Customer Portal

Customer Portal

Blog

Keep up to date with the trending topics
from our industry experts

What is a “virtual” CISO Service and do I need it?

virtual CISO

by

Friday, 10 November, 2023

Webinar on-demand: Thanks to SharePoint – Intranets are back in vogue

Discover how to use Microsoft SharePoint to its full potential and quickly build your own modern intranet for your financial services business.

View now

With increased cyber threats, why should smaller Financial Services firms turn to a virtual Chief Information Security Officer?

In today’s fast-paced digital landscape, businesses of all sizes are faced with an increasing number of cybersecurity threats, but financial services is the industry which is most targeted. This isn’t hard to work out why. Long before the information age, Willie Sutton, one of the FBI’s most wanted criminals, was asked in 1993 “Why do you rob banks?” He simply replied, “Because that’s where the money is.”
Thankfully, financial services firms aren’t the most likely to be breached as they spend more money on cyber security than anyone else. The need to invest in security of course is also driven by the fact they are highly regulated businesses. If they don’t have robust security measures in place, they will be subject to hefty fines or may potentially be put out of business.

Big or small, the same challenges exist

Small to medium financial service firms (e.g. boutique Assets Managers, Hedge Funds, Private Equity Firms etc) are no different to the larger financial institutions as they are subject to the same regulations and risks. In fact, smaller firms can often be seen as a simpler, more lucrative and softer target than the bigger firms. This is because they can have a small business mentality, where the CEO has decided he/she doesn’t want “corporate grade” security as it’s his/her business and doesn’t want the inconvenience or to spend the money.

Many firms, however, are really having to invest more in their cyber security, but being small means they are not large enough to fully justify the expense of employing their own cyber team. Their instinct is normally always to outsource, so they can keep focused on their core business. Within cyber security, this typically means using third-party managed security services such as a Security Operations Centre (SOC) service, perhaps also combined with an annual penetration test from an independent third party.

The issue with this is that it does not adequately manage the overall cyber risks which are facing their business. Big gaps may still exist in leadership, advice, governance, risk and compliance; ultimately ensuring an overall information security programme in place.

This is where firms should look to employ a “virtual” Chief Information Security Officer.

What does a “virtual” Chief Information Security Officer do?

There are many potential responsibilities, but for small firms, we would expect them to cover the following five areas:

  1. Developing and documenting the firm’s Cyber Strategy
  2. Performing cyber risk assessments
  3. Carrying our regular security testing with third parties
  4. Supporting the adoption of cyber security frameworks, such as Cyber Essentials or NIST
  5. Ensuring the company has the right policies and procedures in place

Also, the Board is accountable for Cyber Security, which means they need strong advice and executive-level reporting, which a “virtual” CISO will be experienced in and could help.

Why would I need a “virtual” Chief Information Security Officer?

Smaller Financial Services firms are not large enough to justify the expense of employing a full-time chief information security officer (CISO), in addition, they are unlikely to attract the right candidate due to their low complex requirement.

To fully protect themselves, firms must have an end-to-end robust information security system. It is not enough just to use third parties to manage technical security operations and perform the regular penetration tests as no internal staff will have the skills and experience to create this.

Information security is a very wide-ranging topic, so it is very easy to get lost trying to work out what elements should be applied to a business, often ending up with either too little or a massive sledgehammer to crack a nut. A “virtual” CISO can solve this problem by delivering an information security programme which is tailored to the business size, budget and risk appetite. This ensures regulatory compliance is met as the regulatory expects there is a clearly defined information security strategy and system in place and it’s documented.

Is it time to follow the trend?

In summary, a “virtual” CISO is now becoming very commonplace with small financial firms, perhaps even more common than “virtual” Chief Technology Officer roles. This is because the scope and scale of the information technology environment tends to be low, whereas the overall information security risk is high, given the sensitivity of information, amounts of money being managed, high-value targets, and the need to demonstrate to the regulator adequate controls are in place.

Want to see if a virtual CISO is right for your firm?

Speak to an expert

Our services

Our 4 pillars for a complete choice of managed IT services - all tailored to the needs of financial services firms in London and the UK.

Finance Forward 365 - Microsoft 365 cloud services supported by experts

Finance Forward 365

Microsoft modern workplace & cloud technology for digital transformation.

Learn more
Compliant Teams - Microsoft Teams phone system with call recording and archiving

Compliant Teams

Increased productivity & collaboration with call recording whilst reducing costs.
Learn more
Cyber security solutions for financial services

Cyber Security

Keep your data secured against rapidly changing threats within Financial Services.

Learn more
Responsive IT managed services for financial services

Power BI

Business Intelligence transformation and support tailored for Financial Services.

Learn more

Follow us:

Pin It on Pinterest

Share This