How to Properly Plan Your IT Strategy

This content is provided by our sponsor, and neither is written by nor provides endorsement from ICBA.

Plan Your IT StrategyPlanning an IT strategy for any organization is challenging, but financial institutions face additional complexities due to regulatory and security requirements. And because financial institutions typically have limited IT staff to address desktop support, server hardware, applications, physical connectivity and other technical requirements, managers must search for new ways to address business needs while still being efficient and within budget.

How can you balance your internal IT staff resources with the technical and business requirements of your financial institution?

Strategic vs. Tactical Aspects of ITcloud

Your IT strategy must be laser focused in order to be successful. With the plethora of technologies that exist and the additional ones that are released each day, it is all too easy for an IT organization to get engrossed with the tactical aspects of technology before defining business requirements. Especially when limited resources and budget constraints exist, expending time and effort on extraneous projects cannot be afforded.

While some define their focus for the coming year based on available technology, successful financial institutions align the technical strategy based on their pre-defined business strategy.

For example, if your board of directors has chosen to focus on operational efficiencies, the IT organization would seek budget and resources focused on acquiring new technologies that minimize manual processes in order to achieve the business goal.

One business strategy that must be insisted upon is the need to upgrade existing technologies. While it is often easier to maintain the existing technologies within a financial institution, the implications from a security, functionality, efficiency and supportability perspective can be significant and may not be fully understood by business leaders.

Status Quo vs. System Upgrades

Existing technologies can principally be categorized into three areas:

  • Hardware/equipment
  • Software/applications
  • Systems/processes

If any of these items are allowed to age beyond their expected technical life, it is likely that your organization will experience failures, vendor support issues and security vulnerabilities. In all cases, proper maintenance is critical for maximizing the lives of your systems.

Upgrading hardware, software and systems is inevitable, but some options exist in order to extend the usefulness of various components. For example, servers and workstations are less prone to failure when run in a cold environment, so the cost of running the air conditioning on weekends during warm summer months in particular should be factored into extended equipment life. Nonetheless, as proprietary hardware components are discontinued by the manufacturer, maintaining unsupported systems introduces risks.

As an example, although Windows XP workstations and Windows Server 2003 have exceeded end of life, some institutions continue to run these operating systems because it appears to be prudent from a cost standpoint. However, when security vulnerabilities and lack of support are factored in, just one incident or breach can far exceed any perceived benefit.

One of the most difficult aspects that IT leaders address is the status quo mindset and soft dollar costs. Most people are resistant to change because keeping the same systems in place is easier. But banking is now a technology-based industry, and change is unavoidable.

Security Considerations

There are countless examples of security breaches that have occurred within financial institutions of all sizes. No organization is exempt from being targeted by hackers, but there are many steps that can be taken to minimize risks and maximize security. It is critical that IT staff understands the importance of maintaining the highest and most up-to-date security standards.

Financial institutions need to assess where critical data is stored and how it protected. Is data walking out the door on small USB drives? Is it properly encrypted? Are wireless networks within the branch protected? Are anti-virus mechanisms fully functional or can users bypass these processes?

Consider where the servers that run your financial institution are located. Is it a locked closet or is it a real data center with security and camera monitoring?

The security mechanisms that are necessary to keep your financial institution safe will continue to require upgrades that cannot be postponed. While hackers continue to devise means of penetrating financial systems, your IT staff must counter those efforts by maintaining high standards for networks, firewalls, encryption and multi-factor authentication.

Examiners have increased diligence in areas relating to security, and will continue to scrutinize security and compliance. The Cybersecurity Assessment Tool is an example of FFIEC security diligence and best practice analysis for financial institutions.

Preparing for “What If” Scenarios

Disaster can strike in many ways. While some think of disaster as a hurricane, flood or other natural occurrence, keep in mind that server, database and other system failures can be significantly detrimental to financial operations. One of the most overlooked aspects of IT operations are single points of failure. Any single system component such as a network router or un-clustered database can fail, and even where component replacement or backup restoration can be performed, it may result in several hours or days of downtime. How many total hours of employee productivity, and more importantly, how many customers will you lose because a single point in your system failed?

Frequent audits have instilled the need for financial institutions to document all processes, including disaster recovery. But, how often are those documented processes attempted and fully tested? Successfully addressing a disaster test on paper is far different than realistic testing. The most successful disaster tests are based on varied, unexpected situations and should be carried out at least quarterly in order to ensure maximum preparedness. Having adequate monitoring systems in place is critical for providing real-time and forensic data. Monitoring systems can range from camera to system monitoring. In many cases, monitoring alerts are not properly configured and result in insufficient alerting or an overabundance of alerts, which causes the IT staff to ignore genuine notifications that may be indicative of an issue.

