Cybersecurity ‘takes a village’
CUNA Technology Council Professional of the Year says keeping her credit union safe is an organization-wide effort.
Stephenie Southard, vice president and chief information security officer (CISO) at $4.8 billion asset BCU, Vernon Hills, Ill., was recently named the 2021 CUNA Technology Council Professional of the Year.
The award comes on the heels of significant contributions Southard has made to her organization, as well as recognition for her accomplishments.
Internally, Southard shepherded management and staff to achieve a level four in all five categories of the National Institute of Standards and Technology (NIST) Cybersecurity Framework—a goal set by the BCU board of directors in late 2019 to be achieved in 2020.
Tech Magazine nominated her as one of the 10 Best CISOs of 2021, and the Chicago chapters of the Association of Information Technology Professionals, ISACA, FBI-InfraGard, Information Systems Security Association, and the Society for Information Management nominated her as 2020 CISO of the Year.
Southard discusses her approach to cybersecurity with Credit Union Magazine.
Credit Union Magazine: Where did you gain your knowledge and experience?
Stephenie Southard: I still am gaining knowledge and experience 25 years after starting in IT. It has taken years of hard but rewarding work. Cybersecurity is not easy, and you can never feel you have “it” all covered.
It takes being very curious about how everything works in your organization, as almost everything is digital or data. It also takes the ability to evaluate security and risk on the fly, plus years of learning from my own experiences—good and bad—and learning from my peers and mentors along the way.
Q: You led BCU’s efforts to follow the NIST Cybersecurity Framework. What were the keys to completing that initiative?
A: Leaving nothing untouched; investigating every process, document, and technology solution we had in-house; and reviewing our dependencies and resiliency as they related to the NIST cybersecurity framework.
It required understanding what we could take on ourselves and getting help from others on what we couldn’t.
Another key item is to support and listen to the team that is in the weeds trying to accomplish these goals. Making sure the teams know you are there and finding ways to help manage their stress and celebrate milestones is critical to managing burnout.
Be transparent about risks and provide frequent updates to management and the board.
Communication to everyone was clear, frequent, and directive. No matter who you are communicating with, you need to communicate to their learning and communications styles.
Making sure everyone is aware and involved makes the initiative so much more successful.
Also, be clear about who has responsibility to achieve these goals and the timeframes that come with their tasks.
Q: What has changed about cybersecurity since the onset of the pandemic?
A: The way our employees, vendors, and members do business and work. We now have a bigger area to protect. Make sure employees work in a secure manner and follow proper protocols.
For members, ensure digital and online banking services are always secure and available. Let members know you have their backs because fraudsters and hackers are busy trying to steal data.
Q: How do you engage employees in their role in fighting cyberattacks?
A: It starts by hiring employees who are engaged, energetic, and responsive. Allow them to be creative and give them a voice. Spend time with staff and have an open-door policy.
Q: How do you blend internal and external resources to fight cyberthreats?
A: It’s critical to survival, and it takes a village. We rely on external resources to help be our eyes and ears. There are a lot of great managed service solutions that can work with all organization types.
Q: What advice do you have for credit unions with limited resources that want to build a strong cybersecurity initiative?
A: Be involved in all the collaborating you can, such as conferences and online events. Jump in conversations with your peers and other credit unions. Join some information-sharing agencies like NCU-ISAO.
Also, look at distribution groups with similar interests. Sometimes there are great conversations about tools, software, and solutions that can help with your internal battles.
No matter what your size, you need to have buy-in from the entire organization. All levels must have a clear understanding of your cybersecurity goals and initiatives.
All credit unions should have some type of cybersecurity program, either in-house or managed by a third party.