For cybercriminals, financial services institutions (FSIs) lie perfectly at the intersection of maximum profit and impact because of their access to money and stores of highly valuable data. This combination makes the financial sector a prime target for ransomware and other cyberattacks. However, smaller financial services organizations often lack the resources to improve their security posture by hiring a Chief Information Security Officer (CISO) to provide a strategic vision to protect the organization, its data, and customers from attack. To support and protect these companies, a new kind of cybersecurity expert is growing in demand: the virtual CISO.
Virtual CISOs, or vCISOs, provide on-demand security leadership in a fractional delivery model: the contract length and the scope of services are flexible and can be tailored to a company’s budget and needs. vCISOs are established cybersecurity leaders who combine a comprehensive technical skillset with business acumen and experience in developing both security strategy and a company’s security culture. Engagements with vCISOs are typically long-term rather than project-oriented, which makes them an appealing option for organizations, such as FSIs, that are constantly navigating cybersecurity challenges and changing compliance and data security requirements.
Beyond giving them access to an experienced security expert, vCISOs are often attractive to financial services organizations because of the cost and resource savings. For example, vCISOs are estimated to cost between 30 and 40 percent of a full-time CISO, and they can step into the role without the need for training. “Nowadays, a lot of these organizations’ cybersecurity teams are very short-staffed and have limited time to manage the many security challenges their organizations are facing,” said [NAME] from Atlantic Data Security. “A vCISO can help ensure that the limited funding they have is used with the right focus and priority, whether by providing a roadmap for cybersecurity gap closure, or by helping to prepare for an upcoming audit or certification.” vCISOs also bring with them a network of contacts and industry partners. For example, vCISOs at Atlantic Data Security work with partners such as Fortinet that provide services to help evaluate risk and inform cybersecurity strategy.
While small and mid-size financial services organizations are typically considered the main audience for vCISOs, companies of any size can benefit from their services. FSIs that are moving their operations to the cloud can engage a vCISO to support the migration and develop a cybersecurity strategy that reduces the risk the move introduces while using the new environment to its full potential. Other transitional phases are also good occasions to consider a vCISO: one can help consolidate systems and strategies during a merger or acquisition, or fill the gap between two full-time CISOs.
Another reason a financial services company might engage a vCISO is to ensure compliance with industry and governmental requirements. Meeting industry standards for client information security is essential not only for continuing operations, but also for maintaining customers’ trust. vCISOs can help companies not only to protect sensitive information from compromise, but also to develop response plans for the case in which a breach does occur. “The ultimate goal is to stop attacks before they happen,” said Michael Brown, Field CISO, Financial Services from Fortinet, “but hackers are creating new malware and viruses and identifying new vulnerabilities as quickly as we are working to locate and eliminate them. It’s important to be able to demonstrate that you are both maintaining robust security to detect and neutralize threats and that there are measures in place for anything that manages to slip through the cracks.”
Maintaining a robust security posture with limited resources, at a time when targeted attacks against FSIs are on the rise, might seem like an overwhelming task. However, with the skills of a vCISO available, small and mid-size companies can find a trusted partner for a wide range of tasks, from ensuring compliance and preventing attacks to delivering on a digital transformation strategy.