Cathy Smoyer’s role as senior vice president and chief risk officer (CRO) at $14 billion asset Mountain America Credit Union in Sandy, Utah, gives her a front-row view of how the nature of cybersecurity has shifted as technology has advanced.
Credit Union Magazine spoke with Smoyer about cybersecurity threats, her approach to leadership, and her advice for fellow risk leaders.
Cathy Smoyer: I'm a collaborative strategic partner. Gone are the days when we focused only on risk or risk mitigation. We're part of the whole strategic process, furthering the organization’s objectives while addressing acceptable levels of risk.
A: You feel like you're making a difference for the employees and in the member experience we're providing.
We’re building the infrastructure to provide a safe and phenomenal experience for members. When we can align what we're doing with the growth of the organization and the experience we're providing for members, it's very enriching.
A: Third-party risk is at the top of the list as credit unions grow. We're beholden to what third-party providers are doing, so when they have gaps in their security, we have gaps in our security.
It’s also a brand risk. We need to make sure we have the right partners in place.
And then, phishing and social engineering. They’re not going away.
What’s different is the level of sophistication we're experiencing. It's evolving to a point that it's hard to address all the different ways criminals try to phish and get into the organization.
A: It’s a balance of training people to protect the organization while allowing them to do their jobs.
We have quarterly phishing testing that we outsource. It involves onsite testing, phone calls, and a lot of email testing. Anytime an employee or member thinks they're getting phished from us, they can send the message to us.
We have a security engineer who immediately looks at those tests. They’ll send back a message that says either, "Congratulations, this was a phishing attempt" or "You're fine to open this, we've tested it."
It’s nice to see that our employees are really looking and saying, "Wait a minute. I didn't expect to get this, and it has an attachment."
That's success. We use metrics to see how we're doing and if there are certain pockets of the organization that potentially need more training.
Addressing third-party risk is about knowing who you're doing business with. It's important that all vendors go through a review and to know that not all vendors are the same.
They're all documented and we know who has what type of access and what type of security reviews need to happen.
A: Phishing has been around forever, and it's got staying power because it continues to work. It's people-reliant, and people make mistakes.
Phishing is getting more sophisticated. You can get an email that looks like it came from your organization. It has everything, even the context of how that person would write an email.
Remote work is adding another challenge. We’re seeing how mobile devices can be attacked. And now our cars are electronic and you're talking on the phone. How are those calls being intercepted? Who's listening to you?
How does that relate to how we're protecting our members' data? And how are our members protecting their own data? It's something we need to keep our eye on.
A: Having risk programs and training throughout the organization. Staying on top of the trends. How are people in your organization staying on top of the trends? How are you addressing them?
A: I'm a collaborative leader. There is not one set of facts. There are so many different opinions, and you learn so much when you ask different people.
Lean in and ask people who you think won’t agree with your approach. It either gives you another framework to think about something or it validates where you’re going.
Don’t take offense if somebody disagrees with you. Be the person people want to approach and say, "Let's sit down for a couple minutes. I want to ask you a couple questions about this."
When we all do that, we end up with better decisions.
A: Be a partner. Early in my career, I was in internal audit. At times, it was a them-and-us environment, and conflict was seen as a negative. You can't have that. The CRO, risk managers, and vice presidents need to be partners with the organization.
Don’t take the same risks as other credit unions. Make sure it's the right thing for your credit union.
Don’t be afraid of risk. Risk isn't bad. Risk is the only way we're going to achieve our objectives and serve our members. Take documented, known risks.
A: Spend time with my family. We have three grown daughters who are married. We have six grandkids. It’s fun. Work is fun and exciting, but then you get to go home and live your other life.
We recently bought a cabin in Wyoming and we just did Thanksgiving there for the first time with 14 people. It was a blast. We like to hike and travel.
We live in Utah, so we're outdoorsy-type people. But my favorite activity is spending time with friends and family.
A: We’ve traveled to many different places. But a couple years ago, we took an all-family vacation to Hawaii and got a beautiful house on the beach.
It was the first time we were all together for a long vacation. It was so fun to all wake up together, with different families making breakfast and dinners, and cleaning up. It was just fun.