Implementing strategic security planning at credit unions
Organizations of every size need business plans to operate efficiently as business pressures, market risks, and technology and people-related issues constantly change. Multiple factors continually put credit union information and functions at risk, including accidental or intentional mishandling of sensitive data and external attacks. Credit unions may also find their critical information at risk when theft, loss or destruction occurs, which could affect the ability of the credit union to meet member expectations and often results in a loss of member trust. Protecting sensitive information should be a priority within any business plan and the No. 1 security objective for every credit union.
The first step toward this goal is to develop a comprehensive security strategy that aligns with the credit union’s business development objectives. Credit unions can then use the resulting plan as a baseline for defining how much of their resources should be invested in information security. When you couple your security strategy with a risk assessment, you can also prioritize funds to the highest-value security efforts.
A security strategic plan is most effective when it takes a comprehensive approach. Plans should integrate the people, process and technology components of information security to ensure the plan balances risk and security needs and effectively couples business and IT strategies.
Security leaders should possess a significant understanding of their credit union to ensure their security program enables the business as opposed to impeding it. To that end, the security leaders of tomorrow should integrate the following steps into their security strategic plan:
- Recognize the ever-changing tactics bad actors use to attack members’ information. New threats emerge every day with no sign of slowing down.
- Understand the actors, their motivations and the locations from which attacks originate. The motives behind financial fraud, intellectual property theft, and attacks by political or ideological groups differ, as do the tools and methods behind them.
- Keep pace with emerging threats. Drinking from a firehose is never easy. What is your strategy to review and prioritize actionable threats?
- Share actionable threat information. Develop and use a professional network, ideally one made up of security professionals from other credit unions, such as the National Credit Union Information Sharing and Analysis Organization.
- Leverage threat-sharing organizations to keep your protections current and effective against attacks. Organizations such as Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) are often equipped to identify actionable threats and efficiently distribute alerts. Sharing information and presenting a unified front makes everyone stronger.
Information security is a daily journey, not a single battle in a cyber war where a single victory will turn the tide. There will always be new security and risk challenges to meet, which is why creating a security strategic plan is critical for credit unions that want to manage information risk effectively. To commit to this process as a security leader, you’ll need resources and time. To be fully capable, you will also need to add value to your credit union, make an effort to understand the operation of the business and focus on how the security strategy can strengthen your credit union and help it succeed. This approach will demonstrate the value of a security program as a business enabler, not just an overhead activity.