AUG 20, 2009 5:21pm ET

The Tech Scene

Under Pressure, Small Banks Outsource Security


Facing increased pressure to improve their data security, a growing number of small and midsize banks are looking for outside help.

Some have outsourced the entire job of information security management. Others have created new positions in-house to oversee data security, but are shifting many of the compliance tasks to systems hosted by vendors.

Whatever lengths they go to, more companies will consider outsourcing, observers say, as auditors and regulators step up their efforts to ensure that banks of all sizes are safeguarding financial data.

At small banks, the chief information officers have typically been responsible for making sure the networks and systems are all working properly and for ensuring that the technology and data are well protected.

But Ratna Ray, the chief information officer at the $1.6 billion-asset Rockville Bank in Connecticut, said the growing pressure to tune up security has also made her workload heavier.

"One person can only do so much," she said.

Ray said that, because Rockville Bank already outsources much of its data processing — Jack Henry & Associates Inc., for instance, hosts its core processing — there wasn't enough work to justify hiring someone dedicated to overseeing data security issues.

"This is not a full-time position," she said.

Instead, following the recommendations of examiners and her own belief that the info security function required an independent position, Ray last year hired a local consultant the bank had worked with in the past, John DeMauro, as a part-time nonstaff information security adviser.

DeMauro had the right combination of skills — a knowledge of risk management and security, as well as bank technology — that Rockville Bank needed, Ray said.

DeMauro's services go beyond monitoring data logs and risk assessment to include reviewing the bank's policy and procedures, even employee training, Ray said. "The FDIC was actually impressed. They said, 'That's a very good process you have. You're really getting your money's worth.' "

DeMauro calls himself an "outsourced information security officer," and said he has a dozen clients. He launched his own business, Practical Security Solutions LLC, in February.

"A lot of these smaller banks are struggling in developing their information security programs," DeMauro said, noting that regulators have progressively tightened their security requirements over the years, starting with the nation's largest banks. "Eventually that pushed down to the smaller banks as well."

Regulators have generally supported the outsourced approach, DeMauro said. "So long as the skill set is appropriate and the contracts are well designed, they have no issue with it."

Other banks are keeping the information security job in-house but are using automated tools developed by vendors to monitor compliance.

Wayne J. Leiss, a vice president at Union Savings Bank, a $1.8 billion-asset thrift in Danbury, Conn., moved into a new position in January, as its information security officer.

"Regulators are looking for a dedicated security person. It's a new position we're fleshing out here," Leiss said. "It's been an internal recommendation from our accountants and auditors to put in place for a couple of years."

Union Savings had been an early user of Perimeter Internetworking Corp. for data security, so Leiss was willing to take the meeting when Andy Greenawalt, a former chief technology officer at Perimeter, came to talk about his start-up company, Continuity Engine, Leiss said.

Greenawalt, the founder and chief executive of Continuity Engine, said his work on the operational issues of data security exposed him to the intricacies of regulatory compliance.
