Demands To Protect Data Are Changing The Role Of The CIO

MIRAMAR, Fla. - The information technology team at Eastern Financial Florida CU spends more and more money every year - nearly 20% of its 2006 budget - protecting member information.

"Every time we turn around there are new regulations and threats emerging" observed Syed Ali, VP-technology services at the $2.7-billion CU here. "So we've made the commitment to implement the new technologies that will help us stay ahead of hackers."

It's fair to say that information security (IS) has taken over a number of credit union information technology (IT) departments. As technology spending climbed last year for two-thirds of all credit unions, security tools remained the No. 1 priority, according to Callahan and Associates.

"The time I spend looking at security has increased immensely in the past year and a half," said Miriam Neal, VP-information systems at the $170-million South Western FCU in La Habra, Calif.

Neal said at least half of her workday is swallowed by IS tasks such as reading alert logs, firewall reports or checking e-mail encryption. "Security has been the top concern for me for the past five years."

Security tasks became so important and so pervasive at Eastern Financial that the CU added a full-time security administrator to the senior-level team in 2001, Ali noted.

Other CUs - even those that are smaller - will follow suit in the future, hiring information security officers left and right, asserted Scottsdale, Ariz.-based Cornerstone Advisors, a technology consulting firm for CUs and banks.

Currently, about one-third of credit unions employ IS officers, according to Cornerstone's "2006 Benchmarks and Best Practices for Credit Unions." Nearly three-quarters of banks already have IS managers, said the report.

Security is on the service provider radar, as well. "It used to be that security was a second thought with software development," said Michael Weathers, VP-risk and governance at Fidelity National Information Services (FIS), which provides Eastern Financial's core processing system. "Now security has to be integrated as part of the software development life cycle."

Clearly, IS has a hold on IT, but it doesn't stop there: data security is becoming everybody's business, according to Sharon St. Clair, chief information officer at Eastern Financial.

"One of the biggest changes I've observed in the last five years is that security has changed from the purview of IT to a business-wide focus," St. Clair explained. "Security is now a topic in our strategic leadership meetings, and all of our employees are aware and fairly knowledgeable about different types of threats."

Data security wasn't always at the forefront. It gained prominence at the beginning of the millennium, when credit unions started sharing member information with third parties over the Internet - and potentially any talented hacker, Eastern Financial and South Western Federal told the CU Journal.

"Three years ago, there were only two or three websites that we interacted with, and before that, we worked only with software on the workstation," Neal said. "Now, each employee interacts with many different sites as part of the job, so we had to start controlling where employees could go on the Net."

St. Clair agreed: "Prior to the advent of web-facing applications and a remote workforce, we really had more control over access to member information. Data moved within our private networks."

Auditors, security organizations and well-publicized data breaches have also "provided our CEO and board with the opportunity to ask us pointed questions about security," she continued.

Online classes in security awareness, required for all Eastern Financial employees, teach how to safely share member information - and what the difference is between public and private information, St. Clair added.

That's a good thing, as not everyone is able to distinguish between what's public and what's private, which has led to many false alarms on alleged data breaches, according to Weathers.

"The industry is still grappling with what should be defined as private and whether a data breach is serious," Weathers said.

Credit unions aren't going overboard, he added. "They are showing a healthy level of concern over security."

FOR MORE DETAILS

* South Western FCU at www.swfcu.org

* Eastern Financial FCU at www.effcu.com

* Fidelity National Information Services compliance page at www.complianceforcreditunions.com

(c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com
