What keeps credit union executives up at night when it comes to cybersecurity? Is it the threat of a breach or the challenges of meeting regulator demands? For most executives, the answer is both.

However, not all credit unions have the resources to hire a full-time chief information security officer to safeguard member information and resources – thus making their executives' nights more restful.

That's why the Washington-based business continuity CUSO Ongoing Operations just began offering CISO as a Service, also known as CISOaaS.

“We learned credit unions are spending tons of compliance dollars and time, and some 90% of their pre-IT resources on just patching and keeping things running,” OGO President/CEO Kirk Drake said. “It's really hurting their ability to be more functional in the more business aspects of the credit union.”

The actual genesis for Ongoing Operations' CISOaaS began growing a couple of years ago out of the CUSO's client advisory board process. Clients said since OGO is a cloud provider, it had access to both protection expertise and tools, which many credit unions can't even begin to afford. So they asked the CUSO to extend its capabilities to include cybersecurity tools.

“We started down a path two years ago where we added a series of managed service provider tools around antivirus, desktop patching, asset control … all of those pieces, which are really the local environmental concerns that would align with the cloud,” Drake explained. “So whether they were doing things local or offsite, those tools would be the same.”

OGO later increased its capabilities by adding a series of perimeter defense pieces.

This year, the CUSO decided on a full-blown manifestation of its clients' suggestion by developing the shared security expert service. Drake explained CISOaaS is a tool many credit unions hoped for, as it helps bridge their security and compliance gaps and meets a major need.

“This combination of events gave birth to the idea of a systemic approach or process to managing the IT security lifecycle for the credit unions and giving them access to best in class resources and management techniques,” Drake said.

This piece helps individual credit unions afford technical and executive expertise to communicate the breadth and depth of their IT security issues to boards and auditors, Drake noted. It also ensures credit unions using OGO's CISOaaS are aware of changes in the market, the necessities to remain compliant, and available resources and tools.

OGO also plans to give credit unions appropriate procurement services, with the shared CISO serving as a personal security technology liaison along the way.

“We know where to find value, what works and what often fails,” Drake said. “We will cut through the marketing and technology jargon to help you understand the true costs and benefits of available organizational solutions.”

Three credit unions quickly signed on as CISOaaS pilots: The $2.9 billion, Laurel, Md.-based Tower Federal Credit Union, the $574 million, Rockville, Md.-based National Institutes of Health Federal Credit Union and the $87 million Washington-based Department of Labor Federal Credit Union. CISOaaS officially launches in early September.

The service is expected to provide access to security information gathered from the CUSO's enterprise-wide view as well as industry-wide trends and resources specific to disaster recovery, telecom, IT security and distributed denial of service mitigation. Drake said he anticipates a toolkit component to the service.

CISOaaS also provides clients with all the benefits of an in-house CISO without the overhead costs and assists with items that would otherwise cause stress for management and staff. As part of the service, credit unions will have access to:

  • An expert, independent and unbiased view of their risk, compliance and security postures;

  • An information security liaison to auditors, assessors and third parties;

  • Oversight and management of day-to-day security activities, reporting and events;

  • Coordination of security breach and incident investigations;

  • Policy development and recommendations that are in line with NCUA/FFIEC requirements and best practices;

  • A cybersecurity roadmap with strategic guidance in company growth, risk management and service offerings;

  • Long- and short-term strategic planning discussions designed to coordinate and align with cybersecurity plans;

  • An independent review of audit and assessment reports including assistance with prioritizing issues and tracking resolution;

  • An assessment of their personnel's information security skills and implementation of a multi-media education and cross-training program designed to arm staff with the skills necessary to protect information;

  • Guaranteed 24/7/365 access in case of a security event or other significant issue.

The shared CISO offers a full menu of areas of expertise. They include: Network segmentation, DDoS mitigation and clean pipe solutions, secure architecture and configurations, encryption and tokenization, cryptographic key management and performance, end-to-end and point-to-point encryption, holistic anti-malware and rootkit detection, secure messaging, mobile device management, anti-virus and anti-spam, data loss prevention, archiving/journaling, application security, access control and privilege auditing, security information and event management, file integrity monitoring, intrusion detection and prevention, incident response, risk assessment, and security policies and processes.

“On top of that we will take the credit union's individualized policy components and methodology, and philosophical components of their IT security, and blend those levels together into a full lifecycle piece,” Drake explained.

CISOaaS does not require credit unions to use all of those tools.

Drake said while the CUSO is open to having conversations with credit unions that are not OGO customers, its priority is to onboard existing investors and credit union clients.

“This is one of those things in which collaboration can help substantially in improving credit unions' approach and methodology,” Drake noted. “It is also something I don't think they can magically solve on their own. As an industry, if we pooled our resources together, this would not be an issue or a distraction, but because we are also ad-hoc, it creates a lot of challenges. This is something CUSOs can do to help credit unions.”

OGO, formed in 2005 as a business continuity CUSO by a group of credit unions, has grown from serving a handful of local organizations to more than 500 clients nationwide due to the growing complexities of disaster recovery planning. Over time, it acquired three companies: CU Recover – Business Continuity Planning, Teneros Email Replication and Cloudworks, a secure and redundant cloud computing platform.

As credit union disaster recovery and business continuity has evolved, so have OGO's solutions. Beyond traditional solutions such as business continuity planning, data vaulting and business continuity appliance, it added cloud solutions to become both a business continuity and cloud CUSO.
