Date: 2021-07-13

July Premium Plus webinar

U.S. Senate Federal Credit Union Chief Information Officer Mark Fournier is responsible for the financial institution’s technology systems, including virtualization, security, financial processing, data warehousing and end-user computing platforms.

Fournier, who helps to manage the credit union’s advanced security platforms, private cloud systems, and regionally dispersed computing and networking topologies, recently sat down with <em>Bank Automation News</em> editor Myra Thomas to discuss the growing threat of cybercrime against financial institutions, and how the financial institution is working to proactively thwart such attacks.

Founded at the height of the Great Depression in 1935, by nine United States Senate employees with just $45, the $1 billion credit union now has more than 32,000 members that include the U.S. Senate and its employees, as well as employees of other government agencies and private corporations.

Watch and learn how financial institutions can institute stronger cybersecurity policies.

<em>The following is a transcript generated by AI technology that has been lightly edited but still contains errors.</em>
<div class="transcript-scroll-box">Myra Thomas
Hi, everyone, and thanks for joining us for this pulse of the industry event. I'm Myra Thomas, editor at Bank Automation News and I'm proud to present our July Premium Plus webinar. Premium Plus offers exclusive webinar content like this, access to our conferences, and an archive of conference sessions and startup demos. We really hope you enjoy it. Today I'm joined by the wonderful Mark Fournier, US Senate Federal Credit Union CIO. He's responsible for all the technology systems including virtualization, security, financial processing, data warehousing and end-user computing platforms.
In addition, Mark helps manage a suite of industry-leading advanced security platforms, private cloud systems and regionally dispersed computing and networking topologies. Prior to his role as CIO, Mark served as systems architect for Vonage and USSFCU. He previously served as chief operating officer at Clear IT, a technology business focused on providing enterprise class hosted virtualization platforms for the small to medium-sized business market. Mark, welcome. So the topic of today's discussion is the growing threat posed by cyber breaches in financial institutions. And given the nature of the US Senate Federal Credit Union, its membership, privacy breaches and cyber threats are a very great risk.

Mark Fournier
Yeah, for sure.

Myra Thomas
Yeah. So let's just like look at a little history, it's interesting to look back and I guess the establishment of the credit union on October 8, 1935, at the height of the depression, Great Depression, nine United States Senate employees pooled their resources and chartered the United States Senate employees federal credit union with just $45. The goal was to provide quality financial services to workers throughout the Senate today and a name change in 1990, the United States Senate Federal Credit Union now serves not just the Senate, but the Government Accountability Office, Federal Credit Union, the District of Columbia unemployment, Federal Credit Union, and the American Trucking Association, Federal Credit Union, which merged into it helping to achieve dramatic growth for the organization, which is now at over $1 billion. In 2014 2015, the credit union served more than 32,000 members. So I think this is a good place to start. So maybe you could tell us a little bit more about the people that make up the credit union?

Mark Fournier
Yeah, absolutely. Yeah.
And I think that's a really important point and distinction between the different types of financial institutions out there. So if you were to compare us to a traditional retail bank, now, our members are in effect our shareholders. And so we're directly beholden to each person that comes into the door with a checking account. And, you know, this is obvious by our name, the Senate makes up our core membership group. But the Government Accountability Office, Architect of the Capitol, Supreme Court and Trucking Association, as you mentioned, so there is a bit of a diverse group, but the majority of it centered right up on Capitol Hill. Sure, sure. Now, I would imagine that given the type of financial institution that you are privacy breaches for the Senate, you know, the United States Supreme Court, they would be a prime target for cyber criminals and a privacy breach I would imagine, correct? Yeah, definitely. And I think fundamentally, our approach to that is pretty much the same as I would think any other business and we want to keep the bad guys out. But we are still at the same time acutely aware of maybe the extra bit of bull's eye that our membership kind of puts on our back. And what I mean by saying that is that keeping the bad guys out, can really mean fundamentally different things to different types of organizations. And so the right answer is it's never as clear cut that can just be applied to everybody equally. So for us, it's that dream of a true zero trust environment, from everything, stretching from our core banking platform to just the day to day systems that our internal colleagues are using. So, you know, at the end of the day, hoping to say that the only things that are permitted to take an action and interact with our data is something that we've explicitly trusted and validated and something that lives only within the four walls of our data center.

