With increasing cyber-attacks, data shared with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight of, and network reporting on, the information security program are needed to ensure that the proper controls are in place and working, and that all stakeholders have visibility into the network.
In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:
- Gaps Between IT Staff and ISO/Compliance Teams
In many financial institutions, the IT department and the information security/compliance team communicate poorly and work in isolation from each other. Many information security officers (ISOs) do not have the technical background to fully understand how information is actually being protected. They tend to focus on vendor management, business continuity management, and risk assessments, and are less familiar with operational questions such as how systems are being patched, whether every machine has antivirus, or whether backups are completing consistently. Effective communication is difficult when ISOs do not understand the IT side, or lack visibility into network reports and the other information they need to do their job.
- Oversight to Better Manage Controls
Because bank and credit union IT staff are human, errors will sometimes occur. Financial institutions have many technology solutions that automate IT functions and controls, but oversight is still required to confirm that those controls are adequate, actually working, and therefore mitigating the risks they were meant to address. Without appropriate oversight, a gap in the network can go unnoticed until it leads to a successful cyber-attack. Similarly, an exam finding that certain controls were implemented ineffectively means the institution was exposed for the whole period before the examiner caught it.
- Limited Access to Reports
Too often, when ISOs review the information security program, the reports they receive are either too vague or too technical to extract the insights that matter most to the ISO role. Other key stakeholders, such as the Board and senior management, may also need better access to high-level reports in order to identify threats, assess risk, and decide which controls to implement.
Without adequate reports, the ISO and other stakeholders become overly reliant on the IT team to explain what is happening on the network, with no way to verify that information independently.
To learn more about information security reporting and get a demo of our NetInsight cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”