I’ve been spending some time digesting the proposed State of New York financial regulations that are due to go into effect in the new year. The new regulations are fairly prescriptive which has its good and bad points. But it is very clear that the regulators have had it with “opt out” security controls for banks. One of the areas of focus is on the role of the Chief Information Security Officer, or CISO. Let’s take a closer look at what the new regulation says about the CISO and what it means to your financial organization.
First, you have to have one of these.
Larger national and global institutions already have someone filling the CISO role. This won’t be anything new for them. The CISO is responsible for the overall security policy and practices of their organization. I think this will be a larger challenge for smaller regional banks and credit unions. Much of their IT infrastructure is probably outsourced and they depend on a network of vendors and service providers to fill their security needs. So these folks are going to have to on-board someone to fill the CISO role. And the experienced CISO is in hot demand. Hiring a qualified individual will be a challenge.
See below for a suggestion on how you can tackle this problem with a virtual CISO.
Second, the CISO now has to report to the board of directors or the equivalent level in your organization at least twice a year. And the report has to include a fair amount of detail on the security posture of the organization! This is going to be a major shift in almost every financial institution, and is probably a big shock for many! Currently the CISO typically reports to the CEO or similar level of executive management. It is going to be an uncomfortable change for the CEO to let go of this direct report and have unfiltered information going straight to the board of directors.
Why did the State of New York demand this change? I am just guessing here, but way too often I’ve seen the recommendations of a CISO stifled at the CEO level. Business line managers have a hard time understanding the relative importance of investing in security when there are so many demands for resources. Line of business needs often pre-empt security needs. For this reason many large companies are failing to invest in the way they should. I think the State of New York decided that the CISO needs to provide information directly to the board to improve governance, risk management, and compliance. Yeah, that GRC thing.
Lastly, too many financial institutions treat security as a checkbox item, rather than as an ongoing adaptive process. Without a level of seriousness about cyber security in the organization the right things are not prioritized and security investments aren’t made. Making sure that a qualified security professional is in the driver’s seat should help financial institutions become more secure, and thus the data of their customers better protected. A CISO can push this agenda forward.
Smaller institutions will certainly have some difficulty in acquiring the talent needed to meet the CISO role. I suggest that you consider a Virtual CISO (yes, that is a thing) to fill this need for the short or long term. The timelines for the new regulation are very short and you will have to meet some requirements within six months and all of them within one year. That is a very short timeframe for any financial institution.
Here are just a few suggestions:
If you are an IBM i (AS/400, iSeries) shop, look to an expert on this platform to help you. One that I work with on a regular basis is Botz and Associates. I’ve worked with Patrick Botz for many years and he is a long-time advocate for approaching security as a business process, just as this regulation mandates. He was the head of security for the IBM i platform for many years and can help you with his new Virtual CISO service.
Another security firm that I’ve worked with is Coalfire. I’ve always been impressed with their ability to really understand our needs and become that trusted advisor that you need. They also have a Virtual CISO service to help you meet the new regulations, and you get a good security friend in the process.
Here is where you can find the proposed State of New York regulations, it is a pretty easy read.
Financial institutions and their service providers have a big challenge ahead and very tight deadlines. Time to get cracking!