
Galen Counselman
That takes over 25 vendors just to make that happen. So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.
Dr. Darren
Welcome to Embracing Digital Transformation, where we explore how people, process, policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, educator, officer, and most importantly, your host on this episode, vendor risk in financial services, cybersecurity and AI, with special guest Galen Counselman, CIO of Pen Air Credit Union.
Podcast Host
Galen, welcome to the show.
Galen Counselman
Well, I'm glad to be here.
Podcast Host
Hey, this is really interesting. When we talked. What was it last week, a couple weeks ago that we originally talked?
Galen Counselman
Yep.
Podcast Host
Yeah, this could be a really interesting angle that I haven't had on the show before. So I'm like, oh, this could be really cool. But before we dive into managing vendors and AI and this whole new realm that we have. Galen, everyone that listens to my show knows that I only have superheroes on the show. And every superhero has a background story. So, Galen, what's your background story? What's your origin story?
Galen Counselman
All right, well, I am not a superhero, so let's start there.
Podcast Host
All right, so humility is one of your superpowers. Okay, That's a good superpower for a superhero.
Galen Counselman
Yeah, I meant earlier to say, hey, I'm glad to. Glad to be here. Thank you for having me. So I. I have been in IT going on, geez, 26, 27 years now. Started off working at a local computer shop back in like 97 time frame. Back then, if you can imagine a time when we had local computer shops. You know, we had a local. A local place that I started and kind of cut my teeth on learning how to build computers and service computers and all that. And, you know, I'd grown up loving technology. I'd always. I remember when my father brought home our first personal computer. It was an IBM clone back in the day. An 8088 processor. There you go, with MS-DOS on it. I remember using XTree Pro for, like, organization and everything. And I loved this, you know, and I would, I would tinker around bulletin board systems and I would do a little bit of minor programming and things like that. I remember tearing up my dad's computer one day, doing some file structure stuff and accidentally deleted the entire. That was back. There was no protection, so you could just delete the whole operating system by accident. And when you reboot it, it just, you know, nothing happens. And so that's where I started. I always tinkered around with computers and then started at a local computer organization, local computer shop, and then from there got a job at an architectural engineering firm as a network support technician. So, you know, running around doing everything from desktop support all the way down to. That was when we had Compaq servers that were, you know, desktop-like standalone servers sitting next to a telecom rack at all the branches where this company was, and moved into healthcare. That would, that would be probably the, the first big start of my career at a larger organization and running IT for a bigger firm. Started there as tech support and then moved my way up into network engineering.
Back in the day I used to program Cisco routers and switches and firewalls and I was certified in Microsoft Exchange and had all the Microsoft certs and so I did all of that, you know.
Podcast Host
So you're a true hands on IT guy, right? You've done it all, you've done all the hands on type of stuff.
Galen Counselman
I grew up in that. Yeah, yeah.
Podcast Host
So. But you're not that anymore.
Galen Counselman
Correct. So from that time in healthcare, I, you know, I've always just operated by that concept of if I can be trusted with little, maybe I can be trusted with more. And I've just focused on doing the best that I could at the job that I had at that time. And then more things opened up to me and I moved into running the network operations for that healthcare organization. So had grown, growing a passion around HIPAA security and the HITECH rule, and had during that time built up a passion around information security in that time in healthcare and then started running the network operations team and then from there became the director of IT. And so by the time I left healthcare, I spent 12 years at that organization. When I left there, I was running the, the entire IT shop and that could be different things to different organizations. For there that was everything from tech support, network operations, to programming, software development, data and analytics and the PMO that was there. And I've really, really enjoyed that. So I left and then moved over into the financial industry where I landed at Pen Air. I've been here right at three years now. So just, just hit three or not three years, sorry, just hit 11 years now. Sorry. I don't know why I said three. I was thinking March 3rd, for some reason. So yeah, I've been here 11 years and started off as information security officer, if any of you who've been in management. So when I left healthcare, I was looking for either to continue my career either in information security or in IT leadership and just happened to find a security job first and landed here as a security officer. And actually I liked that. I liked not having the responsibility and the weight of managing large teams of people and all the headaches that come along with the people management side of things, of leadership, you know.
Podcast Host
But then I do know that's why I'm managing people.
Galen Counselman
That's right. It's not, it's not for the faint of heart. Right. It's not for the weak. It's a, it's a very, you know, a lot of responsibility in that. So.
Podcast Host
Well, and, and just like you, I'm a technologist, I'm a software engineer and I tinkered around. I like deterministic problems to solve. Computers behave the same way every time. People do not. Yes, people are harder, are harder to work with than computers. For technology guys like you and me, right,
Galen Counselman
completely empathize with what you're saying and agree.
Podcast Host
But there's more joy, there's more joy out of interacting with people and helping people. It's just got to put that extra effort in, I guess is the right word. So let's talk a little bit about, you know, you're in financial, you work for Pen Air, it's a credit union. Very. Was there a big difference moving to financial from healthcare or were a lot of the same IT and specifically cyber security, was there a lot that transferred over or was it a completely different way of thinking?
Galen Counselman
A lot transferred over. I mean you think through things like infrastructure, all of that was very transferable. You know, you still need the same routing, switching, firewall, cloud technology, productivity type operations. You know, do you have a CRM? Do you have, you know, in addition to productivity, things like CRM, ERP systems, you know, you have all of those things that cross over. What I found was different though was my time in healthcare very hyper focused on privacy, but not as much on the security with the organization that I was at for 12 years. So everything was around HIPAA, HIPAA rule and privacy, keeping patient information private but not secure. I never in 12 years had an actual IT security audit at that healthcare organization. Lots of privacy audits. How do we have our systems set up and what were our policies, procedures to keep information private. But privacy and security are two different things. They're related, I believe. You know, in my opinion they're, they're very related, but they are two very different things. You can be private but not necessarily be secure, you know, and when I came over to financial, it was completely, I mean we, we are audited all the time. So we have to pay for third party audits on a quarterly basis, external, you know, pen tests and all these sort of things. Just kind of things that we didn't have to do at the organization I was, I was at, in healthcare, and we're also regulated by the NCUA, National Credit Union Association. They come in annually and do a big, they bring a team of people here across our, our organization, like 15 to 20 people. And I usually get anywhere from one to three examiners that come in and they're deep diving into what we do. I even at one point had examiners on.
Some would say they may have, were going a little too deep with us, but they were actually asking for Cisco router configuration logs and we're going through line by line the running configuration of some of our operating equipment. You know.
Podcast Host
Do you think the reason for that is because you're dealing with people's money?
Galen Counselman
Absolutely.
Podcast Host
It's a bigger target. I mean data, I mean people's patient data is a target, but that's correct. The payoff is much faster, I guess with, if, hey, I get into a credit union, I have, I have free reign of the thing, I can do whatever I want different because with patient information I have to do a ransomware attack or something else. And so that, that kind of makes sense to me.
Galen Counselman
Yeah, it's where the money's at. Right. So if we can get that, that's, that's their main target. Like you said, that's what they're after. Yeah. With healthcare, if, if it's identity theft, I mean, money is always the ultimate goal somewhere along that chain, right? Yeah, it seems several steps up or away from that actual payday, you know, whereas if you can get into the money. Yeah. And we're talking people's financial assets, you know, we're talking about their stability in their future here if, if their bank accounts get drained, that's a very big deal, you know.
Podcast Host
Yeah, absolutely. So have you found. Because when we first did our intake on this, we talked about managing your vendors. Have you found the ecosystem of vendors really different between financial and healthcare or. There are a lot of commonality between them as, as far as your suppliers of software solutions or hardware or things like that. Or is it completely different ecosystems?
Galen Counselman
I find it different. So where I, where I came from with healthcare, you really had, you know, you had your core applications like your medical record system, you would have, you know, Great Plains or whatever your accounting and ERP package was. And in financial, it's similar, you know, you'll have that core banking application but the challenge that we have, like in healthcare, we did not, we weren't offering out digital services. And now as a financial institution, if you're not 100% digital, you're, you're. I mean, I mean, it's table stakes these days, right? It's like we all expect to do everything from our phones. And so to make something like that happen, there's not one silver bullet out there. There's not one vendor that just does it all soup to nuts and does it very well or, or to the, that meets all of our needs as a credit union, you know, so that's one of the biggest challenges there is finding all of those different vendors and having them all play together so that you can have the digital offerings and digital channels that your members expect. Also, as an organization, we push for excellence. So we try and be the best that we can be in everything that we offer. And so finding that and getting all the right vendors in place is definitely a huge challenge. You know, the underlying infrastructure kind of similar, you know, we all, you know, we're a Microsoft shop, you know, so everybody uses Office and Outlook and all of, all of that, you know, kind of infrastructure side of it. But it's, it's really what we're offering to our members that's a big challenge.
