The financial industry is under attack. Cyber attackers continue to up their game by preying on individuals, small businesses and financial institutions, hoping to gain a more substantial payoff for their crime. One of the most comprehensive security breach studies, the Verizon Data Breach Investigations Report, reveals that worldwide the most common motive is financial (76%), followed by espionage (21%), with the remaining 6% being FIG (fun, ideology and grudge).
This shift toward attackers reaching for a more significant payoff is evident in the numbers. The Symantec Internet Security Threat Report shared that new ransomware attacks tripled in 2016, as the average ransom demanded spiked from $294 to $1,077. And Juniper Research reported that data breaches are estimated to reach a cost of $6.1 trillion by 2021, only three years from now.
Expenses aside, institutions risk their reputation and face regulatory scrutiny if they do not take the proper precautions. However, with a problem as large as cyber fraud, it's difficult to know where to start. For instance, hacking and malware attacks account for the most breaches, but social engineering attacks are rising to an almost equal threat. Of the hacking vectors reported for 2016, 51% were malware, while 43% were socially engineered, such as phishing and pretext calling. Even the most comprehensive cybersecurity program in the world isn't going to eliminate the risk of an attack or compromised data.
Institutions must shift their focus from cybersecurity to cyber resiliency, which bundles protection and detection with a plan for incident response and recovery. This effort includes a heavy emphasis on multi-factor authentication, early incident detection solutions and breach protocols that are constantly expanding in scope and adapting to the changing threats. This delicate balance of rapidly evolving factors is challenging, and its responsibility is often undefined among credit unions. Who should be responsible for cyber resiliency, and how much will it cost?
The FFIEC has taken a stance on this. First, financial institutions are responsible for having a written information security program, and the board must review and approve strategic IT plans that include security strategies for addressing ongoing and emerging threats. Second, management of an institution's information security program should be delegated to an independent information security officer (ISO). Third, management of the program by the ISO must be separate from IT operations.
States are becoming involved as well. New York recently introduced a regulation that requires financial institutions to retain a chief ISO, report cybersecurity incidents within specific timeframes, use multifactor authentication and implement encryption for data at rest. Regulators on a state and national level are expected to continue solidifying their requirements for a dedicated ISO that functions independently from IT.
The challenge is that today's markets have almost a 0% unemployment rate in information security, which demonstrates the type of insatiable demand for expertise in this space – a trend that is expected to last for at least 10 years, conservatively. Due to the demand and the expertise required, the average salary of an ISO is well into the six figures, which can be cost prohibitive in smaller organizations with limited resources. This expense, coupled with the challenge of identifying, attracting and retaining employees with the appropriate expertise, makes it difficult for credit unions to continuously employ proper ISOs.

In response, an alternative to an in-house ISO is trending. Credit unions are partnering with third-party trusted advisors to serve as their virtual ISO. This model leverages the economies of scale to provide institutions with certified experts who have the skillset, knowledge and experience to help them develop, implement and maintain scalable information security programs.
The Martinez, Calif.-based 1st Nor Cal Credit Union chose to outsource its information security program after feedback from state and federal regulators suggested that the credit union needed a certified ISO with the required security knowledge to ensure member data was adequately secured.
David M. Green, president/CEO of 1st Nor Cal, explained, “Due to the shortage of information security expertise in the market, it's a challenge for us to find someone qualified to be an ISO for an organization that is heavily regulated like ours, and the few that are out there are taking jobs with larger organizations. We turned to outsourcing the position as an alternative way to develop and run information security programs that are reliable and consistent with our business practices while maintaining compliance with the FFIEC.”
The competition that 1st Nor Cal faces is not unique to the San Francisco Bay area; credit unions of all sizes and locations are reporting the same challenge. Many institutions have their ISO duties spread too thin across multiple business segments and regulators are noticing. Regulators are increasingly calling on financial institutions to deepen the breadth of knowledge and expertise on their information security team, while adding a layer of independence between information technology and information security activities.
Institutions that have required information security officers to wear multiple hats, including managing IT, make up the early majority of institutions leveraging virtual ISO services in order to ensure proper compliance. Considering that the average tenure of a CISO is two to five years, institutions seeking to establish reliable and consistent cybersecurity leadership will continue the trend. Some credit unions are proactively incorporating the virtual ISO solution into their succession planning to ensure a smooth transition.
The security controls required of financial institutions are becoming more technical and are demanding higher levels of oversight. As this demand increases, so does the cost. A virtual ISO can improve a credit union's output by validating information security programs, providing clear and concise visibility into information controls and bolstering management's oversight of security. Lowering the expenses of an ISO while increasing the capabilities is a sound business decision that can be custom fit to a credit union's unique business policies. Investing in an outsourced ISO presents a more economical and efficient way to access top-of-the-line talent that can better protect your members' data and your credit union's reputation.
Viviana Campanaro, CISSP is a Security & Compliance Sales Engineer for Gladiator Technology, a ProfitStars solution. She can be reached at 856-983-2649 or [email protected].
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.