Embracing Digital Transformation
Episode #337: Mastering Vendor Security in Financial Services: A 12-Year Journey
Air Date: March 25, 2026
Host: Dr. Darren Pulsipher
Guest: Galen Councilman, CIO of Pen Air Credit Union
Episode Overview
This episode examines the evolving complexities of managing vendor security in the financial sector through the lens of Galen Councilman’s 12-year journey at Pen Air Credit Union. Host Dr. Darren Pulsipher discusses with Galen the transition from healthcare to finance, the unique vendor ecosystem in financial services, the heightened security/regulatory pressures, and how a smaller institution navigates integration, risk management, and evolving technologies like AI. There’s a special emphasis on the real-world, "in the trenches" challenges faced every day by mid-sized IT shops.
Key Discussion Points and Insights
Galen’s Origin Story: From Tinkerer to CIO
Timestamps: 01:33–06:27
- Started with a love for computers, learning hardware/software in local shops during the 90s.
- Experience in both hands-on tech (networks, servers) and management (healthcare IT director).
- Developed a passion for information security—especially during his healthcare years dealing with HIPAA and privacy regulations.
- Landed at Pen Air Credit Union, starting as an InfoSec Officer and moving into CIO.
Quote:
"I've always just operated by that concept of if I can be trusted with little, maybe I can be trusted with more." — Galen (04:13)
Healthcare vs. Financial Sector: Regulatory Shifts and Security Culture
Timestamps: 07:23–11:17
- Many IT principles transfer across industries (infrastructure, productivity tools).
- Main difference: Healthcare focuses on privacy, not always security; rarely had IT security audits.
- Finance is under constant scrutiny—with external audits, pen testing, annual NCUA exams, and in-depth inspections down to router configs.
- The stakes are higher in finance: attackers are after immediate financial payoff, requiring constant vigilance and stricter controls.
Quote:
"You can be private but not necessarily be secure." — Galen (07:56)
Vendor Ecosystem Complexities: Integration and Scale Challenges
Timestamps: 11:17–15:54
- Unlike healthcare, which often depends on a handful of core vendors, credit unions must engage with a sprawling vendor landscape—especially with the rise of digital banking.
- Pen Air uses over 25 vendors to deliver seamless online/mobile banking experiences; each feature (e.g., mobile deposit) may be a separate integration.
- Large banks may build their own solutions; smaller institutions must orchestrate multiple best-of-breed vendors.
Quote:
"When one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors..." — Galen (14:04)
Integration Woes & AI’s Modest Role
Timestamps: 15:54–18:09
- The hardest part isn't just contracts or negotiation but integration—making different systems work seamlessly together.
- AI currently helps mainly with data movement and automation (via Python scripting) rather than direct integrations.
- When issues arise, asynchronous vendor interactions create delays; synchronous meetings (everyone on one call) quickly resolve issues that dragged on for weeks.
Memorable Segment:
"We have a phone call and we get it fixed in 30 minutes." — Galen (17:39)
Security in a Multi-Vendor World: Risk Assessments & Regulatory Rigor
Timestamps: 19:03–24:39
- Every vendor is subjected to rigorous information security risk assessments (following NIST 800-series standards).
- Key focus: Does the vendor create any unmitigated risks to confidential data, or violate compliance (e.g., AI models not training on customer data)?
- All risk findings are reported quarterly to the board, not just annually as required, for greater governance.
- No such thing as zero risk; residual or medium risks are sometimes accepted only if well-justified and approved by the board.
Quotes:
"Hey, let me just turn off the Internet... then we have no risk at that point. Right. But how do we operate as a business at that point?" — Galen (21:34)
"Our risk appetite is low... If it's a low or very low [risk], then we accept that. If it's medium, we don't." — Galen (22:06)
Data Integration and the Myth of Standardization
Timestamps: 24:39–26:52
- Striking absence of a common data model in credit unions—unlike healthcare’s HL7 standard.
- Integration often requires custom code for each vendor: "Everyone’s different." Each credit union is unique in its data and member needs, complicating efforts toward standardization.
- Highly customizable core systems, which are both a blessing (flexibility) and a curse (fragmentation and difficulty sharing solutions with peers).
Quote:
"There have been organizations that have tried to design common data models for credit unions, and they just never have worked... our data, we need data differently than each other." — Galen (25:14)
Small Team, Big Discipline
Timestamps: 27:00–27:25
- Pen Air operates with a much leaner team than large banks. This requires strict discipline, prioritizing, and constantly balancing workload with innovation.
Quote:
"It must take a lot of discipline. Yes sir. Sure does. Never a dull moment." — Galen (27:21)
Notable Quotes & Memorable Moments
- Humility as Superpower:
"I am not a superhero, so let's start there." — Galen (01:33)
- Integration Pain:
"People love pointing fingers... then things draw out... and then we have a phone call and get it fixed in 30 minutes." — Galen (17:39)
- Security Pragmatism:
"There’s always some risk... our risk appetite is low." — Galen (22:06)
- Lack of Data Standards:
"There's nothing like, like from healthcare, when I left there, I had HL7... here there is nothing." — Galen (25:14)
Key Takeaways
- The financial sector, especially credit unions, faces much higher regulatory and security pressure than healthcare.
- Delivering seamless digital experiences requires orchestrating dozens of vendor integrations; this creates significant challenges for security, data integration, and issue resolution.
- Small teams rely on process rigor, clear governance, and frequent honest risk assessments to function securely.
- The industry lacks robust data standards, making every integration bespoke and labor-intensive.
- Synchronous, all-vendor meetings resolve complex issues dramatically faster—an undervalued best practice.
- AI currently plays a limited but expanding role in automating data movement, not system integration.
Resources & Further Connections
Learn more about Pen Air Credit Union: penair.org
Connect with Galen Councilman: LinkedIn
For more resources and exclusive content, visit: embracingdigital.org
Join the community: patreon.com/embracingdigital
