PCBB Banc Investment Daily March 15, 2018

Working Hard For A Top Notch CISO

Summary: As information security has become an increasingly important issue for banks, more community banks are looking into hiring experienced CISO talent. Ways to attract the right person for this role.
A Rooster Money survey finds children ages 4-14 received an average allowance of $454 in 2017. The top paying chores for kids were: washing a car ($12.49), babysitting ($12.44) and gardening ($9.93). At $454, you could have your cars, your neighbors' cars and your relatives' cars all washed. Not only that, but chores can also build character and start good money management habits for children. Given all of the cyber risk in banking these days, there are also plenty of chores for a chief information security officer (CISO).
At most community banks, IT teams wear multiple hats, so it isn't uncommon for the CISO job to exist within the chief information officer (CIO) position. However, the roles are distinctly different. The CIO handles the bank's technology systems and the support around them, while the CISO is responsible for managing the security risks in and around those systems and the data inside them. The CISO focuses on protecting bank data and information by actively managing the risks of improper systems access, cybercrime and other evolving threats.
Over the years, as information security has become an increasingly concerning and important issue for banks, more are looking into hiring an experienced CISO. But, given the overarching demand for information security professionals across all industries, hiring a solid CISO can be difficult. That puts many community banks in a bind.
Consider also the regulatory view of things. The latest FFIEC IT Management booklet calls for a more strategic role for the top information security professional at a bank. The booklet is designed to provide guidance to examiners and outlines principles of overall IT governance. Basically, since technology supports most of a bank's business, it requires a more robust risk management framework to support that risk profile.
Of note, while previous guidance saw the information security officer as more of a technology function, this version updates that to a role that is more strategic and an integral part of business.
At the same time, given the extreme shortage of cybersecurity talent and the widespread demand for these services, it can be difficult for a community bank to find someone to fit the role.
From a regulatory standpoint, the FFIEC says the CISO is typically responsible for the following:

1) implementing the information security strategy and objectives, as approved by the board;
2) implementing strategies to monitor and address current and emerging risks;
3) engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks;
4) working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information;
5) monitoring emerging risks and implementing mitigations;
6) informing the board, management, and staff of information security and cybersecurity risks and the role of staff in protecting information;
7) championing security awareness and training programs;
8) participating in industry collaborative efforts to monitor, share, and discuss emerging security threats; and
9) reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate.
If your bank is looking for a CISO, the search will most likely be tough, but at least you have some fundamentals around how the role is structured. Hopefully, this information and your own research will pay off and keep your bank safe as your teams go about their existing list of chores each day.