With increased cyber threats, why should smaller Financial Services firms turn to a virtual Chief Information Security Officer?
In today’s fast-paced digital landscape, businesses of all sizes face an increasing number of cybersecurity threats, but financial services is the most targeted industry. It isn’t hard to work out why. Long before the information age, Willie Sutton, one of the FBI’s most wanted criminals, was asked in 1993 “Why do you rob banks?” He simply replied, “Because that’s where the money is.”
Thankfully, financial services firms aren’t the most likely to be breached, as they spend more money on cyber security than anyone else. The need to invest in security is of course also driven by the fact that they are highly regulated businesses. If they don’t have robust security measures in place, they will be subject to hefty fines or may potentially be put out of business.
Big or small, the same challenges exist
Small to medium financial services firms (e.g. boutique asset managers, hedge funds, private equity firms etc.) are no different from the larger financial institutions, as they are subject to the same regulations and risks. In fact, smaller firms can often be seen as a simpler, more lucrative and softer target than the bigger firms. This is because they can have a small-business mentality, where the CEO has decided he/she doesn’t want “corporate grade” security as it’s his/her business and doesn’t want the inconvenience or to spend the money.
Many firms, however, are now having to invest more in their cyber security, but being small means they are not large enough to fully justify the expense of employing their own cyber team. Their instinct is almost always to outsource, so they can stay focused on their core business. Within cyber security, this typically means using third-party managed security services such as a Security Operations Centre (SOC) service, perhaps combined with an annual penetration test from an independent third party.
The issue with this is that it does not adequately manage the overall cyber risks facing the business. Big gaps may still exist in leadership, advice, governance, risk and compliance, and ultimately in ensuring that an overall information security programme is in place.
This is where firms should look to employ a “virtual” Chief Information Security Officer.
What does a “virtual” Chief Information Security Officer do?
There are many potential responsibilities, but for small firms, we would expect them to cover the following five areas:
- Developing and documenting the firm’s Cyber Strategy
- Performing cyber risk assessments
- Carrying out regular security testing with third parties
- Supporting the adoption of cyber security frameworks, such as Cyber Essentials or NIST
- Ensuring the company has the right policies and procedures in place
Also, the Board is accountable for cyber security, which means it needs strong advice and executive-level reporting, something a “virtual” CISO will be experienced in providing.
Why would I need a “virtual” Chief Information Security Officer?
Smaller financial services firms are not large enough to justify the expense of employing a full-time Chief Information Security Officer (CISO). In addition, they are unlikely to attract the right candidate, because their requirements are relatively low in complexity.
To fully protect themselves, firms must have a robust, end-to-end information security system. It is not enough just to use third parties to manage technical security operations and perform regular penetration tests, as no internal staff will have the skills and experience to build this.
Information security is a very wide-ranging topic, so it is easy to get lost trying to work out which elements should be applied to a business, often ending up with either too little or a massive sledgehammer to crack a nut. A “virtual” CISO can solve this problem by delivering an information security programme that is tailored to the business’s size, budget and risk appetite. This ensures regulatory compliance is met, as the regulator expects there to be a clearly defined, documented information security strategy and system in place.
Is it time to follow the trend?
In summary, a “virtual” CISO is now becoming very commonplace at small financial firms, perhaps even more common than “virtual” Chief Technology Officer roles. This is because the scope and scale of the information technology environment tends to be low, whereas the overall information security risk is high, given the sensitivity of the information, the amounts of money being managed, the high-value targets involved, and the need to demonstrate to the regulator that adequate controls are in place.