The FFIEC Management Handbook and best practices note that Information Security Management is critical to the overall success of the financial institution. The ‘M’ (Management) function of the CAMELS rating system continues to expand into information security and cybersecurity. The Management Handbook highlights the need for a Chief Information Security Officer (CISO) or, for smaller institutions, an information security officer. “To ensure independence, the CISO should report directly to the board, a board committee, or senior management and not IT operations management.” For community financial institutions, finding the right candidate to manage information security is not easy. These 12 roles highlight what your institution should prioritize in your internal or virtual information security officer. Note that the links provided go straight to the sections referenced in the handbooks.

1) Independence - There is a natural conflict between IT / Operations and Information Security / Cybersecurity. The goal of IT / Operations is to service customers and employees as efficiently as possible and with minimal to zero downtime, while Information Security / Cybersecurity focuses on protecting critical information and access from cyber threats. These contrasting views require independence in the governance of information security. “The Institution should separate information security management and monitoring from the daily duties of IT operations.” (FFIEC Management Handbook – Information Security)

2) Ability to Prioritize - Information security and cybersecurity management has an “information problem,” as in an overload of information. Institutions are supposed to monitor FS-ISAC alerts (thousands of emails), review vendor management packets (hundreds of pages), track cyber threats and actions (daily, weekly, monthly, and quarterly reports), perform cybersecurity self-assessments, and then communicate the findings to senior management and the board. To further complicate the matter, senior management and the board do not typically have a technical background. Effective management of information security requires the ISO to be able to prioritize and communicate what is most important at the right time and frequency.

3) Empower Them to Find the Crown Jewels - Understanding where customer information and non-public information is located is the first step in information security. Getting up to speed on customer information storage locations allows for streamlining the information security officer functions. Do your management team and board know all of the “crown jewels” and their locations?

4) Understands What Protects the Crown Jewels - Once the crown jewels are located, providing data flow diagrams of the assets is the next step. Data flow diagrams help teams visualize the crown jewels and the protections in place. The information security officer should manage these diagrams for board and customer use, creating a less complex view into the systems for oversight.

5) Understands the Examiner Expectations - We have had a steady increase in examiner expectations on protecting cybersecurity over the last couple of years, including updates to the Information Security and IT Management Handbooks for the first time in 10+ years, the release and update of the Cybersecurity Assessment Toolkit, and enhanced IT Exams with InTREx. I recently wrote an article that summarizes the 10 examiner focus areas.

6) Aware of New and Evolving Threats - The FFIEC recommends tracking threats and responding to them (FFIEC Information Security Handbook). If you or your institution is signed up for these alerts (FS-ISAC, CERT, Homeland Security), the volume is typically overwhelming. How often are they reviewed? How are the alerts managed? It is not uncommon in my conversations for bankers to have a folder created for threat intelligence feeds and to have thousands, if not tens of thousands, of unread emails.

7) Treats Cybersecurity as “When,” Not “If,” There Will Be an Event - Effective cybersecurity management doesn’t end with Identify, Protect, and Prevent. The next two steps are Respond and Recover. The NIST Framework on cybersecurity highlights the relationship between these five areas. It is unfortunate, but in today’s world there is no silver bullet to protect against cyber threats. Examiners are getting on board with this concept, issuing a recent statement on Cyber Insurance. (NIST Respond and Recover)

8) They Understand the Unique Configurations of Banking Applications – Banking applications are complex, especially when they integrate into core processing systems. Every application is configured differently, and understanding the software’s purpose combined with the flow of customer information allows for managing the risks to customer information throughout the process. Some often-overlooked systems that hold customer information are telephone banking, OFAC reporting systems, loan systems, and even teller stations (offline teller transactions).

9) Well Informed on Technical Configurations – An effective Information Security Officer needs to know enough about technology to challenge reports from providers and internal IT teams. The goal of the reports from providers and internal IT is to highlight their value, but they may not show the full picture the ISO needs to understand.

10) Integrates Cybersecurity into Everything at the Institution – All too often cybersecurity has been a priority only for IT and Operations, but for effective Information Security and Cybersecurity Management, every employee, process, and vendor needs to be part of the protection for the institution.

11) Manages Vendors as if They Were Internal - Financial institutions cannot outsource responsibility, and practical information security requires review and oversight of all critical information, including information that is located with vendors.

12) Leads Employee Training – People are and always will be the weakest link in cybersecurity. The institution’s ISO should manage and create specific content for all employees. Additionally, the education should be tailored to job role, e.g., Customer Service, IT and Operations, Senior Management and Board, etc.

Having an information security officer who can fill and manage these roles effectively will reduce the impact and risks of cyber threats, but unfortunately, it will not completely remove them.

Finosec is dedicated to helping our customers better manage and navigate cybersecurity, by assisting with Information Security Officer (ISO) support and Virtual ISO. To learn more about Finosec, you can follow our company or reach out to us at