Our Virtual CISO Services

A Tailored Solution
With decades of cybersecurity experience in financial institutions and 9+ years of vCISO work in banks and credit unions nationwide, we've developed a tailored solution that sets the standard for excellence—our Virtual CISO services, powered by the proprietary CySPOT™ platform.

With a personalized, high-touch approach, you’ll have a dedicated vCISO Senior Advisor and vCISO Specialist ready to work with your team from day one. Our services are modular, allowing for customization to fit your specific needs and budget—all powered by CySPOT™.

Want to know more about what makes our vCISO services stand out?
Visit our Why Bedel Security vCISO Services page for more details!
Let's Take a Closer Look at Our Virtual CISO Modules
Our base offering is the Virtual CISO. It can act as a standalone service or be enhanced with any of our other modules in any combination.
The sections below describe the deliverables and details of each module:
Virtual CISO
The CySPOT™ Program's core offering is the Virtual CISO, essential for accessing other modules. It includes basic consulting services, participation in monthly IT or Information Security meetings, and a monthly IS Update meeting.
Deliverables:
- Advice and Consultation on Information Security via meetings, phone, and email
- IT Meeting Participation
- IS Update Meetings
- Threat Intelligence Sharing
- Participation in Audit and Exam Meetings
- Cyber Insurance Review
- Ransomware Self-Assessment Tool
- Information Security Strategic Plan
Governance
The Governance module offers oversight and management for your cybersecurity program. This includes developing an annual task list and calendar for the information security program, leading monthly information security meetings, setting the agenda, and documenting the minutes. Additionally, the module tracks IS-related audit and exam findings. This option helps maintain progress and organization within the information security program.
Deliverables:
- Agenda and Minutes for Information Security Meetings
- Tracking of Audit & Exam Findings and Risk Remediation
- ISP Task List and Updates
Incident Response Planning and Prep
The Incident Response Planning and Preparation module ensures readiness for cyber events and incidents. An Incident Response Plan is developed, and an Incident Response Plan Tabletop Exercise is conducted to assess team preparedness and identify areas for plan improvement.
Deliverables:
- Incident Response Plan Review and Update
- Incident Response Tabletop Exercise & Report
- Discounted hourly rate for Incident Response Consulting (billed separately as needed)
Risk Management
The Risk Management Module aids in the identification of cyber risks and the evaluation of controls designed to mitigate these risks. This module includes an Information Security Risk Assessment, an Access and Authentication Risk Assessment, and our CySPOT™ CSF+, which is built on the NIST Cybersecurity Framework 2.0. These processes assist in prioritizing areas for improvement and focus. Additionally, your institution may receive up to three risk assessments for new technologies under consideration.
Deliverables:
- CySPOT™ IS Risk Assessment & Management Report
- CySPOT™ CSF+ Analysis & Management Report
- Risk Appetite Statement Review & Update
- Up to 3 New Technology Risk Assessments
Optional:
- Additional New Technology Risk Assessments
Monitoring & Oversight
The Monitoring and Oversight module facilitates your institution's ability to gain a comprehensive understanding of its risk profile through the Key Risk Indicator (KRI) Dashboard. We will collaborate with your institution to acquire essential monitoring reports. These reports will then be analyzed, and management will be provided with a monthly summary of statistics presented in the form of a KRI dashboard. Additionally, guidance can be offered to your IT staff concerning the resolution of critical issues discovered during this review.
Deliverables:
- Review of Monitoring Reports
- KRI Dashboard
DOES NOT INCLUDE
- 24x7x365, real-time security monitoring
- Daily log monitoring and initial response to log events or alerts
- Security asset administration (firewalls, IDS/IPS systems, antivirus systems, etc.)
Information Security Policies
The Information Security Policies module keeps your policies cohesive and updated. The existing security policies will be reviewed, the current structure identified, and BEDEL CySPOT™ Program Policy Templates implemented, including an overarching Information Security Policy and an Acceptable Use Policy. Suggested enhancements will be included where necessary, with annual updates provided by BEDEL.
Deliverables:
- CySPOT™ Information Security Policy Set Template
- CySPOT™ Acceptable Use Policy Template
- Information Security and Acceptable Use Policy Review and Update
Third-Party Risk Management
The Third-Party Management Module ensures effective risk management of your key third parties. In a shared responsibility model, BEDEL will collaborate with your staff to establish your Third-Party Management Program. This includes providing templates and fundamental training. BEDEL will offer ongoing support for the program and conduct information security due diligence reviews for up to seven existing critical third parties annually. Additionally, you will receive due diligence reviews for up to three new third parties each year if there is a need for a change. The entire program is summarized and reported to the board on an annual basis.
Deliverables:
- Establish the Third-Party Risk Management Program, including Policy, Risk Thresholds, Tracking Sheets, Request Lists, Review Checklists, Etc. (for internal use)
- SOC2 reviews for up to 7 Critical Third Parties
- Review up to 7 Critical Third-Party Contracts for GLBA requirements***
- Third-Party Management Board Report
Optional:
- Additional Critical Third-Party SOC2 (or questionnaire) reviews
- Additional GLBA Contract reviews ***
***We are not lawyers and cannot provide legal advice. Contract Reviews are meant to assess the regulatory compliance of a contract only and should be a part of your larger contract review process, including legal review by your lawyer.
