Pub. 16 2021-22 Issue 1
NEBRASKA BANKERS ASSOCIATION

critical cybersecurity needs. An experienced vCISO service solution using an established methodology can close the response gap and reduce the impact of future employee turnover and future information security gaps while improving examination and audit results.

5. Establishing an Information Security Culture — The vCISO can be a central part of your leadership team and provide insight to develop the organization’s information security culture. Depending on the company you choose to partner with, the consultant may be available for IT committee and board meetings.

6. Training Staff to Safeguard the Organization’s Information — An important responsibility of a vCISO is strengthening employee understanding of cyber risk. This can include holding workshops to establish basic cybersecurity etiquette, communicating important security tips, making sure employees are using adequate passwords, and training employees on the proper use of multifactor authentication (MFA).

What should you consider before choosing a vCISO provider?

Prior to entering into an outsourcing arrangement, an organization should perform due diligence to ensure that the consulting firm has sufficient expertise and qualified staff members to perform the intended work. Since the arrangement is a professional services contract, the organization should be confident in the competence of the consulting firm and its staff. The proposal of service should:

• Define the expectations and responsibilities for both parties.
• Set the scope, frequency, and cost of work to be performed by the consulting firm.
• Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and the board of directors about the status of contract work.
• Establish the protocol for changing the terms of the service contract, especially for expansion of consulting work if significant issues are found.
• State that any information pertaining to the organization must be kept confidential.
• Specify the locations of deliverables.
• Specify the period for which deliverables will be maintained.
• State that services provided by the consulting firm may be subject to regulatory or audit review and that examiners or auditors will be granted full and timely access to the deliverables and related work papers prepared by the consulting firm.
• Define whether the consulting firm will or will not perform management functions, make management decisions, act or appear to act in a capacity equivalent to that of an employee or a member of management of the organization, and comply with applicable professional and regulatory guidance.

A Complete Solution

Organizations cannot pursue partial solutions to multifaceted issues such as regulatory compliance or cybersecurity risk and expect success. A well-designed vCISO approach will permit an organization to fulfill or complement information security management without burdening current staff, enabling the organization to grow the business, stay ahead of threats, address annual compliance needs and exceed regulatory expectations.

As you scrutinize whether a vCISO solution is an appropriate fit for your organization, keep in mind that the security and protection of your organization’s and your customers’ information are ultimately up to you. However, a good vCISO can truly guide you to make better cybersecurity decisions and do what is right to protect your organization.

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security and education. Learn more at sbscyber.com.