
Voiceover: Welcome to the JMARK Business Innovation Technology experience.
Dax: Hello, hello, hello. This is Todd Nielsen and Dax Bamborough. Today, we are joined by our friends at JMARK, Kevin Carpenter and James Schmidt. We are going to have a wonderful and exciting conversation about the world of bank audits, because we know that is such an exciting topic to so many people.
The truth is, though, that it’s a pretty important topic because bank audits are how banks stay in compliance with everything, how you know your money’s safe, and all that good stuff. Why don’t we start the conversation …
James: I just wanted to point out that I jokingly said earlier today about this being a breathtaking conversation, and then Kevin responded with a really long response. I could just tell from his response that he legitimately was excited about talking about this. I think his enthusiasm is going to be contagious for all of us.
I actually really am excited, even though it might seem like a little bit of a dry subject.
Dax: Kevin, why don’t you give us a little bit of an explanation of what you do with bank audits and how it relates to IT, because sometimes people see them too close together, and sometimes people see them as very separate things.
Kevin: Thanks for the opportunity to chat about this. You use the phrase wonderful and exciting. That’s just my life, dealing with bank audits and the exams, and IT compliance. It’s a lot of fun. Not so much for the banking side, because IT audits are a stressful time for many of them, and it’s a lot of gathering of documentation from all across the organization.
We’re not just dealing with IT when a bank is dealing with an audit or an exam. They’re dealing with across the organization. The IT side and then the loans, they’ve got to get all that stuff together and the deposits, and the insurance asides, and all of that fun stuff. They’re spread very thin most of the time, when they’re dealing with this.
That’s where a good IT provider can step in. Much what we spend a lot of our time doing on my team is in the pre-event phase of the audit process, is gathering all of the IT documentation so that they don’t have to. We present that to them two to three days before the deadline for uploading their documentation requests lists, and then they can review it, and we modify as needed for any gotchas or things that had been forgotten, or were way late in the process.
Audits are very … Well, like I said, far reaching, covering the entire organization. The IT portion is actually a smaller part of it, but it is also one of those that is the most highly regulated parts of it, when it comes to the expectations. And of course, with the heightened interest, or spotlight if you will, on cyber security, we’ve expanded out into cyber security and network security being entwined in the whole process now.
Dax: Hey, Kevin, and you started to hit on this in the beginning. We have this general term of bank audits, of how we help customers. But really, there’s many components to what bank audits are. Can you touch on that? As it gets to … In two words, to describe something that’s pretty big and what needs to be affected in there?
Kevin: Yeah. Audits are an interesting thing. I think, from this point forward, my only expertise and JMARK’s at large, is in the IT side of it. That’s where everything’s going to be focused, because I can’t help out with loans, or anything like that.
When we’re dealing with the audit, the IT audit portion, there are many different facets that could be. There’s often a general controls audit, looking at policies, procedures, physical security, down to are your servers in a locked cabinet inside a locked room that has limited access by a few people? And it’s everything short of a German Shepherd outside the door, protecting it.
The general controls audit, looking at all those, the soft IT side of things. But then, you can have external penetration testing as a part of that, external vulnerability testing, internal penetration testing, internal vulnerability testing. You can have wireless audits, and of course, the new piece that’s becoming more prevalent, is the remote access audit portion of it.
You can mix and match, and piece these things together, or you can do the whole thing in one shot, or you can choose this year is just going to be an internal vulnerability test or we’re going to hit wireless and virtualization. Those are all the different parts and pieces that can go into auditing.
Dax: And I’ll even-
Todd: Kevin-
Dax: I’m sorry. Go ahead, Todd.
Todd: I was going to ask, when it comes to … I’ll try that. When it comes to the audit, or from a perspective of I’m a compliance officer or something, at a bank, and I’m responsible for getting this done, what is it that you would do to … Or what is it that a lot of compliance officers may not realize about their network or about the security that maybe some of the things that you’re finding when you come into the network?
I don’t know if that was very clear.
Kevin: It’s very clear. My experience, banks come in all different shapes and sizes. It’s really trite to say, but you’ve got your single branch, a very community-referenced bank, and then you’ve got your multi-branch, very mature organizationally type of bank also, and then you’ve got your mega banks, which is not something I’ve had to deal with. That will probably force my retirement, if I had to. That’s another episode.
