Regulations and Downturn Spell Challenges for Finserv CISOs

The regulatory landscape for financial services companies is tightening, and not so discreetly. Several recent examples of new impending legislation bring this issue into clear focus and highlight the need for sound leadership and ever-evolving information security measures.

Cyber Attacks Cost Millions

On November 9, 2022, the New York State Department of Financial Services (NYDFS) proposed an amendment to its current cybersecurity regulations, and New York typically paves the way for subsequent legislation across the country. This amendment requires businesses to “assign a Chief Information Security Officer (“CISO”) which oversees, implements, and enforces cybersecurity policies.” The cost of non-compliance can be severe.

The updated Safeguards Rule of the Gramm-Leach-Bliley Act will be effective on June 9, 2023. The mandate requires financial services institutions to “designate a qualified person to oversee their information security program, develop a written risk assessment, encrypt all sensitive information, train security personnel, develop an incident response plan, and implement multi-factor authentication.” 

Add to this the need to meet stringent cybersecurity insurance policy requirements, and the world of cybersecurity readiness is challenging, to say the least.

Collectively, new regulations and cyber liability insurance providers mandate robust information security measures centered around endpoint detection and response (EDR), extended detection and response (XDR), multi-factor authentication, IT security and privacy training, identity and access management (IAM), event notification, privileged access and password vaulting, security orchestration, automation, and response (SOAR), secure access service edge (SASE), and much more.

What this means is that regulated entities need to be nimble and forward-looking with their cybersecurity protection measures. Information security leaders need a mind shift away from mere prevention and toward resilience, because attacks will occur, and your livelihood depends upon how your business responds to them.

Recent statistics show ransomware attacks occur every 14 seconds, 300,000 pieces of new malware are created every day, and there are over eight million cyber-attacks annually.

What’s more, experts are predicting an impending economic downturn, and this is great news for bad actors. They thrive when organizations are weakened and vulnerable, and cyber-attacks are sure to increase in the new environment.

All this gloom and doom means you need a strong, very strong CISO in your organization. You cannot survive without one. If you find yourself in a situation without a permanent CISO, you must now hire a virtual CISO (vCISO) until you fill the role. Simply biding your time until you find the right CISO is no longer an option. The ongoing shortage of information security expertise does not help the situation. In fact, it strengthens the need to fill the hole now.

A vCISO fulfills your CISO requirements remotely on a contractual basis and can bring some very real benefits to your organization. As a contractor, they likely have years of industry expertise working with other clients in your sector and beyond, and with organizations large and small. They can bring this depth of knowledge and experience to your organization and put their best-practice learnings into play for you right away.

The right vCISO should provide leadership to the board, the executive team, and to your organization on a number of information-security-related issues including risk management, governance, compliance, incident response, disaster recovery, and business continuity.

vCISO Value

“A seasoned vCISO can come in, provide value in reviewing the current cybersecurity strategy and help recruit, select and transition to a full-time CISO.”¹

Your vCISO helps protect your infrastructure, people, data and customers in the absence of a permanent CISO. Top vCISOs focus on the following activities:

  • Fulfilling your CISO Requirement – fills your open CISO role (and meets any new regulations requiring a CISO) while you take your time searching for the best permanent replacement.
  • Putting a Plan in Place – conducts a cybersecurity audit of your organization and then develops an appropriate information security plan (ISP) consisting of availability, confidentiality, integrity (AIC) programs to ensure business continuity and compliance.
  • Increasing Protection and Remediation – puts the right technologies, team, and protocols in place to prevent attacks and recover quickly when they do occur.
  • Designing the Right Cybersecurity Team – develops an organizational construct of roles that need to be filled either with internal staff or new hires to protect your business and its data.

As you can see, the role of the virtual Chief Information Security Officer is a crucial one. They can start your information security planning, devise your organizational structure so you can begin hiring, employ risk management and compliance policies and procedures, and more, all while you take your time and search for the right permanent CISO to run your information security program down the road.

Don’t leave your business vulnerable to attacks or compliance infractions while you search. Start filling your cybersecurity gaps today and lay the groundwork for a safe and secure future. Consider hiring a vCISO today.


¹ “What is a Virtual CISO”, AT&T, Nov. 9, 2020.
