Banks massively promote heads of information security to deputy chairmen of the board in order to comply with the presidential decree

Small Russian banks are massively promoting their heads of information security departments to the level of deputy chairman of the board in order to comply with last year’s presidential decree. According to the market participant, such a solution is “cheaper and easier” than the retraining of top managers. In addition, until recently there were simply no courses on the market that the authorities would recognize as suitable for empowering managers with the necessary competencies.

Information security (IS) specialists in specialized Telegram channels have recently been actively discussing ways to implement last year’s presidential decree No. 250 “On additional measures to ensure the information security of the Russian Federation.” In particular, according to the document, one of the deputy chairmen of the bank is empowered to ensure information security, “including the detection, prevention and elimination of the consequences of computer attacks, and responding to computer incidents.”

The difficulty of implementing the requirement is that the head of the information security unit must meet the criteria specified in the government decree of July 15, 2022. That is, to have a higher specialized education (not lower than the level of a specialist, a master’s degree). There is also a long list of competencies of a specialized top manager.

According to experts, the main purpose of the presidential decree was to increase the role of information security in organizations. SafeTech CEO Denis Kalemberg notes that today information security is “often isolated, and therefore banks, like other market participants, simply do not pay attention to it, giving all their money and experience exclusively in favor of business.” “If someone at the leadership level is in charge of information security, this may lead to a more serious attitude,” he believes.

The president’s decree was not forgotten for a year, market participants assure, however, firstly, the documents did not define the deadlines by which top managers should receive the relevant competencies, and secondly, until recently there were no retraining programs that would provide necessary knowledge and skills of new leaders.

In particular, the Federal Service for Technical and Export Control (FSTEC) reported this to the Association of Banks of Russia (ADB) at the end of April in response to its appeal. Only at that time, “work was organized to develop an exemplary program for the professional retraining of these officials,” the FSTEC letter says.

The Central Bank emphasized that they are not an authorized body exercising control over the implementation of the requirements of Decree No. 250. However, they noted that for violation of the requirements of the FSTEC order “in terms of qualification requirements for employees of structural security units”, administrative liability is provided. The FSTEC did not promptly respond to Kommersant’s request.

According to experts interviewed by Kommersant, as a rule, there is still no profile education among deputy chairmen in charge of information security. As Roman Prokhorov, head of the board of the Financial Innovations Association, notes, “one should keep in mind the continuing shortage of qualified information security specialists, including managers.”

Positive Technologies information security business consultant Aleksey Lukatsky adds that “according to the requirements of the Central Bank, it is difficult to combine the management of the IT function and information security.” Therefore, it turns out that it is impossible to simply entrust the management of information security to the deputy chairman for IT, the expert clarifies.

According to ADB Vice President Alexei Voilukov, as a result, banks have two options – to send the current deputy chairman for retraining or to submit documents to the Central Bank for the head of the information security department for deputy chairman. “In the second case, as a rule, this applies to small banks, in fact, the position of the head of the information security department is renamed, and he is a member of the board purely formally,” he says.

“Heads of departments of small banks are simply being converted into deputy chairmen,” a Kommersant source in the information security market confirmed. However, according to him, for some candidates, the Central Bank issues refusals “either because they worked in banks with revoked licenses, or because of the formal lack of managerial experience in their core business.”

In addition, emphasizes the manager of RTM Group Evgeny Tsarev, the head is responsible (up to criminal) for any incidents or non-compliance with the requirements. This does not contribute to the popularity of the scheme: “In order for it to work effectively, such an employee must, in addition to being responsible, be given the opportunity to manage the budget in order to respond to events and fulfill the requirements of the regulator in full.”

Maxim Buylov