Cybersecurity is a multifaceted responsibility that takes both internal and external expertise, according to technologists participating in a recent CUNA Technology Council virtual panel discussion on in-house vs. outsourced approaches to information technology (IT) security.

“There aren’t many of us in the credit union space who can go completely in-house for everything,” says Chris Sprague, security engineer at $1.4 billion asset TruWest Credit Union in Tempe, Ariz. “It’s possible to go completely outsourced, but it’s not something I would recommend. You’ll always need some in-house expertise.”

When Sprague joined TruWest in 2015, he invested in around-the-clock, enterprise-wide security systems including Darktrace and Rapid 7. 

“Our first order of business was to gain full visibility of all activity across the network,” he says. “While these packages together might have an annual cost of as much as a single full-time employee (FTE), they provided us with 24/7/365 coverage. No FTE can provide that.”

With full network visibility, TruWest began prioritizing risks using the 18 Center for Internet Security (CIS) controls as a guideline. Sprague recommends starting with software and hardware inventory. 

“You don’t know what to protect if you don’t know what you have,” he says. 

Protecting the organization’s perimeter is another priority. 

“Just knowing that hackers can automate their attacks, your perimeter is your most vulnerable point,” Sprague says. 

He suggests conducting security assessments and annual penetration and audit testing of networks. “We use a different vendor for each penetration test so we get a unique perspective of our credit union’s security profile.”

Both Sprague and Richard Roark, vice president/chief technology officer at $1.5 billion asset Bay Federal Credit Union, Capitola, Calif., and a member of the CUNA Technology Council Executive Committee, say their credit unions worked diligently toward Payment Card Industry Data Security Standard compliance.

They advise all credit unions that collect credit card data to do so.

‘Conduct due diligence and ask the questions that are important to you.’

Maggie Coyne

Maggie Coyne, director of in-house security for $5.4 billion asset Visions Federal Credit Union, Endicott, N.Y., offers these considerations for credit unions working with third-party providers:

• Recognize they are in business to make a profit. “This doesn’t make them bad people, just be aware that you don’t share that priority,” says Coyne, who used to work at a security provider. “There’s a saying, ‘No one will care about your data like you do.’”
• Understand they may lack technical depth. Credit union enterprise monitoring often is left to Level 1 employees who are replaced by other Level 1 employees as they move up ladder, she says.
• Realize you may not receive dedicated resources or develop trusted relationships. “If they’re very large, you might always deal with a different person,” Coyne says.
• Know that if the provider has a large customer base, it may only provide standard services and not gain intimate knowledge of the credit union’s security environment. Without this intimate knowledge, providers may not understand where tailored services are acutely needed, she says.
• Be aware that providers carry third-party risk. They’re an attractive target for fraudsters and should share their security profile and philosophy with the credit union. 

“Working with any provider requires a strong vendor management program,” Coyne says. “Conduct due diligence and ask the questions that are important to you.”

This article is part of Tech21, CUNA News’ special focus on innovations and developments in technology. Search for the hashtag #Tech21 to follow the conversation on Twitter.