Randy Penner | Manager IT at Access Credit Union
Access CU is the product of a merger of 7 credit unions over four years. In these economic times, when interest rates are so low and the spread doesn’t allow for much profit, economies of scale and better reach can be achieved through merger. IT touches so many facets of the organization – and in a series of mergers, all business processes are subject to change. Naturally, the reorganization and innovations that we’ve introduced bring with them security concerns. We collaborate early to ensure that everyone gets on board with the changes, and with the need for continuous attention to security.
Access CU creates an “Office of Security”
At Access, it was decided as the result of a security audit that two senior VPs and I would form an Office of Security to ensure that we know how our innovations touch on security. Are we doing our due diligence? All of the pieces of financial transactions have to align to remove security gaps. How do changes in policies and procedures affect risk? How does regulatory compliance fit in? Creating an “office of security” with very senior executive sponsors is a trend, and an act of maturity. This keeps me accountable and provides top-level support and oversight.
Every time you offer a new service, you’re introducing an element of risk, and we need collaboration across the C-suite to mitigate risk effectively. For instance, Canadian credit unions were the first to allow customers to take a photo of a cheque for quick processing. We need to have an eye on every element of that transaction. Customers are not necessarily security-savvy with regard to their mobile devices – we need to educate customers and staff, and be ever vigilant ourselves to the possibility of fraudsters, who are always looking for angles. We’re trying to stay one step ahead of them.
Quickest-evolving metric in IT is Security
The biggest knowledge and experience gap for IT leaders is in security. We all know how to create and adapt networks and do data storage. Security has blasted onto the scene in a big way in the last five years – with some very well publicized leaks leading the way. Security now has the full attention of the C-suite and Board. Leaks paint everyone with a bad brush.
Just as there are new techniques in fraud – there are new techniques for identifying gaps and opportunities for fraud. For example, wire fraud through phishing is a constant threat. Phishing e-mails can be very effective because they bypass so many levels of security. It’s a form of social engineering – fooling the end user – who isn’t aware of the consequences of his/her naivete.
Employee training is huge in counteracting security threats. We deliver security awareness bulletins; we mandate courses in security for employees.
There are also new products and services out there. For example, PhishMe can evaluate your level of security against phishing and send reports. Bromium secures the end user transaction – which is where leaks almost always occur. White-listing turns the perspective upside down – it doesn’t focus on identifying threats – instead it allows only what’s verified as good to get in – and nothing else.
We’re doing proof-of-concept discussions with some of these.
Great Insights on Security at the CIO Peer Forum
Although the main theme of the CIO Peer Forum was on leadership and driving business transformation, security was a very strong sub-theme. We heard top speakers from Palo Alto Networks (Rick Howard) and Bromium (Simon Baker), for instance, and we had a chance to speak with them afterwards. We really got a deeper understanding of the threat landscape.
Editor’s Note: CIOCAN members can see their slide decks in full at CIO Community Library.
On the Value of the CIO Association
Manitoba is a very new chapter with the CIO Association, although our president has been a member for ten years. The rest of us weren’t sure about the value proposition. Now I’m sold – and I have the support of my executive team to put some training dollars into my CIOCAN membership. I am learning so much – and I even find that I have some things to offer. You learn to trust these people, [CIOCAN members]. We share the same passions and concerns across so many industries, and our focus is always on business leadership as opposed to technology. It’s difficult for the organization to innovate and be agile if IT doesn’t understand the business.
Access CU is one of Manitoba’s Top 25 employers for 2015 (see page 4)
We’re all bragging about this award. Access CU is a great place to work. The level of employee engagement, and the collegial and community-minded atmosphere revealed in our surveys have been developed through very deliberate planning and attention, plus coaching and training. Every employee has taken the courses that we’ve offered. Buy-in has been astonishing.