Avoiding single points of failure, having the proper systems and procedures in place, monitoring and addressing compliance all come at a cost. As stated previously, business strategies must align with IT strategies for success, and these functions must be deemed important from both a business and technical perspective.

Strategies and Technologies that Will Help You Grow

As you move forward, strategies for growth and competitiveness will equate to success. First and foremost, take advantage of no-cost and low-cost approaches. Make full use of industry contacts, publications and websites. Learn about efforts that have and have not worked for other financial institutions and seek references. Request detailed demos and/or trials of all new technologies under consideration.

Most financial institutions with in-house operations function with an IT staff based on a 1:40 to 1:50 ratio of IT professionals to employees; thus, if a bank has 80 to 100 employees, there are likely two IT individuals that support the multitude of technology requirements. Maintaining the day-to-day reactive technical operations can be challenging and overwhelming for a small staff. Necessary upgrades, which are often overdue, and other proactive measures are frequently out of scope for small organizations due to limited resources.

The time and effort allocated for planning upgrades; including project planning, assessment and design, is often minimized in favor of proceeding with implementation. Organizations that instead address preparation as an important aspect of the project find that it is time well spent. When an internal IT staff has limited or no experience with assessing, designing or implementing a technology, the use of consultants that are well acquainted with the particular technology can be beneficial and will likely save money for your financial institution. How, you might ask? Consultants that regularly work with specific technologies are well versed in the market, product selection, analysis, and most importantly, the reality of the project. In the long run, these consultants can save time and money, as well as avoid mistakes based on their experiences.

Here are some suggestions for choosing consultants and technology providers for your projects:

  • Seek consultants that are focused on the financial industry, and have a deep understanding of the industry’s regulatory and security requirements.
  • Select a technology partner that can support your institution for years to come. Build a strategy plan together that can be implemented over time as budgets allow.
  • Require industry certifications and/or years of verifiable experience.
  • Request and contact references that have completed similar projects or experienced similar challenges.
  • Parse the project into phases with defined milestones to ensure valid checkpoints.

In order to extend internal IT resources, consider technology investments that focus on monitoring, automation and virtualization that will allow your IT staff to function more efficiently and focus on strategies rather than break-fix issues. By removing as many manual processes as possible, the IT staff can eliminate repetitive, mundane tasks that inhibit productivity. For example, virtualization technologies enable server workloads to automatically be moved from one physical host to another in the event of a failure.

Where the ongoing IT requirements of your financial institution cannot be sufficiently addressed internally and/or management has determined that the strategic direction is to focus on business activities, engage with a partner to address IT requirements. Service providers can be employed to address some or all of your IT requirements.

Especially for small and medium financial institutions, the advantages of contracting with a service provider include the following:

  • Physical equipment centralized and maintained by service provider, including support contracts and service level agreements
  • Premium data center, including access controls
  • Monitoring systems and reporting
  • IT staff specialization, including 24×7 coverage
  • Full redundancy, ensuring resource availability for failovers and disasters
  • Little to no disruption during upgrades and maintenance windows
  • Documented controls and processes
  • Tightly controlled networks and security


Your IT strategy is largely dependent on the business strategy that has been determined by the institution. And although defining an IT strategy may take some time and effort, it is one of the most important steps for making good technology management decisions. Once an overall strategy is determined, the IT staff serves as the conduit for implementing the technical aspects. Assessing the existing infrastructure and defining how technology can be used to achieve business goals is a critical project planning step that is sometimes bypassed in order to save time.

Review and evaluate your institution’s security policies and procedures. Especially in light of the multitude of security breaches that have occurred and examiner focus in this area, you should review the security of all data, including where it is stored, data center access, encryption, networks and firewalls. Security infrastructure is one aspect that can receive mediocre attention. If you’re having difficulty staying on-top of the ever-evolving security landscape, engage with a technology partner to help.

Take a good look at your disaster recovery plan to make sure you have a program in place to address today’s threats. Disasters can include everything from database, network, server failures and cyber-attacks to earthquakes, hurricanes and floods. Ensuring that your organization has redundant systems in place to address single points of failure and monitoring mechanisms to detect issues is important but not enough. Up-to-date, documented, disseminated and practiced processes are necessary to combat unplanned occurrences and address regulatory requirements.

Consider technology providers that can help. With limited personnel, a lengthy list of tactical goals and a constantly changing IT landscape, it’s common for community financial institutions to enlist the expertise of service provider professionals. To be successful, make sure your business strategy is defined, align it with your IT strategy, and begin evaluating your existing IT environment to ensure you’re on a successful path.