Jan 11 2022

After the Merger, Part 2: Rationalize Security Solutions

When banks come together, how do they unify systems without increasing risk?

Mergers and acquisitions have been on the upswing since 2021 — and for a financial services sector grappling with the effects of COVID-19 and looking to find its feet again, that’s good news. Such combinations present unique challenges for banking IT staffs, however, as they look to consolidate technology environments that are often similar in function but distinctly different in form.

A recent EquITy blog post tackled the process of application rationalization: How do banks decide which applications to keep, which to merge and which to retire in the wake of a merger?

Now, let’s dive into security.

Chuck Ros, enterprise solutions consultant for SoftServe, a CDW partner, makes a distinction between the broader process of improving bank security and the post-acquisition step of “secure,” which specifically examines the security applications in use, determines where gaps exist and develops a target plan to improve overall defense.

So, what steps are needed for financial firms to merge protective processes without putting critical data at risk?

Merging Banks Must Understand Their Security Situation

The first step is taking stock of the security situation by discovering which tools are currently in use. “At some point,” says Ros, “the acquiring company wants the keys. There is a cutoff, and they need some rationalization around a host of different systems. As a result, they need to identify what’s critical to secure. This includes identity management, enterprise resource planning and operational IT processes.”

Click the banner below to receive exclusive security content when you register as an Insider.

In some cases, the acquiring bank may not have time to obtain full visibility before moving forward. Some transactions simply occur too rapidly to address every system. While operational systems must be a priority in security rationalization, other tools such as learning management frameworks may be able to wait.

As Ros puts it, “You may have to run them in place until you have time.”

Banks Must Address Security Gaps When They Merge

Next, companies must address potential gaps and redundancies created by the combination of existing tools and decide which (if any) to keep.

“You have to rationalize and make decisions around governance,” Ros explains. For example, an institution that’s compliant with the Payment Card Industry Data Security Standard must conduct a gap analysis when making an acquisition to determine how best to incorporate the new company’s tools into its security frameworks.

Gaps may exist. While bigger banks may be running best-of-breed tools such as SAP, Ros notes that smaller organizations may run “middle-of-the-market stuff that’s not even connected to single sign-on solutions. You need to make a plan based on this gap.”

In some cases, this plan involves remediation — finding ways to improve the performance of less robust solutions and meet compliance requirements. In others, modernization is required — data may need to shift from one security solution to another before the legacy tools are retired. In still other situations, neither of these options is viable. “It could be the complete opposite,” says Ros. “You may need to just turn it off.”

MORE FINANCIAL SERVICES: Explore the tech trends shaping the industry in 2022.

Security Rationalization Requires Planning, Flexibility

To effectively rationalize security at scale and over time, it’s best to create a target M&A plan for all IT resources, from security tools down to infrastructure resources. At the same time, bank IT leaders should be mindful that plans can change. In an industry as fluid as financial services, flexibility is a requirement.

As Ros explains, “The plan is the ideal target, but exceptions inevitably come up, and there’s usually some messiness. This is a target, not a rule book.”

While banks can draft and deploy plans on their own, the complexity of merged IT environments often makes this both time- and cost-prohibitive. As a result, it’s often worth partnering with experienced security advisers to conduct complete security assessments that address both posture and environment concerns and help companies draft in-depth and effective target plans.

Mergers create both opportunity and complexity in banks’ security environments. To ensure frameworks are up to the task, banks must take stock of the current situation, address potential security gaps and create plans that target a secure and sustainable future.

This article is part of BizTech's EquITy blog series. Please join the discussion on Twitter by using the #FinanceTech hashtag.


PrathanChorruangsak/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT