Welcome to the first of our eight-part content series based on data pulled from our 2021 State of Cybersecurity Report. Earlier this year, Tandem surveyed more than 230 financial institution cybersecurity professionals and built a report with the latest information on the industry's current state of cybersecurity. Security and compliance experts from Tandem evaluated data collected from the survey and encountered several significant findings.

Specifically, the "ISO Management and Staffing" portion of the survey showed some intriguing and diverse results. In this article, we will examine the current state of ISO management and staffing, reviewing topics such as:  

  • The level at which institutions outsource their cybersecurity programs. 
  • Education and experience within the ISO role.
  • Relationship between the IT and cybersecurity departments. 

Cybersecurity Outsourcing

The survey revealed only 22% of respondents manage their cybersecurity program fully in-house. The rest of the respondents reported their cybersecurity was, at least partially, managed by a third party. Based on data from the last two years, the number of financial institutions managing their cybersecurity fully in-house is gradually decreasing as more are outsourcing at least some of their cybersecurity work to third-party organizations.

One possible reason for this could be the increase in the frequency and complexity of cyber attacks, which often leave a path of expensive destruction. As attackers become more capable, there is an overwhelming need for targeted institutions to ensure they are adequately prepared for defense. Another reason could be heightened regulatory expectations. As rules and regulations around information security and privacy continue to evolve, increasing levels of expertise are necessary to keep pace.

Whatever the cause, financial institutions increasingly continue to outsource work to cybersecurity experts or bring in cybersecurity software solutions to both lighten the load and better position themselves when facing the unknown. 

ISO Education and Experience 

If you are an Information Security Officer or know one, you know this role requires its occupants to perform the duties of a superhero. A financial institution ISO often wears several hats in keeping the organization and its customers secure. 

The survey data shows that financial institution ISOs vary widely in their years of experience, knowledge, expertise, and credentials. However, more than 90% of surveyed ISOs stated they had at least two years of experience in their institution, and 77% of respondents stated they have more than 5 years' experience. This shows a longevity which may not be as common for individuals who hold an information security role in other industries, based on other studies.

A possible contributing factor to this longevity may be the different ways financial institutions fill the ISO role. For example, some institutions designate a team of individuals to fulfill the ISO duties, while others employ a single, full-time ISO, or employ a hybrid of the two through outsourcing. While no one solution is objectively better than another, it is important for financial institutions to choose a model which is tailored to their size and complexity, and suits their business goals and objectives.

Technical certifications are a popular educational resource for cybersecurity professionals. According to the survey, the top certifications held by financial institution ISOs include:

Interesting Find – 32% of survey respondents reported their institution's ISO or ISO committee members held a bachelor's degree outside of IT or cybersecurity. 

Relationship Between the IT and Cybersecurity Departments 

As the ISO role in financial institutions varies, so does the relationship between the IT and cybersecurity departments. Over the past two years, survey data has shown financial institution ISOs have become more independent of the IT department. This year's survey showed 35% of ISOs now report to the Board or a separate senior manager, up from 22% a year ago.  

Here's a closer look at what we found.

With the advancement and implementation of new technology comes additional cybersecurity concerns. This requires businesses, like financial institutions, to take measures to stay one step ahead of attackers. The data shows more financial institutions are seeing the value of independence in these two functions, which is connected to improvements in reporting and cybersecurity program investment.

Both the IT and the cybersecurity departments hold several responsibilities that often overlap, so many small-to-medium financial institutions have historically combined the two into one department. However, due to growing security challenges, financial institutions should continue considering measures to separate the two. 

Key Takeaways 

ISO management and staffing is a rapidly changing aspect in financial institutions. As cyber incidents increase in complexity and cost, organizations are having to invest in a more solid protection program. This looks different for each financial institution, based on levels of in-house expertise, structure, and budget. 

Interested in learning more about the 2021 State of Cybersecurity in the Financial Institution Industry? Read the full report at tandem.app/2021-full-cyber-report.