
A
That takes over 25 vendors just to make that happen. So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.
B
Welcome to Embracing Digital Transformation, where we explore how people, process, policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, educator, author, and most importantly, your host. On this episode: vendor risk in financial services, cybersecurity and AI, with special guest Galen Councilman, CIO of Pen Air Credit Union.
C
Galen, welcome to the show.
A
Well, I'm glad to be here.
C
Hey, this is really interesting. When we talked, when was it, last week, a couple weeks ago that we originally talked?
A
Yep.
C
Yeah, this could be a really interesting angle that I haven't had on the show before. So I'm like, oh, this could be really cool. But before we dive into managing vendors and AI and this whole new realm that we have, Galen, everyone that listens to my show knows that I only have superheroes on the show. And every superhero has a background story. So, Galen, what's your background story? What's your origin story?
A
All right, well, I am not a superhero, so let's start there.
C
All right, so humility is one of your superpowers. Okay, That's a good superpower for a superhero.
A
Yeah, I meant earlier to say, hey, I'm glad to be here. Thank you for having me. So I have been in IT going on, geez, 26, 27 years now. Started off working at a local computer shop back in like the '97 time frame. Back when, if you can imagine a time when we had local computer shops, you know, we had a local place that I started and kind of cut my teeth on learning how to build computers and service computers and all that. And, you know, I'd grown up loving technology. I remember when my father brought home our first personal computer. It was an IBM clone back in the day, an 8088 processor, there you go, with MS-DOS on it. I remember using XTree Pro for, like, organization and everything. And I loved this, you know, and I'd tinker around bulletin board systems and I would do a little bit of minor programming and things like that. I remember tearing up my dad's computer one day, doing some file structure stuff, and accidentally deleted the entire... That was back when there was no protection, so you could just delete the whole operating system by accident. Then when you reboot it, it just, you know, nothing happens. And so that's where I started. I always tinkered around with computers and then started at a local computer organization, local computer shop, and then from there got a job at an architectural engineering firm as a network support technician. So running around doing everything from desktop support all the way down to, that was when we had Compaq servers that were desktop, like standalone servers, sitting next to a telecom rack at all the branches where this company was, and moved into healthcare. That would be probably the first big start of my career at a larger organization and running IT for a bigger firm. Started there as tech support and then moved my way up into network engineering.
Back in the day, I used to program Cisco routers and switches and firewalls, and I was certified in Microsoft Exchange and had all the Microsoft certs. And so I did all of that, you know.
C
So you're a true hands-on IT guy, right? You've done it all. You've done all the hands-on type of stuff.
A
I grew up in that. Yeah.
C
Yeah. So. But you're not that anymore.
A
Correct. So from that time in healthcare, I, you know, I've always just operated by that concept of if I can be trusted with little, maybe I can be trusted with more. And I've just focused on doing the best that I could at the job that I had at that time. And then more things opened up to me and I moved into running the network operations for that healthcare organization. So I had grown a passion around HIPAA security and the HITECH rule, and had during that time built up a passion around information security in that time in healthcare, and then started running the network operations team and then from there became the director of IT. And so by the time I left healthcare, I'd spent 12 years at that organization. When I left there, I was running the entire IT shop, and I could be different things to different organizations. For there, that was everything from tech support, network operations, to programming, software development, data and analytics, and the PMO that was there. And I really, really enjoyed that. So I left and then moved over into the financial industry, where I landed at Pen Air. I've been here right at three years now. So just hit three, or not three years, sorry. Just hit 11 years now. Sorry, I don't know why I said three. I was thinking March 3rd, for some reason. So yeah, I've been here 11 years and started off as information security officer, if any of you have been in management. So when I left healthcare, I was looking to continue my career either in information security or in IT leadership and just happened to find a security job first and landed here as a security officer. And actually I liked that. I liked not having the responsibility and the weight of managing large teams of people and all the headaches that come along with the people management side of things, of leadership, you know.
C
But then I do know, that's why I found my way.
A
That's right. It's not for the faint of heart. Right. It's not for the weak. It's very, you know, a lot of responsibility in that.