The compliance officer, depending on the bank structure, can be wearing as many as one, two, six, or seven different hats within the organization. Usually, the larger banks that have a dedicated … They’ll have a dedicated audit officer, internal audit officer, and they’ll have a dedicated risk compliance officer, and they’ll have a dedicated … Whatever the other one was that, much like you Todd, I lost my train of thought there.
They’ll have dedicated people in those positions. A small single branch bank is going to have one person, and that’s where they get overwhelmed. When an IT provider can come along and take the IT portion out of that mix and do the heavy lifting, down to the point to your question of looking at the network security side of it, [inaudible] to efficiently pull out the information that says here’s the firewall configuration as it stands today and be able to provide that for the audit team to review. Here’s our router configurations. Here is how we’re implementing cyber security measures that are best practices within the industry on this day.
That’s where that IT provider relationship can be critical. It’s just as critical when you have that more mature organization, because when the IT provider is doing that documentation retrieval, then your risk officer, and your compliance officer, and your audit officer can be doing other facets of their job in other portions of the bank that they may also have responsibility in.
Compliance is not IT only. I only have to worry about IT, but at the bank, compliance is IT and then what are FDIC regulations around deposits, and what are division of finance regulations around loans, and so on, and so forth. That lets them focus on [inaudible], and that’s the breath of fresh air that a good IT provider relationship can bring in.
Dax: Yeah. And then, to add to that, you hit on something, of a partnership. Obviously, we’re an MSP, that we work with our clients to make sure we’re taking on the understanding of the IT realm, not only on a managed level, but also how are we showing them, based off the guidelines that are set forth in regulations for FFIEC guidelines, that says this is where your network environment should be going, not just how we’re maintaining that.
I think that’s missed in a lot of realm, is we … Todd, we talked previously of technicians aren’t always the same, as some technicians understand how to manage the router, the firewall config, and get that data over to that.
Todd: Yep.
Dax: Very simple process to help with the audit or the exam, but how are we helping shape the environment, so that the client understands what’s coming on the horizon for the audit and the exams, and how they should be securing their environment better? How are they going through their board and having a … Kevin, help me with this, where we’re having to go in and do scenarios to help them understand a disastrous scenario, and that’s part of the requirement that a good provider is going to help them with, bring them through those scenarios.
Because it’s not just the loan processing isn’t going to work. Somebody walks in, how do you deal with that scenario from a cyber security standpoint? That affects the audits and exams as you go through that process. Having that knowledge as a good partnership really pays dividends on there, as well.
Kevin: Yeah, that … The pre-event stuff, what I call the pre-event phase when I’m working with it, there are a number of tasks that I perform. Some of them are quite simple, but they’re just to refresh my memory of what’s actually going on at the client’s site. Everything from refreshing the network topology diagrams, so we know what is where, the client knows what is where, reviewing their cyber security assessment, which is a massive document that the FFIEC put out a number of years ago, and is now becoming very quickly the de facto that all of the regulating agencies, both state and federal, are really looking to, to put all banks regardless of size on level footing.
You’re all being judged, if you will, or evaluated against the same criteria. Looking at their virtual infrastructure, looking at the status of any projects over the last number of years. And then, what you hit on James, that is huge, is the business continuity program, which includes disaster recovery. Where does that stand? How’s the testing going on that? Have we had testing?
Part of a good IT service provider’s offering, whether it’s part of an agreement or separate from an agreement is secondary, but there should be an offering there of assisting with that very thing. Not only performing disaster recovery tasks, but also helping to train because disasters most often happen because of human failure. We know that. That human element comes into the audit and the exam process. That’s another piece of auditing that I failed to mention earlier, and that’s social engineering.
How susceptible are you to someone picking up a flash drive that was left in the lobby and sticking it into their computer, or answering a question over the phone without getting proper authentication from the person on the other end that they are who they say they are? Social engineering is another big deal that goes hand in hand with the business continuity planning.
Todd: One of the questions I have for James and Kevin is, we’ve talked about this a lot in the past, in that … I’m trying to remember. Dax and I were talking about this. I think I wrote an article or we had an e-book, or something, about this idea that just because you pass your audit doesn’t mean you’re secure.
I know in talking with sales that’s one of the big objections … Maybe not objections is the right word, but one of the big pushbacks we get from banks that we go into is my network’s good. I’m getting good scores on my audit.
