Cadence Bank is a U.S.-based financial institution headquartered in Birmingham, Alabama, with 99 branches in Alabama, Florida, Georgia, Mississippi, Tennessee, and Texas. Backed by 133 years of financial expertise, Cadence provides a full range of innovative banking and financial solutions to consumers and companies of all sizes.
Cadence Bank has been an Own client for 3 years and successfully leveraged a variety of technology solutions from Salesforce. We recently sat down with Jonathan Hay, CISO, and Carl Lange, VP, Application Systems Specialist, to discuss how to innovate securely in a brave new world.
Here are their 10 best pieces of advice:
Embrace more flexibility and more cloud as the new normal
The global pandemic forced a lot of organizations to accommodate “work from anywhere” teams, which required huge shifts in operational approaches. Cadence Bank, like most businesses, had to adapt quickly and move more of their day to day online—which it sees as a positive outcome.
Jonathan Hay: “We always hear the phrase that technology flattens the world. I think it's flattened it even more so now. The new normal is all about providing our associates and business partners with the capabilities to be more flexible.
“From a security perspective, COVID-19 really changed the way we look at cybersecurity threats and the overall risk of our organization. We are no longer constrained to the confines of our organizational perimeter security and such. We really have to push the boundary as far as embracing more cloud security controls and more cloud technologies—that will ultimately give our associates the capabilities they need on demand.”
Carl Lange: “From a delivery perspective, we have seen a significantly increased demand for cloud capabilities from our lines of business. What my team has been recommending for years—going cloud and digital-based on a lot of different applications—is the reality. The current demand is “we need it yesterday,” because the need is absolute. Thankfully, we’ve had a long relationship with Salesforce that allowed us to accommodate those needs as rapidly as possible.
“I expect that there will be a number of things that will be forever changed, but not everything. For example, I think we'll still have face-to-face meetings, but hopefully things like including paper in a process will no longer be part of what a bank does ever again.”
Provide a better client experience (which Salesforce can support)
Cadence Bank realizes that all of its products and services are highly commoditized, which means consumers have many choices in the market. Cadence leverages all of its applications, and Salesforce in particular, to give consumers a reason to choose them and give business partners the opportunities to improve the client experience.
Carl Lange: “Strategically, Cadence Bank is very much zeroed in on the client experience by leveraging the Salesforce platform. We have a long history with Salesforce, reaching back about 10 years. We recently deployed a new Financial Service Cloud platform and that, in combination with Salesforce 360, puts us in an even better position to serve our clients.
“Overall, we want to continue to update and modernize our client digital experience through the automation of forms and electronic signature capture. We had huge success with the Paycheck Protection Program (PPP) and being able to stand up functionality very quickly. And in general, we are creating a modernized platform for our client interactions with web chat, video chat, texts, and social media. So, the foundational work we're doing today will continue to benefit the bank.”
Jonathan Hay: “As a lot of banks have learned over the past five years, it's ultimately about the client experience. That's why FinTech providers have been able to chip away at established financial institutions. They're able to provide a much better client experience to procure a loan, mortgage, or whatever financial service you can think in a very frictionless manner (for example, you can do it at 2:00 AM, as opposed for waiting for your bank to open). That’s something that really excites me about what we're doing with Salesforce: driving a much better client experience that will ultimately drive more revenue for the organization.”
Make “security by design” part of your culture
Operating in a highly regulated industry means Cadence Bank must innovate securely. Even fast-tracked projects—like launching a new Financial Services Cloud with nCino, or instituting platform encryption and data classification—are executed on a collaborative basis with security controls in place.
Jonathan Hay: “As a financial institution, we’re a lot more regulatory and compliance driven than your typical organization. Security and privacy by design must be part of our culture. It’s like building a house—it won’t need a lot of rework if you have really good architecture and blueprints. We focus on making sure that we get data security right the first time, instead of having to go back and do a lot of rework.
“And we try to ingrain in our culture that InfoSec is everybody's job. All it takes is a threat actor to be right once for us to have a really bad day. We come to the table with our line of business and technology partners to solve problems and figure out ways to manage our risk to a tolerable level. InfoSec should never be a department of “no,” but rather “yes, but”; it's making sure that we're doing everything we can to manage risks to an effective level for the organization, and also not slow us down. We need to be very agile and flexible with the decisions that we make on a daily basis.”
Figure out where you have risks
Anyone moderately familiar with Salesforce knows that the platform is very complex with a myriad of options and controls for each Org. It can be easy to get paralysis by analysis when looking at your Salesforce environment, but Cadence Bank took proactive steps to understand and evolve how it uses the application.
Jonathan Hay: “Salesforce is like having an entire bucket of LEGOs—you can build whatever you want. That flexibility comes with a lot of complexities that once you start distilling down and applying the right risk management practices, can be a struggle to manage.
