National Conference on Public Employee Retirement Systems

The Voice for Public Pensions


Leveraging vCISO Expertise to Protect Pension Funds Against Cybersecurity Threats

By: Peter Dewar, Linea
The primary goal of cybersecurity is to achieve the CIA triad: maintaining Confidentiality, Integrity, and Availability of information and systems. Peter Dewar at Linea describes how to achieve the CIA triad by leveraging virtual Chief Information Security Officer (vCISO) services to secure confidential business processes and protect information and sensitive systems.
This is an excerpt from the NCPERS Winter 2024 issue of PERSist, originally published January 16, 2024.
Managing cybersecurity risk is an essential task for any organization operating in today's digital landscape. Cybersecurity encompasses a wide range of disciplines that seek to identify, mitigate, manage, avoid, and recover from risks and negative events in both technologies and business processes.
The primary goal of cybersecurity is to achieve the CIA triad: maintaining confidentiality, integrity, and availability of information and systems under the care of any organization charged with that mandate. This means protecting sensitive data such as Personally Identifiable Information (PII) from unauthorized access, ensuring its accuracy and reliability, and ensuring that critical systems are available when needed.
One way to achieve the CIA triad is by leveraging virtual Chief Information Security Officer (vCISO) services to secure confidential business processes and protect information and sensitive systems.
To manage cybersecurity threats, organizations must first understand the inherent risks to which they are exposed, which are manifested in the technologies they use and the business processes they perform. This involves evaluating all systems and processes that are in use or managed by the organization, as well as those employed by service providers to serve clients, members, or constituents.
Understanding the probability and likelihood of potential risks, such as data leakage, data theft, or denial-of-service attacks, is crucial in developing a comprehensive cybersecurity strategy.
Does taking a holistic look at your organization's entire area of business operations to determine this probability seem daunting? It should, because it is.
A vCISO can provide several services to help organizations develop a complete information security program, including:
  • Policy Audit and Development
  • Network/Wireless Assessment
  • Applications Security Review
  • Social Engineering Awareness and Training
  • Risk Assessment/Cyberscore Development
  • Incident Response Plan Assessment and Development
  • Vulnerability/Penetration Testing
A vCISO can also provide ongoing activities that continue after the information security program is in place:
  • System Security Management
  • Threat Management/Managed Detection and Response
  • Meetings & Reporting
  • 3rd Party Vendor Risk Management
Implementing appropriate security is like fitting the pieces of a puzzle together. When the implementation is done, you want the pieces to fit together to show the full landscape: a cybersecurity program composed of different layers of protection. For this reason, make sure the information security program is tailored to the uniqueness of your organization and the industry within which you operate.
Implementing these cybersecurity measures requires a skilled team with expertise in each of the above areas. Typically, organizations will need 5 to 10 cybersecurity experts to handle the complexities of cybersecurity risk management effectively.
However, many organizations face challenges in staffing the right talent to manage cybersecurity risks. To overcome this hurdle, some have adopted the vCISO approach by utilizing cybersecurity service providers that offer a range of cybersecurity services without adding to the organization's overhead costs.
Delegating cybersecurity management to an external provider can prove to be an economical solution, similar to how businesses hire financial services from external vendors. It allows organizations to access expert-level cybersecurity services without the burden of hiring and maintaining an extensive cybersecurity team.

About the author: Peter Dewar, President, has over 25 years of experience in cybersecurity and leads the cybersecurity practice for the Linea group of companies that provide services across the United States and Canada. Under his leadership Linea has developed a Pension Cyber Security Framework (PCSF) to complement the generalized standards for protecting information systems. The PCSF focuses on the business process employed, services provided, and technology utilized by pension and benefits organizations, and devises controls to minimize and mitigate the inherent cybersecurity risk experienced by the industry. Peter has a Master's degree in Information Systems from the George Washington University, a Bachelor's degree in Information Systems from the University of the District of Columbia, is a Certified Information Systems Security Professional (CISSP), Certified Data Privacy Security Engineer (CDPSE), and has received certificates of achievements from the Harvard Kennedy School of Government, Gartner CIO Academy, and International Foundation of Employee Benefit Plans.