Podcast Host
So define the hardest part of working with all these vendors. Is security a hard part or integration or contract negotiation? I mean, what are some of the things that you run into that are so different from healthcare? Healthcare, pretty small ecosystem, frankly.
Galen Counselman
Right. I would say integrations is one of the biggest, one biggest pieces. That's a challenge because, you know, a larger, let's take a bank, especially a larger bank, they'll have the resources to hire teams of software developers to create their online platform so they can design and build exactly what they want, how they want it. I can't do that. I'm not at that resource size. So we have to rely on bringing in different vendors. So if you take something like what we offer for our online banking platform, that takes over 25 vendors just to make that happen. So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work, you know, so you have a, you have a main platform, so that's one vendor, you know, so that's kind of like what you mainly touch and feel most of the time. But when you switch over to, let's say remote deposit capture, where you need to take a picture of a check and deposit it, that's a whole nother vendor. But all of it needs to look seamless, you know, so it doesn't feel jarring. So when a member clicks on that, it doesn't feel like it's jumping over to another application or platform or another vendor or login, all this. So it all feels completely integrated and seamless. But that's, it's a lot, I'm going to say it's a lot easier. I think it would be a lot easier if I had an army of software developers that could just design it how we wanted. I think that would be a lot easier than just going out and finding all these vendors and then you have to plug them in and then make sure that the integration works and make sure that it's seamless and streamlined and it all feels like it's the same application. It's definitely a challenge. And so that's one example, you know, but I could rattle off a ton of them that we have all integrate, you know.
Podcast Host
Yeah, I'm sure. How have you found that maybe AI can help out with this? I mean the AI models are getting really interesting in that they can do these integrations kind of very simple and you can do some front end vibe coding on, on the front end and connectivity in the back. Have you guys experimented with any of these sorts of things to help decrease that friction?
Galen Counselman
No, as far as we've gotten with AI, it's just helping us with the data movement side of things. So if we're, you know, we use a lot of Python here to move data between vendors and to make some of these integrations happen. So we've leveraged that to create code that we can then automate and in some cases have automated, you know. But the other challenge, and what I was going to mention about this too, is when something breaks, that's always a big deal, you know, and it's being in IT. And coming from a technology background, I'm sure you can relate to this when people love pointing fingers.
Podcast Host
Oh yeah.
Galen Counselman
You know, we point the finger, they point the finger and then it's just, you know, you got a three way. Everybody's, you know, everybody's pointing the finger. And so it's, we've always found that anytime we can get all of the vendors on a call at the same time, which they never want to do, everybody wants to handle it through tickets and phone calls, separate emails, and it ping-pongs back and forth and then things draw out, and then our board of directors are putting pressure on my CEO and myself: when is this going to be up? When is this going to be up? And it's like, guys, we gotta get them on the phone. We gotta get everybody on a call now. And then when we do that, it gets fixed. You know, it's magic.
Podcast Host
It happens amazing.
Galen Counselman
30 minutes and then it's done. It's taken us two weeks to get there. You know, we have a phone call and we get it fixed in 30 minutes.
Podcast Host
So is that the best practice then? I'm to do sync? I. I call that like synchronous meetings. Right? I mean. Right. Everyone's in the room at the same time. Instead of this asynchronous, there's a lot of miscommunication, I guess, is the right or missed cues on communication when you're doing everything asynchronous that I, I think you've identified here.
