12.05.2026
The external CISO in the financial sector: between DORA, cyber risks and ICT risk management
Financial institutions are under particular pressure: cyber risks are increasing, DORA is tightening requirements, and the management body remains responsible. An external CISO can help establish information security in a strategic, pragmatic and audit-ready way.
Dr Jan Scharfenberg
Partner & CEO
Information security is no longer merely an IT issue in the financial sector
Financial institutions rely on trust. Customers, business partners, supervisory authorities and investors expect sensitive data to be protected, payment and business processes to remain available, and digital risks to be manageable. At the same time, banks, insurers, payment service providers, investment management companies and other financial entities are attractive targets for cyberattacks.
A successful attack can trigger far more than a technical incident: business interruptions, data leaks, reporting obligations, reputational damage, supervisory measures and significant financial consequences. This is precisely why information security in the financial sector requires clear strategic responsibility.
This is where the CISO comes in.
Information security that protects and thinks ahead
We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.
What is a CISO and what does a CISO do?
CISO stands for Chief Information Security Officer. The CISO is the central role responsible for information security within an organisation. The CISO ensures that risks to data, systems, applications and digital processes are identified, assessed and managed.
In other words, the CISO is not simply the person responsible for firewalls, antivirus software or security tools. The CISO is responsible for the overarching security strategy and connects technical, organisational and regulatory requirements.
Typical responsibilities of a CISO include:
- developing an information security strategy
- establishing and further developing security policies
- assessing and prioritising cyber and ICT risks
- preparing for security incidents and crisis situations
- managing measures across IT, compliance, data protection and risk management
- raising awareness among employees and managers
- reporting to the management body, risk committees or supervisory functions
- supporting audits, reviews and certifications
In short: the CISO makes information security manageable.
What is an external CISO?
An external CISO assumes this role not as a permanently employed executive, but as a specialised external expert. The terms vCISO, meaning “virtual CISO”, or CISO as a Service are also commonly used.
This model is particularly relevant for organisations that need professional security governance but do not want to, or cannot, create a full-time in-house CISO position. An external CISO can be engaged on a project basis, on an ongoing part-time basis or as an interim solution.
Especially in the financial sector, an external CISO can close an important gap: between regulatory expectations, limited internal resources and the need for proven practical security expertise.
Why is the CISO particularly important in the financial sector?
In the financial sector, several factors come together that make information security particularly demanding.
Three aspects are especially important:
- Highly sensitive data: financial data, contractual information, identity data, health or insurance data and transaction data are among the types of information whose loss or manipulation can have particularly serious consequences.
- Digital business models: online banking, payment services, trading platforms, customer portals, digital insurance processes and automated risk assessments only work if IT systems are available, resilient and secure.
- High regulatory requirements: financial institutions must not only implement appropriate security measures, but also demonstrate them, review them regularly and embed them in effective risk management.
For the CISO, this means organising information security in a way that is both technically effective and robust from a regulatory perspective.
DORA changes the way we look at cybersecurity
With DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554, applicable since 17 January 2025), digital resilience in the financial sector is moving even further into focus. The emphasis is not solely on preventing attacks. Financial institutions must also demonstrate that they can detect disruptions, respond to them, maintain operations and recover quickly.
This shifts the focus from traditional IT security towards digital operational resilience.
This includes, among other things:
- clear responsibilities for ICT risks
- documented ICT risk management
- protection, detection, response and recovery measures
- appropriate testing of digital operational resilience, up to threat-led penetration testing (TLPT) for entities designated by their competent authority
- professional management of ICT third-party service providers
- structured processes for ICT-related incidents, including classification and reporting of major incidents to the competent authority
- robust reporting to the management body
For many organisations, this is precisely the challenge: the individual building blocks often already exist somewhere within the organisation. What is missing is clear overall coordination. A CISO can assume this coordinating role or play a key part in establishing it.
What is the ICT risk manager under DORA?
In practice, the term ICT risk manager under DORA is often used. It is important to classify this role precisely: DORA does not prescribe a position with this exact title. What it does require is effective ICT risk management and clear responsibilities for managing and monitoring ICT risks; for financial entities other than microenterprises, Article 6(4) assigns this responsibility to a control function that must be sufficiently independent to avoid conflicts of interest.
