How To Effectively Navigate The Role Of An Information Security Officer

June 5, 2019

The role of Information Security Officer at your financial institution is arguably one of the most important positions to hire. And it’s crucial to assign this position as soon as your organization allows, especially considering the current risk landscape.

Risk management is an important part of everyday responsibilities for managers and executives in financial institutions. These organizations face credit risks, liquidity risks, and strategic risks day in and day out. When selecting and hiring key managers, their competence in their chosen area of expertise, whether it’s loans, deposits, or retail, is a primary factor in the selection process. These roles are the financial institution’s first line of defense; they keep banks and credit unions safe from losses in daily operations.

And in today’s cashless society, the risk to customer money is no longer physical, but electronic. Considering this, the Information Security Officer role is no less important than the Security Officer role, and is arguably more important, especially since financial institutions are required by regulation to address the security of their customers’ money through the Bank Protection Act.

The top 4 misconceptions about hiring an Information Security Officer:

  1. A Technology Officer can act as an Information Security Officer

An Information Security Officer needs rigorous training in the field, and your Information Technology Officer may not have this expertise. Although a Technology Officer may be very good at keeping your network up and running while addressing user issues as they arise, they are not specifically trained in information security. The roles are not synonymous. They provide two different realms of expertise, both crucial to your business.

  2. An Information Security Officer is an adversary

The second misunderstanding when considering the role is that it is oppositional to the business, much as some in management tend to see the internal audit function; this is untrue. An effective Information Security Officer, while giving senior management visibility into security issues, is very much a partner and resource to IT. This person is involved in designing a secure environment in addition to ongoing monitoring of that environment.

  3. The Information Security Officer should report to IT

While certain security operations fall within IT, it’s best that the role report to the risk or compliance department. This ensures that senior management has complete transparency into the issues that inevitably arise, and that the Information Security Officer has the ability to see the larger strategy of the executive team.

  4. An Information Security Officer comes with a hefty price tag

And the most popular fallacy surrounds the cost of an Information Security Officer. While hiring an Information Security Officer can be expensive, you can minimize cost by engaging a third party. Hiring an Information Security Officer, or the services they provide, decreases your institution’s risk of security breaches, which could cost your bottom line even more.

Having debunked some common fallacies, we hope you have a better understanding of a crucial role for your organization. Konica Minolta’s IT Services division, All Covered, offers Virtual Information Security Officer services at a fraction of the cost to hire a full time employee. Feel free to check out your options here.

Tara E. Spencer
CCBTO, Director, Compliance Services, All Covered Financial Division

Tara Spencer leads the Compliance Services team at All Covered. She has 25 years of financial, operational, and compliance audit and risk management expertise in the community banking space. Ms. Spencer is a graduate of Muhlenberg College with a Bachelor of Arts in Accounting and Economics, a Certified Community Bank Technology Officer (ICBA), and is a member of the Financial Managers Society (FMS).

Prior to joining All Covered, Ms. Spencer was the SVP of Audit and Compliance at First Choice Bank and the Director of Internal Audit and Compliance at Two River Community Bank. In these roles she was responsible for leading teams charged with all aspects of risk management and compliance, including information technology compliance, consumer compliance, enterprise risk management, vendor management, GLBA risk assessments, business continuity planning and disaster recovery for financial institutions. She has authored and enhanced many policies and procedures to guide senior leadership and employees in implementing safe and sound compliance, operational, financial and risk management practices.

Additionally, as the Director of Risk Advisory Services at McGladrey LLP, Ms. Spencer led a client-focused team that provided risk assessments, internal audit, compliance, and Sarbanes Oxley (SOX) consulting services for financial institutions with asset sizes ranging from one hundred million to five billion dollars, including co-sourcing and outsourcing arrangements.