C
Well, and just like you, I'm a technologist, I'm a software engineer and I tinkered around. I like deterministic problems to solve. Computers behave the same way every time. People do not. Yes, people are harder to work with than computers, for technology guys like you and I.
A
Right. Yes. Completely empathize with what you're saying and agree.
C
But there's more joy, there's more joy out of interacting with people and helping people. You just gotta put that extra effort in, I guess is the right word. So let's talk a little bit about, you know, you're in financial, you work for Pen Air, it's a credit union. Was there a big difference moving to financial from healthcare, or were a lot of the same IT and specifically cybersecurity, was there a lot that transferred over, or was it a completely different way of thinking?
A
A lot transferred over. I mean, you think through things like infrastructure, all of that was very transferable. You know, you still need the same routing, switching, firewall, cloud technology, productivity type operations. You know, do you have a CRM? Do you have, you know, in addition to productivity, things like CRM, ERP systems? You know, you have all of those things that cross over. What I found was different, though, was my time in healthcare, very hyper focused on privacy, but not as much on the security with the organization that I was at for 12 years. So everything was around HIPAA, the HIPAA rule and privacy, keeping patient information private but not secure. I never in 12 years had an actual IT security audit at that healthcare organization. Lots of privacy audits. How did we have our system set up, and what were our policies and procedures to keep information private. But privacy and security are two different things. They're related, I believe. You know, in my opinion they're very related, but they are two very different things. You can be private but not necessarily be secure, you know. And when I came over to financial, it was completely, I mean, we are audited all the time, so we have to pay for third party audits on a quarterly basis, external, you know, pen tests and all of these sorts of things. Just kind of things that we didn't have to do at the organization I was at in healthcare. And we're also regulated by the NCUA, National Credit Union Association. They come in annually and do a big, they bring a team of people here across our organization, like 15 to 20 people. And I usually get anywhere from one to three examiners that come in and they're deep diving into what we do.
I even at one point had examiners, some would say they may have been going a little too deep with this, but they were actually asking for Cisco router configuration logs, and we're going through line by line the, oh gosh, running configuration of some of our operating equipment. You know.
C
Do you think the reason for that is because you're dealing with people's money?
A
Absolutely.
C
It's a bigger target. I mean, data, I mean, people's patient data is a target, but that's correct. The payoff is much faster, I guess, with, hey, if I get into a credit union, I have free rein of the thing, I can do whatever I want. Different because with patient information I have to do a ransomware attack or something else. And so that kind of makes sense to me.
A
Yeah, it's where the money's at. Right. So if we can get that, that's their main target. Like you said, that's what they're after. Yeah. With healthcare, if it's identity theft, I mean, money is always the ultimate goal somewhere along that chain, right? Yeah, it seems several steps up or away from that actual payday, you know, whereas if you can get into the money. Yeah. And we're talking people's financial assets, you know, we're talking about their stability and their future here. If their bank accounts get drained, that's a very big deal, you know.
C
Yeah, absolutely. So have you found, because when we first did our intake on this, we talked about managing your vendors. Have you found the ecosystem of vendors really different between financial and healthcare? Or is there a lot of commonality between them as far as your suppliers of software solutions or hardware or things like that, or is it completely different ecosystems?
A
I find it different. So where I came from with healthcare, you really had, you know, you had your core applications like your medical record system. You would have, you know, Great Plains or whatever your accounting and ERP package was. And in financial, it's similar, you know, you'll have that core banking application. But the challenge that we have, like in healthcare, we did not, we weren't offering out digital services. And now as a financial institution, if you're not 100% digital, you're, I mean, it's table stakes these days, right? It's like we all expect to do everything from our phones. And so to make something like that happen, there's not one silver bullet out there. There's not one vendor that just does it all soup to nuts and does it very well, or that meets all of our needs as a credit union, you know. So that's one of the biggest challenges there is finding all of those different vendors and having them all play together so that you can have the digital offerings and digital channels that your members expect. Also, as an organization, we push for excellence. So we try and be the best that we can be in everything that we offer. And so finding that and getting all the right vendors in place is definitely a huge challenge. You know, the underlying infrastructure is kind of similar, you know, we're a Microsoft shop, you know, so everybody uses Office and Outlook and all of that, you know, kind of infrastructure side of it. But it's really what we're offering to our members, that's a big challenge.
