CUNA News
  • LOG IN
  • Create Account
  • Sign Out
  • My Account
  • LOG IN
  • Create Account
  • Sign Out
  • My Account
  • Topics
    • Community Service
    • Compliance
    • Credit Union Hero
    • Credit Union Rock Star
    • Credit Union System
    • Directors
    • Human Resources
    • Leadership
    • Lending
    • Marketing
    • Operations
    • Policy & Issues
    • Sales & Service
    • Technology
  • Credit Union Magazine
    • Buyers' Guide
    • COVID-19
    • Digital Edition
    • Credit Union Hero
    • Credit Union Rock Star
    • Subscribe
    • Advertise
    • Contact
  • Advertise
  • Awards
    • Nominate Credit Union Hero
    • Nominate Credit Union Rock Star
  • Podcasts
  • Videos
  • Jobs
  • Contact

News

Home » Cybersecurity requires multifaceted approach
Technology Subscribers

Cybersecurity requires multifaceted approach

Technologists offer insights on developing in-house expertise and working with external providers.

September 15, 2021
Ron Jooss
No Comments
Sprague_Chris_Roark_Richard_1200_
Richard Roark, left, vice president/chief technology officer at Bay Federal Credit Union, Capitola, Calif., and Chris Sprague, security engineer at TruWest Credit Union at Tempe, Ariz.

Cybersecurity is a multifaceted responsibility that takes both internal and external expertise, according to technologists participating in a recent CUNA Technology Council virtual panel discussion on in-house vs. outsourced approaches to information technology (IT) security.

“There aren’t many of us in the credit union space who can go completely in-house for everything,” says Chris Sprague, security engineer at $1.4 billion asset TruWest Credit Union in Tempe, Ariz. “It’s possible to go completely outsourced, but it’s not something I would recommend. You’ll always need some in-house expertise.”

When Sprague joined TruWest in 2015, he invested in around-the-clock, enterprise-wide security systems including Darktrace and Rapid 7. 

“Our first order of business was to gain full visibility of all activity across the network,” he says. “While these packages together might have an annual cost of as much as a single full-time employee (FTE), they provided us with 24/7/365 coverage. No FTE can provide that.”

With full network visibility, TruWest began prioritizing risks using the 18 Center for Internet Security (CIS) controls as a guideline. Sprague recommends starting with software and hardware inventory. 

“You don’t know what to protect if you don’t know what you have,” he says. 

CUNA Technology Council

Protecting the organization’s perimeter is another priority. 

“Just knowing that hackers can automate their attacks, your perimeter is your most vulnerable point,” Sprague says. 

He suggests conducting security assessments and annual penetration and audit testing of networks. “We use a different vendor for each penetration test so we get a unique perspective of our credit union’s security profile.”

Both Sprague and Richard Roark, vice president/chief technology officer at $1.5 billion asset Bay Federal Credit Union, Capitola, Calif., and a member of the CUNA Technology Council Executive Committee, say their credit unions worked diligently toward Payment Card Industry Data Security Standard compliance.

They advise all credit unions that collect credit card data to do so.

Maggie Coyne

‘Conduct due diligence and ask the questions that are important to you.’

Maggie Coyne

Maggie Coyne, director of in-house security for $5.4 billion asset Visions Federal Credit Union, Endicott, N.Y., offers these considerations for credit unions working with third-party providers:

  • Recognize they are in business to make a profit. “This doesn’t make them bad people, just be aware that you don’t share that priority,” says Coyne, who used to work at a security provider. “There’s a saying, ‘No one will care about your data like you do.’”
  • Understand they may lack technical depth. Credit union enterprise monitoring often is left to Level 1 employees who are replaced by other Level 1 employees as they move up ladder, she says.
  • Realize you may not receive dedicated resources or develop trusted relationships. “If they’re very large, you might always deal with a different person,” Coyne says.
  • Know that if the provider has a large customer base, it may only provide standard services and not gain intimate knowledge of the credit union’s security environment. Without this intimate knowledge, providers may not understand where tailored services are acutely needed, she says.
  • Be aware that providers carry third-party risk. They’re an attractive target for fraudsters and should share their security profile and philosophy with the credit union. 

“Working with any provider requires a strong vendor management program,” Coyne says. “Conduct due diligence and ask the questions that are important to you.”


Tech21
This article is part of Tech21, CUNA News’ special focus on innovations and developments in technology. Search for the hashtag #Tech21 to follow the conversation on Twitter.

KEYWORDS Tech21

Post a comment to this article

Report Abusive Comment

Credit Union Magazine: Winter 2022

Winter 2022

Credit Union Magazine’s Winter 2022 issue highlights data-driven marketing, the board’s role in cybersecurity, elder abuse scams, credit unions’ auto lending advantage, and more.
Digital Edition •  Subscribe

Trending

  • House passes CUNA, League-led board modernization bill

  • CFPB issues CUNA-opposed proposal on credit card late fees

  • Key committee leaders supportive of credit union priorities

Tweets by CUNA_News

Polls

Vote for the 2023 CU Hero of the Year

View Results
More

Champion for the Credit Union Movement

Credit Union National Association is the most influential financial services trade association and the only national association that advocates on behalf of all of America's credit unions. We work tirelessly to protect your best interests in Washington and all 50 states. We fuel your professional growth at every level and champion the credit union story at every turn.

More CUNA

  • Membership
  • Contact Us
  • Careers

Resources for

  • Credit Union Advocates
  • Leagues
  • Press
  • Providers

Our Affiliates

  • American Association of Credit Union Leagues (AACUL)
  • Credit Union Awareness
  • Credit Union House
  • CUNA Strategic Services
  • National Credit Union Foundation
GET CUNA UPDATES
© 2023 Credit Union National Association | ADA Compliance Notice & Legal
Email Us