Cybersecurity Essentials | Part 1

From our CEO: Cybersecurity Essentials

Cybersecurity Essentials for Community Banks: A 4 part series from Acumen Technology’s interview with Tommy Rainbolt of Acumen Technology

CEO of Acumen Technology sits down for a conversation with Acumen’s vCISO Tommy Rainbolt to discuss Cybersecurity and community banks. Each post in this four-part series offers community banks an in-depth look at cybersecurity best practices, from resilience and budgeting to incident response and culture-building. Part 1 of this 4 part series highlights biggest threats to cybersecurity and tools available to abide with industry security guidelines.

Part 1: Focusing on Resilience Over Perfection in Cybersecurity 

Sonny –   Tommy, what do you see as the biggest cybersecurity threat facing community banks today? And how can they prepare, especially if they have limited resources? 

Tommy –   Honestly, Sonny, the biggest threat I see is our deep dependency on technology. I’m not just talking about security risks from hackers—I’m talking about the fact that if a system goes down, many banks feel like they’re out of options. There’s this unspoken assumption that if tech fails, operations stop, and that can be dangerous.  

This dependency makes it essential to focus on incident response and disaster recovery. But here’s the key: disaster recovery isn’t about waiting until everything is back to 100%. It’s about what I call achieving “minimum viable operations.” You see, it’s more practical to prioritize your core services and keep them running, even if some systems are still down. That way, the bank can continue serving its community, which is especially critical for smaller banks. 

Sonny –   So, what does “minimum viable operations” look like for a community bank? 

Tommy –   Good question. For many community banks, the essentials—what we’d call the “minimum viable operations”—boil down to cash withdrawals, deposits, and maybe a few other core services. You want to be able to prioritize these tasks to keep customers connected to their money. Think of it like triage in healthcare: you address the most critical functions first and handle the rest as resources allow. 

This approach allows a bank to be up and operational faster, even if it’s not operating at full capacity. You get those essential functions online first, and then, when time and resources allow, you bring back less critical operations in phases. It helps relieve pressure on the IT side and gives the team space to fix issues without feeling like every single service needs to come back online immediately. 

Sonny –   And how does this fit with industry guidelines like FFIEC’s Business Continuity Planning (BCP) requirements? 

Tommy –   That’s the beauty of it. FFIEC BCP guidelines actually encourage this kind of thinking. They emphasize the need to maintain critical services in emergencies, even if not every system is fully operational. It’s about keeping essential functions online to serve your community. And that’s really the heart of what FFIEC wants banks to do: support their communities, no matter what. Minimum viable operations let banks do that. 

The FFIEC guidelines focus on resilience, not perfection. They ask banks to assess and prepare their “minimum” operational needs so they can stay functional in a crisis. This aligns well with NIST’s Cybersecurity Framework, too. NIST has a “Recover” function that encourages companies to plan for maintaining critical operations during a crisis, even if other areas are temporarily out of service. 

Sonny –   How should a community bank go about defining its own “minimum viable operations”? 

Tommy –   It starts with identifying those core functions. The bank’s leadership, IT team, and other department heads need to sit down together and look at what operations are truly essential to continue serving customers. It may take some work, but banks should focus on things like core transaction capabilities—handling cash, deposits, withdrawals—anything that affects people’s access to their money. 

Banks should also be proactive about creating specific guidelines for staff on what to do when core systems are down. There’s nothing worse than scrambling to figure it out during a real incident. These predefined minimums help everyone understand their roles and keep the bank’s service flowing during a crisis. 

Sonny –   Are there any tools or practices that help banks ensure their minimum viable operations plan is robust? 

Tommy –   Absolutely. Tabletop exercises, or simulated scenarios, are a great way to stress-test your plan. These exercises let you practice what you’ll do if certain systems are down, which can help identify any gaps in your response plan.  

You can use tools like Microsoft’s planning templates or specialized BCP software to track the critical parts of your operations. A well-documented plan is essential because, during a crisis, your staff won’t have time to create a new strategy on the spot. It’s the plan itself that creates resilience by allowing everyone to act confidently and with purpose. 

Sonny –   Thanks, Tommy. Any final thoughts on resilience and minimum viable operations? 

Tommy –   Just remember that resilience is not about having every system perfect all the time. It’s about being able to adapt and continue serving customers with whatever resources you have. For community banks, focusing on minimum viable operations is a game-changer because it helps you keep your doors open, support your community, and gradually recover from disruptions without feeling like you have to get everything back at once. Resilience, in this context, is about serving your customers even when everything isn’t perfect—and that’s what builds trust. 

 

About the Authors

 

To find out how Acumen Technology can help grow your business, connect with our team today!

Share Post: