Why more credit unions are opting for virtual CISOs
Whether driven by budgetary concerns or lack of local talent, more and more credit unions are opting to outsource C-level security roles.
“We could not find adequate talent in our market to perform the required duties,” said Michael Mathews, president of Vicksburg, Miss.-based Mutual Credit Union. “The pain point was justifying the cost of the service when we had no prior incidents within IT.”
Prior to outsourcing security responsibilities to the Baltimore-based Think Stack, Mutual CU “handled security internally,” noted Mathews.
“We began with a blank slate and researched the requirements and what we could afford to accomplish in phases,” said Mathews. “Relinquishing power was difficult for my team, as they have never answered to an outside party historically.”
With 61 employees, three of whom are in the IT department, Mutual CU supports 20,600 members. In short order, Mathews said, a “collaborative dynamic” formed with Think Stack. He emphasized, however, that initial outsourcing cannot be handled remotely.
“Someone has to be here and understand what we have been doing for years to effectively perform the role,” he said, adding that his team often has weekly “check-in” calls with Think Stack, as well as monthly summaries and quarterly reviews.
Michael Burns, Think Stack’s virtual chief information security officer, explained that of the firm’s approximately 75 credit union clients, roughly 40 percent outsource or hire a vCISO.
“Using a CISO service allows the CU to leverage expertise from a team that does cybersecurity every day and leverages experiences from across the credit union community for each individual client,” said Burns. “As a result, our clients focus on what’s important to them and we focus on helping them make that a reality through technology.”
And while Burns said larger credit unions usually have the budget to fill the CISO role, there have been changes to this paradigm in recent years.
“Organizations with as much as $1 to $1.5 billion in assets are finding that talent can be hard to find and keep, which makes a vCISO a desirable alternative to the internal hire,” he said.
Mike Morris, a systems partner with the accounting and advisory firm Porter Keadle Moore, said credit unions will outsource CISO functions “in situations where there is a limited supply of local resources” available to hire a full-time employee.
“They will outsource this role if they have internal separation-of-duty issues between IT and ISO staff, as sometimes, credit unions will try to have IT staff operate as if they were an ISO, which is against industry regulations,” said Morris, adding that an average outsource contract is three years.
“There are also cost concerns when hiring a full-time ISO. In some instances a credit union might also outsource some, but not all, ISO duties to mitigate costs and for training reasons,” he said.
When it comes to budgeting, Burns pointed to a Payscale estimate of an expected salary for a CISO in Maryland. The median salary, he noted, is $148,000, coupled with an estimated $30,000 in benefits.
“Add recruiting, which is 17 percent of salary, and there is an additional $25,000 every time the job changes over,” said Burns. “Meanwhile a vCISO service can scale as needed and on demand. Typical rates vary from $4,000 to $12,000 monthly. Even at the high end, if you don’t need to hire a full-time position, there is a significant savings to be had.”
Morris added that depending on respective markets, outsourcing the role of CISO should equate to roughly one-third of a full-time CISO’s salary, including benefits.
“The credit union’s general expectation is that the provider will be tasked with managing the information security risks to the organization and then executing controls/functions the most economical way possible,” said Morris. “The ROI is the cost of the FTE versus the saving achieved by outsourcing the function.”
Taking the vCISO plunge
Maria Solorzano, CEO of $90 million-asset Liberty Savings Federal Credit Union, approached her board of directors in Nov. 2017 with a proposal to outsource the CIO position.
“We felt the credit union would benefit from a company that would deliver services using a team approach with professionals specialized in different areas of technology and security to best benefit our members,” said Solorzano.
Before taking the outsourcing plunge, the Jersey City, N.J.-based credit union employed a CIO. But over time that employee became overwhelmed, noted Solorzano.
“This single position was in place for about 15 years at the credit union, which was appropriate as we were much smaller then,” said Solorzano, adding that the CU supports 21,000 members and 48 employees. “Now, with cybersecurity and breaches prominent, we feel this change is the best decision to protect our members’ data.”
Think Stack also counts Liberty Savings FCU as a valued client. Burns said some of the common misconceptions about outsourcing this role are that internal teams or departments will be replaced.
“We have seen the exact opposite in practice. Teams that outsource commonly become stronger,” he said. “They are able to focus on their strengths and goals, while allowing us to support their efforts. In the end, they get more done and stay more organized. In turn they are more productive and happier.”
For Mutual CU, Mathews explained that it took roughly one month to get “up and running,” but longer to “finalize.” He said the most important part of the process was “trusting” the outsourcing partner. Ancillary benefits have also been realized.
“I did not evaluate ROI with this decision. I did look at enhancements to efficiency and how I could obtain specialized talent when I needed it and not have the carrying cost when I did not,” said Mathews. “Our IT team has been able to focus their attention in other areas and improve the overall functionality of our network as a result.”
Burns explained that each vCISO service is customized to the credit union client. Think Stack, he noted, developed “Goma,” a cybergovernance platform that “allows the vCISO or full-time CISO to organize all of IT’s complexity.”
“Goals are set in each area and the current state is continuously accessible,” said Burns. “A nontechnical board can easily understand the risks of goals that are far from met in one area while eschewing additional investment in an area where the organization is already competitive.”