Can you clarify that and why it isn’t true, that myth? And what are some of the things you’ve seen from people who have gotten, quote, good audit scores?
Kevin: Going back to the social engineering there, we deal with the human element. Many people will tell you, and I partially agree with this, that is your weakest link in your entire security chain. I think it tends to be, but it doesn’t have to be. That human element also comes into play on the other side of the audit or exam, and that is in the … With the auditor and examiners themselves, because you’re dealing with human beings evaluating a network.
If I go into a network and I begin to evaluate it, I’m evaluating it through my eyes with my experience behind that. I’m going to look at the places that I’m most comfortable looking at and have the greatest likelihood, based on my experience of finding problems to be resolved.
Now, if James comes in right behind me and does a network assessment, he’s going to find things that maybe I noticed but I didn’t emphasize, or maybe I missed them altogether. It’s that same way with auditors and examiners. An auditor comes in and they’re doing the audit, and yes, they have their checklist, if you will. They have their pieces that are required for them to look at. But what’s going to pop out to them is going to be influenced by their experience, their most recent experience.
I saw something two exams ago, or two audits ago, and I’m going to be watching for that now. The old adage, when you hear hoof beats, think horses, not zebras. The idea being that you tend to emphasize that thing you’ve heard most recently. Just because … We see it right now in the pandemic age. Any little illness and suddenly, almost everyone on the planet thinks they’ve contracted COVID-19, when the reality is, COVID-19 doesn’t supersede all of the other illnesses that are out there.
We need to be circumspect in how we think about that. That’s that same thing with audits and exams. We need to be able to look at things as objectively as possible. The reason some banks will have gotten good scores and this is … You’ve just got to rip the Band-Aid off on this one and say it, is because they’ve built up relationships with the people doing the audits and the exams.
It’s not that they don’t want to give them an objective score. It’s their own personalities can sometimes prevent them from doing that. I have no problem with a bank sticking with the same audit firm for a number of years. But every now and then, it’s good to bring someone else in, just for one year. Every three to four years, bring someone else in. Examining agencies will regularly rotate their staff in order to accomplish that, also.
The FDIC as an example, you might get the same examiner two, maybe even three years running, or three exams running, but eventually you’re going to get a new examiner. That’s part of the reason for that. Comfort and familiarity are part of that.
Dax: I was going to add, if I can, to that, looking at a score and it’s not always synonymous with how it’s going to be taken. One of the things that I constantly run up against is expectations around we got this good score, we’re continuing with our hardware or our patch scores, and we don’t change anything, and they, over time, degrade their system, and not understanding the ramifications that is having is great, you did this one project five years ago, but where’s your next one? And having this continuous improvement in IT to keep those scores up.
That’s one of the biggest things, as even Kevin said earlier, is regulations are going towards all banks looking the same, whether you’re a billion-dollar bank or a million-dollar bank. If you’re regulated the same, you have to understand how to stretch your dollar appropriately within your IT program and that affects your patching scores or your scores that you’re getting with your examiners.
It’s important to understand this continuous improvement. The big piece that we see, as compliance officers, they’re absolutely great compliance officers, but haven’t necessarily had a background in IT. When these things are being explained is, well, I don’t really need that. We can stretch our equipment more, can’t we? It’s bringing it back into a continuous improvement cycle for their environment to make sure we are getting the right scores that are needed to maintain their bank.
James: I think it comes … Just adding to the cyber security side of things, something we talk about a lot, which is you can’t be comfortable because the forces out there that want to come in and get into your system, they’re not waiting. They’re not saying, “Well, I learned how to get into bank systems five years ago. I’m good now.”
They’re constantly upgrading their skills and figuring out new things and ways in, and social engineering tricks, and that kind of thing. You’ve got to be doing the same thing on every aspect. You can’t rest because they’re not resting.
Dax: No.
Kevin: There’s a reason even companies like us at JMARK are … We are constantly evaluating ourselves in the realm of how good are we at detecting phishing emails? I regularly, multiple times a week, will click that hey, phish alert link, and it’ll come back and say, “Hey, congratulations. Good job. You found an attempt by your own company to just test you on security.”
