Twinstate Technologies, Jun 17, 2020 8:18:39 PM, 5 min read

NYDFS and Finding Your CISO

With the New York State Department of Financial Services (NYDFS) tightening its cybersecurity rules, we created an overview of what these new regulations will look like for companies that fall into this category. Laws and regulations are becoming stricter for businesses across all industries because of highly targeted cyber threats, but the financial services sector, including banks, trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial service providers, gets extra attention.

Video: Security Mandates for Finance

They’re storing people’s names, addresses, social security numbers and wealth. Talk about a tempting target if you’re a hacker. As of March 1, 2017, DFS’ cybersecurity regulation went into effect for New York State. Because the financial services industry is a significant target of cybersecurity threats, the State’s priority is to promote the protection of customer information within the sector swiftly and urgently.

Financial services companies licensed by or operating in the State of New York must be compliant by August 28, 2017, according to the DFS. Whether you're located in northeastern New York from Plattsburgh to Albany, in New York City, or in western New York from Watertown and Ogdensburg to Buffalo, if your business fits the criteria, you must comply. The window is closing for those businesses that have yet to become compliant. By February 15, 2018, all financial service providers are required to provide a Certificate of Compliance to the DFS. It’s a steep learning curve to ensure that these new regulations are met. With that being said, hiring a Chief Information Security Officer (CISO) is a critical part of the mandate. After all, they will be the ones who are ultimately in charge of keeping your business compliant with these standards.

So, how do you hire a qualified CISO? To start, this talent pool is smaller than in other professions. Why? It is a hard field to break into: the qualifications are hard to obtain and, not to mention, can be expensive. Bottom line, finding a talented CISO can be challenging, so don’t expect this search to end overnight.

Financial services companies that store personal information like names and social security numbers are top hacking targets.

A knowledgeable CISO is going to have vast experience in maintaining computer system security and most likely some experience in business management. Though a bachelor’s degree in a related field such as computer science, business administration, information science or information security is required, the industry is increasingly seeking qualified candidates who have earned graduate degrees. Look for candidates who have earned a master’s degree in business administration (MBA) or who have specialized in information security management.

Professionals pursuing careers in higher-level IT, such as those who would be qualified for a Chief Information Security Officer position, will often have acquired certifications over the course of their careers. Common certifications include Certified Information Security Manager (CISM), Offensive Security Certified Professional (OSCP) and Certified Information Systems Security Professional (CISSP), to name a few. When all is said and done, a qualified CISO can cost your company an average annual salary of $145,000.


Though you may want and need a CISO of that caliber, it doesn’t necessarily mean that you can afford to have that salary on your payroll, especially if you’re a small or medium-sized business. Have no fear: your Third Party Service Provider is here to act as your CISO if you can’t bring on a person to work internally. Providers like Twinstate Technologies offer best-in-breed solutions to companies that need an IT partner without paying heavily for an in-house team. Partnering with a Managed Security Service Provider (MSSP) will ensure that your business has the latest in protection and compliance so that you are, in turn, abiding by New York State regulations. MSSPs like Twinstate will offer the talent and expertise of a CISO, along with a team who will work closely with you to ensure your company’s IT issues are addressed.

Once you’ve hired your talent, whether it be an in-house CISO or an MSSP, the next task is to establish duties and responsibilities. After all, they are now your company’s overseer of all things IT and IT related. If you have hired your own CISO, then they are responsible for hiring IT professionals who may act as team members to assist in maintaining your business’s security and compliance, if the size of your company requires extra hands. From there, your CISO is required to create and maintain a cybersecurity program that protects your business and abides by New York State’s regulations. This will include establishing cybersecurity policies and procedures, conducting vulnerability assessments and penetration testing on a regular basis, itemizing all cyber risks to your business, grading the overall effectiveness of your cybersecurity program and more, including writing annual reports for your records.

Video: What is a CISO?

If, however, your business chooses to hire an MSSP rather than create a whole new department to cater to these regulations, your provider should already have all of the proper testing, plans, reports and other requirements in place for your business. Next, your MSSP will simply work with you to closely adhere to the regulations that apply to your company, creating a customized IT plan just for you. Now you have the benefit of working with a highly skilled and qualified team without bringing on people in-house and having to worry about how that might affect your business financially. It will also be one less thing for you to worry about on a daily basis and allow you to turn your focus to running your company.

An MSSP will provide you all the services needed to be compliant for less than hiring an internal CISO and team.

This may seem like a lot to digest with a deadline of August 28, 2017 looming; however, it doesn’t have to be as daunting as it sounds. A simple conversation with your local MSSP, like Twinstate Technologies, can get you started on the path to becoming compliant quickly. We understand that reading through pages of regulations can be stressful and takes time away from your daily duties, but the good news is that there are several options no matter the size of your business and budget. We will also be continuing this series and diving deeper into New York State’s new laws as a resource to our readers who are potentially going through these changes in 2017.


Twinstate Technologies

Twinstate Technologies® specializes in cybersecurity, proactive IT, and hosted and on-premise voice solutions.