Our Virtual CISO Services

A Tailored Solution
With decades of cybersecurity experience in financial institutions and 9+ years of vCISO work in banks and credit unions nationwide, we've developed a tailored solution that sets the standard for excellence—our Virtual CISO services, powered by the proprietary CySPOT™ platform.

With a personalized, high-touch approach, you’ll have a dedicated vCISO Senior Advisor and vCISO Specialist ready to work with your team from day one. Our services are modular, allowing for customization to fit your specific needs and budget—all powered by CySPOT™.

Want to know more about what makes our vCISO services stand out?
Visit our Why Bedel Security vCISO Services page for more details!
Let's Take a Closer Look at Our Virtual CISO Modules
Our base offering is the Virtual CISO; it can act as a standalone service or be enhanced with any of our other modules in any combination.
You can expand any of the sections below to dive into the deliverables and details:
-
Base vCISO
Our base offering is the Virtual CISO module; it’s required to get any of the other modules. With this module, you get vCISO Specialist participation in your monthly IT or Information Security Meeting, and a monthly IS Update meeting with your vCISO Specialist and your vCISO Senior Advisor.
Deliverables:
- IT Meeting Participation
- IS Update Meetings
- Advice and Consultation on Information Security via meetings, phone, and email
- Threat Intelligence Sharing
- Information Security Strategic Plan
-
Governance
The Governance module provides general oversight and management to your cybersecurity program. We will work with you to create a strategic plan and build out your information security program annual tasklist and calendar. We’ll lead the monthly information security meetings, create the agenda, and keep the minutes. The Governance module also includes tracking of IS-related audit and exam findings. This is a great option to keep your information security program on track and moving forward.
Deliverables:
- Agenda and Minutes for Information Security Meetings
- Tracking of Audit & Exam Findings and Remediation Activities
- ISP Calendar Tracking and Updates
-
Incident Response Planning and Prep
The Incident Response Planning and Preparation module keeps you ready for cyber events and incidents. Your vCISO Specialist will work with you to create an Incident Response Plan. They will also hold an Incident Response Plan Tabletop Exercise to see how prepared your team is and determine where your plan can improve.
Deliverables:
- Incident Response Plan Review and Update
- Incident Response Tabletop Exercise & Report
- Discounted hourly rate for Incident Response Consulting
-
Risk Management
The Risk Management Module helps you understand where your cyber risks are and what controls you have in place to reduce that risk. Your vCISO Specialist will perform a Risk Assessment, along with a Cybersecurity Assessment Tool analysis, and will help you prioritize what you should work on and where you should focus. You also get up to three risk assessments of new technology being considered by your institution.
Deliverables:
- Risk Assessment Workbook & Management Report
- Cybersecurity Assessment Tool Analysis & Report
- Risk Appetite Statement Review & Update
- Up to 3 New Technology Risk Assessments
Optional:
- Additional New Technology Risk Assessments
-
Monitoring & Oversight
The Monitoring and Oversight module helps your institution get a high-level snapshot of your risk position with a Key Risk Indicator (KRI) Dashboard. Your vCISO Specialist will work with your institution to identify and regularly receive the most useful reports for monitoring key controls. They will then review reports and provide a monthly summary of statistics to management as a KRI dashboard. Your vCISO Senior Advisor can also provide guidance to your IT Staff on the resolution of your most pressing items identified from this review.
Deliverables:
- Review of Monitoring Reports
- KRI Dashboard
DOES NOT INCLUDE
- 24x7x365, real-time security monitoring
- Daily log monitoring and initial response to log events or alerts
- Security asset administration (firewalls, IDS/IPS systems, antivirus systems, etc.)
-
Information Security Policies
The Information Security Policies module ensures that your policies are cohesive and up to date. Your vCISO Specialist will review your existing information security policies and identify the current structure of the FI Information Security Program. This information will be used to implement the BEDEL CySPOT™ Program Policy Templates for the FI, including an overarching Information Security Policy set and an accompanying Acceptable Use Policy. This also includes suggested enhancements to the policy set where necessary. From there, BEDEL will provide annual updates to the policies as needed.
