National Conference on Public Employee Retirement Systems


Bridging the Cybersecurity Skills Gap with Virtual Chief Information Security Officer (vCISO) Services

By: Peter Dewar, Linea Solutions

The last article in our series exploring vCISO services is written by Peter Dewar. It covers how the capabilities of a vCISO, from vulnerability management to penetration testing, can help pension funds, which typically have a small IT staff, keep their member data secure and adapt to evolving threats.
This is an excerpt from the NCPERS Summer 2024 issue of PERSist.

The cybersecurity skills gap encompasses a wide range of needs, from policy formulation to vulnerability management. Effective cybersecurity requires personnel who can write and implement comprehensive policy documents that cover access control, backup, incident response, and acceptable use. These policies must be crafted by someone with broad knowledge of all cybersecurity controls and the ability to communicate and enforce them among staff.

Pension funds face the critical challenge of closing this skills gap, a mix of technical expertise and business operations knowledge that is essential for protecting sensitive data and maintaining robust security protocols. Virtual Chief Information Security Officer (vCISO) services offer a strategic solution to this problem, particularly for pension funds that have limited resources.

Key Components of vCISO Services
  • Vulnerability Management: Identifying vulnerabilities within the organization's environment and mitigating them effectively.
  • Third-Party Risk Management: Identifying and mitigating the areas of vulnerability that third-party service providers pose to the organization.
  • Penetration Testing: Exploiting discovered vulnerabilities to assess the organization's susceptibility to specific threats, including zero-day vulnerabilities.
  • Incident Response Planning:
    • Developing and training staff on incident response plans, creating detailed playbooks for various scenarios.
    • Conducting tabletop exercises to simulate responses to system outages and test the robustness of these plans.
  • Training and Social Engineering: Educating staff through simulated phishing attempts, phone calls, and other social engineering tactics to recognize and respond to threats.

Hiring a vCISO can bring a wealth of knowledge and expertise to an organization on an as-needed basis. This arrangement can help lower costs for organizations as well.

This approach is particularly beneficial for pension funds, where IT staff sizes are typically small, and maintaining a full-time cybersecurity team is impractical. vCISO services provide the following advantages:
  • A vCISO can bring together diverse skill sets that are often not found in a single individual, addressing both technical and strategic needs.
  • They work with many other organizations and are able to implement industry best practices.
  • They understand the inherent risks specific to the business, such as those associated with third-party interactions, actuarial analysis, and external money managers.

The cybersecurity skills gap poses a significant challenge to protecting funds against the wide variety of cybersecurity threats. By leveraging vCISO services, funds can access the expertise needed to develop robust security measures, manage vulnerabilities, and train staff effectively. This strategic approach not only enhances security but also ensures that funds can adapt to evolving threats without the burden of maintaining a full-time cybersecurity team. Embracing vCISO services is a proactive step towards bridging the skills gap and safeguarding the future of the organization.

Bio: Peter Dewar has over 25 years of experience in cybersecurity and leads the cybersecurity practice for the Linea group of companies that provide services across the United States and Canada. Under his leadership Linea has developed a Pension Cyber Security Framework (PCSF) to complement the generalized standards for protecting information systems. The PCSF focuses on the business process employed, services provided, and technology utilized by pension and benefits organizations, and devises controls to minimize and mitigate the inherent cybersecurity risk experienced by the industry.

Peter has a Master's degree in Information Systems from the George Washington University and a Bachelor's degree in Information Systems from the University of the District of Columbia. He is a Certified Information Systems Security Professional (CISSP) and a Certified Data Privacy Solutions Engineer (CDPSE), and has received certificates of achievement from the Harvard Kennedy School of Government, Gartner CIO Academy, and the International Foundation of Employee Benefit Plans.
