By Zach Duke
Financial institutions face a pressing issue in terms of employee retention, especially when it comes to their information security officers. ISOs are in high demand, which makes keeping cybersecurity talent difficult amid high turnover rates. Banks and other institutions once only had to compete against the local business community for talent, but in today’s post-pandemic environment, where it is not uncommon for ISOs to work remotely, remote work has exacerbated this challenge by widening the field of competitors.
Banks must understand what is causing the challenges of ISO retention, the critical steps to take when one departs, and the succession planning that can be implemented today to reduce risk and exposure.
ISOs are the linchpin of banks’ information security program governance. But holding onto these team members is becoming increasingly difficult. The allure of the job market, coupled with the high-stress nature of the position, often leads to burnout. Dealing with examiners and the over-reliance on manual, labor-intensive tasks only add to the strain.
Loss of an ISO can weaken a bank’s defensive stance and compliance framework, potentially exposing it to cyber threats and regulatory scrutiny. The American Bankers Association Banking Risk and Compliance Management 2023 Outlook Survey found that cybersecurity remains the top risk priority for community banks, with a significant 74 percent of responding institutions identifying it as such. Having a gap in that critical role can lead to catastrophic consequences.
When an ISO departs
To ease the stress of losing such a critical role, many financial institutions are turning to automated tools and solutions that are designed to streamline and simplify the compliance process and help banks navigate the complex landscape of information security and compliance.
With these tools in place, banks experience:
- Enhanced information security. Banks significantly improve their information security posture and meet compliance requirements.
- Peace of mind. Bank executives can focus on strategic leadership with the confidence that information security governance is in capable hands.
- Automated risk assessment. With automated risk assessment processes, manual effort is reduced, and a more comprehensive evaluation of risks is ensured.
- Efficient oversight. Automated solutions empower banks to efficiently manage vendor relationships and assess controls.
When Franklin, West Virginia-based Pendleton Community Bank’s ISO left, the bank faced a significant void in its oversight capabilities. The bank realized it needed to establish an effective process for information security governance and cybersecurity oversight to ensure compliance and peace of mind.
The bank turned to an automated governance platform that gave it a proven blueprint for information security. With this solution, the bank is able to identify, assess and mitigate risks effectively.
“With this solution in place I can focus on leading the bank, secure in the knowledge that our cybersecurity and information security governance are being handled professionally,” said Bill Loving, CEO of Pendleton Community Bank.
Succession planning to implement today
There are certain issues banks should be thinking about proactively and processes they should implement in their institutions to ensure they are prepared for ISO departures:
- Review the security tasks and policies from the last 12 months. Was anything missed? Do you have the approved documents and assessments centrally located?
- Audit schedule. Note the dates of forthcoming audits and regulatory exams to ensure readiness. How soon are the dates? Information security is not a series of one-and-done events, but rather a consistent plan and process. Use the next exam or audit as a milestone around which to plan remediation in phases.
- Innovate processes. Use this transition as a chance to improve or automate laborious, manual security tasks. What can be done more efficiently? Technology platforms and tools that streamline repetitive work are a common source of such improvements.
- Review documentation. Who are your vendors and what systems are implemented? How comprehensive and up to date is the data? Confirm that system maps and vendor information are current and accurate, as a large portion of information security governance is related to systems and vendor management.
- Revoke access. Ensure that all accounts, credentials, and system access privileges associated with the former ISO are revoked or transferred to prevent unauthorized access.
- Evaluate IT controls. Assess the documentation of implemented IT security controls. What controls haven’t been implemented? Are there documentation gaps where proof of how controls are implemented may be missing?
- Cyber insurance coverage. Cyber insurers limit their financial exposure through the questionnaires they require for coverage. By reviewing the previous questionnaire, the institution can spot answers that no longer hold and that could put coverage at risk in the event of a breach.
- Vendor communication. Notify relevant vendors and service providers of your personnel change, especially if the former ISO was the main point of contact. Request a complete briefing on ongoing security projects to ensure they are handed over without interruption.
- Look for help. Information security for banking is specialized, but there are solutions with expertise, processes, and platforms that can help streamline and simplify the governance process.
- Governance reporting. Scrutinize the executive and committee reporting for gaps or areas needing enhancement. What do the executive team and committee members think about the IT governance status reporting they receive? Is there an opportunity to make the reporting more actionable?
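The "Revoke access" and "Review documentation" steps above depend on the same artifact: a current inventory of which people hold which credentials on which systems. The script below is an added example, not from the article or from Finosec, showing how a bank can reconcile that inventory against a departing ISO. Personal accounts are disabled; shared and service credentials the ISO knew are rotated, and reassigned when nobody else is left holding them; privileged access is listed first; and any system on the system map with no inventoried accounts is reported as a documentation gap. All system names, account names and user ids are constructed sample data.

```python
"""Offboarding access reconciliation for a departing ISO (constructed example).

Input: an account inventory plus a system map, the documents the
succession-planning checklist asks to keep current. Output: the
revoke/transfer actions to take, privileged access first, and the systems
whose access cannot be reviewed because nothing is inventoried for them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str        # system the credential grants access to
    name: str          # account or credential identifier
    holders: tuple     # user ids who can use this credential
    kind: str          # "personal", "shared" or "service"
    privileged: bool   # administrative-level access


def offboarding_actions(inventory, departing_user):
    """Return (priority, system, account, action) tuples for every credential
    the departing user holds.

    Personal accounts are disabled. Shared and service credentials are rotated
    because the departing user knows the secret; if no other holder remains,
    the credential also needs a new owner so it does not become orphaned.
    """
    actions = []
    for acct in inventory:
        if departing_user not in acct.holders:
            continue
        remaining = [h for h in acct.holders if h != departing_user]
        if acct.kind == "personal":
            action = "disable"
        elif remaining:
            action = "rotate credential"
        else:
            action = "rotate credential and assign new owner"
        priority = "urgent" if acct.privileged else "normal"
        actions.append((priority, acct.system, acct.name, action))
    # Privileged access first, then alphabetical by system and account.
    return sorted(actions, key=lambda a: (a[0] != "urgent", a[1], a[2]))


def uninventoried_systems(inventory, system_map):
    """Systems on the map with no inventoried accounts at all.

    The inventory cannot be trusted for these systems, so access held by the
    departing user there must be reviewed by hand; this is the documentation
    gap the checklist warns about.
    """
    covered = {a.system for a in inventory}
    return sorted(s for s in system_map if s not in covered)


# Constructed sample data: system names, accounts and user ids are placeholders.
SYSTEM_MAP = ["core-banking", "firewall-mgmt", "vendor-portal", "siem", "email-gateway"]
INVENTORY = [
    Account("core-banking", "jdoe.admin", ("jdoe",), "personal", True),
    Account("firewall-mgmt", "fw-admin", ("jdoe", "asmith"), "shared", True),
    Account("vendor-portal", "bank-svc", ("jdoe",), "service", False),
    Account("siem", "jdoe", ("jdoe",), "personal", False),
    Account("siem", "asmith", ("asmith",), "personal", False),
]


if __name__ == "__main__":
    for priority, system, name, action in offboarding_actions(INVENTORY, "jdoe"):
        print(f"[{priority}] {system}/{name}: {action}")
    for system in uninventoried_systems(INVENTORY, SYSTEM_MAP):
        print(f"[gap] {system}: no accounts inventoried, review manually")
```

The point of the two-way check is that revocation is only as complete as the inventory behind it: an access review that works from the inventory alone will silently miss every system that was never documented, which is exactly the situation a sudden ISO departure tends to expose.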
Be proactive
By leveraging the lessons learned, banks can be proactive in succession management before they lose an information security officer. Start with reviewing your existing team. What would happen if your ISO received a job offer for a significant pay raise? How prepared is your team to answer the questions above if your ISO were to leave suddenly, or is the ISO the only one who knows the answers? Think about the manual and labor-intensive tasks that may push your ISO to be open to talking with recruiters when they call.
Having a long-term, stable ISO is a blessing, yet one of the foundational challenges in compliance is that if you don’t have documentation to prove what you did, you don’t get credit for the work. If yours is one of the fortunate banks not affected by an ISO departure, think about documenting answers to these questions. Then create a write-up for your next technology steering committee meeting titled An Exercise in Succession Planning for Our ISO. Working through and documenting the process ensures you get appropriate credit with the examiners.
The departure of an information security officer can be a moment of vulnerability for a financial institution. However, it also presents a unique opportunity to bolster information security governance and refine cybersecurity practices. By embracing a proactive approach, leveraging expertise and integrating innovative solutions, banks can not only fill the immediate gap but also enhance their long-term resilience against cyber threats.
Zach Duke is CEO and Founder of Finosec.