INDUSTRY: Financial Services
BUSINESS: Provides commercial and consumer banking, finance, and mortgage services
SCOPE: Community Bank
SIZE: $20 million annual revenue, 7 locations
BUSINESS CHALLENGE: The Equitable Bank needed a way to manage growing IT risks and escalating regulatory mandates as the community bank grew.
- Qualys VM
- Qualys Express
WHY THEY CHOSE QUALYS:
- Qualys Vulnerability Management scans are highly accurate.
- Security checks and network intelligence are always up to date.
- Insightful remediation information on all vulnerabilities.
Building a Community of Trust
As this growing community bank faced rapidly-evolving threats and increasing regulatory pressures, it turned to Qualys Express to manage its IT risk.
Community banks today are under constant pressure. There's greater competition in the financial services market than ever before: the economy is uncertain, interest rates are persistently low, and state and federal regulations are escalating.
This turmoil is reflected in a recent KPMG Community Banking Industry Outlook survey, which found that regulatory, legislative, and risk management pressures rank higher than any other business issues faced by community banks in the year ahead. Dealing with these risks has become just as crucial to these organizations as managing changes in their business model, reducing costs, and improving operational processes.
None of this is news to Mike Block, vice president and IT officer at The Equitable Bank, based in Milwaukee, Wisconsin, an independent community bank since 1927. Ever since Block started there as a network administrator in 1997, he has focused on securely embracing new technologies while maintaining compliance with state and federal regulations.
Managing risk through a decade of change
Throughout most of that time, The Equitable Bank has relied on Qualys Express to mitigate risks associated with malicious attacks and meet growing compliance mandates. The bank uses Qualys Vulnerability Management (VM) to automate the full life cycle of network auditing and vulnerability management – from network discovery and mapping, asset categorization, and vulnerability assessment reporting to prioritizing and tracking remediation according to business risk. Qualys has been a good fit for Equitable, providing cutting-edge protection against the latest security threats without substantial cost or resource and deployment burdens. Such attributes have proven crucial for the tight team running IT security at the community bank.
A decade ago, when Block first deployed Qualys Express, IT regulatory compliance mandates were just beginning to crystallize. The Payment Card Industry Data Security Standard (PCI DSS) hadn't yet formed, Sarbanes-Oxley was just getting started, and federal and state regulators were still formulating how IT risk would be governed. "Back then, regulators and auditors were not talking about risk assessments. IT risk was something only information security people were talking about," Block says.
Much has changed since then, in regulatory compliance as well as technology. What remained constant was Qualys Express's ability to help Block and his IT team keep the bank secure and compliant throughout all of those years.
The Enterprise TruRisk Platform, which powers Qualys VM, has the most comprehensive vulnerability KnowledgeBase in the industry, enabling security issues to be found quickly and accurately. Its highly-automated remediation and trouble-ticketing workflow automatically generates tickets based on Equitable's specific policies and tracks each vulnerability until it is actually fixed. "The remediation part of Qualys tells you how to fix something, and its risk scores help prioritize mitigation and remediation strategy," says John Kress, bank officer and network administrator at The Equitable Bank.
Qualys Express also helps the team maintain their infrastructure and endpoints properly, both Block and Kress explain. "When a new server is built, we use Qualys to make certain that it complies with our policy," says Kress.
Easing regulatory burden
Today, regulators know what they are looking for when it comes to vulnerability and risk management, typically requiring annual penetration tests as well as detailed vulnerability assessments. "When we perform these assessments, we are always pleased to discover how many of the service providers we contract with actually are already using Qualys as their means to evaluate vulnerabilities," says Block. "Time and time again, we hear it's because Qualys has such a comprehensive and accurate catalog of vulnerabilities in its database."
"Qualys is wonderful technology. And that's true if you're using it to manage your own risks and vulnerabilities or if you're a service provider helping others to manage their risk," says Block.
Finally, Block and Kress appreciate the insight Qualys VM provides into the risks they face every day. "It helps you to quickly determine which vulnerabilities are high-risk and which ones aren't as urgent. For banks, that risk assessment aspect of it is really important," he says.
"As a bank, we are always under regulatory pressure to make sure that we cover all the bases. We need confidentiality, we need integrity, and we need availability of information. But how do you get there without having the correct tools? All of this is what Qualys Express has helped us to achieve," Block says.