Myra Thomas
Sure, sure.
And I would imagine given what you just said, utilizing third-party vendors is a particularly complicated thing for an organization such as yours.

Mark Fournier
It certainly can be and I think the recent supply chain actions against a number of high profile players in the IT space certainly highlights that. It's interesting to think back where even just a few years ago, I think a supply chain attack would have on a risk analysis sheet would have been labeled as certainly a big risk, but not a very likely one. And then, you know, in the span of just 12 months, two major players, both impacted. So, figuring out, what we trust is sometimes as much as who we trust and making sure we've got the right due diligence, and some play in data analytics, because, you know, those two in particular who I don't want to name drop, they certainly have been trusted by hundreds, if not thousands, of small, medium, large size institutions, governments. So sometimes that trust isn't enough, either. And then I think we're getting into a play about behavioral analytics, data analytics, the things that you trust is, are those things actually doing what they nine out of 10 times do everywhere else? Do you have the systems that can give you a fighting chance to alert you that hey, this thing you say you trusted, but it's doing something it's never done anywhere else before? Or that it's only started to do everywhere else in the last five hours? Sure. So what sort of data without giving away the store obviously, what data and automation tools are you using to overcome cyber threats? Yeah, I think, gosh, overcome, it's such a, that's such a big, big word, right, that's certainly a journey that we're on. And I think we're constantly striving to overcome those threats. But the bad guys are smart. And every day, they're coming up with something different. So for us, it becomes very important to have, I would say, an ecosystem of products.
So I mean, stuff that fits well together and complements each other. As opposed to. You know, one of the things that I love out of the security space, and I think it still gets circulated today is you know, this traditional 11 by 17 poster, a lot of the value added resellers love to show it off. And it's just every type of security vendor and software piece that's out there plastered on this big poster, and it's used as a collateral to say, security is complicated. You can't do it alone. And you need us and 50 other people in here to even think about being secure. Security is definitely a big beast. And it's certainly not something you do one day, and then it's finished. But I think that there are growing avenues for simplifying a bit. And instead of getting, you know, eight different things that half the time are competing with each other finding partners and platforms that are built to mostly be cohesive and complementary.

Myra Thomas
So tell me a little bit about I guess what officially the role of a CIO is, I'm sure it's text and position. And I often notice that, you know, in talking to banks and credit unions, that the way that CIOs, CSOs, and, you know, the engineers and developers in a financial institution, how they relate to one another, is very different. You know, so how I set up the organizational structure there and to, you know, to minimize risks, risk issues, and to preserve security for your members.

Mark Fournier
Sure. It's almost two questions. I think there's so there's the role of the CIO, that's certainly one thing that's completely fluid, no matter where you go on it, every organization, and every CIO sees their role, just a little bit, well, sometimes a little bit differently. And sometimes, it's complete opposite ends of the spectrum from the guys that are super hands on to the folks that are purely invested in process and KPIs.
And those different styles, while they have very different approaches, I think, probably the biggest trend that I see across all of them, especially as far as the security conversation goes is in finding ways to kind of act as more of a networking resource internally and I don't mean networking in terms of Routing and Switching, I mean people networking. So you know, the legacy IT structure has been, you have your networking silo, you have your security silo, you have your application silo, and these guys all have their lawn and maybe they talk to each other over happy hour. But otherwise, you know, get off it. When we're in this kind of new environment where the firewall isn't really what it used to be, you know, the barrier isn't just at that north south edge, the conversation of ownership around security has to extend beyond just the security guy, the networking guy has a vested interest in security, because security is suddenly becoming part of his network, his or her networking stack. And similarly, the application guys, the more invested they are in security, the more they can reveal things they know about their applications that a security person might not inherently be aware of. So kind of getting that process going, finding those champions in those different areas of the business, to have those cross functional conversations and to start fostering this idea of, you know, it's not just all on the security guy, and we don't have to worry about it at all. I think that that's a big aspect and CIOs, it's becoming more and more prevalent.

