Cybersecurity is a multifaceted responsibility that takes both internal and external expertise, according to technologists participating in a recent CUNA Technology Council virtual panel discussion on in-house vs. outsourced approaches to information technology (IT) security.
“There aren’t many of us in the credit union space who can go completely in-house for everything,” says Chris Sprague, security engineer at $1.4 billion asset TruWest Credit Union in Tempe, Ariz. “It’s possible to go completely outsourced, but it’s not something I would recommend. You’ll always need some in-house expertise.”
When Sprague joined TruWest in 2015, he invested in around-the-clock, enterprise-wide security systems including Darktrace and Rapid7.
“Our first order of business was to gain full visibility of all activity across the network,” he says. “While these packages together might have an annual cost of as much as a single full-time employee (FTE), they provided us with 24/7/365 coverage. No FTE can provide that.”
With full network visibility, TruWest began prioritizing risks using the 18 Center for Internet Security (CIS) controls as a guideline. Sprague recommends starting with software and hardware inventory.
“You don’t know what to protect if you don’t know what you have,” he says.
Protecting the organization’s perimeter is another priority.
“Just knowing that hackers can automate their attacks, your perimeter is your most vulnerable point,” Sprague says.
He suggests conducting security assessments and annual penetration and audit testing of networks. “We use a different vendor for each penetration test so we get a unique perspective of our credit union’s security profile.”
Both Sprague and Richard Roark, vice president/chief technology officer at $1.5 billion asset Bay Federal Credit Union, Capitola, Calif., and a member of the CUNA Technology Council Executive Committee, say their credit unions worked diligently toward Payment Card Industry Data Security Standard compliance.
They advise all credit unions that collect credit card data to do so.
Maggie Coyne, director of in-house security for $5.4 billion asset Visions Federal Credit Union, Endicott, N.Y., offers these considerations for credit unions working with third-party providers:
“Working with any provider requires a strong vendor management program,” Coyne says. “Conduct due diligence and ask the questions that are important to you.”