“The best thing we did as an organization was to start with risk management fundamentals. We did an initial assessment to see where our greatest risks exist within the Salesforce platform and then mapped out a journey on how to manage those risks (which took the form of a two-year plan on implementing controls in the Salesforce environment). The guided risk assessment gives you great context into what your risk is and how to approach it. And then you can rank the risks in order of severity and start making an actual risk remediation plan.
“We also keep a handle on potential new risks by closely collaborating with the Salesforce development team to make sure that anything our organization is doing adheres to information security controls, and addressing any concerns they might have.”
Don’t forget about insider threats
Cadence Bank emphasizes that risk assessments should encompass both external and internal threats. Accidental breaches can be just as damaging (perhaps more so, media wise) than bad actors and hacks.
Jonathan Hay: “We highly recommend that organizations sit down with their lines of business partners and discuss what they see as potential insider threats. It’s very important for InfoSec to have those conversations and understand where to monitor the Salesforce environment for those types of threats. It’s also a chance to establish a partnership with lines of business to extract that information. Ultimately, no amount of technology can overcome an insider threat and that intimate knowledge is only held by the lines of business. This shouldn’t be overlooked as part of the risk assessment as well.”
Build a close collaboration between InfoSec and Salesforce DevOps
Two-way communication between InfoSec and Salesforce DevOps is the key to successfully balancing business needs, data security, and compliance. Cadence Bank has been thoughtful and diligent about establishing those lines of communication and collaboration between these teams.
Carl Lange: “On the Salesforce development side, we're fully aware that there are risks associated with what we're doing and that we need to make the right decisions. Ultimately, it's the role of Jonathan and his InfoSec team to help guide those focuses and decisions. We've learned a significant amount in terms of the thought process that goes behind the security and what’s important for us to focus on collectively from the bank's perspective.
“For example, encryption of data at rest. From a development perspective, we were just looking at the fields we can encrypt and need to encrypt. But with InfoSec's involvement, we're getting a much better interpretation of why we should encrypt these particular fields. We've discovered that the list of 2000 fields doesn't necessarily need to be 2000 because we could have some performance issues; working together, we've been able to see that it's 200 fields that are the real risks to the bank and the priorities to be encrypted.
“Working with InfoSec has been such a good experience because it's not just about security, but about the user experience, too. There's an understanding that we have mutual goals and I think that's why we've been so successful.”
Realize that security is a journey
Knowing what data you have and which controls to apply is the first step on a long path. Cadence Bank (accurately) sees security as an on-going journey with specific checkpoints that need to be hit along the way.
Jonathan Hay: “Security is a journey. You start by doing basic things within the Salesforce platform, like data classification and encryption, to really understand where your data is. You map out where all of your sensitive data lives and how you utilize it within the platform. It’s then much easier to go back and layer privacy risk assessments on that data. Now, you can understand how your business uses that data, and how information is shared with other platforms and applications within the environment. Then, you can better leverage some advanced control capabilities in the future, like data obfuscation and tokenization. Those more complex security controls are what we're marching toward as an organization. And all of these steps are why we see it as a security journey that never really ends.”
Operationalize your security controls
Along the security journey, organizations need to operationalize their security controls. From a process perspective, establishing governance controls are equally as important as the actual technical controls, as far as making sure that everyone in your organization is adhering to best practices. Cadence Bank has proven that with their approach to security operations.
Carl Lange: “Our Salesforce development team has its own procedures and processes related to security, which include very rigorous change management practices. We’ve built our own system in Salesforce that integrates to the bank’s overall process. In terms of access, we've established and documented our controls. So, we’re following the lead of the bank as an organization in terms of making sure we're acting in the way that we've committed to.”
Treat Salesforce like your other mission-critical applications
It’s important for organizations to think of Salesforce as the same as every other application in their environment. The same types of controls and risk management methodologies should be instituted for Salesforce and its development team as your other apps and dev teams. It’s essentially an exercise in breaking down silos, which is underway with Cadence Bank.
Jonathan Hay: “The next hurdle we need to get over is bringing the Salesforce development team into some of the secure app dev practices. This will give them the ability to integrate their development work into a secure coding pipeline where we can check it for vulnerabilities before it gets released into production, and similar types of things. There's a lot of great native security capabilities within the Salesforce platform, so going back to the risk assessment, it's more about knowing what the risks are and then how to apply those native controls to make sure the organization as a whole is secured.”
Find a partner who knows Salesforce inside and out
Cadence Bank has advice to those just starting to look at Salesforce within the context of their broader security program and wondering where to start.
Jonathan Hay: “Find a partner who can help you figure out the technology. For example, partnering with someone who can do the Salesforce risk assessment from a technical perspective goes a long way. In our case, it was extremely valuable to go to Own for a risk assessment—trying to do it on our own or with our own internal audit teams would have been a pretty significant challenge. What would've taken us six months, took Own six hours. To get that much value that much quicker out of the platform was a significant win for us and the organization. Own was able to distill all the complexities around Salesforce into something that's easy to manage.
“And partner with someone who really knows Salesforce. Educate yourself on all of the controls and risks of the platform. That way you understand what those are, and then make the proper investments in your development team.”
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.