Deliverables:
- CySPOT™ Information Security Policy Set Template
- CySPOT™ Acceptable Use Policy Template
- Information Security and Acceptable Use Policy Review and Update
-
Third-Party Risk Management
Previously the Vendor Management Module, the Third Party Management Module ensures the proper risk management of your most important vendors. In this shared responsibility approach, your vCISO Specialist will work with someone on your staff to set up your Vendor Management Program. This includes templates and basic training. Your vCISO Specialist will provide ongoing support of the program and will also perform IS due diligence reviews for up to 7 existing critical vendors each year. You’ll also get due diligence reviews for up to 3 new vendors each year if you ever need to make a change. The entire program is summarized and reported to the board annually.
Deliverables:
- Establish the Third-Party Risk Management Program, including Policy, Risk Thresholds, Tracking Sheets, Requests Lists, Review Checklists, Etc. (for internal use)
- SOC2 reviews for up to 7 Critical Third Parties
- Review up to 7 Critical Third Party Contracts for GLBA requirements***
- Third-Party Management Board Report
Optional:
- Additional Critical Third Party SOC2 (or questionnaire) review
- Additional GLBA Contract reviews ***
***We are not lawyers and cannot provide legal advice. Contract Reviews are meant to assess the regulatory compliance of a contract only and should be a part of your larger contract review process, including legal review by your lawyer.
-
IT Change Management
The IT Change Management module establishes and maintains an oversight program for managing changes to your IT environment. Our vCISO Team will work with your team to develop and implement the policy, procedures, and processes to appropriately manage the risk of IT Changes. We will also provide ongoing management and facilitation of the Change Management Committee.
Deliverables:
- Develop a Change/Acquisition Management Program, including policies, procedures, and processes to define thresholds of changes and appropriate workflows depending on risk
- Form a Change Control Committee
- Maintain and update the Change Management Program
- Facilitate Change Management Meetings
-
Privileged User Activity Review
Privileged accounts present the highest risks to the FI. Having an independent review process of administrative activity is a key control in reducing this risk but can be a challenge. This module provides independent oversight by the vCISO team in a collaborative manner through monthly activity review meetings.
Deliverables:
- Identification of Critical Systems Requiring Review
- Request and Review Log Reports for Critical Systems (up to 7)
- Administrative Activity Review Meeting
- Tracking of Remediation Items Requiring Action or Investigation
-
Audit & Exam Prep
The Audit and Exam Prep module simplifies preparing your financial institution for one IT audit and one IT Exam annually. Our vCISO Specialist will work with your institution to gather, organize, and coordinate the requested materials before and during your audit and exam. We will also work with you to develop responses to findings. This module integrates with the Governance deliverable of Tracking Audit/Exams findings.
Deliverables:
- One IT Audit Preparation, Organization, and File Delivery of Audit Request Items
- Coordination of Final IT Audit Report with Management Responses
- One IT Exam Preparation, Organization, and File Delivery of Exam Request Items
- Proactive Audit and Exam Collection with Governance Module
**We will not collect any items that contain PII.
-
ID Theft Red Flags
The ID Theft Red Flags module fulfills the regulatory requirements of maintaining an ID Theft Red Flags Program. Our vCISO Specialist will work with you to develop or enhance the financial institution’s ID Theft Program including an ID Theft Red Flags Policy, Risk Assessment, and annual Board Report.
Deliverables:
- ID Theft Red Flags Policy
- ID Theft Red Flags Risk Assessment of Covered Accounts
- ID Theft Red Flags Program Board Report
-
Business Continuity Planning
The Business Continuity Planning Module helps your institution get a plan in place to get back on its feet when the unexpected happens. Your vCISO Specialist will work with your institution to identify critical processes and components and the desired RTO and RPO for each component through the Business Impact Analysis (BIA). From there, you’ll get the BEDEL Business Continuity Plan template that is structured and prioritized around systems identified in the BIA. Finally, your vCISO Specialist will work with your team to Table Top Test up to 2 scenarios annually and provide a report on the results and action items.
