Virtual CISO Services for Financial Institutions. The term financial institution covers a wide spectrum of businesses under the umbrella of the financial industry. When we think of financial institutions, we can think of anything from banking, to investment banking, to financial advisors.
The scope of this conversation is focused on financial institutions that hold client privacy information or perform financial transactions. These businesses are typically driven by SEC regulations, and their cybersecurity controls fall under the umbrella of those regulatory requirements.
The cybersecurity risk management strategy for financial institutions centers on the availability of financial systems, the privacy of client and vendor financial data, and the confidentiality of their proprietary investments or trading systems. When we think about how Virtual CISO Services are unique to financial institutions, we should focus on a couple of components of what those institutions do. Usually, a banking organization will have internal staff dedicated fully to cybersecurity.
Organizations within the financial industry that will typically outsource cybersecurity, or invite a virtual CISO to participate in cybersecurity controls, include investment banks and financial investment platform companies. The risk management strategies for such a financial institution center on intellectual property: the financial application, the financial investment strategy, the proprietary training mechanisms, or the data around those processes. Second, the risk management strategies are driven by financial regulatory requirements.
Regulatory Requirements
Most financial-industry companies, those that trade or invest money, are under the regulatory guidance of the SEC. That requires the cybersecurity team, in conjunction with other risk stakeholders in the business, to complete the documentation, questionnaires and attestations needed to ensure that proper regulatory approval is given to that financial institution. The second way a financial institution can benefit from a virtual CISO is around the specific financial systems and platforms that the institution uses.
Usually this means third-party applications or internally hosted applications that have some type of financial impact. They are usually integrated with other systems, so we see cross-integration with other platforms, which requires network connectivity, encryption, service account provisioning, and proper authorization and identity management.
Segmentation
Financial institutions can also benefit from virtual CISO services specifically around the segmentation of financial systems, trading systems and client-accessible systems. Whenever clients externally access financial information, they typically do so through an application, and that application is typically available on the internet as what we call a SaaS platform or a hosted application.
Mobile Device and Applications
There is usually a mobile version of that application as well. Those applications need to be inspected for cybersecurity controls, ideally penetration tested, and made to comply with an application cybersecurity framework such as the CIS Top 20. We also want to segregate those systems from other internal systems, which we call infrastructure systems, so that even a breach within the client-facing systems would not become a company-wide breach.
Network Access Controls
The other way a virtual CISO can segment networks is internally. This calls for expertise in VLANs and in what we call NAC, network access control, to ensure that internal employees and internal guests do not have improper access to core financial systems: anything from the general books and records, to trading, banking or reconciliation systems, to external systems such as stock trading records or stock trading platforms. The fourth way that a virtual CISO can benefit a financial institution is through vendor relations, training and experience.
Vendor Relations and Risk
There are a lot of cybersecurity opportunities specific to financial institutions around the points we have covered previously in this article, but who are the major vendors within the financial institution space? How do they integrate into a company's IT program? How do you architect those systems for the best cybersecurity? And what are those vendors' security best practices? Take Salesforce, for example: it has a recommended cybersecurity best practice list that should be implemented by a cybersecurity professional working with the Salesforce administrator. That cybersecurity practice should be added to an ongoing governance list so that those controls can be checked on a regular basis. Lastly, a virtual CISO can help a financial institution align with security frameworks.
Measuring Maturity
There is going to be a lot of external demand on a financial institution to prove that it has cybersecurity controls in place. Again, the major driver is going to be requirements from the SEC, but those typically don't go far enough. Financial institutions will typically still try to measure their cybersecurity maturity; historically, they don't want another cybersecurity certification or attestation unless they are primarily client focused.
Sometimes they can outsource those other cybersecurity attestations, but from an internal standpoint they still want to measure their cybersecurity without getting a certification or attestation. You want to pick a cybersecurity framework that is universal, measurable and trackable. You want to take the very wide and very deep requirements of cybersecurity and organize them in a way that can be prioritized, documented and tracked no matter who the cybersecurity resource is, and ensure that someone who comes into that role in the future can pick right up and maintain what has previously been done, without what I call backsliding, or deterioration of the cybersecurity program, through the transition of cybersecurity resources.
I hope that helps explain how a virtual CISO can benefit a financial institution. If you have other ideas or questions, please leave them in the comments below.