Longtime Information Security Expert Helps Credit Unions Protect Data
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
“The number one most vulnerable point of our nation's security infrastructure is people,” said Gene Fredriksen, co-founder and current executive director and president of the National Credit Union - Information Sharing and Analysis Organization (NCU-ISAO) and accomplished industry chief information security officer.
Fredriksen has over 40 years of information technology experience, with the last 35 or so focused specifically on information security. He has held the positions of chief information security officer (CISO) for payments CUSO PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.
Fredriksen has also served as the chair of the Security and Risk Assessment Steering Committee for BITS (a financial services industry working group that developed a framework for managing technology risk in 2001), as well as serving on the research and development committee for the Financial Services Sector Coordinating Council working with the Department of Homeland Security (DHS). He also served as an advisor on various cybersecurity steering committees for three different administrations and is a Distinguished Fellow with the International Association of Certified ISAOs (IACI), located at the Kennedy Space Center.
In 2019 SC Media named Fredriksen one of the top three Information Security Executives of the last 30 years.
From a Montana Ranch to Florida CISO
Fredriksen was born and raised on a ranch in Montana before the family moved to Wisconsin in the mid-60s. After receiving education and training in mechanical design and engineering and spending four years in the Air Force, Fredriksen found work with a large government contractor as facility security officer just as computer-aided design (CAD) capabilities were coming online. “It really just meant making sure where all the blueprints were stored and locked as engineering moved toward the computer side.”
Fredriksen recalled, “We started to understand you not only needed separate accounts, but everyone should have their own user ID and change their password. These were in the days where that was sort of an afterthought. Most people had group IDs.” He explained that people were not thinking in information protection terms yet.
That led to a large midwestern insurance company, American Family Insurance, based in Madison, Wis., which was in search of a manager of information security and email. “I helped them build an initial program,” said Fredriksen, who recalled it was also about when some of the early computer viruses began. “They weren't malicious. We called them ankle biter viruses.” It was also about that time the insurance firm started a web presence, which included installation of a security system.
Looking to grow in the information security field and seeking a reprieve from Wisconsin winters led Fredriksen to Florida’s Tampa Bay area and eventually Raymond James Financial, where he worked from 1998 to 2006. There he built an information security organization from the ground up and implemented a comprehensive information security and risk management program that met or exceeded all business and regulatory requirements. “I grew the staff to about seven engineers on the information security side and an access admin group, because unless you've got control over who issues the rights (and) where they're going, you don't have control over anything.”
During this time, he also worked closely with the FBI to build an awareness and outreach program. This program provided a forum for regional business, government, and law enforcement entities to collaborate and share information, reaching well beyond the boundaries of Raymond James.
Following his tenure at Raymond James, Fredriksen decided to try his hand as a principal consultant for security and risk management strategies at the Burton Group, where he advised large companies on security architecture and controls; he then moved to Tyco International as Global CISO. “At the time I joined Tyco, they had about 60,000 employees in 30 countries. There were a lot of challenges in running a group where I had information security people basically around the world. It was finding the right things that needed consistency and aligned with the business. There was no cookie cutter approach that would work.”
Securing the CU Community
Looking to cut back on travel, Fredriksen sought work near his Florida home and landed with the St. Petersburg-based PSCU, which supports 1,900 credit unions and processes more than 6.9 billion transactions annually. “At that point, I got my exposure to credit unions, and really fell in love with the people, the business model, and the whole industry’s community-based approach,” he said.
Fredriksen served as chief security strategist for PSCU for almost nine years. Among his PSCU accomplishments were leading information security and compliance activities, which included implementation of foundational programs, performance of ongoing technology risk assessment actions, and collaboration with business units to establish strategic and operational security programs; and providing a strategic security direction.
He explained there is also a lot of effort involved at PSCU in maintaining its System and Organization Controls (SOC) attestations and Payment Card Industry Data Security Standard (PCI DSS) certification, the audits a payments processor must pass every year to keep serving its credit union clients.
Adding to his list of accomplishments, Fredriksen helped shape the National Credit Union Information Sharing & Analysis Organization (NCU-ISAO). He was also part of the Department of Homeland Security (DHS) effort that stood up information sharing and analysis organizations (ISAOs) under a 2015 presidential executive order (EO 13691). However, he said organizations like the Financial Services Information Sharing and Analysis Center (FS-ISAC) may not focus on the unique needs of credit unions.
So, in 2016 a handful of credit unions set up the NCU-ISAO to focus on industry-specific issues around operations, risk, and compliance through information sharing and collaboration. Said Fredriksen, “We work closely with the NCUA, DHS, and all the regulatory boards.”
Additionally, Fredriksen said he is currently the principal security consultant for Cypress, Tex.-based CUSO Pure IT Credit Union Services, which provides advisory and operational services. “They are a consulting firm which deals exclusively with credit unions, it fits into my sweet spot.”
Because not every credit union can afford or justify a full-time chief information security officer, Fredriksen works with Pure IT to set up virtual CISO (vCISO) programs, in which an outsourced information security expert serves a credit union on a continuing basis. The expert can start overseeing the credit union's information security footprint more quickly and at lower cost than a full-time hire, while still working closely with management to produce a thorough information security strategy.
Dealing with Current Threats
Finopotamus asked Fredriksen what threats keep him up at night. He recalled a conversation with a Tyco executive years ago who said, “Someday somebody is going to do something so stupid that it will just make everybody forget about the last five years of doing good.” That is what the veteran CISO thinks about when major breaches happen today.
“The major problems we've had, it's down to a group of people: a person not checking that patches were installed properly, or someone fat-fingering an address and sending a huge list of proprietary information to the wrong person, a human error, or a person falling for a phishing or social engineering scam,” Fredriksen maintained.
On the technical side what really concerns him is bad guys learning to be stealthy and efficient. “The skill of hackers combined with the increasing reliance on outsourcing of backup services, it seems like there's this perfect storm coming. I'm concerned for our whole fabric and infrastructure.”
Fredriksen recommended ongoing education for credit union executives to protect against scams. “You can't make your employees take a security awareness course once a year and hope it sticks. You should test your people quarterly. And if they fail, then make them take a refresher course. And if they fail the refresher course, make their supervisor take it with them. You have got to monitor their behavior and make sure that they are behaving in a safe manner.”