That makes me feel good. It also annoys me, because why … That’s 15 seconds of my life I don’t get back because I had to look at this email. But we- You’re exactly right. Everything is changing. Because everything changes at this really, really fast pace, back to James’s point, you used to be able to buy a firewall and put it in place, and you’d get the thumbs up from regulators for 20 years. You just put that firewall in place and it goes.
Now, it’s really hard for me, having been around back in those days, to be able to go to clients and say, “I know we just sold you this firewall five years ago. We’re going to be asking you to replace it here really quick.” Because the technology has outpaced the hardware that was available at that time.
That constant vigilance, that constant improvement, and now, fighting that war on two fronts is not just network security, it’s also cyber security. And those are two different things that have to be evaluated on their own merits.
Todd: I want to back up a little bit and make sure that we touch upon each of these, on the bullet points, so to speak. When we’re talking about a bank, who is getting a good score on their exams or audits, but there’s a gap in their security that they may not know about. What I heard was, one, there possibly is something, some lackadaisical auditors that maybe aren’t doing anything wrong, but they’re just maybe going through the motions.
Two is that, surprisingly, hackers are not doing the same thing as the auditors. There’s a disconnect between the auditor and the hacker knowledge. The hacker is like way, way up here. Three, I heard, we talked about just the mindset of not really innovation, but keeping things up to date and staying consistent and constant with the changes in the environment and the changes in just banking world and IT security, just to keep on top of it. Thinking that you do something once and you’re good for a long, long time isn’t true.
Did I miss anything?
Dax: I think you hit, too, is the lackadaisical, is more, I see is they focus on the low hanging fruit. As they go through a checklist, and they’re going to say, “Hey, you guys need to really focus on patching in this next cycle.”
But that’s a great piece to focus on, but what is not being focused on is maybe what’s more priority. We’ve had this when discussing with some auditors and saying, “Sure, you’ve culled out patching, but based off what we’re seeing in network, we should probably be focusing our efforts on this area.”
But because … Obviously, they’re running the audit. They have their checklists, and that’s what the checklist has told them to do based off what the requirements are. When we look at securing a network, there’s a whole other piece than just that low hanging fruit that needs attention. I don’t want them to be set up for failure because this was a low hanging fruit and they could easily talk through it with their knowledge from their background.
Todd: Lesson learned is your checklist cannot be more important than your IT security.
Kevin: Right.
Dax: Yeah. You have some of these auditors that come in with a background in, let’s say networking, or a background in process. That’s what you’re going to find they’re going to focus on in the audit, that how are we taking a holistic approach, from a provider standpoint. Or even if I was an enterprise admin within an environment, how am I looking at the overall environment and basing that off of the regulation, and focusing on that. Whereas, the auditor’s taking their understanding and their checklist, and that’s what’s given.
We try to go way more than just the audit.
Kevin: And-
Todd: So, how- Okay.
Kevin: Let me just say, one consideration when you’re choosing an audit firm is who’s going to be performing the audit. There are some audit firms where one person will do the entire audit for you, the entire IT audit. There are other firms where they’ll have two to as many as five people, depending on the pieces that you’re going.
One engineer is focused on the external penetration and vulnerability tests. Another engineer is focused entirely on the social engineering side, as opposed to just one person crafting all of that stuff together. There are merits on both, and you’re going to pay accordingly for both most likely, but that’s an important consideration for a bank to take in, how detailed do you want your … Or how detail oriented do you want your audit firm to be? How precise are they going to get?
Todd: I think a lot of people probably take the approach of I don’t want to know the danger. I’d rather keep my head buried in the sand. One of the questions I have is, say you’re going through these audits and you’re getting good scores, but you’re not paying attention to your true security in the network and you’re not as secure and compliant as you really should be.
What is the danger to a bank, and I’m sure banks know this, but just for our sake, what is the danger to a bank to focus more on the audit but then get hacked or have a security breach?
Kevin: Yeah. The chills go up and down my spine just hearing you voice the question. It’s a huge consideration. The misconception with audits, honestly, is that they’re there to show us how bad our network is. The fact of the matter is, we bring the auditor in, and the federal agencies have required annual external audits because we want to catch these things before they turn into a problem.
Just very recently I was in an exit interview with a … Following an audit for one of our clients. It was a very good review, but yeah, they talked about here are three things that we discovered were [inaudible] for you, and could, if [inaudible], result in breaches to varying degrees. We want to get those taken care of.