Myra Thomas
So tell me a little bit about, you know, this is a growth of bad bot activity. How real is that threat for your organization, as far as account takeovers, credit card fraud, data scraping in your organization?

Mark Fournier
Yeah, I think any malicious activity is ultimately going to be a threat. We try and mitigate those types of activities.
I alluded to data analytics, but you know, in our zero trust environment, but you know, how folks are going to approach that, really, it's just going to depend on what they're trying to protect. But it is something that everyone needs to consider. Because as soon as you think, Oh, good thing that can't happen to me. It adapts, and it happens to you. And especially in ways you wouldn't even expect one thing that's been key for us over the last few years, has been conducting completely blind Red Team exercises, bringing the guys in from the outside that don't know hardly anything about us. And we don't give them anything about us, we say look, you know, find the way in, tell us what we haven't thought of getting that type of exposure by the folks that really just have fun exploiting you any way they can. It can speak volumes for where you've been focused, and where you might have had a blind eye just, you know, out of not even thinking of that avenue of attack. Sure. So how are you dealing with KYC automation that, you know, trying to exceed regulation, regulator expectations? Yeah, know your customer. That's, um, that's a great topic that I think there. There are a number of initiatives that I would say we're pursuing that I wouldn't, I wouldn't say are fully involved enough for me to speak about. But I would say that there are a number of our peers, especially in this area, that we look at, and that identify themselves less as a financial institution, but more as a technology company that happens to do finance. And that really resonates with us. When I talk about data analytics. It's more than just crunching numbers in a spreadsheet. It's about, you know, what is the vast resource of data that we have maybe data that we've never even looked at before?
And how can we correlate that information, whether it's internal, or from credit bureaus, or from partners into something meaningful, whether that's fraud detection, or any of the stacks that could come with that or some other fun things that we hope to achieve down the road.

Myra Thomas
So you're working with, I guess, VMware on your virtualization strategy, so that what does that really mean as far as the employee workspace, customers costs?

Mark Fournier
Yeah, that's probably the most fun thing. I love to talk about that post pandemic because the pandemic was certainly it's tragic. But for us, it highlighted a call it a weakness that we had in our earlier operating procedures over the years where we really didn't have this simple effective way to shift and transition our entire organization to work from home. Now, I say that in a historical context, because we were very traditional and a lot of traditional finance houses. You had your tie on you were at your desk, and if the boss didn't see you, well, it's kind of questionable what you might really be doing. And we learned very quickly, that that wasn't going to survive. Our CEO, when a lot of the quarantine orders and the severity of the outbreak really started to hit home, he sat us down, he said, You guys have, you've got a week, get everyone home, get everyone safe. And while you know, we did achieve that, and VMware, having the VMware platform, having the agility available to quickly adapt to that use case, was fantastic. It also tied really well into our long-term security vision. So I mentioned before, that thought around, we only want to have data and we only want to have interactions with data in the four walls of that data center, where we are explicitly trusting things.
And that's pretty tough, if not impossible to do, if you've got people working on, you know, thick clients back at their desk and some branch office, you know, you've got VPN tunnels, you've got flowers that are caching down to their local workstation, people are saving things to their C drive, or God forbid, they find a way to get a USB drive in there. It's terrible. But in this new world, that's come about really accelerated heavily by the pandemic, getting everybody home, where everyone's on a VDI natively down to our tellers. And so when they're working, they're really working in the data center, and what they're receiving on, on our private information and a file format. It's, you know, essentially that video call back to where we've got a lot of East/West controls and analytics and play to help govern what it is they can get to and what they're doing.

Myra Thomas
So your organization underwent some sort of digital transformation. When did the initiative begin? And maybe you can talk a little bit about what you're looking to accomplish, or maybe even what vendors you might be working with?

