The financial industry is under attack. Cyber attackers continue to up the game by preying on individuals, small businesses and financial institutions, hoping to gain a more substantial payoff for their crime. One of the most comprehensive security breach studies, the Verizon Data Breach Investigations Report, reveals that worldwide fraud motives are most commonly financial (76%), followed only by espionage (21%), with the remaining 6% being FIG (fun, ideology and grudge).

This shift toward attackers reaching for a more significant payoff is evident; look at the numbers. The Symantec Internet Security Threat Report shared that new ransomware attacks tripled in 2016, as the average value demanded spiked from $294 to $1,077. And Juniper Research reported that data breaches are estimated to reach a cost of $6.1 trillion by 2021, only three years from now.

Expenses aside, institutions risk their reputation and face regulatory scrutiny if they do not take the proper precautions. However, with a problem as large as cyber fraud, it's difficult to know where to start. For instance, hacking and malware attacks account for the most breaches, but social engineering attacks are rising to an almost equal threat. Of the hacking vectors reported for 2016, 51% were malware, while 43% were socially engineered, like phishing and pretext calling. The most comprehensive cybersecurity program in the world isn't going to eliminate the risk of an attack or compromised data.

Institutions must shift their focus from cybersecurity to cyber resiliency, which bundles protection and detection with a plan for incident response and recovery. This effort includes a heavy emphasis on multi-factor authentication, early incident detection solutions and breach protocols that are constantly expanding in scope and adapting to the changing threats. This delicate balance of rapidly evolving factors is challenging, and its responsibility is often undefined among credit unions. Who should be responsible for cyber resiliency, and how much will it cost?

The FFIEC has taken a stance on this, stating that, first, financial institutions are responsible for having a written information security program, and the board must review and approve strategic IT plans that include security strategies for addressing ongoing and emerging threats; second, management of an institution's information security program should be delegated to an independent information security officer; and third, management of the program by the ISO must be separate from IT operations.

States are becoming involved as well. New York recently introduced a regulation that requires financial institutions to retain a chief ISO, report cybersecurity incidents within specific timeframes, use multifactor authentication and implement encryption for data at rest. Regulators on a state and national level are expected to continue solidifying their requirements for a dedicated ISO that functions independently from IT.

The challenge is that today's markets have almost a 0% unemployment rate in information security, which demonstrates the type of insatiable demand for expertise in this space, a trend that is expected to last for at least 10 years, conservatively. Due to the demand and the expertise required, the average salary of an ISO is well into the six figures, which can be cost prohibitive in smaller organizations with limited resources. This expense, coupled with the challenge of identifying, attracting and retaining employees with the appropriate expertise, makes it difficult for credit unions to continuously employ proper ISOs.

In response, an alternative to an in-house ISO is trending. Credit unions are partnering with third-party trusted advisors to serve as their virtual ISO. This model leverages economies of scale to provide institutions with certified experts who have the skillset, knowledge and experience to help them develop, implement and maintain scalable information security programs.

The Martinez, Calif.-based 1st Nor Cal Credit Union chose to outsource its information security program after feedback from state and federal regulators suggested that the credit union needed a certified ISO with the required security knowledge to ensure member data was adequately secured.

David M. Green, president/CEO of 1st Nor Cal, explained, “Due to the shortage of information security expertise in the market, it's a challenge for us to find someone qualified to be an ISO for an organization that is heavily regulated like ours, and the few that are out there are taking jobs with larger organizations. We turned to outsourcing the position as an alternative way to develop and run information security programs that are reliable and consistent with our business practices while maintaining compliance with the FFIEC.”

The competition that 1st Nor Cal faces is not unique to the San Francisco Bay area; credit unions of all sizes and locations are reporting the same challenge. Many institutions have their ISO duties spread too thin across multiple business segments, and regulators are noticing. Regulators are increasingly calling on financial institutions to deepen the breadth of knowledge and expertise on their information security team, while adding a layer of independence between information technology and information security activities.

Institutions that have required information security officers to wear multiple hats, including managing IT, are leading the early majority of institutions leveraging virtual ISO services in order to ensure proper compliance. Then, considering that the average tenure of a CISO is two to five years, institutions seeking to establish reliable and consistent cybersecurity leadership will continue the trend. Some credit unions are proactively incorporating the virtual ISO solution into their succession planning to ensure a smooth transition.

The security controls required of financial institutions are becoming more technical and are demanding higher levels of oversight. As this demand increases, so does the cost. A virtual ISO can improve a credit union's output by validating information security programs, providing clear and concise visibility into information controls and bolstering management's oversight of security. Lowering the expenses of an ISO while increasing the capabilities is a sound business decision that can be custom fit to a credit union's unique business policies. Investing in an outsourced ISO presents a more economical and efficient way to access top-of-the-line talent that can better protect your members' data and your credit union's reputation.

Viviana Campanaro, CISSP, is a Security & Compliance Sales Engineer for Gladiator Technology, a ProfitStars solution. She can be reached at 856-983-2649 or [email protected].
