Security and compliance
Brian Babineau, an analyst at Enterprise Strategy Group, puts the compliance challenge succinctly: "You've got to look at technology to help mitigate failure to comply because it's just too costly not to."
Data security is the classic example. Banks and investment houses have always had to contend with the threat of fraud, but the growth of Web-based services and around-the-clock access, coupled with data privacy regulations such as California's SB 1386 and guidance from the Federal Financial Institutions Examination Council, has put a premium on securing customer accounts and customer data.
At TD Banknorth, the focus on compliance and the need for security monitoring led to the adoption of security risk assessment technology from Skybox, says Robert Kirby, TD Banknorth's manager of information security architecture. The product allows the bank to prioritize and understand its IT risk, so the most critical security risks rise to the top.
"It lets us decide what we need to do now and what we need to do in a reasonable time frame," Kirby explains.
Kirby says that TD Banknorth soon hopes to be able to map application and database vulnerabilities, in addition to network holes, into the Skybox system, and to integrate Skybox with a trouble-ticket system.
That kind of planning is one reason that financial services companies consistently score best in SunGard's measurements of security infrastructure, password protection, security policies, and employee training, says Jim Grogan, vice president of consulting product development at SunGard, a security products and services company.
"Financial services companies want to do due diligence on security but realize that they could spend an unending amount of money on it and still have potential for a breach. They're getting smarter and doing a prudent amount of investment to do the level of security protection commensurate with the data they're protecting," Grogan says.
Regulations are turning financial services firms into compulsive pack rats. Changing guidance from governing bodies such as the Securities and Exchange Commission, federal regulations such as Gramm-Leach-Bliley, and customer privacy provisions have prompted financial services companies of all stripes to hold on to more data than ever before.
The challenge is to use technology to meet regulatory and legal demands, while also creating business advantage, Grogan says.
FirstMerit Bank has more than 16TB of data archived, with 14TB in just the past two years, says Dave Samic, senior network analyst at FirstMerit. Much of the data -- including e-mail archives, and customer and transaction records -- is tied to regulations. But the data crunch spurred FirstMerit to reform the way it does business.
Among other things, FirstMerit consolidated its server operations from branch offices to a centralized datacenter. "Regardless of the vertical you're in, having those multiple copies all over the place is as inefficient as having the heat and the AC on at the same time," Samic observes.
To better manage its storage needs, FirstMerit also deployed a SAN and IBM's TotalStorage SAN Volume Controller virtualization solution, including IBM TotalStorage DS4400 storage systems and IBM eServer BladeCenters. Samic claims that he and one other full-time employee manage the center's 250 to 300 virtualized servers. That's allowed his staff of 20 to focus attention on application support and other vital areas.
Samic says he spends much less time on the road to FirstMerit branch locations now. And, in the long term, moving to virtualization has also insulated FirstMerit from fast-rising operational costs such as electricity, he says.
"Power and heat are gonna kill you. Look at California," Samic says, referring to a recent heat wave that caused blackouts that knocked a number of companies, including News Corp.'s MySpace, offline. "These are things that people need to keep seeing."