Safeguarding the privacy, integrity, and accessibility of information should be a top priority for any business today. A company’s in-house chief information security officer (CISO) can diminish the risk of a cyberattack or security breach. However, good CISOs are in short supply and may stretch the budget capacity of many businesses, including financial institutions and fintechs. A viable option is a virtual CISO, or vCISO.
Information security is complicated and constantly evolving. Staying up to date with dangers and vulnerabilities is frequently a 24/7 occupation. Developing an information security plan is complex. Many in-house IT departments may not have the resources to properly manage information security.
The Cyberthreats Are Real and Varied
Cybersecurity Ventures estimated cybercrime will carry a $10.5 trillion annual price tag globally by 2025. A Fortune article pointed to the rise of remote working, IT departments increasingly shifting workloads to the cloud and corporate devices, inadequate security measures in the supply chain and applications, the introduction of smart and IoT devices, and intellectual property accessible from the internet as stress points for information security. For financial services, add the integration of fintechs and application programming interfaces (APIs) into the security mixture.
Morgan Stanley’s revelation of a January 2021 data breach involving the personal information of some of its corporate clients is further evidence of an ongoing surge in phishing, ransomware, and supply chain attacks affecting organizations across various sectors, including financial services.
Sixty-three percent of cybersecurity professionals saw an increase in cyberattacks and security breaches related to the pandemic, according to a recent Information Systems Security Association and Enterprise Strategy Group survey.
The Identity Theft Resource Center (ITRC), in its first-half 2021 data breach analysis, noted data breaches were up 38% in 2021’s second quarter from this year’s first quarter. The ITRC suggested total data breaches could reach a new annual high on the current course. The total number of publicly reported data compromises accelerated in the second quarter, ending June 30, 2021 at 491, with total individuals impacted from reported incidents at 52.8 million. For the first half of 2021, compromises totaled 846, and victims added up to 118.6 million.
The ITRC also reported a trio of July 2021 incidents:
- A data breach of telecommunications company Mint Mobile occurred after some ported phone numbers had data accessed. The Mint Mobile event highlighted the risk of mobile breaches.
- Insurance company BackNine suffered a data compromise due to a misconfigured database, impacting 711,000 files with information including Social Security numbers (SSNs) and medical diagnoses. The data incident highlighted the risks of cloud databases.
- CNA Financial Corporation fell victim to a ransomware attack, leading to a data breach that impacted 75,349 people. Attacks like this one, which involved SSNs, continue to rise against businesses.
Compliance Pressures Increase the Need for CISOs
The Federal Financial Institutions Examination Council (FFIEC) recently issued new guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.
The guidance:
- highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities;
- recognizes the importance of the financial institution’s risk assessment in determining appropriate access and authentication practices;
- supports a financial institution’s adoption of layered security and underscores the weaknesses of single-factor authentication; and
- discusses how multi-factor authentication or other controls can more effectively mitigate those risks.
It is no wonder, with all the significant threats and regulatory requirements, that chief information security officers are now in high demand. Companies are hiring CISOs to establish and maintain the company’s data protection strategies and execute them to protect all the data and assets encompassing the business’s technologies.
The fintech industry, in particular, is shifting into high gear because of internal initiatives and external pressures. Financial institution CISOs need to understand this as they investigate new partnerships, which sometimes include trialing and implementing untested technologies.
The Management booklet of the FFIEC Information Technology Examination Handbook, released in 2015, defined a chief information security officer’s responsibility as overseeing and reporting on the management and mitigation of information security risks across the financial institution, and being accountable for the results of this oversight and reporting.
Hiring a Virtual Chief Information Security Officer
Not every organization can afford or justify a full-time chief information security officer. Plus, they may be hard to find. Forbes recently reported on a revelation by the International Information System Security Certification Consortium, or (ISC)², that there are currently four million unfilled cybersecurity positions. Cybersecurity leadership is even harder to find. Estimates indicate only 38% of Fortune 500 organizations have a CISO.
A vCISO, an outsourced infosec expert with management experience, provides security awareness to an organization on a continuing basis and provides protection and flexibility of business resources. The position can start overseeing the information security footprint quicker and cheaper while still working closely with management to produce a thorough infosec strategy, one that includes information security planning and management; controls and standards; regulatory guidelines and compliance; organizational and management infrastructure planning; business continuity proposals; and risk, database and supply chain management.
A vCISO’s core objective is not only functioning as a conduit to internal business and technology crews by furnishing a vigorous and malleable security plan and oversight, but also understanding the evolving information security threats.
For example, ThreatAdvice vCISO, NXTsoft’s flagship virtual CISO software solution, provides the cybersecurity oversight an organization needs. If a company has a cybersecurity issue, ThreatAdvice’s vCISO service will provide ongoing risk assessment and vulnerability management and will also alert the business and advise on required actions. More importantly, ThreatAdvice vCISO ensures the proper solutions and protocols are in place to significantly reduce the likelihood of a cybersecurity event.
ThreatAdvice vCISO provides employee cybersecurity training and education, intelligence on potential threats and a comprehensive cybersecurity monitoring solution delivered through a proprietary virtual CISO dashboard. The vCISO dashboard allows organizations to communicate securely with the vCISO team, access completed reports and policies, view upcoming and completed tasks and more. ThreatAdvice vCISO also warehouses security information in one place with oversight and interpretation from a dedicated virtual CISO team.