In some cases, the acquiring bank may not have time to obtain full visibility before moving forward. Some transactions simply move too quickly for every system to be addressed. While operational systems must be a priority in security rationalization, other tools such as learning management frameworks may be able to wait.
As Ros puts it, “You may have to run them in place until you have time.”
Banks Must Address Security Gaps When They Merge
Next, companies must address potential gaps and redundancies created by the combination of existing tools and decide which (if any) to keep.
“You have to rationalize and make decisions around governance,” Ros explains. For example, an institution that’s compliant with the Payment Card Industry Data Security Standard must conduct a gap analysis when making an acquisition to determine how best to incorporate the new company’s tools into its security frameworks.
Gaps may exist. While bigger banks may be running best-of-breed tools such as SAP, Ros notes that smaller organizations may run “middle-of-the-market stuff that’s not even connected to single sign-on solutions. You need to make a plan based on this gap.”
In some cases, this plan involves remediation — finding ways to improve the performance of less robust solutions and meet compliance requirements. In others, modernization is required — data may need to shift from one security solution to another before the legacy tools are retired. In still other situations, neither of these options is viable. “It could be the complete opposite,” says Ros. “You may need to just turn it off.”
Security Rationalization Requires Planning, Flexibility
To effectively rationalize security at scale and over time, it’s best to create a target M&A plan for all IT resources, from security tools down to infrastructure resources. At the same time, bank IT leaders should be mindful that plans can change. In an industry as fluid as financial services, flexibility is a requirement.
As Ros explains, “The plan is the ideal target, but exceptions inevitably come up, and there’s usually some messiness. This is a target, not a rule book.”
While banks can draft and deploy plans on their own, the complexity of merged IT environments often makes this both time- and cost-prohibitive. As a result, it’s often worth partnering with experienced security advisers to conduct complete security assessments that address both posture and environment concerns and help companies draft in-depth and effective target plans.
Mergers create both opportunity and complexity in banks’ security environments. To ensure frameworks are up to the task, banks must take stock of the current situation, address potential security gaps and create plans that target a secure and sustainable future.