It’s not that we hadn’t noticed those, but again, you get those different eyes and those different tools available to them, and they’re able to get just that one step further than maybe we’ve been able to look thus far, and now we can get better, provide our clients better security. And now, when the examiners come in behind the auditors, they can see that things are really good.
Those incidents that happen that could have been prevented if we had been … We being everyone involved in the audits, if we had been a little bit more detailed and persistent in the entire process and getting ourselves outside that comfort zone. It’s not always about the score. Sometimes it is truly about finding out where your weaknesses are.
I think if we flipped that script a little bit, to where we’re thinking about where are our weaknesses so that we can get better, then everyone wins in that scenario. This is not an area where you can say, “Well, we’re going to emphasize our strengths and de-emphasize our weaknesses.”
No, we can’t do that here. That’s great for personal growth and development, but not so much for network and cyber security. Here, we’ve got to find the weaknesses and absolutely destroy them. We’ve got to get rid of the weaknesses.
Todd: What is the true danger, though? If there’s a breach at a bank and privacy is … There’s a privacy issue or something else, even though you have this great audit score, what is the risk to the bank? I know there’s some downgrading possible. Some other things?
Kevin: Yeah. Each regulating agency has a scoring system. Those scores can be upgraded to a high level and they can be downgraded. That affects a lot of different things, that allow the bank to be more or less profitable, allows the bank to offer more services or fewer services, because of their [inaudible].
The real problem is, when you have a breach, you have to report that. For a bank, that means you have to report that not just to authorities, but you have to report that to all of the regulating agencies that are out there. If you are a state-chartered bank, then you have to report that to the Missouri, or in our case, the Missouri Division of Finance. You have to report that to the FDIC if you’re FDIC-insured, which the vast majority of the banks are.
And so, that begins that ball rolling on all of these different fronts. Suddenly, none of your staff can concentrate on what they’re supposed to be concentrating on because they’re concentrating on these reports and requests for reports, and so on, and so forth.
To the client’s eye though, yes, the biggest disadvantage is the solvency of the bank, really. That downgrading process is very difficult to turn around, at least quickly. If you get downgraded, you’re sitting there for a little bit while you restore the securities and the trust with all sides.
Dax: Yeah, and even the trust, the reputation of the clients when you have to report this now, not only potentially have you been downgraded, but how is reputation going to hurt you from your clients of pulling out because of that? Super important take.
A normal client that’s not regulated, and do that ten-fold, because now you have to report everything to the regulators, and that will present its own issues through that process.
James: Yeah. I think … You took what I was going to say about trust. In 2020, people are aware. Your clients, even consumers, the people who the banks are serving, people are aware of these things and trust is so important. People know that their life can be affected, their information is housed by every bank they use, every company they use. People are aware of these things. That trust is going to affect you, not just on the end of dealing with these regulations, and all the red tape and everything, but it’s going to affect you on the front of the bank too, and on the customers you serve. They’re going to begin to lose trust in you.
Todd: And not to beat the point to death, but the … In the banking world, there’s no lack of banks that any one of us can go to. I’m in a small little town and there’s four banks in our town. There’s more banks than restaurants. It’s everywhere.
With online banking and with everything now with COVID-19, the digital transformation is accelerating. People are doing things now with banking that they weren’t doing before. Scanning your checks with your phone and depositing them, and doing more online banking, and a lot of people that were used to going in aren’t doing that anymore.
The point is that the competition is strong. If you’re in a small town, like a lot of community banks are, where you’re building this trust with a small group of people, your town, and you lose that trust, it’s not going to be easy to get it back because people don’t just whimsically move their … That’s probably not the right word, move their money around just for the heck of it. We don’t wake up on Monday going, “I think I’ll move it over to this bank.”
Once it’s there it’s there, but if you lose trust, you’ve lost a customer for potentially life.
James: Yeah.
Kevin: Once you-
James: I wanted to talk a little bit about going back to how, in the beginning of the discussion where, Kevin, you were talking about how your MSP, your IT provider can help you prepare for these audits. Something you said a few minutes ago also brought to mind the idea that we’re not just learning from each bank individual.
The things that you’re learning from one audit that you do with a client over here is helping us become better and serve better the client over here, the next one down the road. I think that’s an important point to emphasize about how we can help them see things that they might not see when you’re stuck just with your own company, looking at your own data all the time.
