The actual genesis for Ongoing Operations' CISOaaS began growing a couple of years ago out of the CUSO's client advisory board process. Clients said since OGO is a cloud provider, it had access to both protection expertise and tools, which many credit unions can't even begin to afford. So they asked the CUSO to extend its capabilities to include cybersecurity tools.

“We started down a path two years ago where we added a series of managed service provider tools around antivirus, desktop patching, asset control … all of those pieces, which are really the local environmental concerns that would align with the cloud,” Drake explained. “So whether they were doing things local or offsite, those tools would be the same.”

OGO later increased its capabilities by adding a series of perimeter defense pieces.

This year, the CUSO decided on a full-blown manifestation of its clients' suggestion by developing the shared security expert service. Drake explained CISOaaS is a tool many credit unions hoped for, as it helps bridge their security and compliance gaps and meets a major need.

“This combination of events gave birth to the idea of a systemic approach or process to managing the IT security lifecycle for the credit unions and giving them access to best in class resources and management techniques,” Drake said.

This piece helps individual credit unions afford technical and executive expertise to communicate the breadth and depth of their IT security issues to boards and auditors, Drake noted. It also ensures credit unions using OGO's CISOaaS are aware of changes in the market, the necessities to remain compliant, and available resources and tools.

OGO also plans to give credit unions appropriate procurement services, with the shared CISO serving as a personal security technology liaison along the way.

“We know where to find value, what works and what often fails,” Drake said. “We will cut through the marketing and technology jargon to help you understand the true costs and benefits of available organizational solutions.”

Three credit unions quickly signed on as CISOaaS pilots: The $2.9 billion, Laurel, Md.-based Tower Federal Credit Union, the $574 million, Rockville, Md.-based National Institutes of Health Federal Credit Union and the $87 million Washington-based Department of Labor Federal Credit Union. CISOaaS officially launches in early September.

The service is expected to provide access to security information gathered from the CUSO's enterprise-wide view as well as industry-wide trends and resources specific to disaster recovery, telecom, IT security and distributed denial of service mitigation. Drake said he anticipates a toolkit component to the service.

CISOaaS also provides clients with all the benefits of an in-house CISO without the overhead costs and assists with items that would otherwise cause stress for management and staff. As part of the service, credit unions will have access to:

• An expert, independent and unbiased view of their risk, compliance and security postures;

• An information security liaison to auditors, assessors and third parties;

• Oversight and management of day-to-day security activities, reporting and events;

• Coordination of security breach and incident investigations;

• Policy development and recommendations that are in line with NCUA/FFIEC requirements and best practices;

• A cybersecurity roadmap with strategic guidance in company growth, risk management and service offerings;

• Long- and short-term strategic planning discussions designed to coordinate and align with cybersecurity plans;

• An independent review of audit and assessment reports including assistance with prioritizing issues and tracking resolution;

• An assessment of their personnel's information security skills and implementation of a multi-media education and cross-training program designed to arm staff with the skills necessary to protect information.

• Guaranteed 24/7/365 access in case of a security event or other significant issue.

The shared CISO offers a full menu of areas of expertise. They include: Network segmentation, DDoS mitigation and clean pipe solutions, secure architecture and configurations, encryption and tokenization, cryptographic key management and performance, end-to-end and point-to-point encryption, holistic anti-malware and rootkit detection, secure messaging, mobile device management, anti-virus and anti-spam, data loss prevention, archiving/journaling, application security, access control and privilege auditing, security information and event management, file integrity monitoring, intrusion detection and prevention, incident response, risk assessment, and security policies and processes.

“On top of that we will take the credit union's individualized policy components and methodology, and philosophical components of their IT security, and blend those levels together into a full lifecycle piece,” Drake explained.

CISOaaS does not require credit unions to use all of those tools.

Drake said while the CUSO is open to having conversations with credit unions that are not OGO customers, its priority is to onboard existing investors and credit union clients.

“This is one of those things in which collaboration can help substantially in improving credit unions' approach and methodology,” Drake noted. “It is also something I don't think they can magically solve on their own. As an industry, if we pooled our resources together, this would not be an issue or a distraction, but because we are also ad-hoc, it creates a lot of challenges. This is something CUSOs can do to help credit unions.”

OGO, formed in 2005 as a business continuity CUSO by a group of credit unions, has grown from serving a handful of local organizations to more than 500 clients nationwide due to the growing complexities of disaster recovery planning. Over time, it acquired three companies: CU Recover – Business Continuity Planning, Teneros Email Replication and Cloudworks, a secure and redundant cloud computing platform.

As credit union disaster recovery and business continuity has evolved, so have OGO's solutions. Beyond traditional solutions such as business continuity planning, data vaulting and business continuity appliance, it added cloud solutions to become both a business continuity and cloud CUSO.