In early 2018 we rolled out a new suite of services designed to leverage our expertise in cyber security, our experience with bank and credit union security audits, a wicked-cool software solution for efficiency, and good old fashioned customer service, into an amazing package that takes the stress out of information security management. Our Virtual CISO suite of services is already transforming the way financial institutions view, and accomplish, security and compliance.
If you are concerned about your information security program, read on.
A pending visit from compliance officers doesn’t often breed a stress-free environment in any bank or credit union. An IT security audit demands a level of perfection challenging to organizations of all sizes – and since the passing of GDPR the penalties cited for anything less will only become more severe in the coming years.
According to a recent Deloitte study, 82% of financial executives and managers claim that making mistakes – or the possibility that mistakes could be made with them at the helm of the operation – is the number one stressor in the workplace. This factor of stress becomes increasingly more apparent in small to mid-sized banks and credit unions where executives are expected to wear so many hats.
After two decades of both bank and credit union cyber security experience, here at Rivial Security we’ve boiled down the three largest pain points that make IT security audits such a headache:
The tasks and responsibilities associated with each of these three categories tend to push the majority of IT managers and execs towards a total stress meltdown.
So we asked ourselves: how can this stress be reduced or completely eliminated?
The answer was to design a fully-customizable tool (not just a mere impersonal template) that streamlines the entire process for managers and C-level executives and lets them effectively wash their hands of compliance.
Our Rivial Managed IT Compliance service is a marriage between in-house automation and expert outsourcing, backed with our proven methodologies and all security audit best practices. Our biggest goal was to tackle the three pain points above and completely eliminate stress on the part of the user, effectively letting you wash your hands of compliance – as we like to say.
When it comes to gathering and presenting evidence, we’re excited at how efficient and user-friendly we’ve made things. Security task reminders for computer audits in banks and credit unions are automated throughout the year to spread the workload into manageable, bite-sized projects for you and your team using our web application software. Upon completion, evidence of these tasks is uploaded to your central repository using cloud storage technology.
We’ve laid out a labeled, organized system that we find most organizations enjoy, but have left full room to let you customize the tool to your specific business. All of your evidence is secure and accessible through your dashboard, and we’ve added a further automation that allows you to make updating that evidence part of your security culture.
Identifying and tracking control progress can be a tremendous challenge for organizations with a small to mid-sized IT team. These individuals are always stretched thin, making compliance tracking a nearly impossible addition to an already saturated workload.
This is where Rivial steps in to do the heavy lifting. Outsourcing your governance and compliance tracking to a team of information security experts alleviates the internal nightmare of delegation and allows you to focus your attention on what truly matters to your business.
Rivial’s Managed IT Compliance dashboard is where all the magic happens. It displays your compliance status over time and generates real-time reports for staff members, examiners, and executives. When the time rolls around for an audit, it’s just a matter of pressing “print” and getting on with your day. To us, this is what makes Rivial’s process and design so sought after.
It’s no real secret that finding qualified security personnel is becoming more and more difficult – and the Chief Information Security Officer position is no different. In fact, the role of CISO was the hardest tech position to fill in 2016. Coupling that with the massive rise of cybercrime in the last 18 months does not make finding the right person to helm your security operation any easier.
And this makes sense – an effective CISO cannot just have expert understanding of information security and be able to design and construct a security program. They must be business savvy, possess excellent communication skills, be able to convey complex information in terms their fellow executives understand, and fit the culture of your organization.
But finding the right person who fits the criteria for what a Chief Information Security Officer can offer a bank or credit union is really only half the battle. Hiring a CISO is no small investment for any bank or credit union, as their salaries can range anywhere from $130,000 to $380,000. If that wasn’t enough of a punch to the gut, the retention rate for a hired CISO does not boast longevity: these positions are so sought after by large companies that they often poach qualified, employed individuals by offering them higher salaries.
The fact remains, the CISO role is essential to designing and implementing an effective enterprise IT security program, and Rivial’s Virtual CISO service allows you to completely replace the need for a traditional hire at a much more appetizing price-point.
Rivial has been providing CISO as a service for our clients for the better part of a decade. We specialize in ensuring they comply with all GLBA, FFIEC, FDIC, NCUA, HIPAA, and PCI requirements. Our team of security experts performs all the planning and strategy that goes into implementing your security program in accordance with these laws, and exceeds all regulations with our proprietary risk and compliance categories. Your peace of mind is ensured via our online dashboard, which allows your team to track your compliance in real time.
On top of compliance, we manage your organization’s risk using our Managed IT Risk service, detecting threat variances in your internal and external security environment to give you accurate metrics of your risk.
The transparency provided to executives is something we find to be incredibly powerful about this service. Our online dashboard is a dynamic tool that shows the status of the program over time and can generate real-time reports for staff members, examiners, and executives. Since our Virtual CISO service includes Managed IT Compliance, Managed IT Risk, and Managed User Training, your online dashboard has all the same capabilities of those services as well, giving you complete visibility into the status of your security program.
