From Manual to Optimal

Citizens Business Bank's proactive approach to security involves everyone-from the board room to the end user

Elsa Zavala, Senior VP and CIO, Citizens Business Bank

In the mid-1970s, Southern California's Inland Empire region was in rapid transition from an agricultural economy to a major urban center. In that environment, business and community leaders established a new bank, with the goal of offering the best financial products and services while maintaining a level of customer service reminiscent of the area's small-town past.

Just over 30 years later, Citizens Business Bank has over $6 billion in assets and 44 commercial banking centers in California, from Orange County to Stockton. The firm's financial strength prompted U.S. Banker to recognize Citizens as the nation's Top Business Bank in January 2007.

Through this growth, the bank has maintained its reputation for excellent customer service and, in an era of rapid employee turnover, Citizens' associates are more likely to stay on board for an extended time.

One of those long-time employees is Elsa Zavala, who joined the bank's information services department in 1993, and became the CIO in 2000. At the time, the bank was launching its online banking services and expanding its Web presence, and Zavala recognized the potential dangers that came with that expansion.

"At Citizens Business Bank, information security is an issue that goes all the way to the Board of Directors," Zavala explains. "I provide them with a quarterly report on where we stand from a security perspective, and I'm proud to say that they are personally invested in ensuring the safety of our customer data."

A proactive approach

Citizens' proactive approach to security is difficult to maintain in today's rapidly evolving landscape. "Banks are reacting to security threats and compliance requirements as they come, but they have no enterprise strategy to be more proactive and plan for what's going to be coming," says Jeanne Capachin, research VP, banking practice, at Financial Insights, a Boston-area financial technology research firm. "They can never take a step back and take a broader view, because they are always reacting to the next new thing."

Experts suggest that security is an increasing factor in earning the trust of customers and providing a competitive differentiator to grow the business. "Banks are not the target, but they must take responsibility and ensure their customers still trust they can keep their information secure. Very often, this requires making a financial investment to react to security concerns," Capachin relates. As a result, North American banks are expected to spend $10.7 billion this year on new technology investment opportunities alone-most notably around security and regulatory/compliance solutions.

Bringing in the experts

Having experienced both organic growth and growth by acquisition, Citizens realized that the plethora of manual processes in use to integrate and manage security and compliance issues would quickly become unwieldy. Adding new Web-based services to this mix made new technology solutions even more necessary. "I didn't want to increase my staff and develop their expertise for 24/7 coverage of the latest and greatest security threats," explains Zavala. "We wanted to depend on experts to manage this for us."

To handle its security monitoring requirements, the bank turned to Symantec Managed Security Services to monitor and manage the bank's security infrastructure, which today includes Symantec firewalls, network intrusion detection systems, and endpoint security software.

Symantec Consulting Services also provided a vulnerability assessment that helped the bank write its security policies, designing them to ensure compliance with a wide range of regulations. The initiative helped the bank prepare for FDIC audits and meet internal standards that at times are even more stringent than external regulations. "Ensuring that best practices were in place before the launch of online banking helped protect online customers during the crucial early adoption phase," says Zavala.