Credit unions actively involved in digital transformation should be equally invested in security. Though your members probably aren’t champions of specific security technologies or processes, they are certainly concerned about the safety of their data and accounts, and so you should be as well.
How do you integrate digital technology for speed, analytics and features without compromising security? We caught up with CO-OP CISO Paul Love, who shared these eight tips to keep in mind.
1. Recognize the innovation that’s happening around you.
You may be actively pursuing digital integration and innovation – and keeping security top of mind as you go. But you must also keep in mind the innovation that’s happening around you. To manage security across the enterprise, take everything into account. You might not be upgrading your mobile interface this year, but maybe your mobile banking provider is. Your vendors are creating new technology all the time (or at least they should be), and it’s up to you to consider what the security impact is on your organization and your members.
2. Insist on the big picture.
Anytime you integrate new technology, you have to consider how information flows between systems and how it might be exposed along the way. Consider authentication, for example. Do you simply accept authentication passed from one system to another, or do you require authentication at various steps in the process? If you choose multiple points of authentication, you might disrupt the seamlessness of the experience. If you don’t, you may create an unwanted vulnerability. These trade-offs reinforce the need for strong integration between your product, IT and security teams, with each having an equal and important voice in the delivery, sustainability and security of the products you provide.
Technology makes things easier and faster, but it also multiplies the stakes. To put it another way: technology makes bad processes bad, faster. If you don’t have good processes and good security, you amplify the potential risk and your vulnerability. If somebody loses or mishandles a piece of paper, the magnitude of loss is not as significant as it would be if they exposed a database. You can’t just take manual processes and apply technology without understanding the increased risk — and making sure you have the proper controls to support that.
3. Understand the risk, then mitigate it.
Given these challenges, it might feel safer to avoid the risk of new technology. But business is about taking informed, appropriate risks. Instead of trying to avoid risk altogether (and running the risk of becoming obsolete), consider security as an equal priority when you’re integrating new technology. Think of it this way: You don’t buy a car because it has amazing seat belts, but you wouldn’t buy a car that didn’t have seat belts. Security is the same. New car buyers today shop for a wide range of technology-driven features like collision avoidance and Bluetooth connectivity, but basic overall safety is a critical given — just as people expect both a basic and responsive security experience from their financial institutions.
4. Designate security leaders at your organization.
Ideally, you want a person with expertise whose sole job is focusing on security, as well as a team to support them. But “perfect” is often the enemy of “good” in this case. If you don’t have a security team or dedicated expert, find someone in your organization who has an interest in security and — at a minimum — make security part of their job. While it’s not ideal, it’s much better than nothing.
5. Delegate management without delegating authority.
When kaizen, the Japanese philosophy of continuous improvement, is applied to manufacturing, every person on an assembly line can stop production to correct an error or make an improvement. That principle can also apply to security. Your team needs the management ability to have potentially difficult conversations with vendors or internal staff and to raise the flag when something isn’t going right.
6. Ask hard questions of your vendors.
Speaking of vendors, digital integration at a credit union nearly always involves multiple outside vendors. Each of these vendors has the potential to enhance or diminish your security.
What I’ll often hear from smaller organizations is, “XYZ big company uses this specific vendor or technology, so it must be OK.” But you don’t know if the configuration that the big company chose is the same one you’re considering. Maybe they chose a special configuration or found a special way to implement it that you are not aware of.
You have to ask basic security questions. If you don’t, you may be integrating a vulnerable technology, or implementing it in a bad way. From a security perspective, good vendor risk management means doing your due diligence. Is your vendor implementing an information security program? What tools are they using for security? If necessary, you might ask vendors to comply with your own information security policies and standards — and periodically review them to ensure that they’re staying up to date.
7. Learn. Learn. Learn.
You don’t have to learn everything the hard way. There’s a lot of training out there, and consultants who can help you integrate new technology securely or set up processes and train your staff to perform oversight. A lack of existing knowledge should never be the reason you don’t have a dedicated security person or adequate support. You can always find somebody (often somebody in IT) who has an interest in security and doesn’t mind taking on a new task.
8. Be ready for relentless change.
You have to be constantly flexible and adapt to the changing technology landscape as well as the changing threat landscape. Attackers are finding new ways to attack all the time, and the technology you use is evolving. If your security capabilities aren’t as nimble as the rest of your business, your integrations are not going to be secure enough to avert constant threats.
Security is all about change, and at times may feel like warfare.
Businesses have to make decisions and execute based on partial information — the “fog of war” — and you may have to change course very quickly if needed. If you are a person who likes change, or who knows how to manage it adeptly, you will.
Improving security is one of the seven strategies critical to digital transformation. Learn the rest of the strategies in our latest whitepaper, “7 Strategies to Accelerate Your Digital Transformation.”