
Hiring a vCISO – is it right for your bank?

Is your team stretched too far in meeting regulatory IT requirements? Are you concerned about your bank’s IT security posture? Are you having trouble assessing the security measures used by your vendors?

Then you may need the services of a Chief Information Security Officer (CISO). This C-level executive typically drives the policies and projects tied to an organization’s security maturity. However, finding and hiring a qualified CISO is difficult: demand for this type of executive is high, and there are not enough CISOs to fill the open positions.

That means the role is scarce, expensive (average salary is $250,000, according to some reports), and potentially difficult to fill. Meanwhile, your bank needs this expertise to move forward with its initiatives.

Enter the “virtual” CISO – a position based on a fractional share model. For a fraction of the cost of hiring this executive, your bank can hire a vCISO to accomplish specific projects.

Typical vCISO services

You can start small by tasking your vCISO to perform a monthly security health check. The health check may include reviewing network activity and reviewing access to the network and to critical banking applications.

You can get help creating and maintaining the Information Security Program documentation that regulators require.

A vCISO can also assist with the annual reports required by your regulatory authority and facilitate annual Information Technology and Information Security audits, both internal and external, as well as annual penetration testing.

A vCISO can take an active role in your Vendor Management Program, maintaining a Master Vendor List, assisting with contract reviews, performing potential new vendor due diligence, and developing Vendor-related policies.

A vCISO could also assist your bank with IT strategic planning, budgeting, and development.

Elements of a successful engagement

Clearly defined scope: All parties in the relationship should be clear on what the vCISO will work on, and so should the contract. The scope should also include a timeframe for completing the work as well as a clearly defined governance reporting structure.

Organization buy-in: A vCISO will work with and be a champion for your bank’s IT team. The vCISO can add board-level credibility to IT team initiatives and potentially improve processes and team assignments. But if your IT team sees the vCISO as a threat, trouble could arise in the form of roadblocks and obfuscation. Good communication around the hiring of a vCISO is imperative.

Executives also need to remember that simply hiring a vCISO to handle projects is not enough. The contracted executive also must have the necessary budget and authority to execute their role.

It’s a waste of time and resources to hire a vCISO simply to fulfill an audit requirement or to write policies that end up gathering dust on a shelf.

Industry expertise: Choose a vCISO who understands your industry and your bank’s needs, whether you are a community bank or a publicly traded one. A vCISO who understands your market trends and challenges can truly enhance your bank’s security posture.

To explore how a vCISO might benefit your bank, contact us today.