The operations of an IT security risk assessment are often mistakenly associated closely with those of an IT audit. And we totally get it; both are federally required, and both examine the ability of your controls to mitigate risk.
However, it is the common misinterpretation of the purpose of a risk assessment that leaves so many organizations feeling like they paid too much for something that offers little value.
An IT risk assessment should really be a business decision-making tool; it is the foundation on which an effective information security risk management framework for credit unions and banks is built. It should analyze threats and vulnerabilities, prioritize steps to mitigate risk, and inform the way you allocate security funds.
The process of how cyber security risk assessments are conducted and interpreted by executives has been in need of a major redesign for several years. Despite conducting a yearly risk assessment and passing all audit requirements, nearly two-thirds of all organizations lack the adequate resources in their current security program to manage the growing cyber security threat landscape.
Viewing your risk assessment as a once-yearly solution to gather data regarding information and technology assets and the vulnerabilities posed to them is no longer an effective process. If you continue to rely on only this outdated process and passing your annual audit, your organization will soon be on the news as the latest victim of a data breach. This is because the increased sophistication of malware attacks, the industry trend of involving numerous third-party service providers, and the pure motivation of cyber attackers have birthed the need for a continual assessment of your business’s information assets and what you’re doing to protect them.
At Rivial, we’ve recognized this evolution of the threat landscape and have designed a service to mitigate the risk you face on a daily basis.
We call this service Managed IT Risk, and the breakthrough solution comes with our creation of “key risk indicators”. These key risk indicators are a set of continuous metrics that show the strengths and weaknesses in your IT risk landscape. We’ve divided these into two sections: internal and external.
The internal key risk indicators monitor what’s going on in your environment. We track things like in-depth user access controls, the frequency and comprehensiveness of your patch management program, and the overall defense-in-depth practices you are implementing. The same methodology is continued into our external key risk indicators, which monitor what is going on outside your organization. We use our expertise and research team to determine what types of attacks are becoming more prevalent, what systems and vendors are seeing higher targeting levels, and how best to remain protected.
By tracking variances to these metrics, we develop ways to bring your risk back to an acceptable level. Via the user dashboard, your security team and executives can quickly identify where risk is changing and see exactly how to normalize it.
The most significant and value-adding portion of Rivial’s Managed IT Risk service is that it quantifies the risk you face, instead of providing a vague, qualitative measurement. This allows your board of directors to make informed decisions about building an effective security program and gives your security team justifications for budget requests.
Technical advancements in IT security software have followed the constant trend of identifying, targeting, and defeating new malware attacks as they are designed and implemented by hackers. Most regulations revolve around ensuring your organization has the proper computer defenses capable of withstanding an attempted penetration of your network.
But strength in software is only half the battle.
Attackers, with the purpose of avoiding sophisticated firewalls and complex control systems, now rely heavily on the use of social engineering to obtain your sensitive information. Social engineering is different from traditional attacks as it targets your employees rather than your systems, taking advantage of customer service and human error. Worst of all, attacks can take place in person, over the phone, or even online.
Over 80% of hackers leverage social engineering in an attack; it is imperative your squad is adequately trained to fend off these attempts.
Rivial’s Managed User Training gives your team the upper hand.
We’ve seen our clients greatly reduce their susceptibility to a social engineering attack in just a few short months. One of our clients, a mid-sized credit union in the Northeast with around 100 employees, was concerned by the score of their baseline test; over one quarter, they saw a massive 14% change in phish-prone users; by the third quarter, every employee passed the simulated social engineering attack. Our process of education using both information and real-world tactics is absolutely effective and quick moving.
First, your team becomes the subject of a controlled social engineering attempt conducted by our in-house social engineering experts. The test serves as a baseline indicator of the state of awareness and vulnerability of your team. We approach this attack with full force, simulating the persistence and degree of sophistication a real attacker would employ.
With this baseline established, the training begins.
You and your staff participate in enterprise security awareness training and receive ongoing consulting guidance. Throughout this process, Rivial will simulate a variety of phishing situations and conduct social engineering campaigns. Providing your staff with exposure to these types of attacks will keep them conscious of the information they are asked to give out and able to identify which sources are legitimate and which are fraudulent. All of the training sessions are documented and accessible through your online dashboard. This is where you and your Board can view the in-depth improvement analytics. These analytics, coupled with the evidence of these training sessions kept stored in a central repository, can be shown to your compliance officer when your IT security audit rolls around.
Our goal is to make sure your team continues to make your company a safe place for your customers’ and members’ information and money. That’s why we also make it a point to include an extended Happy Clicker training in our service model.
Assessing your security once-yearly is not an effective way to mitigate risk. We’ve recognized the evolution of the threat landscape and have designed our services to provide visibility on and mitigate the risk you face on a daily basis.
After two decades of experience, our goals at Rivial Security have remained the same – to make sure your company remains a safe place for your customers’ and members’ information and money, and to make your job less stressful.