InfoSec People Profile: Magnifi Financial’s Neal Kaderabek
Updated: Jan 12
The CU Chief Information and Digital Officer Nurtures and Protects Member Relationships, Data
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
Earlier this year the $1.7 billion Melrose, Minn.-based Magnifi Financial changed its name from Central Minnesota Credit Union (CMCU) and created a new visual identity, including logo, signage, website and advertising. The credit union has also recently invested in cloud data analytics to empower employees with faster and deeper insights, and reinforced its attention to information security.
Magnifi Financial, which retained its credit union charter, business model and community-centered philosophy to better reflect its membership, has grown beyond central Minnesota and extends from western North Dakota into Wisconsin. The organization offers a comprehensive suite of products and services to serve a range of members from consumers to businesses.
Neal Kaderabek, chief information and digital officer (CIDO) at Magnifi Financial, joined the credit union in 2018 with the specific goals of maximizing information technology capabilities, cultivating IT and business partnerships, developing a long-term tech strategy, and aligning people, process, and technology to support and secure its rapidly evolving financial servicing environment.
Though Kaderabek classifies Magnifi Financial as a medium-sized credit union, he said, “The security threats are of the same complexity and risk as larger credit unions.” The challenge security-wise, he offered, is to manage the risks at smaller credit unions with fewer staff, limited security tools and vendors, and a smaller budget. Nevertheless, the security budget has increased 200% over the last four years.
Current Role Regarding Information Security
With the rapid change in business demands, the role of chief information officer has evolved into the larger role of chief information and digital officer (CIDO) at many organizations including Magnifi Financial, where Kaderabek essentially wears two hats.
As CISO, Kaderabek said it is his “responsibility to understand how complex tactical objectives can contribute to the strategic execution of keeping Magnifi secure, while respecting the privacy and trust of the credit union’s members and employees. While a technical background is helpful in making informed security-related decisions, a passion for solving emerging conundrums that accompany information security is essential.”
Kaderabek’s Magnifi Financial security responsibilities include:
· Overseeing a network of security professionals and vendors who safeguard the credit union’s assets and computer systems, as well as the physical safety of employees.
· Identifying protection goals, objectives and metrics consistent with the organization’s strategic plan.
· Managing security policies, standards, guidelines, and procedures to ensure ongoing maintenance of security. Physical protection responsibilities include asset protection, access control systems, video surveillance, network access and monitoring policies, employee education and awareness, and more.
· Working with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
· Administering incident response planning of security breaches, and assisting with disciplinary and legal matters associated with such breaches as necessary.
Adopting NIST Framework
To help keep Magnifi Financial on track information security-wise, Kaderabek embedded the National Institute of Standards and Technology’s (NIST) Framework to guide the credit union’s security policies, standards, and guidelines. The NIST Framework presents a voluntary direction, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, the NIST Framework aims to foster risk and cybersecurity management communications between internal and external organizational stakeholders.
Kaderabek said implementing NIST’s guidance “not only established a direction that all security professionals could follow with passion and confidence, but it also provided a framework by which the credit union could benchmark internal progress, as well as compare to other credit unions and financial institutions (FIs).”
The way the framework works at Magnifi Financial, explained Kaderabek, is that specific IT and security professionals are accountable for the delivery of each of the aspects displayed in the NIST diagram (see above). “Annually, we have an external NIST assessment of Magnifi’s security practice. The assessment reinforces current practices, as well as identifies opportunities for improvement.”
Threats and Dangers to Credit Unions
When Finopotamus asked what threats keep him up at night, Kaderabek responded, “Many of the security risks facing Magnifi mirror those facing larger credit unions. For example, attack surfaces are expanding due to increased use of cloud applications by employees and members, maintaining a security-minded work culture is increasingly difficult with a growing remote workforce, and retaining top talent in a very competitive labor market.”
The digital supply chain risk presents another key concern for Kaderabek. “Especially attacks that can spread rapidly through the software supply chain. Ransomware also continues to be a top concern. It seems that on a routine basis, the media has posted an article about an organization that had its operations compromised due to ransomware. This then leads to some anxiety as to whether Magnifi has deployed sufficient defenses to block ransomware and is the incident response plan robust to deliver rapid response, containment and remediation.”
He also detailed some of the top cybersecurity dangers to financial institutions such as credit unions today including the aforementioned ransomware and supply chain attacks, as well as distributed denial-of-service (DDoS) attacks, which seek to disrupt network resources.
Kaderabek also noted that phishing and vishing (voice phishing) are methods utilized to trick credit union employees and members into divulging login credentials to gain access to Magnifi’s computer systems. “To trick members, the phishing and vishing bad actors are attempting to create panic with member(s). Such as, declaring a fraud event has occurred and needs immediate attention. With the member in panic, (bad actors) too easily, solicit the member(s)’ login credentials. Without a doubt, Magnifi has experienced an increase in phishing and vishing compared to years past.”
Another threat, said Kaderabek: “Credit union employees not adhering to policy. Sometimes, in the spirit of making it easier for the member, credit union employees bypass security policy. For example, engaging with members with personal email accounts to exchange documents rather than a secure document exchange and workflow portal.”
Wearing Other Hats
Kaderabek’s 25-plus years of IT management experience, including responsibilities over software development, infrastructure deployment, security, project management, strategic planning, and digital transformational leadership, has certainly prepared him for his current duties.
Prior to joining Magnifi Financial, Kaderabek held CIO positions for Great Lakes Higher Education, Pekin Insurance, Hallmark Services Corporation, and Wisconsin Education Association Insurance Corporation. Kaderabek noted that over the past 10 years, the performance of IT organizations under his leadership has been nationally recognized by Computerworld’s Best Place to Work in IT, CIO 100 Awards, Computerworld Premier 100, and American Business Awards for IT Department of the Year.
The Magnifi Financial CIDO explained that after attending a handful of universities in Wisconsin, he earned a bachelor’s degree in business administration from the University of Phoenix. When reflecting on his education and work experience, Kaderabek said he is “astounded by the breadth and depth of security practices that have emerged over the years. For example, security practices in the 1990s started out as tasks within job descriptions’ ‘duties as assigned.’ This is quite the contrast to the current state of individual security professionals with unique and narrowed security skills and duties.”
Kaderabek, who grew up in northeast Wisconsin and currently lives and works remotely in Madison, Wis., did point out he wears some other hats outside of Magnifi Financial — a Badger cap and cheesehead (as an avid fan of University of Wisconsin sports teams and the Green Bay Packers). In his spare time, he also enjoys golf, history, and watching his grandkids.