Privileged User Activity Review
Privileged accounts present the highest risks to the financial institution. Having an independent review process of administrative activity is a key control in reducing this risk, but can be a challenge. This module provides independent oversight by the BEDEL team in a collaborative manner through monthly activity review meetings.
Deliverables:
- Identification of Critical Systems Requiring Review
- Collaborative Review of Log Reports for Critical Systems
- Tracking of Remediation Items Requiring Action or Investigation
Audit & Exam Prep
The Audit and Examination Preparation module facilitates the readiness of your financial institution for one IT audit and one IT examination annually. BEDEL will collect, organize, and coordinate the required materials prior to the audit or examination. Additionally, assistance will be provided in formulating responses to any findings. This module seamlessly integrates with the Governance deliverable for tracking audit and examination findings.
Deliverables:
- One IT Audit Preparation, Organization, and File Delivery of Audit Request Items
- Coordination of Final IT Audit Report with Management Responses
- One IT Exam Preparation, Organization, and File Delivery of Exam Request Items
- Proactive Audit and Exam Collection with Governance Module
**We will not collect any items that contain PII.
ID Theft Red Flags
The ID Theft Red Flags module meets the regulatory requirements for maintaining an ID Theft Red Flags Program. This module helps to develop or improve the financial institution’s ID Theft Program, including creating an ID Theft Red Flags Policy, conducting a Risk Assessment, and preparing an annual Board Report.
Deliverables:
- ID Theft Red Flags Policy
- ID Theft Red Flags Risk Assessment of Covered Accounts
- ID Theft Red Flags Program Board Report
Business Continuity Planning
The Business Continuity Planning Module assists your organization in developing a comprehensive recovery plan for unforeseen disruptions. BEDEL will work with your institution to identify critical processes and components, as well as determine the desired Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each component through the Business Impact Analysis (BIA). Subsequently, you will receive the CySPOT™ Business Continuity Plan template, organized and prioritized based on systems identified in the BIA. Additionally, annual Tabletop Tests for up to two scenarios will be facilitated, accompanied by a detailed report on the results and actionable items.
Deliverables:
- Business Impact Analysis
- CySPOT™ Business Continuity Plan Template
- Business Continuity Tabletop Test and Report (up to 2 scenarios)
DOES NOT INCLUDE
- Functional Business Continuity or Disaster Recovery Testing
- Response to actual business continuity disruptions
User Testing & Training
The User Testing and Training Module helps employees detect cyber threats. Monthly phishing campaigns and training sessions will be implemented and managed using KnowBe4. Progress will be tracked, and reports compiled for management. KnowBe4 licenses are required and may incur additional fees.
Deliverables:
- Phishing Testing
- Training Modules
- Updates to Management on Testing and Training
Board Cyber Awareness
This module ensures that your Board stays updated regarding your Information Security Program. The annual GLBA Board Report will be prepared and presented remotely, along with relevant Board training on current cybersecurity topics and trends. Onsite presentations can be arranged for an additional fee.
Deliverables:
- Information Security Program or GLBA Board Report delivered virtually by BEDEL
- Board Cyber Training delivered virtually by BEDEL
vCISO Services Pricing
Our vCISO services are designed to be repeatable, efficient, resilient, customizable, scalable, and most importantly, affordable with transparent pricing. We've simplified things by grouping our services based on the asset size of your bank or credit union, ensuring you get the right level of expertise for your institution’s size and complexity.
While our vCISO services aren’t the cheapest option, they offer incredible value when compared to alternatives. For example, hiring a full-time CISO or assigning the role to an inexperienced staff member may be options, but they often come with significantly higher costs or risks. By choosing our Virtual CISO services, you can achieve the same high level of security expertise at a fraction of the cost.
Check out the table below as an example!
| | In-house CISO – CISSP w/ 5+ years experience | In-house CISO – little or no experience | Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions under $1B in assets. | Bedel Security Virtual CISO – CISSP w/ 5+ years experience. For institutions $1B-$2B in assets. |
| --- | --- | --- | --- | --- |
| Base Cost | $135,000 | $85,000 | $55,000 | $87,000 |
| Training & Certification | $1,500 | $1,500 | N/A | N/A |
| Insurance (health, vision, dental, life) | $6,000 | $6,000 | N/A | N/A |
| Taxes (7% of base) | $9,450 | $5,950 | N/A | N/A |
| Retirement (4% match of base) | $5,400 | $3,400 | N/A | N/A |
| Onboarding Cost | $13,200 – assumes a 4-week period to acclimate | $33,950 – assumes a 16-week period to acclimate due to less experience | N/A | N/A |
| Year 1 Cost | $183,750 | $135,800 | $75,000 | $107,000 |
| Year 2 Cost | $170,550 | $101,850 | $55,000 | $87,000 |
| 2 Year Average Total | $354,300 | $237,650 | $130,000 | $194,000 |
*These numbers are based on the average number of modules we see clients in these ranges select. For larger institutions or to get pricing specific to your unique needs, please schedule an introductory call.