Kevin: Yeah. It’s one of the interesting things, and as an MSP, you can get so [inaudible] in your relationship, your partner, with your client, that you forget that you’ve got these other service providers out there, with whom you need to foster at least an amicable relationship. We don’t want to be hostile towards them because they’re supporting the same client that we are.
It’s that way with auditors and examiners. I can’t say I’m … I’m not buddy-buddy with every single examiner that I come into contact with. Some of them just aren’t built that way. But there are a few examiners and a few auditors that I’ve talked to enough times and we’ve … The conversations now go beyond the your firewall configuration really needs to be this and such, to … Even down to what’s your favorite coffee place down there in Fayetteville, Arkansas? Yeah, I’ll have to check that out next time I’m there.
That’s when it gets really interesting, but if we foster that same relationship, if you’re dealing with an MSP, with an IT support provider that looks at the other vendors with whom you do business, not just as vendors, but as co-supporters, that’s the way we look at auditors and examiners. Like I said earlier, they help us get better. They help us service this client better, and by doing that, they help us service all the clients.
One of the benefits of working with James, the team that James and I are a part of, is that team is focused, here at JMARK, on the entire organization. Things that we learn through audits and exams can be deployed not just to the banks, but hey, this is a huge security decision. We’ve got to get this out to all of our clients in these various industries, and sooner rather than later.
Keeping that in mind, not putting the blinders on and being so focused on this client, this time, but how does this impact the wider consideration? That’s a good point. Appreciate that, Dax.
Dax: That’s always to … It’s not reinventing the wheel.
Kevin: Yeah.
Dax: It’s sometimes tough to see internal IT, where there’s something that should be pretty simple. It’s taken to the nth degree, that it’s reinventing the wheel. As service providers, and I always want people out there to understand is, what’s the breadth of knowledge that you’re getting?
Sure, somebody could put in a project but do they understand the environment and then how do they create solutions around, that work for the banking structure? Not to have too much of a commercial of us, as I always want people to have more knowledge, it’s truly what’s the system that’s put in place to set your bank up for success each time you go into one of these audits and exams, because they are daunting for most people at first onset of them. How are you taking that to not reinvent the wheel?
That’s huge when you’re trying to create a structure within the bank environment.
Todd: Absolutely. I was sitting here thinking a few minutes ago, and this is maybe a little bit of change of topic, but I forgot about an experience I had one time. A number of years ago, I was in Oklahoma at a trade show for JMARK. It was in the evening and we were talking with different banks. It was a banking association. There was this one bank president that I was sitting next to and we were talking.
I asked him, “How are you guys doing on your exams? On your audits?” He looked at me and he just laughed. He did have a few drinks. And he goes, “On the last audit, the auditor wrote so and so does not have a clue about IT security or the regulations.”
He just laughed, and laughed, and laughed. I don’t bring that up just to throw us into another topic or anything, but I think that’s really interesting because we’ve been talking about innovation a lot lately and going to a better normal, and how things are changing, and how accelerated technology is becoming, and how accelerated security is becoming.
Just since COVID, the security risks have increased many, many, many fold. The truth is, if you have that attitude as a bank president, as a bank executive, as a compliance officer, as a shareholder on a board for a bank, you’re not going to make it to the next level.
Kevin: Mm-hmm (affirmative).
Todd: You’re going to fail and that whole conversation we had about competition, you’re just going to get swallowed up or disappear.
Dax: It goes back to … That sounds like a scenario where they’re being able to check a box on an audit to get the rating that they need, but not necessarily being secure. I wonder what their scores are that allows them to operate like that, but I would not have confidence in that bank if I was a customer, if I heard that.
That’s really tough, is what is a true score? We grew up in school thinking if I’m at this range, I’m doing good. If you’re average, you’re doing good. That’s average. If you’re one step above, so how many of these banks are one step above that average level and not truly up here where they should be, to be secure.
That’s where I always worry about, are they just one step above or are they truly secure in their environment to be the right bank?
Todd: Being average when it comes to security is being bad.
Dax: Hey, I’m one step above. I’m not average. You still need to go way higher if you want to be secure.
Todd: Right. So to bring us … Oh, go ahead, Kevin.
