

Year 1 Cost

$183,750

$135,800

$75,000

$107,000 

Year 2 Cost

$170,550

$101,850

$55,000

 $87,000

2 Year Total

$354,300

$237,650

$130,000

 $194,000


*For larger institutions or to get pricing based on your specific and unique needs, please reach out to us at support@bedelsecurity.com!



.

Our Bedel Security Guarantee

Although we have a 99% renewal rate, we understand there’s still some risk in starting a relationship with a new vendor. Our guarantee is pretty simple. If in the first 60 days of using our vCISO Services you don’t feel like your cybersecurity program is making the progress that it should, let us know and we’ll give you a full refund.

We want to change the way community banks and credit unions are managing cybersecurity, and we’re confident enough in our team and our CySPOT™ platform that we don’t want you to feel like you're taking a risk by working with us. 

 

What questions do you have?

 

 

.

Still Not Sure We Can Help?

We know we can help improve your information security program, but don’t take our word for it, here’s what our customers have to say:

“Working with Chris and the team at Bedel Security has been a great experience for us. When we first considered outsourcing our ISO duties we were a little hesitant, as we've always been an "in house" organization when it comes to this aspect of business. They have been a pleasure to work with and have taken the time to coordinate our ISO reporting needs to our Board, our vendors, and have patiently trained us along the way. I highly recommend considering this team for your virtual ISO needs!”

Eric L. | President, | Indiana

 

“Our team couldn’t be happier with the services provided by Bedel Security. Our bank was looking for a virtual Chief Information Officer as well as assistance revamping our existing information security strategy. Bedel Security has more than delivered on both accounts.

Bedel Security provided us with a clear and concise roadmap to an improved information security program, including updated policies, procedures, and risk assessments. We now have a dedicated virtual Chief Information Security Officer who is actively engaged in our overall risk management program and meets regularly with our information security committee, including providing information about the current trends and threats in the marketplace. I appreciate the professionalism and capability with which Bedel Security approaches information security and risk assessment. Our information security program is now clearly defined, fully documented, and easily followed by internal employees, board members, and external auditors.”

Diane E. |SVP, Technology Services Manager | Washington

 

“Bedel Security has been a great partner to our bank with their virtual CISO services. They do an excellent job and it gives me confidence that we are doing all we can in this extremely important area. They allow me to focus on my other responsibilities at the bank.”

Steve V. | Chief Financial Officer | Illinois

 

“Bedel Security does an amazing job ensuring our Financial Institution is doing what is required for the extensive regulatory requirements at the State and Federal levels. We rely on their knowledge and understanding of complex systems and they have not let us down.”

Frank S. | AVP, CAO | New York

 

 

.

Don’t Wait for a Cybersecurity Incident to Take Action

If you’ve read this far, you know that this could be a good fit for you. Think about what it would be like to have a team of experts guiding your information security program. Think about how reassuring it would feel to have a partner to turn to in the event of a cyber incident at your bank or credit union.

So what happens next? There are a variety of ways you can proceed.

  • You can email any questions you have for us to support@bedelsecurity.com.

  • If you’re looking for more of a dialogue to talk through your ideas and strategy, give us a call. We’ll chat with you on your situation with ZERO obligation on your end. We’ll even tell you if our program is not a good fit for you at this time.

  • If you’re curious whether your information security program could benefit from working with us, download Our Whitepaper to get more information.


  • If you’re not sure our vCISO services are the right fit, check out some of our other services:
    • The CISO Assessment
    • CISO Mentor

  • OR maybe now isn’t the best time. You’re in the middle of a contract or it’s not in your budget, but you’d like to stay in touch. We completely understand. Sign up for our weekly newsletter or look through our site to check out our free resources.

If you’re anything like us, settling for just “okay” cybersecurity isn’t good enough. Any of these actions is better than no action because they’re a step in the right direction. We can’t wait to hear from you!

© 2024 Bedel Technology, LLC | 833-297-7681| Support@bedelsecurity.com