Deputy Chief Information Security Officer Started in Cybersecurity with Secret Service
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
PSCU/Co-op Solutions Deputy Chief Information Security Officer Christopher Williams said his duties align closely with that of a typical chief information security officer (CISO), that is, to oversee his organization's information, cyber, and technology security.
“A large focus of that skillset recently, however, has been devoted to ensuring a seamless and secure integration of Co-op Solutions and PSCU systems as we come together to be one company,” Williams told Finopotamus. “So, I am engaged in continuing to protect the legacy Co-op systems while also working with my counterparts at legacy PSCU to strategize for the future.”
Williams was referring to the January 1, 2024 announcement of Co-op Solutions and PSCU merging the two organizations and beginning operational integration under a new holding company.
“PSCU/Co-op as a combined force has a very strong and mature security program, divided into two units – cybersecurity and infosec. I oversee the infosec team, which sets strategy, lays out governance and provides oversight across the enterprise,” said Williams. “Our job is to protect and defend PSCU/Co-op’s data, as well as the data of our clients.”
Infosec Baptism Through Secret Service
Williams said his entry into information security happened completely by accident. “Following 12 years in the U.S. Air Force, I had a calling toward federal law enforcement. Immediately after leaving the military, I found a home at the U.S. Secret Service (USSS) as a special agent conducting investigations.” That was in 1999.
He explained when he joined, the Secret Service was undergoing a transformation in its operations. “Giant printing presses and skilled counterfeit artists were no longer the target of the agency’s investigations. Criminals, particularly those in the drug trade, had started using computers to engineer and move fake money.”
Because he was, as his supervisor put it, “the only one who knows how to change the screensaver,” Williams was sent to a brand-new training operation called the Electronic Crimes Special Agent Program (ECSAP). “I was trained on everything from seizing a computer system to performing forensics, all while maintaining evidence and chain of custody for an eventual prosecution of the bad guys.”
Combatting Crime in the Banking Space
After the events of 9/11, Williams was transferred to Washington, D.C., to be part of an electronic crimes task force that the Secret Service was setting up in response to calls for help from U.S. banks. “They were getting hammered by internet-based crimes,” he said.
Williams recalled, “It was my privilege to assist with several investigations that hunted down and stopped the global crime rings behind these attacks. While assigned to the Criminal investigation Division at USSS headquarters, I had the opportunity to help create the Criminal Intelligence Section – Cyber Threat Unit to help better combat cybercrime.”
After several years of tracking down and assisting in the prosecution of cybercriminals, Williams moved to the private sector in 2011, working to combat crime from within the banking space. “I was not there long before I realized that banks have a completely different point of view around cybercrime. They are less concerned with who is committing the crime, and much more concerned with controlling the risk.”
It became clear to Williams that he needed to better understand how the business community thinks about and strategizes around cybercrime. “Earning an MBA (in 2018) from Colorado State was among my approaches,” he noted.
Williams remains in the private sector today, helping PSCU/Co-op Solutions and the financial institutions it serves mitigate the risks of cybercrime – and changing the occasional screensaver from time to time.
Cybersecurity Dangers and CUs
When asked “What threats keep you up at night?” Williams responded, “Third-party breaches are on the rise. This impacts any organization with a supply chain – which is essentially any organization in existence today. Vendors are critical to the day-to-day operation of most every organization in financial services. That includes PSCU/Co-op and the thousands of financial institutions we collectively serve.”
Williams pointed out headline-generating attacks like SolarWinds in 2020, which initially impacted the public sector, slowly began to bleed into the private sector. “Cybercriminals learned quite a few lessons from that and similar breaches. They have since leaned in on vendor-targeted attacks and are seeing a lot of success – which means that credit unions must prioritize vendor due diligence and management to combat this fast-growing trend of third-party compromises.”
Aside from supply chain attacks, Williams suggested credit unions and other community financial institutions should also be aware they are on the radar of cybercriminals. “Large banks have large infosec budgets and very sophisticated controls. It can take even the most seasoned hacker months to break into a global bank’s systems.”
In addition to the promise of an easier compromise, Williams said there is a second motivation attracting crooks to credit unions.
“Cards stolen from a credit union sell for a much higher price on the underground marketplace. That is because the buyers of stolen cards know that a Chase or Bank of America account number has a $100 million budget behind it, counteracting any fraud they may attempt to perpetrate using that account,” he continued. “When a new batch of stolen credit cards goes up for sale, those from credit unions typically sell out in the first week.”
Sharing is Caring
One of the most cost-effective ways to reduce the risk of stolen credit card files is to share information across the credit union ecosystem, explained Williams. “For too long, compromised organizations have been too timid to let it be known they are under attack.”
Williams added, “Fortunately, as the industry becomes aware that fraud and cybercrime is a universal problem faced by all financial institutions, that stigma is going away. This is fortunate, as warning each other of emerging fraud schemes is critical to stopping them early.”
He relayed how the head of the National Security Agency (NSA) once compared failing to share information about cyberattacks and breaches to watching someone else’s castle burn down and thinking, “‘Thank goodness it is not ours.’ Unless you help, that fire is going to spread – and the surest way to douse these types of fires is with information.”