C
So define the hardest part of working with all these vendors. Is security a hard part, or integration, or contract negotiation? I mean, what are some of the things that you run into that are so different from healthcare? Healthcare, pretty small ecosystem, frankly.
A
I would say integrations is one of the biggest pieces. That's a challenge because, you know, a larger, let's take a bank, especially a larger bank. They'll have the resources to hire teams of software developers to create their online platform, so they can design and build exactly what they want, how they want it. I can't do that. I'm not at that resource size. So we have to rely on bringing in different vendors. So if you take something like what we offer for our online banking platform, that takes over 25 vendors just to make that happen. So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work, you know. So you have a main platform, so that's one vendor, you know, so that's kind of like what you mainly touch and feel most of the time. But when you switch over to, let's say, remote deposit capture, where you need to take a picture of a check and deposit it, that's a whole nother vendor. But all of it needs to look seamless, you know, so it doesn't feel jarring. So when a member clicks on that, it doesn't feel like it's jumping over to another application or platform or another vendor or login, all this. So it all feels completely integrated and seamless. But that's, it's a lot. I'm going to say it's a lot easier, I think it would be a lot easier if I had an army of software developers that could just design it how we wanted. I think that would be a lot easier than just going out and finding all these vendors, and then you have to plug them in and then make sure that the integration works and make sure that it's seamless and streamlined and it all feels like it's the same application. It's definitely a challenge. And so that's one example, you know, but I could rattle off a ton of them that we have to all integrate, you know.
C
Yeah, I'm sure. How have you found that maybe AI can help out with this? I mean, the AI models are getting really interesting in that they can do these integrations kind of very simply, and you can do some vibe coding on the front end and connectivity in the back. Have you guys experimented with any of these sorts of things to help decrease that friction?
A
No, as far as we've gotten with AI, it's just helping us with the data movement side of things. So if we're, you know, we use a lot of Python here to move data between vendors and to make some of these integrations happen. So we've leveraged that to create code that we can then automate, and in some cases have automated, you know. But the other challenge, and what I was going to mention about this too, is when something breaks, that's always a big deal, you know, and being in IT and coming from a technology background, I'm sure you can relate to this: people love pointing fingers.
C
Oh yeah.
A
You know, we point the finger, they point the finger, and then it's just, you know, you got a three way, everybody's pointing the finger. And so we've always found that anytime we can get all of the vendors on a call at the same time, which they never want to do, everybody wants to handle it through tickets and phone calls, separate emails, and it ping-pongs back and forth, and then things draw out, and then I get our board of directors or putting pressure on my CEO and myself. When is this going to be up? When is this going to be up? And it's like, guys, we gotta get them on the phone. We got to get everybody on a call now. And then when we do that, it gets fixed. You know, it's magic.
C
It happens. Amazing.
A
30 minutes and then it's done. It's taken us two weeks to get there. You know, we have a phone call and we get it fixed in 30 minutes.
C
So is that the best practice then, is to do sync? I call that, like, synchronous meetings.
A
Right?
C
I mean.
A
Right.
C
Everyone's in the room at the same time. Instead of this asynchronous, there's a lot of miscommunication, I guess, is the right word, or missed cues on communication when you're doing everything asynchronously, that I think you've identified here.
A
Yeah, yeah. I mean, because one instance I'm thinking of is we had an issue between three vendors. One of the vendors had changed an encryption certificate in the background, didn't tell anybody. It shouldn't have affected anything because it was a root CA change. And okay, it wasn't an issue. And so everybody was pointing the finger. Well, it's not us, it's something on your end, you're not passing the right encryption and all of this. And we get them all on the phone, and when they can see the real time logs, okay, try it now. Click. Oh, and that's when it's like, oh, we didn't give you the new root CA here. And they, you know, what, the PKS file or what, I can't remember at this point, but you know, they send us the group of certificates and we get those loaded in the web server and then everything was fixed, you know, and we were pulling our hair out for over a week on that particular issue.
C
How do you handle the security handoffs? Because you mentioned these certifications and things like this. When you have so many vendors and you're actually moving data between all these vendors, how... There's, oh, there's so many questions on this one. But let's talk about security first. How do you handle the security between these? Do you have a common security design pattern that you use? Because that's a lot of vendors, 25 vendors. That's a lot.
A
It's a lot. Yeah, for sure. So we, rigorous risk assessments. And that's the thing that the NCUA is always looking for from us in our regulation: is the credit union performing reasonable information security risk assessments on all vendors and everything that we do? So when I first got here, we put into play just adhering to the NIST standards, the 800-dash document, the guide to risk assessments. So we follow that and do that with every vendor, every change that happens, through that. And the purpose for that, that helps us dig up rocks and know where do we need to dig deeper into some things, and either say that a vendor is not a good fit for us, or dig a little bit more into that vendor to understand, okay, here's some things we need you to add to your contract, or here's some things that we need you to do differently with this implementation to make sure that it meets our security standards. So we do those risk assessments, and those actually get reported up through our board of directors. So per NCUA, we've got to report that to the board, make an annual information security program presentation to them, and all of those risk assessments go to them. We actually do that quarterly instead of just annually, where we vote on risk.
C
Well, can you explain that a little bit more? Because what I'm hearing, and I know the answer to this, but I don't think my audience understands, when you talk about risk assessment, shouldn't you always do, like, zero risk?
A
Sure.
C
Always be zero risk.
A
Yeah. Hey, let me just turn off the Internet. And then we, hey, we have no risk at that point. Right. But how do we operate as a business at that point? Right, right.
C
So there's always some risk. So how do those meetings go? Is there a calculated risk? And you're saying, hey, this is, we're willing to connect to the Internet or give our customers the ability to connect to the Internet even though there's a risk.
A
Right.
C
We just have to understand the risk and the mitigations. Why even take the risk in the first place?
A
That's correct. So what we do as an organization, what the NCUA asks for, is that we have a risk appetite statement. So as part of our information security program, our board, along with management, have agreed upon: our risk appetite is low. So when we do a risk assessment, we're looking at threats, vulnerabilities, mitigations, and then what is that residual risk with those mitigations that are in place? If it's a low or less than that, so low or very low, then we accept that. If it's medium, we don't. So we have two options here. So if anything is a medium or higher, we either have to mitigate it, let's say it's a vendor, in this case a new vendor coming in. We have a medium risk here. That vendor is either going to have to make changes that satisfy that risk for us to bring it down to a low, whatever it is, say an authentication issue or something with how they store data or process data. AI is an example. You know, are you using our data to train models along with other clients of yours? That's a big no for us, you know, so they would have to give us guarantees that they would not do that. Otherwise, that's going to remain a medium. So what we would do there is that particular vendor, we're not going to be able to do that unless we can mitigate it, or in some cases we've had to accept some medium risk. We've never accepted anything that's high or higher than that. But sometimes we've had some medium type risks that were around some things that could not be mitigated. But the scope was much smaller with this particular organization. And so we voted as management and with the board to accept a risk, you know, but that happens a lot less than us mitigating it.
C
No. So I like how you describe that. And I love how you have your board decide that. So it's not just, you know, Galen said it was okay. Right. That would put a lot of pressure on you as an individual saying, hey, I'm willing to take a medium risk because of this. Instead you're hearing from lots of different people in your governing board for this. I think that's pretty clever.
A
We make the decision together, right? Yeah, I believe that helps.
C
All right, so my next question has to do with data. So obviously if you've got all these vendors, is there a common data model that you're using or that exists? Is there a standard that exists out there for all these? Or do you end up writing all of these data transfers, because you kind of hinted towards that a little bit, that, hey, I'm converting data from this format to that format, this field means this. Is that something you guys have to do with these integrations?
A
Everyone's different. Everyone's different. Yeah. We don't have. There's not a common data model.
C
Oh man, what a pain.
