Today, community banks and credit unions face a constant barrage of challenges: growing cybersecurity threats, expanding technological requirements, and ever-evolving government regulations and expectations.
Meeting these and other demands can be quite challenging for information security officers (ISOs) at many financial institutions. In fact, smaller community financial institutions often struggle with a lack of segregation of duties, time constraints, overreliance on third parties, and inadequate expertise. This can strain internal resources and potentially undermine the security of the institution’s operations. ISOs typically juggle a mounting list of duties, from network security issues to cybersecurity to business continuity and regulatory compliance. Therefore, the ISO has one of the most valuable roles in a financial institution. In fact, it is one of the few positions that is required by guidance.
All of this serves to illustrate the usefulness of a virtual ISO (VISO) to assist with understanding and addressing the multitude of ISO responsibilities. A VISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks the ISO must oversee. Because of this, the concept of a virtual ISO has gained popularity lately in the banking and credit union space, as well as other industries. Here are three key reasons community banks and credit unions should consider augmenting and enhancing their Information Security team with a virtual ISO:
- Separation/Segregation of Duties
Separation of duties is a common examination finding and addressing this issue should be a major consideration for banks and credit unions. The FFIEC addressed this very topic in the Management Handbook, stating: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”
The “concentration (or separation) of duties” requirement stems from a legitimate concern that the ISO must serve in an oversight role to the network administrator. This oversight dynamic is compromised if the ISO has administrative capabilities, which can often be the case with smaller financial institutions. Outsourcing the responsibility for maintaining the ISO checklist of responsibilities is a viable solution for banks and credit unions that lack the internal resources to keep up with these multiple activities. In short, a virtual ISO can help financial institutions provide the appropriate “arms-length” separation of duties between the ISO and the IT staff roles.
- Succession Planning
Succession planning is vital to ensuring the longevity of a community financial institution, particularly whenever and wherever there is overreliance on key personnel. Since the ISO plays a vital role in any bank or credit union, one of the biggest benefits to staff augmentation through outsourcing is continuity, or more specifically, succession planning. Making sure the many critical functions of the ISO will continue uninterrupted in the event the in-house ISO is unable to perform their duties is key to a successful information security program.
A VISO can address this issue by effectively augmenting an existing ISO, making sure that all responsibilities are addressed and properly documented. And continuity is never an issue with VISOs because they don’t take vacations, get sick, or wear multiple hats like their in-house counterparts. Consequently, a virtual ISO can help an institution ensure that all information security related concerns are continually addressed—regardless of the availability of the in-house ISO.
- Stakeholder Reporting
ISOs have accountability to several separate and distinct stakeholders: the IT Steering Committee, the Board, and the IT auditors and examiners, and each stakeholder group has unique reporting requirements. The level of granularity required for the IT Committee is different from the detail required for the Board. The committee needs a “ground-level” summary of all information security related activities on an ongoing basis, while the Board may only require a single, annual, high-level snapshot. Additionally, any ISO can tell you that pre-audit questionnaires and pre-exam questionnaires are completely different as well. Understanding what to report to each stakeholder, and how best to report it, is another way the VISO can help the in-house ISO.
In summary, the FFIEC states that “A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success.” Virtual ISO services are intended to enhance and augment your existing ISO capabilities by assuring that all responsibilities are addressed and properly documented, and that all stakeholders are kept properly informed. Ultimately, virtual ISO services can ensure greater accountability for the diverse responsibilities of the individual filling this critical role, while demonstrating a high level of information security maturity.