Banks are increasingly using technology to reduce their costs and deliver high-quality services. As banks become ever more dependent on computers, millions of shillings are being spent on these information systems. But even as modern banks rely more and more on the internet and computer technologies to process their transactions, they have become vulnerable to technology-based fraud. This is because of the speed at which information system security is evolving, which leaves a gap between where information security is now and where it needs to be. To deal with this widening gap, the banking industry has implemented various frameworks that act as a guide when evaluating information security vulnerabilities. However, this does not seem to be enough, as the Kenyan banking industry is still losing millions to technology-based fraud every month. The reason is that some of the frameworks are too generic and do not match the security needs of the bank, and some of the information security controls they suggest are outdated. This leads to short-term, incremental changes to the framework that are not enough to close the gap. A case study methodology was used to find out the different challenges banks within the industry are experiencing and the kinds of measures they are using to mitigate information security risks. This methodology was extremely helpful in discovering the challenges that banks face when using the existing frameworks. The research findings show that people are the largest threat to information systems: lack of proper communication (at 93%) and lack of skilled labor and of security awareness among customers (at 83%) were cited as major obstacles to security effectiveness. Moreover, fraud (at 88%), careless or unaware employees (at 83%) and internal attacks (at 77%) were cited as the threats and vulnerabilities that have increased banks' risk exposure.
Closing this ever-growing gap in information security does not require complex technology. Leadership and the alignment of people, processes and technology are what matter most in the transformation of information security.