A
There's nothing like, like from healthcare. When I left there, I had HL7. You know, there was a common, right, a common data format for us to share information back and forth. Here there is nothing. There have been organizations that have tried to design common data models for credit unions, and they just never have worked because we're all unique enough in the members that we serve, the communities that we serve, that our data, we need data differently than each other, you know. And so everything's, yeah, it's all a challenge to figure out how do we get that data, transform it, and then bring it into our systems and make it usable for what we need. So, yeah, as you go back to those 25 vendors, well, that's a lot of different data. And so it's a lot of work cleaning that up and getting that brought into, in our case, our warehouse. You know, it's, yeah, it's definitely a big challenge. We also, our core that we have is known to be very customizable, which is also a weakness as well as a huge benefit.
C
As a strength. Yeah, as a strength and a weakness at the same time.
A
Yeah, yeah. But it means all of us that have that same core application, none of us use it the exact same way, because we've all tweaked it and modified it and done our own customizations. And so we can't even share things. So sometimes we can share code back and forth, but there's a lot of, you know, we have to tweak and modify things to fit our environment versus theirs.
C
Yeah, man. It's much more complex than I think most people realize.
A
Yeah. Yeah, I think it is. I've never managed anything like it before. It's intense.
C
It sounds pretty intense, especially considering, I mean, how big your staff is. Your staff can't be massive, right? Like you were mentioning the big banks. They've got big, huge teams that do all this stuff, where you've got a smaller team putting it all together. It must take a lot of discipline.
A
Yes, sir. Sure does. So, never a dull moment.
C
Yeah, I bet not. So, Galen, if people want to find out more about Pen Air and what you guys do, and maybe learn more about the best practices that you guys have, you know, started there, how do they go about doing that?
A
penair.org. Great starting place. You can always find me on LinkedIn. Galen.
C
Councilman.
A
Happy to connect and share more and chat with anybody.
C
Hey, Galen, this has been great, because I'm talking to someone that's living in the trenches. Not this big esoteric strategy, you know? No, you're living this every day. So thanks for coming on the show and sharing.
A
Very welcome. Thank you for having me.
B
Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community at patreon.com/embracingdigital, where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org.
B
Until next time, keep embracing the digital transformation.
Air Date: March 25, 2026
Host: Dr. Darren Pulsipher
Guest: Galen Councilman, CIO of Pen Air Credit Union
This episode examines the evolving complexities of managing vendor security in the financial sector through the lens of Galen Councilman's 12-year journey at Pen Air Credit Union. Host Dr. Darren Pulsipher discusses with Galen the transition from healthcare to finance, the unique vendor ecosystem in financial services, the heightened security and regulatory pressures, and how a smaller institution navigates integration, risk management, and evolving technologies like AI. There is a special emphasis on the real-world, "in the trenches" challenges faced every day by mid-sized IT shops.
Timestamps: 01:33–06:27
Quote:
"I've always just operated by that concept of if I can be trusted with little, maybe I can be trusted with more." — Galen (04:13)
Timestamps: 07:23–11:17
Quote:
"You can be private but not necessarily be secure." — Galen (07:56)
Timestamps: 11:17–15:54
Quote:
"When one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors..." — Galen (14:04)
Timestamps: 15:54–18:09
Memorable Segment:
"We have a phone call and we get it fixed in 30 minutes." — Galen (17:39)
Timestamps: 19:03–24:39
Quotes:
"Hey, let me just turn off the Internet... then we have no risk at that point. Right. But how do we operate as a business at that point?" — Galen (21:34)
"Our risk appetite is low... If it's a low or very low [risk], then we accept that. If it's medium, we don't." — Galen (22:06)
Timestamps: 24:39–26:52
Quote:
"There have been organizations that have tried to design common data models for credit unions, and they just never have worked... our data, we need data differently than each other." — Galen (25:14)
Timestamps: 27:00–27:25
Quote:
"It must take a lot of discipline. Yes sir. Sure does. Never a dull moment." — Galen (27:21)
Learn more about Pen Air Credit Union: penair.org
Connect with Galen Councilman: LinkedIn
For more resources and exclusive content, visit: embracingdigital.org
Join the community: patreon.com/embracingdigital