Galen Counselman
Yeah, yeah. I mean, because one instance I'm thinking of is we had an issue between three vendors. One of the vendors had changed an encryption certificate in the background, didn't tell anybody. It shouldn't have affected anything because it was a root CA change. And. Okay, it wasn't a, wasn't an issue. And so everybody was pointing the finger. Well, it's not us, it's someone you're in, you're not, you're not passing the right encryption and all of this. And we get them all on the phone and when they can see the real time logs. Okay, try it now. Click. Oh, and that's when it's like, oh, we didn't give you the new root CA here. And they, you know what the PKS file or what, I can't remember at this point, but you know, they send us the, the group of certificates and we get those loaded in the web server and then everything was fixed, you know, and we were pulling our hair out for over a week on that particular issue.
Podcast Host
How do you handle the security handoffs? Because you mentioned these, the certifications and things like this. When you have so many vendors and you're, you're actually moving data between all these vendors. How. There's. Oh, there's so many questions on this one. But let's talk about security first. How do you handle the security between these? Do you have a common security design pattern that you use? Because that's a lot of vendors. 25 vendors. That's a lot.
Galen Counselman
It's a lot. Yeah, for sure. So we, we do rigorous risk assessments, and that's the number one thing that the NCUA is always looking for us in our regulation: is the credit union performing reasonable information security risk assessments of all vendors and everything that we do. So when I first got here, we put into play just adhering to the NIST standards, the 800 document on guide to risk assessments. So we follow that and do that every. With every vendor, every change that happens, we go through that, and the purpose for that, that helps us dig up rocks and know where do we need to dig deeper into some things and either say that a vendor is not a good fit for us or dig a little bit more into that vendor to understand, okay, here's some things we need you to add to your contract, or here's some things that we need you to do differently with this implementation to make sure that it meets our security standards. So we do those risk assessments. Those actually get reported up through our board of directors. So per NCUA, we've got to report that to the board, make an annual information security program presentation to them, and all of those risk assessments go to them. We actually do that quarterly instead of just annually, where we vote on risk.
Podcast Host
Well, can you explain that a little bit more? Because what I'm hearing, and I know the answer to this, but I don't think my audience understands. When you talk about risk assessment, shouldn't you always do like, zero risk?
Galen Counselman
Sure.
Podcast Host
Always be zero risk.
Galen Counselman
Yeah. Hey, what's the deal? Let me just turn off the Internet and then we, hey, we have no risk at that point. Right. But how do we operate as a business at that point?
Podcast Host
Right, Right. So there's always some risk. So is. Is how do those meetings go? Is there a calculated risk? And. And you're saying, hey, this is. We're willing to connect to the Internet or give our customers ability to connect to the Internet even though there's a risk.
Galen Counselman
Right.
Podcast Host
We just have to understand the risk and the mitigations. Why even take the risk in the first place?
Galen Counselman
That's correct. So what we do as an organization, what the NCUA asks for, is that we have a risk appetite statement. So part of our information security program, our board along with management have agreed upon. Our risk appetite is low. So when we do a risk assessment, so we're looking at threats, vulnerabilities, mitigations, and then what is that residual risk with those mitigations that are in place, if it's a low or if it's a low or less than that, so low or very low, then we accept that. If it's medium, we don't. So we have two options here. So if anything is a medium or higher, we either have to mitigate it. Let's say it's a vendor, in this case, new vendor coming in. We have a medium risk here. That vendor is either going to have to make changes that satisfy that risk for us to bring it down to a low, whatever it is, say authentication issue or something with how they, they store data or process data. AI is an example. You know, are you using our data to train models along with other clients of yours? That's a big, a big no for us, you know, so they would have to give us guarantees that they would not do that, otherwise that's going to remain a medium. So what we would do there is that particular vendor. We're not going to be able to do that unless we can mitigate it. Or in some cases we've had to accept some medium risk. We've never accepted anything that's high or higher than that. But sometimes we've had some medium type risks that were around some things that could not be mitigated. But the scope was, was very, was much smaller with this, this particular organization. And so we've voted as management and with the board to accept a risk, you know, but that happens a lot less than us mitigating it.
Podcast Host
No, so I, I like how you, I like how you describe that. And I love how you have your board decide that. So it's not just, you know, Galen said it was okay.
Galen Counselman
Right.
