5 Objectives for a Chief Information Security Officer

by Chris Bedel | Apr 6, 2018



We often get asked, "what are the most important things a Chief Information Security Officer (CISO) should be doing in an organization, particularly a financial institution?"

While the tactics can vary from organization to organization, the key objectives should be very similar across the board.  This is the case whether you have a full-time employee filling the CISO role, or if you're outsourcing these duties.

Regardless of who fills the role, the key objectives for the CISO should always include these elements (and if you find yourself needing help or guidance in any of these areas, be sure to check out our additional resources listed at the bottom of the page):

  1. Manage Risk
    A CISO should have a handle on what information assets are in the environment and where the risks are for those assets.  Based on the risk, the CISO should work with management to create a plan for mitigation.  A good CISO understands how to prioritize this action plan.

  2. Communication
    A CISO should communicate to management and the board, in plain English, on how the business could be affected by various threats and advise on possible solutions.  A CISO needs to be an educator on information security and cybersecurity to the various stakeholders throughout the organization.

  3. Incident Response
    A CISO should help develop, train, and lead the incident response program in the organization.  Cyber resiliency, or being able to withstand and recover from a cyber attack, is a must in every financial institution.  The CISO doesn't have to be the first responder or a forensics expert, but they need to set the tone for how decisions will be made and to be sure that everyone is on the same page.

  4. Compliance
    Being in a heavily regulated industry, banks and credit unions have to be on top of regulatory requirements and trends.  While you want your CISO focusing more on risk and security, they have to be aware of and adept at handling compliance with various governing bodies.  This will continue to grow as everyone seems to want to be in on the mix, including state, federal, and international laws affecting cybersecurity and privacy.

  5. Strategy
    A CISO should be able to see the big picture and how all the pieces tie together.  A CISO should develop goals and plans that align with the overall business objectives of the financial institution.  At Bedel Security, we call this "making cybersecurity a business enabler", and it may be the most important objective your CISO can have.


Additional Resources:

Want more information on the Chief Information Security Role and how it relates to the other roles in your Information Security Program? Check out this video!

Curious how your information security program is managing these elements with or without a CISO? Download our CySPOT Health Index™ and see for yourself!

