Thwarting cyberattacks is a key task for any CIO in the banking industry, however it’s not the only security-related challenge keeping them awake at night.
Maintaining legacy IT infrastructures, managing multiple customer engagement channels, and supporting new service initiatives are also part of the mix. CIOs must strike a balance between keeping existing systems fully operational, delivering what the bank needs to meet future demands, and achieving robust security.
The challenge of a siloed infrastructure
Most banks comprise a number of divisions or departments providing different services to groups of customers. These can include retail banking services, mortgage and personal loans teams, and foreign currency exchanges.
To meet the strict regulatory requirements imposed on the financial services sector, these departments tend to operate in relative isolation. Data for each tends to be stored in different locations and network traffic isolated on a departmental basis.
While such siloed operations can also be common in other sectors, the situation becomes much more complex when it comes to banks. In many cases, teams and their supporting IT infrastructures can operate as though they are actually different companies rather than part of the same bank.
The challenge of managing siloed infrastructure is made more acute because many banks are still heavily reliant on legacy systems including mainframe computers. Decisions made around making any changes to this infrastructure are particularly slow as the cost of causing any disruption to banking activity could be huge.
Additional challenges can also occur for banks with operations in different parts of the world. Often created through mergers and acquisitions, these departments often have their own siloed infrastructure that must be connected with the bank’s core networks and databases.
In these cases, it is important for IT teams to have a thorough understanding of all systems in use and the data links between them. This understanding is vital when it comes to ensuring the robust security measures are in place and fully functional.
The question of ‘building’ versus ‘buying’
Faced with the challenges of securing a complex IT environment, senior bank managers face the question of whether to ‘build’ their own security infrastructure internally or ‘buy’ by engaging an external vendor to complete the work.
When contemplating the choice, it’s worth recognising that achieving effective IT security is not a one-off task. It requires more than simply selecting appropriate tools and deploying them across the infrastructure.
Rather, it is an ongoing task that requires constant monitoring, management, and review. For this reason, many banks opt to make use of external resources with deep knowledge and experience in the cybersecurity field.
The role of Zero Trust
Regardless of whether the security function is handled by an inhouse team or outsourced to a third party, the topic of zero trust will need to be carefully evaluated. Many banks have already begun following a zero-trust strategy after recognising the benefits it can deliver.
To achieve effective zero trust, many banks look to undertake micro segmentation within their networks. This ensures that only users who have express permission and can confirm their digital identity can gain access to resources.
To be successful, however, a bank needs to have a thorough understanding of all applications, data sources, and their interactions. Any misunderstandings or incorrect configurations can lead to disruption and potentially large financial losses.
Internal teams may find it more time consuming than initially estimated to achieve full zero trust status across their IT infrastructure. In some cases, banks have taken years to complete the work while in others, projects are halted before they have been finished.
Also, ongoing monitoring of the zero-trust status of the infrastructure is important to ensure that robust levels of security are maintained. Each time equipment or an application is added or changed, the implications this has for zero trust need to be carefully reviewed.
For these reasons, there can be significant benefits for a bank that engages with a trusted third party who can design, deploy, and manage its security infrastructure. This will allow internal teams to focus on the important task of maintaining core systems without needing to allocate human resources to security.