Kevin: I was just going to say, that’s one of the nice things. I mentioned the cyber security assessment tool. It is this massive document. It’s over 500 questions, or I should say, 500 declarative statements that the client will answer yes or no to. But the beauty of that is they broke it down into five maturity domains.
One of the first things we do with a bank, that I do with a bank, is I say, “Where do you want to be?” The requirement is baseline, so that’s the first one. For most of the banks that we deal with, that I have the opportunity to deal with, that’s good. It’s not just good enough, it’s good. It’s a secure environment with room for growth.
Now we’re at the point with a number of our clients of saying, “We have this next maturity domain. This is evolving. How far into this do you want to be? Let’s take a look at that.”
The nice thing with that cyber security assessment tool is it’s given us a framework to objectively show them and work with them to get to the level of network security that they want to be at and that we agree, as their MSP, as their IT support provider, they should be at. That’s also a key consideration. This is a partnership, not a we’ll do whatever you want and be happy about it.
Exactly right, we can’t just say, “Oh phew, we passed the audit. We don’t have to worry about anything.” Well, let’s be sure of that. That’s where a good IT provider comes in.
Todd: Yeah. Last week, we had a conversation about outcomes. Part of that is, when you hire an IT company, whether you’re a bank or any other type of organization, and especially if you’re a bank and that they’re supposedly going to help you pass these audits and exams, and such, you are hiring to get an outcome. You’re not hiring for complacency. You’re not hiring for them just to do the minimum or the average like you were saying, James. You’re hiring them to do an outcome.
I really like what you said, in that we can help people get to the next level and, based on also where we feel comfortable them getting to, as well. There’s a progression and there’s sometimes costs, and there’s sometimes changes that are difficult that have to be gone through. As an IT provider, or as a bank, you have to be expecting these outcomes from your IT provider, not just managing them.
Kevin: That’s a change that we’ve seen actually over the last … When I first started doing this full-time, when I became the audit compliance specialist, we were really seeing and examined against, if you will, as an IT … As an in-house IT provider. We were employing [inaudible], oh yeah, they provide our IT.
Very quickly, and I’m not sure what caused the change, but it was pretty quick that examiners especially began to say you need to treat JMARK as a vendor. They’re no longer an employee of the bank. They’re no longer your good friend that you go out to coffee with. They are a vendor, and therefore, due diligence and all of this other stuff needs to be done to an nth degree.
That wasn’t a bad change, but we need to recognize that’s a change that’s gone on. The reason I agree with the change is because it puts control exactly where it should be, and that’s with the bank. The bank gets to hold us accountable, gets to hold their MSP, their IT provider accountable for what they’re doing. The bank has a say in the expectations.
We also have a say in whether or not those expectations are realistic, based on a lot of different variables, but the bank has a say in what those expectations are. That’s something that good IT providers will know and will respect. But it’s especially true when you come to banks.
Todd: Very true. I think we’ve had a great discussion. This was … Has been pretty interesting and I’ve enjoyed learning a little bit more about the audit process and what happens in banks. I think some of the takeaways that we’ve talked about are you need to expect outcomes from your managed service provider. You need to realize that your auditors are not on the same level as hackers. You need to realize that great audit scores don’t mean great security. And you have to realize that a lack of trust can be lost in a minute and may take years to build back up.
As we end today, for those listening, whether you’re a shareholder in a bank, whether you’re an executive, or an employee, or a president, or whatnot, find how good your security is, find out … Don’t just rely on the audits.
JMARK works with a lot of auditing companies, with a lot of banks. Please reach out to us at JMARK.com. Fill out the form there, give us a call. We have reports that we’re going to be … Redacted reports that we’re going to be … Have available soon, where you can see the awesome scores that we’re helping our clients get through our bank audit services that we help our clients with.
Just as a last comment, just remember that no matter whether you’re a bank or any other type of company, you’re also a technology company. That’s important to remember. See you.
Kevin: Bye.
Dax: Thanks guys. See you.
Voiceover: Thank you for attending this podcast. We hope it has been informative and helped convey that at JMARK, we are people first and technology second. To learn more and discover additional content relevant to your business, please visit us online at JMARK.com or at LinkedIn, Twitter, Facebook, and Instagram. You may also call us at 844-44-JMARK.
Thank you for your time and we look forward to seeing you again.