Rise of the vCSO: A New Profession Emerges in the Effort to Fight Cybercrime

by Toni Lapp

The Arkansas Banker | October 2017

As cybercrimes become increasingly prevalent, especially in highly regulated industries such as banking and finance, remaining complacent is becoming riskier. No business is immune, with such high-profile organizations as JPMorgan Chase, Wells Fargo, the Bank of America, and even the FDIC and IRS experiencing breaches.

“Business leaders watch the news and they know the threats are out there,” said Scott Logan, technical director of security for IT consulting firm NetGain Technologies. “They know they need protection but they just struggle with where to start.”

The place to start may be with staffing, according to financial industry regulators. In August, the New York State Department of Financial Services began implementing cybersecurity regulations that are expected to become a model for financial institutions everywhere. Chief among the measures is a call for each organization to designate a qualified individual to oversee its cybersecurity program and enforce cybersecurity policy.

THE RISKS FACING FIs

Community banks and credit unions, particularly those lacking a dedicated cybersecurity professional on the executive team, are vulnerable. More than two-thirds of financial service institutions (FIs) have faced at least one cybersecurity attack in the last year, according to MetricStream’s The State of Cybersecurity in the Financial Services Industry Survey.

Furthermore, said Logan, the fastest-growing segments being targeted within financial institutions are small banks and credit unions. Hackers are increasingly targeting smaller financial institutions with less robust data security systems and personnel than larger banks. According to Beazley, a leading provider of data breach response insurance, banks and credit unions with less than $35 million in annual revenue accounted for 81 percent of hacking and malware breaches at financial institutions in 2016, compared with the 54 percent of incidents they represented in 2015.

Beyond financial consequences, the reputational damage of a cyber attack for a community financial institution can cause harm beyond repair, particularly for community banks that pride themselves on their strong commitment to their local communities. Once a bank is attacked and it becomes public knowledge, the organization often faces financial losses as the result of customer attrition.

It is crucial for financial institutions to establish a solid cybersecurity program. However, unlike large financial institutions with seemingly unlimited resources for security, community banks often face numerous obstacles, including minimal hiring budgets for security personnel, when developing a security program.

THE RISE OF THE vCSO

The New York cybersecurity guidelines have called for developing and maintaining a written cybersecurity policy and incident response plan. The policy must be based on the risk assessment, and the guidelines require designating an individual to be responsible for these activities. The guidelines state that a third party can be used, and given the cost of adding to staff, this might be the best approach. In the banking industry, the average salary for a chief security officer is $225,000, according to Baseline Magazine.

A recent trend in regulated organizations is to fill the gap by contracting a virtual Chief Security Officer (vCSO) as an outsourced service, said Logan, who has written an e-book about the rise of this new role: Why the vCSO is the newest member of the C-suite.

The vCSO functions alongside—but independently of—an existing I.T. manager or managed services provider (MSP) to manage an organization’s cybersecurity defenses. Having this resource enables institutions to effectively take a sustainable and scalable approach to cybersecurity.

Indeed, all signs point to the need to have an individual dedicated to security. Companies often assume these responsibilities fall under the aegis of an I.T. staff person or outsourced I.T. vendor’s daily support role, said Logan. However, dedicated I.T. support staff lack the time and resources to keep up with the challenges of modern cybersecurity, without falling behind on their assigned tasks to support the data network, applications, and end users.

WHERE TO START

Cisco describes a four-step plan to prevent, detect, and mitigate threats and minimize risk as the template for vCSO services:

• Make security a business priority: Executive leadership must own and evangelize security and fund it as a priority.
• Measure operational discipline: Review security practices, patch, and control access points to network systems, applications, functions, and data.
• Test security effectiveness: Establish clear metrics. Use them to validate and improve security practices.
• Adopt an integrated defense approach: Make integration and automation high on the list of assessment criteria to increase visibility, streamline interoperability, and reduce the time to detect and stop attacks. Security teams then can focus on investigating and resolving true threats.

According to Logan, the vCSO will be responsible for helping assess and define an organization’s security posture with the goal of improving I.T. security controls and safeguarding data assets. He or she will assess current technical system controls, ensuring they are consistent with the organization’s strategic plans and overall governance framework. The vCSO will work with the management team to help prioritize cyber threats and determine recommended security needs. A well-qualified vCSO will then oversee the development of appropriate security controls based on the organization’s financial constraints and directives.

Organizations of all sizes can tackle such an approach—with the right people on board, said Brendan Jacobson, president of NetGain Technologies, which recently began offering vCSO services to SMBs. The vCSO role appeals to a specific corporate demographic.

“We target small and medium businesses, anywhere from 30 to 300 computer users,” said Jacobson. “When you’re a company that size, it is hard to justify hiring a CSO. As a service provider, we can provide a high-quality expert. It’s a great solution that allows these firms to have expertise that they couldn’t otherwise afford.”

By all indications, cyber attacks will only increase; financial institutions cannot rest in their fight against breaches.

ABOUT THE AUTHOR

A recovering journalist and bemused observer of American life, Toni Lapp graduated from University of Missouri-Columbia with a degree in journalism. Previously, she worked for the Federal Reserve Bank of Kansas City, where she covered topics ranging from entrepreneurship to payments to economic policy. Her writing credits include the Chicago Tribune and St. Louis Post-Dispatch, BankNews magazine, Unity Magazine, and The Journal on Active Aging.
