360 Privacy, a Nashville TN based LLC, is comprised of members from the Special Operation Forces, Intelligence Community, and technology experts whose mission is to protect the digital identity, reputation, and security of high-profile executives, athletes, and high net worth families.
Within the finance community, the term “CIO” is typically synonymous with, “Chief Investment Officer.” Today’s discussion centers around the role of a Chief Information Officer who, like that of their Investment Officer counterpart, must adhere to Policy Statements and budgetary constraints, while keeping current with the latest legal framework and threat-vector networks/operating procedures. An outsourced partnership in the Information Security field may prove useful in helping to create efficiencies within the family office, protect both financial assets, digital identities, and reputations, and stay at the forefront of an ever-changing landscape.
To begin, let’s define the role of a Chief Information Officer. According to Cisco, the CIO “is the organization’s most senior information technology executive who sets the vision for the overall IT security strategy and oversees major IT initiatives like digital transformation projects designed to keep the business agile and resilient.” In some organizations, a Chief Information Security Officer (“CISO”) is hired to verify, test, and adhere to the information technology implementations of the CIO.
Regardless of structure, the growing importance of these roles is becoming more evident, as demonstrated by both the SEC and the Biden Administration’s Fall 2022 regulatory agenda. The responsibility of cyber security and its policies, implementation, testing, and reporting at publicly-traded companies and asset management firms appears likely to change in April 2023. As outlined by the SEC above, reporting of a “material cybersecurity incident” within four business days will require communication and coordination across cyber, the executive leadership team, and public relations (among others). In other words, these types of policy updates will require shared responsibility across an organization. According to Fortune, in 2021 only 17% of Fortune 500 companies had board members with real-world cyber security knowledge. “By 2025, Cybersecurity Ventures predicts that 35% of Fortune 500 companies will have board members with cybersecurity experience.”
While the concepts of “shared responsibility” and “information security” are far from foreign to the family office community, the ability to adapt and grow the “3 Cs” (coverage, capabilities, and complexity) during times of ongoing change can be difficult. There is no shortage of risks faced by family office personnel in the digital space. Direct threats like social engineering, phishing and ransomware attacks are becoming more and more sophisticated, thanks to the growing power of artificial intelligence, prevalence of sensitive personal information available on data broker websites, and intelligence gleaned from social media. Insider threats arise when an employee or other trusted individual abuses their privilege and/or access to office systems and data. Indirect threats aimed at data storage, custodians, accounting, and investment firms must also be considered in the risk management process.
While the case for in-house information technology expertise is clear, the question of, “what value does an outsourced CIO or CISO bring to an organization,” remains. In our view, it boils down to three items for consideration: potential cost savings, access to specialized expertise, and increased security/flexibility.
Hiring a full-time, in-house CIO/CISO can be expensive for a family office, especially if the family does not have a large IT infrastructure. In a 2022 survey by Heidrick & Struggles, US-based CISOs reported median base income of $584,000 (+15% year-over-year), with equity packages pushing total compensation past the $1 million mark. By contrast, outsourced (or virtual) CISO costs can range from $20,000 to over $250,000 based on existing program maturity, contract structure, service hours, and industry-knowledge/expertise required (among others).
As outlined above, industries like finance or government require both adaptation and experience to help accurately guide the business and its investments toward compliance. Whether you’re dealing with consumer data, operating and investing on a global scale, or beginning the certification process with programs like FedRAMP, knowledge of and experience with concepts like personally identifiable information (“PII”), GDPR, FISMA, and National Institute of Standards and Technology frameworks help drive efficiency and avoid duplicating efforts internally.
Lastly, the ability to control how and where sensitive pieces of business and personal information are shared will assist in increasing overall digital security. Like an Investment Policy Statement put together by the Investment Committee, an outsourced CSO/CISO can help create, update, and implement an Information Security Policy framework. These guidelines oftentimes pertain to family office personnel and resources but should extend to family members. Practices and procedures which can be applied across generations (i.e., those with both mature and inexperienced information technology backgrounds) will help close gaps and reduce tail-risk associated to social engineering, data leakage, and financial compromise.