When I was consulting I knew the best relationships I had because they would call me at any hour with random questions where they needed an immediate response. They valued the opinion and the intellectual capital supporting it. They were not embarrassed to ask and were always curious to learn. With this type of working relationship the client contact was comfortable putting me in front of the board of directors, because they were confident that I would interact with the board in the same capacity that they would.
Financial institutions’ board members and executive management teams have a responsibility in protecting their client’s customer non-public personal information. Although there are varying degrees of knowledge sitting around the table, information security controls and governance are typically not the resounding skillset. Having a vISO with an ability to interface with these key team members is crucial. The ability to educate and answer difficult questions in a manner that makes sense, even if the audience is not overly technical, is essential to the ISO role. Having a strong, stable, transparent relationship is not only valued, it is mission critical when you work with a vISO.
As a layered security approach is a somewhat dated concept at this point, the tools used to support it are constantly evolving and seem like a moving target. Having realistic expectations and understanding your current and future needs are paramount when building out your framework. Even seemingly simple things like choosing the correct tools to secure an environment can be a challenging task. Automation can prove to be both a positive and negative, especially when trying not to break key pieces of software vital to your institution, such as your core applications. Reporting capabilities and user impact are also key variables for the correct choice in tools that will help in your compliance efforts.
Working with a vISO that knows what to look for when validating controls can assist your institution in many ways. Most cybersecurity tools are capable of producing a tremendous amount of useless information. By knowing what to look for, you can keep a pulse on the things that matter most. Most tools have the ability to create custom reports in order to best suit the institution’s needs and keep the oversight time appropriate and acceptable. Even something as mundane as being able to provide a scope of what to look for helps to eliminate confusion and streamline the process. Once you have this clear understanding of what is needed from an oversight standpoint, it is easy to evaluate your current toolset, or an outsourced provider’s deliverables to determine if they fit your current needs.
How many times have you heard about countless challenges when peers attempt to educate a board of directors as to why a penetration test or vulnerability scan typically does not come out clean? It’s a tough, but necessary expectation to set. When IT auditors provide eight-hundred-page documents to bank executives, the finger immediately points to the IT department with a firm expectation of explanations and better yet, an inquiry into how the IT department will rectify the process so it doesn’t happen again.
According to CVE Details, over 14,600 vulnerabilities were reported in 2017, compared to 6447 in 2016. That is approximately 40 new vulnerabilities a day and growing. So to put it into perspective for your board; let’s say the report was clean when they ran the scan last month. Now that 30 days have passed and the institution has 1,200 new potential vulnerabilities facing it that may, or may not, have valid solutions. This introduces a paradigm shift to potentially have vulnerabilities that may need to be labeled as an acceptable risk. For example, there is no current patch to mitigate a given vulnerability or the fear associated with breaking an application and/or its integrations. Additionally, our Finance Practice has seen updates having to be held on purpose, due to certain applications not being approved for the update.
Working with the right vISO allows you to set realistic expectations for the effectiveness of controls and your risk tolerance. A competent ISO, working in tandem with your technology team, will serve to promote a state of constant cyber-hygienic practices for your institution. As many of us have found, working with a vISO can mitigate many of an institution’s challenges. The key is to work with your vISO to the best of your institution’s ability. By forging a strong transparent relationship, understanding that there is an ever-changing world of vulnerabilities and by setting realistic expectations your institution can maximize the value and benefits of working with a vISO.