Deliverables:
- Business Impact Analysis
- CySPOT™ Business Continuity Plan Template
- Business Continuity Table Top Test and Report (up to 2 scenarios)
DOES NOT INCLUDE
- Functional Business Continuity or Disaster Recovery Testing
- Response to actual business continuity disruptions
-
User Testing & Training
The User Testing and Training Module keeps your institution's employees on the lookout for cyber threats. Your vCISO Specialist will work with your institution to implement and manage KnowBe4. They will administer monthly phishing campaigns and training. They will then track training and compile results from testing in a report for management. KnowBe4 licenses are required and may require an additional fee.
Deliverables:
- Phishing Testing
- Training Modules
- Updates to Management on Testing and Training
-
Board Cyber Awareness
The Board Cyber Awareness Module keeps your Board up to speed on your Information Security Program. Your vCISO Senior Advisor will present the annual ISP Update and will develop meaningful Board training based on current cybersecurity topics and trends. The presentation is done remotely, but onsite options are available at an additional fee.
Deliverables:
- Information Security Program or GLBA Board Report delivered virtually
- Board Cyber Training delivered virtually
vCISO Services Pricing
Our vCISO services are designed to be repeatable, efficient, resilient, customizable, scalable, and most importantly, affordable with transparent pricing. We've simplified things by grouping our services based on the asset size of your bank or credit union, ensuring you get the right level of expertise for your institution’s size and complexity.
While our vCISO services aren’t the cheapest option, they offer incredible value when compared to alternatives. For example, hiring a full-time CISO or assigning the role to an inexperienced staff member may be options, but they often come with significantly higher costs or risks. By choosing our Virtual CISO services, you can achieve the same high level of security expertise at a fraction of the cost.
Check out the table below as an example!
| | In-house CISO – CISSP w/ 5+ years experience | In-house CISO – little or no experience | Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions under $1B in assets. | Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions $1B-$2B in assets. |
|---|---|---|---|---|
| Base Cost | $135,000 | $85,000 | $55,000 | $87,000 |
| Training & Certification | $1,500 | $1,500 | N/A | N/A |
| Insurance (health, vision, dental, life) | $6,000 | $6,000 | N/A | N/A |
| Taxes (7% of base) | $9,450 | $5,950 | N/A | N/A |
| Retirement (4% match of base) | $5,400 | $3,400 | N/A | N/A |
| Onboarding Cost | $13,200 – assumes a 4-week period to acclimate | $33,950 – assumes a 16-week period to acclimate due to less experience | N/A | N/A |
| Year 1 Cost | $183,750 | $135,800 | $75,000 | $107,000 |
| Year 2 Cost | $170,550 | $101,850 | $55,000 | $87,000 |
| 2 Year Average Total | $354,300 | $237,650 | $130,000 | $194,000 |
*These numbers are based on the average number of modules we see clients in these ranges select. For larger institutions or to get pricing specific to your unique needs, please schedule an introductory call.
The Bedel Security Guarantee
Although we have a 99% renewal rate, we understand there’s still some risk in starting a relationship with a new vendor. Our guarantee is pretty simple. If in the first 60 days of using our vCISO Services you don’t feel like your cybersecurity program is making the progress that it should, let us know and we’ll give you a full refund.
We want to change the way community banks and credit unions are managing cybersecurity, and we’re confident enough in our team and our CySPOT™ platform that we don’t want you to feel like you're taking a risk by working with us.

Not having the internal resources necessary to adequately manage our information security program, we knew we needed to seek out third-party assistance. Bedel Security came highly recommended to us by another community bank, and after speaking with them about the services they provide, contracting with them for vCISO services was an easy decision. Their expertise and guidance have been instrumental in helping us develop a top-notch information security program. They are our partners, and that partnership is invaluable to us.
Bedel Security has been an incredible asset to our bank. Their team has done a great job.
I appreciate the professionalism and capability with which Bedel Security approaches information security and risk assessment. Our information security program is now clearly defined, fully documented, and easily followed by internal employees, board members, and external auditors.
Bedel Security has turned out to be an excellent partner for the Bank. Our Bedel team is very knowledgeable and industry-savvy. They are supportive of, collaborate with, and have been the perfect complement to, the Bank’s IT team. Their involvement has greatly enhanced our information security program and made it much more robust. They continue to help the Bank perform well in audits and help the IT team shine in our presentations to Management and the Board of Directors.
Bedel Security has a grassroots-level understanding of the security challenges faced by a community bank, so it was very easy to work together and their real-world experience was evident as we considered possible options to address the challenge. I look forward to working with Bedel Security on future projects as the threat landscape continues to evolve.
From the beginning of our relationship, Bedel has proven to be an even greater asset than I could have hoped. Their attention to detail and organizational cadence have allowed us to make significant strides in our IT governance in short order. We appreciate their approach as a partner and sincerely welcome working with them going forward.
The company... the service... the staff have exceeded our expectations. Our senior and specialist have been great to work with. We sincerely appreciate the service they provide and the great working relationship. I really feel good with the direction we are headed.
I appreciate Bedel Security’s passion and drive to help us stay ahead of Cybersecurity issues that banks face. They recommend solutions that make sense for community banks. Bedel Security is experienced, dedicated, service-oriented, and an asset to our bank.
Working with the team at Bedel Security has been a great experience for us. When we first considered outsourcing our ISO duties we were a little hesitant, as we’ve always been an “in-house” organization when it comes to this aspect of business. They have been a pleasure to work with and have taken the time to coordinate our ISO reporting needs to our Board, our vendors, and have patiently trained us along the way. I highly recommend considering this team for your virtual ISO needs.
Our team couldn’t be happier with the services provided by Bedel Security. Our bank was looking for a virtual Chief Information Officer as well as assistance revamping our existing information security strategy. Bedel Security has more than delivered on both accounts. Bedel Security provided us with a clear and concise roadmap to an improved information security program, including updated policies, procedures, and risk assessments. We now have a dedicated virtual Chief Information Security Officer who is actively engaged in our overall risk management program and meets regularly with our information security committee, including providing information about the current trends and threats in the marketplace.
A few years ago, our ISO and SVP retired. Our bank looked into promoting within the bank or hiring a company to be our virtual ISO. After some discussions both inside & outside the bank, we decided to outsource the ISO position. Bedel Security quickly rose to the top of the list of companies that provide vISO services. Having security in our corner has been a great experience. Their knowledge, expertise, & thoroughness is unmatched. We have not had any FDIC or state examiners ever question the documentation that we receive from Bedel. I expect our relationship with them to continue for a long time.
Bedel Security has been a great partner to our bank with their virtual CISO services. They do an excellent job and it gives me confidence that we are doing all we can in this extremely important area. They allow me to focus on my other responsibilities at the bank.
Don't Wait for a Cyber Incident to Take Action
Think about what it would be like to have a team of experts guiding your information security program. Think about how reassuring it would feel to have a partner to turn to in the event of a cyber incident at your bank or credit union.
So what happens next? There are a variety of ways you can proceed.
Schedule an Introductory Call
We’ll chat with you about your situation with ZERO obligation on your end. We’ll even tell you if our program is not a good fit for you at this time.
Download our Whitepaper
If you’re curious about the virtual CISO concept and would like to know more about how it could benefit your bank, download our whitepaper, Banking on Security: The Outsourced CISO Solution.
Learn About our Other Services
If you’re not sure our vCISO services are the right fit, check out some of our other services.
Sign up for our Newsletter
Maybe now isn’t the best time. You’re in the middle of a contract or it’s not in your budget, but you’d like to stay in touch.
Check out our Resources
We've created some great resources for you to use. From downloadable templates to educational videos, we have a little something for everyone.