Podcast Host
That would be, that would put a lot of pressure on you as an individual saying, hey, I'm willing to take a medium risk because of this. Instead you, you're hearing from lots of different people in your governing board for this. I, I think that's pretty, pretty clever.
Galen Counselman
Make the decision together. Right? Yeah, I believe that helps.
Podcast Host
All right, so my next question has to do with data. So obviously if you got all these vendors, is there a common data model that you're using or that exists, Is there a standard that exists out there for, for all these? Or you end up writing all of these data transfers because you kind of hinted towards that a little bit that, hey, I'm converting data from this format to that format. This field means this, there is that something you guys have to do with these integrations?
Galen Counselman
Everyone's different. Everyone's different. Yeah. We don't have, there's not a common data model.
Podcast Host
Oh man, what a pain.
Galen Counselman
There's nothing like, like from healthcare. When I left there, I had HL7. You know, there was a common.
Podcast Host
Right.
Galen Counselman
Common data format for us to share information back and forth. Here, there is not. There have been, there have been organizations that have tried to design common data models for credit unions, and they just never have worked because we're all unique enough in the members that we serve, the communities that we serve, that our data, we need data differently than each other, you know, and so everything's, yeah, it's all a challenge to figure out how do we get that data, transform it, and then bring it into our systems and make it, make it usable for what we need. So, yes, you go back to those 25 vendors, well, that's a lot of different data. And so it's a lot of work cleaning that up and getting that brought into, in our case, in our warehouse. You know, it's, yeah, it's definitely a big challenge. We also, our core that we have is known to be very customizable, which is also a, a weakness as well as a huge benefit, as a strength.
Podcast Host
Yeah, strength and the weakness at the same time.
Galen Counselman
Yeah, yeah. But it means all of us that have that same core application, none of us use it the exact same way because we've all tweaked it and modified it and done our own customizations. And so we can't even share things. So sometimes we can share code back and forth, but there's a lot of, you know, we have to tweak and modify things to fit our environment versus theirs. Yeah.
Podcast Host
And it's much more complex than I think most people realize.
Galen Counselman
Yeah, Yeah, I think it is. I've never managed anything like it before. It's, it's intense.
Podcast Host
It, it's, it sounds pretty intense, especially considering, I mean, how big your staff is. I, I, your staff can't be massive. Right. Like you were mentioning, the big banks, they've got big, huge teams that, that do all this stuff where you've got a smaller team putting it all together. It must take a lot of discipline.
Galen Counselman
Yes, sir. Sure does. So, never a dull moment.
Podcast Host
Yeah, I bet. I bet not. So, Galen, if people want to find out more about Pen Air and what you guys do and maybe learn more about the best practices that you guys have, you know, started there, how do they go about doing that?
Galen Counselman
Pioneer.org is a great starting place. You can always find me on LinkedIn, Galen Counselman. Happy to connect and share more and chat with anybody.
Podcast Host
Hey, Galen, this has been great because I'm talking to someone that's living in the trenches. Not this big esoteric strategy, you know? No, you're living this every day. So thanks for coming on the show and sharing.
Galen Counselman
Very welcome. Thank you for having me.
Dr. Darren
Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube.
Podcast Host
It really helps others discover the show.
Dr. Darren
If you want to go deeper, join our exclusive community at patreon.com/embracingdigital, where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org. Until next time, keep embracing the digital transformation.
Podcast: Embracing Digital Transformation
Host: Dr. Darren Pulsipher
Episode: #337 Mastering Vendor Security in Financial Services: A 12-Year Journey
Guest: Galen Counselman, CIO of Pen Air Credit Union
Date: June 4, 2026
This episode takes a deep dive into the real-world challenges and best practices of managing vendor security in financial services, as experienced by Galen Counselman over his 12-year journey at Pen Air Credit Union. The discussion covers the differences between healthcare and financial IT, the complexities of vendor integration, rigorous approaches to security and risk, and the realities of digital transformation in a mid-sized credit union environment.
Galen's experience highlights why vendor management and risk governance are uniquely complex—and critical—in financial services, especially for smaller institutions that must balance limited resources with the demands of digital transformation and regulatory scrutiny. His stories underscore the importance of collaborative problem-solving, transparent risk management, and the gritty realities behind seamless customer experiences.