Mark Fournier
Yeah, um, if I really think about it, our transformation started only about five years ago, five or six years ago now. And that's when I started, I was brought in with a couple other folks. And the setup here was fairly straightforward. They had about a dozen legacy physical servers, all one to one, no virtualization of any kind. And the VP of IT at the time, he had that forward vision, he knew that there was growth on the horizon, he knew that the organization was going to have to do something, and have some growth if we were going to keep pace with what we saw our peers doing. And so he knew virtualization was going to be the key. And it was that initial vetting conversation, well, what's the right path for what vendors should we choose?
And VMware ultimately became our partner and that was the result of not only many of our own familiarities with the product, we've had plenty, but also with seeming avenue towards this long term vision of integrating different aspects of virtualization beyond just what had been done with server virtualization. So at that time, you had the beginnings of, I'll say, the beginnings but they might say, No, no, it was a fully that a product. But NSX, you know, that was really starting to come into its own vSAN was really starting to come into its own. And we're even the agentless type plays with a few other security vendors, where you saw the beginnings of something bigger and better. And so we that's where we put our money and said, All right, we can see this going somewhere. And so fast forward to today. Those 12 physical servers have changed to over 300 and some virtual servers, two different data centers, geographically dispersed, converged blade computing and software defined networking. East/West security, the stack has grown significantly. And the cool part is, if I'm like picking this as a cool part is that our staffing hasn't really grown as much. So you might say, well, Mark, like where are you overloading your staff if they're if you've kept the same amount, some roles have shifted, but ultimately, it's not that we've doubled the organization in size and, you know, however many times over increased our technology footprint and had to hire 20 more guys, 15 more guys.
It's been pretty amazing to see what we can accomplish within that platform, that ecosystem.

Myra Thomas
It's funny, though, I mean, in talking to so many different bankers and individuals, you know, credit unions, the one thing that I always noticed is that, you know, investing in any sort of security infrastructure, you know, any sort of technology, implementation or deployment is expensive, you know, it's an expensive investment, and just trying to measure the return on automation investments, particularly on the risk and security side. How do you determine that?

Mark Fournier
Yeah, it's certainly, I'm sure, there are a number of ways one could go about it. And I think, for me, the most kind of empirical way, I suppose implied way, whatever the right way to frame that is just seeing that where we started, in terms of the size of our team is fundamentally still where we are today, yet. We're supporting an organization twice the size and assets and efficiently more complicated, complicated technologies to act and, and many, many, many times over in terms of consumption. Because once that were realized how quickly we could turn out new services and new servers, and they're like, Oh, this is great. Let's do this. And let's do that. Which is fantastic. That's what we want to be able to do. Because that in turn, then feeds to agility. If we're playing the numbers game, a matter of looking at the cost, the capital cost for licensing, and then looking at the ongoing costs for staff. I think we're still ahead. I think we're still ahead.

Myra Thomas
Yeah, it's a difficult thing to measure, you know? Yeah, particularly,

Mark Fournier
it feels like we're ahead.

Myra Thomas
Yeah, for CIOs, CSOs. I guess the biggest realization is that you can never sit on your laurels and think that cyber threats are going to decrease.
I guess the realization for you and your job is that, you know, as difficult as it must be, is that these threats will continue to grow.

Mark Fournier
Yeah, definitely.

Myra Thomas
How do you deal with that realization? I mean, it's got to be stressful.

Mark Fournier
Sure. Now, I think, to say it's not stressful. That certainly would not be fair, nor accurate. But I think it's a, there's a frame of mind. That, at least, myself and the folks on our team, try and take and that's more of that. It's not stress that's beating us down. Yes, we're concerned about it. But every day is just another kind of adventure. Another challenge to stay one step ahead. So when we have those industry alerts, where we're texting each other, we're, you know, we're actually turning into a conversation, as opposed to not being able to sleep at night, you know, we're not, we're not lying awake, all just worrying and crying ourselves over the next bad thing that could come around the corner, we want to try and take all these things that happened, whether it's to ourselves or to our peers, or seemingly unrelated corners of the industry. We want to try and learn from those things and apply it to what we're going to do today, tomorrow, the next couple of years.

Myra Thomas
Well, great. I think that's a perfect place to wrap up. Mark, I want to thank you again, for joining us for this webinar. It was a pleasure. We look forward to following the developments at the U.S. Senate Credit Union. And I want to thank all of our Premium Plus subscribers for joining us for this episode of the Premium Plus pulse of the industry event. With this video, you'll also get to see a full transcript of the conversation. We hope you enjoyed it.