The Bedel Security Guarantee
Although we have a 99% renewal rate, we understand there’s still some risk in starting a relationship with a new vendor. Our guarantee is pretty simple. If in the first 60 days of using our vCISO Services you don’t feel like your cybersecurity program is making the progress that it should, let us know and we’ll give you a full refund.
We want to change the way community banks and credit unions are managing cybersecurity, and we’re confident enough in our team and our CySPOT™ platform that we don’t want you to feel like you're taking a risk by working with us.

Not having the internal resources necessary to adequately manage our information security program, we knew we needed to seek out third-party assistance. Bedel Security came highly recommended to us by another community bank, and after speaking with them about the services they provide, contracting with them for vCISO services was an easy decision. Their expertise and guidance have been instrumental in helping us develop a top-notch information security program. They are our partners, and that partnership is invaluable to us.
Bedel Security has been an incredible asset to our bank. Their team has done a great job.
I appreciate the professionalism and capability with which Bedel Security approaches information security and risk assessment. Our information security program is now clearly defined, fully documented, and easily followed by internal employees, board members, and external auditors.
Bedel Security has turned out to be an excellent partner for the Bank. Our Bedel team is very knowledgeable and industry-savvy. They are supportive of, collaborate with, and have been the perfect complement to, the Bank’s IT team. Their involvement has greatly enhanced our information security program and made it much more robust. They continue to help the Bank perform well in audits and help the IT team shine in our presentations to Management and the Board of Directors.
Bedel Security has a grassroots-level understanding of the security challenges faced by a community bank, so it was very easy to work together and their real-world experience was evident as we considered possible options to address the challenge. I look forward to working with Bedel Security on future projects as the threat landscape continues to evolve.
From the beginning of our relationship, Bedel has proven to be an even greater asset than I could have hoped. Their attention to detail and organizational cadence have allowed us to make significant strides in our IT governance in short order. We appreciate their approach as a partner and sincerely welcome working with them going forward.
The company... the service... the staff have exceeded our expectations. Our senior and specialist have been great to work with. We sincerely appreciate the service they provide and the great working relationship. I really feel good with the direction we are headed.
I appreciate Bedel Security’s passion and drive to help us stay ahead of Cybersecurity issues that banks face. They recommend solutions that make sense for community banks. Bedel Security is experienced, dedicated, service-oriented, and an asset to our bank.
Working with the team at Bedel Security has been a great experience for us. When we first considered outsourcing our ISO duties we were a little hesitant, as we’ve always been an “in-house” organization when it comes to this aspect of business. They have been a pleasure to work with and have taken the time to coordinate our ISO reporting needs to our Board, our vendors, and have patiently trained us along the way. I highly recommend considering this team for your virtual ISO needs.
Our team couldn’t be happier with the services provided by Bedel Security. Our bank was looking for a virtual Chief Information Officer as well as assistance revamping our existing information security strategy. Bedel Security has more than delivered on both accounts. Bedel Security provided us with a clear and concise roadmap to an improved information security program, including updated policies, procedures, and risk assessments. We now have a dedicated virtual Chief Information Security Officer who is actively engaged in our overall risk management program and meets regularly with our information security committee, including providing information about the current trends and threats in the marketplace.
A few years ago, our ISO and SVP retired. Our bank looked into promoting within the bank or hiring a company to be our virtual ISO. After some discussions both inside & outside the bank, we decided to outsource the ISO position. Bedel Security quickly rose to the top of the list of companies that provide vISO services. Having security in our corner has been a great experience. Their knowledge, expertise, & thoroughness are unmatched. We have not had any FDIC or state examiners ever question the documentation that we receive from Bedel. I expect our relationship with them to continue for a long time.
Bedel Security has been a great partner to our bank with their virtual CISO services. They do an excellent job and it gives me confidence that we are doing all we can in this extremely important area. They allow me to focus on my other responsibilities at the bank.
Don't Wait for a Cyber Incident to Take Action
Think about what it would be like to have a team of experts guiding your information security program. Think about how reassuring it would feel to have a partner to turn to in the event of a cyber incident at your bank or credit union.
So what happens next? There are a variety of ways you can proceed.
Schedule an Introductory Call
We’ll chat with you about your situation with ZERO obligation on your end. We’ll even tell you if our program is not a good fit for you at this time.
Download our Whitepaper
If you’re curious about the virtual CISO concept and would like to know more about how it could benefit your bank, download our whitepaper, Banking on Security: The Outsourced CISO Solution.
Learn About our Other Services
If you’re not sure our vCISO services are the right fit, check out some of our other services.
Sign up for our Newsletter
Maybe now isn’t the best time. You’re in the middle of a contract or it’s not in your budget, but you’d like to stay in touch.
Check out our Resources
We've created some great resources for you to use. From downloadable templates to educational videos, we have a little something for everyone.