Community Bank IT Staffing – Doing More with Less

By: Mike Detrow, Senior Consultant and Manager of IT

Over the past two years, we have seen a significant increase in the number of community bank IT managers that have voiced substantial concerns about the ability of their bank’s current staff to properly secure their information systems and maintain regulatory compliance. These concerns are the result of IT managers trying to meet the requirements of new regulatory guidance related to information security and working to prevent potential damage from evolving cyber threats without supplemental staffing or other resources.

Some of the potential risks for a community bank with insufficient resources to properly maintain and secure its information systems include:

  • A data breach resulting from inadequate configuration management or security monitoring
  • A system outage, disruption, or data loss due to inadequate maintenance or system monitoring
  • The resignation of an overwhelmed IT manager, leaving an unusable IT infrastructure for a bank with an insufficient succession plan
  • Regulatory compliance issues due to repeat audit and examination findings

In many cases, it will be difficult for a community bank to add internal staff to address these risks, especially those that are located in rural areas. However, there are a number of cost-effective ways for a community bank to make its current IT staff more efficient and its information systems more secure through the use of automation and by adding additional expertise through education and/or the use of service providers.

  1. Education. Providing opportunities for the bank’s IT staff to attend training classes or to participate in peer discussions during industry conferences or forums will help them to learn best practices and gain other valuable insights that will increase their efficiency and improve security practices. Many state banking associations host annual technology conferences that can be an invaluable resource for the IT staff of a community bank, especially those that do not have a formal IT background.
  2. Automation. Tools to automate labor-intensive tasks such as patch management, capacity and performance monitoring, and event management can be implemented. Many manual tasks can be automated by implementing a remote monitoring and management (RMM) solution. By installing a management agent on each of the bank’s workstations and servers, the bank’s IT staff can manage all of the servers and workstations through a single dashboard. Some of the features of an RMM solution include: patch management, antivirus management, event monitoring, software installation monitoring, automated tasks, email alerts, and remote access. An RMM solution also assists with proactive monitoring to identify issues before they cause downtime.
  3. Engage a Consultant. Engaging a consultant to assist with policy updates and other compliance tasks can provide valuable insight and eliminate hours of research time spent by the bank’s staff. An experienced consultant will be familiar with regulatory requirements and he/she will have valuable insight, sample templates, and policy language to share.
  4. Outsource Network Management. Outsourcing the management and monitoring of the bank’s in-house servers, workstations, and other network devices to a managed services provider (MSP) can free up a significant amount of time for the internal IT staff and also offers additional expertise for complex systems such as virtual servers. In addition, having a team of professionals from the MSP supporting the bank mitigates the risks associated with relying on a single bank employee to maintain the entire IT infrastructure. There are even service providers that can move all of the bank’s critical information systems to their secure datacenter, which can significantly enhance the ability for a bank to recover from and function during a disaster.
  5. Outsource Firewall Monitoring. While we still see some banks utilizing internal staff or their MSP to monitor their firewall, most lack the expertise and 24x7x365 availability to properly monitor this critical system. Early detection and eradication of a threat can drastically reduce the potential damage caused to the bank’s information systems and its reputation. A managed security services provider (MSSP) maintains the appropriate expertise and staffing levels within its security operations center to quickly identify a threat and follow agreed upon response procedures.
  6. Outsource Vendor Management. Gathering all of the required documents from each of the bank’s service providers and properly reviewing all of this documentation can require a significant amount of time and expertise. There are a number of service providers that can perform the majority of this work on the bank’s behalf and provide a summary of their findings for management’s review.

Just like moving from in-house to outsourced core processing, utilizing service providers to assist with the management of the bank’s IT infrastructure and compliance needs can provide additional expertise and allow the bank to operate efficiently and securely with limited internal resources. As with any outsourced relationship, it is critical for management to perform appropriate due diligence for any service providers that the bank may consider for the services listed above. During the due diligence process, it is very important to ensure that the service provider has experience working with financial institutions and understands the regulatory requirements that must be met.

With cyber risks remaining a significant concern for community banks for the foreseeable future, failing to address staffing limitations now will only compound these risks in the future. If you have any questions about this article or you would like to discuss the ways that Young & Associates, Inc. can assist your bank through a consulting relationship, please contact Mike Detrow at mdetrow@younginc.com or 330.422.3447.