Overworked and underappreciated? Common pitfalls for financial institution ISOs
In consulting with financial institutions, we’ve seen a lot of the pitfalls that can prevent a security program from being successful. Information security officers (ISOs) face any number of pain points and frustrations that can hinder their ability to protect their organizations.
Managing to overcome these obstacles requires influence, determination and a commitment to continuous improvement. No risk-management program is perfect from day one. But ISOs who recognize these limitations, and strive to shepherd their organizations forward anyway, will eventually find less frustration — and smoother audits — ahead.
Lack of management or board support
Sometimes ISOs are put in place as a sort of “check the box” function to meet regulatory mandates. These professionals can find themselves up against leaders who don’t understand cybersecurity or the need to provide the resources or training to get the organization up to speed.
Of course, ISOs need more than monetary support from leadership; they need cultural support as well. They need leaders who will advocate on their behalf — leaders who will actively support initiatives like multi-factor authentication, website lockdowns or tighter password policies.
Building buy-in can be a long-term process of communication and repetition. Outside cybersecurity advisors can play a role here, using their wide scope of experience to communicate risk and influence leadership.
No formal job description
The ISO role is complex, and organizations may differ in how they interpret an ISO’s responsibilities. While regulatory guidelines are clear that financial institutions must designate an ISO, organizational culture, resources and buy-in can all impact how that role gets executed on a day-to-day basis.
A thorough job description provides valuable clarity around what the job entails and what the ISO needs to execute. That kind of clarity becomes especially important in smaller financial institutions, where professionals often juggle ISO duties with other roles.
A formal job description also helps establish expectations throughout the organization. This is where you can begin to lay some groundwork for issues of independence, authority and collaboration that can be pivotal to the ISO role.
Lack of independence
The ISO needs to operate free of conflict of interest and should report directly to the board or senior management.
Imagine the IT administrator is dually charged with the ISO role. They may not want to reveal security issues that they’ve created or haven’t been proactive in fixing. Or, the IT admin may have a bias around the risks they’d most like the organization to address. Similarly, operations and security are naturally at odds, and it’s not uncommon for operations to prioritize ease of use over tighter security controls.
Properly segregating the duties of an ISO can be a real challenge for community financial institutions. But regulators are looking at this dynamic and pushing organizations to ensure their ISOs can provide unfettered, unbiased guidance to the board.
Not enough time
The reality is that many community banks and credit unions don’t have a dedicated, fulltime ISO on the team. That’s okay, as long as their job allows adequate time to balance the ISO role.
When the ISO wears too many hats, things can fall through the cracks. Necessary reviews and reports might not happen on schedule, and the organization can lose focus on what’s important. You may not have a lot of options in your organization, but it’s important that leadership understands there are inherent risks when ISOs carry too many other responsibilities.
Lack of knowledge
An effective ISO knows enough about technology to partner with IT and has the confidence to challenge reports and testing activity when necessary. They also need to understand examiner expectations as well as the assurance options available in the industry. And, they need to stay on top of emerging threats.
Finding the right person to fill all these roles is a big challenge for any organization. To help, financial institutions can partner with outside cybersecurity advisors to augment in-house knowledge and help the organization stay current on regulatory changes and cybersecurity best practices.
Lack of documentation
From a regulatory standpoint, if you didn’t document it, it didn’t happen. Financial institutions should be able to provide documentation that demonstrates routine controls, tests and reviews are taking place. Documentation could include checklists, reports, logs, meeting minutes, etc.
This can be a tedious task, but it’s how you prove to auditors that you are in compliance. What’s more, documentation can prove an invaluable part of your defense should a security incident occur and trigger legal action.
Incomplete or unfocused programs
When we look at the lifecycle of information, we need to make sure we think through every component — how we receive it, store it, secure it, destroy it and how we share it with our third parties. Usually what we see is that some component is missing.
ISOs are challenged to integrate cybersecurity into all aspects of the organization, but it takes time and attention to create a comprehensive risk management program — one that addresses real, reasonable risks rather than the “too long to be wrong” approach we see at some organizations.
Controls should not be implemented arbitrarily but should flow out of a well-defined risk management process, which begins with the board of director’s appetite for risk.
Unfortunately, it’s easy for ISOs to become overwhelmed or unfocused when they don’t have adequate support and time. Here again, ISOs may find that educating leadership on their needs is an ongoing part of the role.
Support for financial institution ISOs
The role is challenging, but committed ISOs understand the mission-critical part they play in protecting their organization and their customers. If barriers are preventing you from developing an effective risk management program, reach out.
Many financial institutions are turning to outside advisors for regulatory compliance and risk management services. Wipfli can help with task management, independent testing, board presentations, user training and more.
Wipfli’s financial institution cybersecurity advisors will coach and support you, helping you meet regulatory requirements and grow your impact on organization security.
For more insight, check out these posts: