Pub. 15 2020-2021 Issue 4

WWW.NEBANKERS.ORG 16 Jeff Spann, SVP Information Security Consultant/Regional Director - SBS CyberSecurity, LLC The Board of Directors Proactive Cybersecurity Mindset Board of Directors Responsi- bilities Financial institutions are eco- nomic engines that drive our com- munities. At the headof eachfinancial institution is a Board of Directors, who oversee and provide direction for the institution to ensure the operation and meet its customer needs. The re- sponsibility for such oversight ismas- sive and has evolved greatly over the last 10 years to include investments in technology and cybersecurity. The Board is held accountable to the institution’s shareholders, employ- ees, depositors, the community they serve, and the regulators for the operations of an efficient, safe and sound institution. Each institution is examined and measured on the capital, asset quality, management, earnings, liquidity and sensitivity to market risk, which is known as the CAMELS rating. An institution’s Information Security Program (ISP) is measured in themanagement component of the CAMELS rating and, whenmanaged proactively, provides safe and sound risk management practices for the operations of the institution. Managing the ISP is a team effort and includes all operational areas of the institution. To establish an organization that proactively man- ages the ISP, the Board annually appoints an Information Security Officer (ISO) to oversee the day ac - tivities involved in maintaining a well-managed ISP. Though the Board is ultimately held responsible for the ISP, the ISO oversees day-to-day information security activities and reports to the Board at least annually on the overall status of the ISP. Additionally, the Board appoints an Information Technology (IT – or similarly named) Committee to oversee the day-to-day IT operations and information security risk management. The Board reviews and offers credible challenges to IT Committeeminutes and reports provided, and as oversight, pro- vides an acceptance or approval. Much of proactive management is del- egated to the ISO and the IT Committee; however, the Board sets the organizational culture regarding security (mindset) and provides the direction for investing in technology and protecting that invest- ment. The Board ultimately determines, intentionally or unintentionally, whether an institution has a reactive or a proactive cybersecurity mindset. Reactive Mindset versus Proactive Mindset Each institution chooses – knowingly or unknowingly – to take a stance when it comes to its cybersecurity mindset. The different types of mindsets, typically driven by a “sudden need,” include: • Passive: taking the compliance- driven approach by choosing only to meet regulatory standards, which does not offer protection from to - day’s cyber threats. • Reactive: a step beyond passive, but only to include reacting to findings and recommendations from IT ex- ams and audits, which can provide some additional protection, but not enough to prevent or properly respond to a cyber incident. • Proactive: strategic thinking that moves beyond basic compliance to understand today’s threats and build an ISP that can get out in front of today’s cyber threats and still meet regulatory compliance. • Innovative: using IT and information security risk assessments to make better, more-informed decisions that can quantify risk and deploy the right controls to mitigate the most risk of a cyber incident. TECH TALK