Best Practices for a Successful ISO Transition
It can be challenging for financial institutions to lose an information security officer (ISO)—particularly for smaller community banks and credit unions. Since ISOs have broad responsibilities relating to data security and other vital areas1, they play a critical role within the organization. Therefore, institutions must have a well-defined plan in place to keep an ISO’s transition or departure from adversely affecting their security posture.
There are many reasons an ISO may leave—retirement, a transfer to another role within or outside of the organization, or perhaps an unanticipated health issue. Whichever the circumstance, the reason for departure can significantly impact the transition process. For instance, if the position was vacated due to a planned retirement or staff reorganization, there can be a smooth transfer of duties between the outgoing and incoming ISOs. However, a sudden job change can result in a more complicated process.
There are two main facets of the ISO’s role that are critical to focus on during a transition: access to data and applications, and the continuity of the processes and responsibilities that the position encompasses.
1) Ensuring that access to data and applications is properly revoked, modified, and/or reallocated during an ISO transition is very similar to what happens when an IT Administrator leaves a financial institution. Although the IT and ISO roles (and their respective data access requirements) are different, the steps outlined in this article can help ensure information is protected when either role departs.
2) Some of the key areas of responsibility that must continue during an ISO transition include:
- Infosec compliance, including regulatory guidance, written policies, written procedures, and documented practices
- Oversight and coordination of data security efforts, including protecting the privacy and security of sensitive information belonging to the institution and its customers and members
- Business continuity management and incident response programs, including exercises and tests
- Third-party risk management (TPRM)
- Cybersecurity assessments, gap analysis, action plans, and
- Lead for steering committee meetings
- Information security program status updates to the board of directors
- IT audit and exam preparation, participation, and response
Planning Ahead
There are a number of strategies institutions can proactively implement to make an ISO’s job transition as successful as possible. A primary step to take is succession planning. This should be considered whether or not an ISO departure is anticipated. Regulators expect institutions to have a formal succession plan for all key leadership positions, and few roles are more critical than the ISO, as failing to maintain infosec continuity can leave an institution exposed and potentially more vulnerable to security issues.
Succession planning is often more problematic for smaller community banking institutions where employees typically wear multiple hats. Regulatory guidance requires that the ISO exist as a separate role within the institution. And while it is easy to designate an ISO successor on paper, an institution with limited staff may not have an employee with the appropriate knowledge, experience, and availability ready to step into the role. In addition, because of the potentially smaller talent pool in the geographic areas that community institutions serve, our experience is that smaller institutions often have difficulty finding good candidates.
However, if a solid succession plan is in place that includes both internal and external resources, the incoming ISO should at least have access to adequate experience and subject matter expertise to seamlessly step into the new role with minimal disruption. In a situation where there is seamless continuity, at least one of the following usually applies:
- The employee replacing the ISO has been given sufficient prior notice and preparation, including cross-training and job shadowing.
- Ideally, the incoming ISO has gained previous experience at a financial institution of similar size and complexity, or at minimum, managed information security in a regulated environment.
- The institution has partnered (or can partner) with a third-party provider to augment the role with a virtual ISO (vISO) solution.
Getting Help to Ensure a Seamless Transition
To be clear, transitioning between ISOs can be challenging whether the institution grooms an internal successor, hires a seasoned outsider, or partners with a third party (or a combination of the three). In all cases, there will be some type of learning curve. Either a promoted employee will need time to build proficiency in the position, or a hired replacement (individual or third-party provider) will need time to get familiar with the institution. Inevitably, the probability of security gaps will increase during this transition period, and IT auditors and examiners know this too. For this reason, employing a third-party provider is often an effective way to maintain infosec continuity during a transition, and ensure that all IT and information security tasks and related activities are completed on time and properly reported to the various stakeholders.
The bottom line: ISO transitions are inherently challenging—and seamless continuation is critical as they directly impact a financial institution’s audit and exam success as well as overall security posture. Whether the job change is planned or unexpected, institutions can apply effective succession planning to minimize the disruption. They can also address any deficiencies in their own internal knowledge and expertise by partnering with a third-party provider like Safe Systems. As an example, a bank in South Carolina used Safe Systems’ Virtual ISO service, ISOversight, to support succession planning for its retiring ISO. This resulted in multiple benefits, including an interrupted security posture, improved business continuity management, third-party management, and strategic planning.
1ISO responsibilities may consist of strategic planning, quality assurance, project management, InfoSec risk assessments, infrastructure and architecture security, end-user computing, and regulatory and legal compliance