Most small banks and credit unions simply can’t afford a $250,000-a-year cyberthreat hunter or security researcher. Many are lucky if they have a full-time IT support person on staff, let alone one with specialized security certifications and expertise.
EY’s Global Information Security Survey 2018-2019 found that 87 percent of organizations don’t have sufficient budget resources to deliver the levels of cybersecurity and resilience they want.
Cloud-based security solutions from providers such as McAfee, Symantec, Trend Micro and many others represent a lower-cost option for financial services firms that can’t forgo security but may not otherwise be able to justify the spend.
“Just remember that whatever the bank does, it can’t outsource risk,” says Paul Sussex, who leads EY’s financial services digital transformation and cloud strategy practice.
Before getting started, smaller institutions must first understand the shared responsibility model that comes with cloud computing, Sussex says. He shares a three-step strategy and a set of considerations for smaller banks and credit unions interested in outsourcing security.
1. Develop a Cloud Strategy
First, decide why the company needs a cloud security provider. Are agility and growing market share the goals? Or will a cloud security solution simply cut costs by reducing the investment required in infrastructure and additional staffing? What workloads, apps and services will migrate to the cloud, and what service levels will they require? Finally, will the institution use one provider or many? Remember, the more providers the bank brings to the table, the more security considerations they introduce.
2. Define a Data Strategy
What types of data should be stored in the cloud? Who will have access and how will that be managed? Will the data be encrypted? If so, where will the keys be stored? How (and how often) will all of the applications be patched?
3. Conduct an Independent Security Review
Once a strategy is developed and all of the important questions about data management are answered, it’s important to obtain an independent security review. That should be done by a third party, separate from the cloud security provider and preferably by an organization that’s familiar with the banking and financial services industry. Some compliance regulations, such as the Federal Financial Institutions Examination Council guidelines, apply specifically to banking. Others, such as the Payment Card Industry Data Security Standard and HIPAA, are more broadly adhered to. But it’s still important for the third-party auditor to have experience managing all those compliance regulations in a banking context.