Generalities aside, the “it” referenced is representative of the constant and difficult movements financial institutions (FIs) must accomplish: movements that protect the FI and its customers from a wide array of current cyber-criminal threats and evolving threats, and that keep pace with the constant evolution of regulatory compliance, which provides direction on how to manage these potentially devastating attacks.
The menace of cyber-crime against FIs and their customers continues to evolve in frequency, on-the-surface simplicity, and behind-the-scenes complexity. Ransomware, malware, and phishing tactics are now new lines of business for criminals. In fact, criminals like to call their victims “customers,” and they work hard to provide great service to those customers in order to receive payment (the ransom) for returning stolen data.
Now that FIs are required to address the role of Information Security Officer (ISO), the hero-of-the-day role is filled.
This role is not your typical IT job; it requires a cape and the ability to leap tall buildings in a single bound. ISOs address information security (INFOSEC) requirements driven by regulatory guidance, stay ahead of cyber threats, assess annual INFOSEC needs, provide senior management with direction, and implement accepted INFOSEC best practices. The role must be separated from the Chief Information Officer (CIO) and Chief Technology Officer (CTO). Sound like another full-time employee (FTE) each FI must hire to meet the requirements? Not so fast. This is a position that can easily be contracted for, which leaves an existing FTE to absorb only a small portion of the requirements.
Before diving into the deep end – which means investing time and resources in hiring a qualified ISO – consider dipping your toes in and contracting for a virtual Information Security Officer™ (vISO). A vISO leverages pools of certified experts to implement and maintain a scalable program, and does so cost-effectively compared to hiring an FTE who needs constant professional development.
A complete, well-rounded vISO should provide detailed information security asset-based risk assessments (ISABRA) that clearly identify your current security posture. These should explain strengths, weaknesses, and threats to your classified assets and information protection. The vISO should be able to clearly identify and recommend next practices for ongoing protection and risk mitigation. A proper vISO will always be current on the latest threats and on how to mitigate them using technology, education, and other resources. Someone also needs to pull together and keep updated the IT Management Manual, a critical administrative function; this includes policies, procedures, and other required documentation. Finally, a well-rounded vISO will be able to craft and provide ongoing management of eBanking policies according to the FI’s unique needs within FFIEC guidance.
If there were a single piece of advice relative to perpetuating the answer to the question, “When does it end?” it would be “don’t go it alone.” Finding a partner to help navigate difficult business opportunities or challenges is similar to finding a close, personal friend … help your FI succeed against potential cyber-crimes and threats? I certainly do!
Craig Laures is an Account Executive on the ProfitStars' Account Management team.