The ICT risk manager is therefore usually the function that ensures ICT risks are systematically identified, assessed, monitored and reported.
Typical responsibilities include:
- establishing and maintaining the ICT risk management framework
- conducting or coordinating ICT risk analyses
- assessing critical systems, processes and service providers
- defining controls, key figures and reporting obligations
- monitoring measures to reduce risk
- documenting risks, decisions and residual risks
- reporting to the management body, risk management or relevant committees
- coordinating with information security, data protection, compliance, IT and internal audit
This makes the ICT risk manager a central role for DORA compliance – but also for the organisation’s actual resilience.
Can an external CISO take on the role of ICT risk manager?
Yes, and for many financial institutions this can be a highly sensible approach. The external CISO brings precisely the perspective required for effective ICT risk management: security expertise, a risk-oriented view, regulatory know-how and experience in practical implementation.
Instead of treating ICT risk management merely as an additional compliance task, an external CISO can turn it into a manageable function. The CISO helps not only to document risks, but also to assess and prioritise them clearly and translate them into concrete measures.
Several arguments support this approach:
- Specialised experience: an external CISO is familiar with typical vulnerabilities, audit questions and implementation challenges from different organisations. This enables the CISO to assess more quickly where risks are truly critical.
- Independent perspective: unlike internal roles, an external CISO is less embedded in existing structures, routines or conflicts of interest. This makes it easier to assess ICT risks objectively.
- Connecting security and risk management: the CISO understands both technical security issues and their business impact. This translation capability is particularly important under DORA.
- Relieving internal teams: IT, compliance and data protection teams are already under significant pressure in many financial institutions. An external CISO can create structure, coordinate tasks and provide targeted support to internal resources.
- Better decision-making basis for the management body: ICT risks must be prepared in such a way that the management body can make well-founded decisions on priorities, budgets and residual risks. An external CISO can establish and support this reporting from a professional perspective.
- Audit-readiness and evidence: DORA requires not only measures, but also traceable processes, documentation and responsibilities. An external CISO can help implement these requirements in a practical and auditable way.
One point remains important: the management body retains overall responsibility for ICT risks (DORA Article 5). The external CISO cannot assume this responsibility, but can provide professional assurance, structure it and support its effective implementation in day-to-day operations. Equally, the independence DORA expects of the ICT risk control function means that an external CISO who also operates or builds the institution's ICT systems should not be the one assessing them; the engagement must keep these roles separate.
What financial institutions should review now
Financial institutions should not only ask themselves whether they have formally assigned a role. The more important question is whether the function is actually effective.
Useful guiding questions include:
- Is there clear responsibility for information security and ICT risks?
- Are the responsibilities of the CISO, ICT risk management, IT, compliance and internal audit clearly delineated, with no gaps or conflicts of interest?
- Are ICT risks assessed regularly and reported to the management body?
- Have critical systems, processes and service providers been fully identified?
- Are there clear processes for security incidents and recovery?
- Are measures, residual risks and management decisions documented in a traceable manner?
- Are internal resources and competencies sufficient?
- Would an external CISO be a sensible solution or complement?
Organisations that answer these questions honestly usually recognise quickly whether their existing setup is sufficient – or whether external support would be useful.
Conclusion: the external CISO connects security, regulation and practical implementation
For financial institutions, information security is now a central component of corporate governance. Cyber risks, DORA requirements, dependencies on service providers and increasing expectations from supervisory authorities make one thing clear: it is not enough to view security purely as a technical matter.
A CISO creates structure, priorities and accountability. An external CISO can take on this role flexibly and with specialised experience – especially where internal resources are limited or expertise is needed at short notice.
An external CISO can also assume or significantly support the function of ICT risk manager, provided that independence, governance, reporting lines and responsibilities are clearly regulated.
The key point is this: financial institutions do not need a purely symbolic role. They need an effective security and risk function that brings together the perspectives of the management body, IT, compliance and supervision.
This is precisely where the value of an external CISO lies.
How ISiCO can support you
ISiCO supports organisations in combining information security and regulatory requirements in a practical, workable way. In addition to legal expertise, ISiCO also has IT managers with technical know-how, including in the field of forensics. This creates a decisive advantage: security issues can not only be assessed from a legal perspective, but also classified on a sound technical basis and supported operationally.