CO-OP Financial Services CISPO Aims to Protect Against Today’s and Tomorrow’s Cyberthreats
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security to protect data and transactions at credit unions and other financial institutions.
For Paul Love, senior vice president, chief information security and privacy officer (CISPO) at Rancho Cucamonga, Calif.-based CO-OP Financial Services, information security is not just about how a company reacts to cyberthreats, but proactively protecting the organization from unforeseen dangers.
Since 2017, Love has committed himself to creating a superior information security and privacy infrastructure within CO-OP Financial, which operates an interbank network connecting credit union ATMs in the U.S., locations in Canada and certain U.S. Navy bases overseas. Focusing on efficient and effective integration of cutting-edge techniques and technologies, he built information security policies, metrics, and programs in line with the company’s elevated security goals.
Love has earned a reputation as a strategic, results-oriented CISPO who can synchronize enterprise-wide security efforts while developing information security as a business competence. He has also gained recognition as an infosec thought leader by industry peers working at organizations like Microsoft, EY, and Freddie Mac, and for generating multiple books, publications and presentations.
Once a Marine, Always a Marine
A proud U.S. Marine veteran, Paul is known for his work ethic and dedication, as demonstrated by his extensive training and academic qualifications.
“I’ve been all around the U.S.,” Love said. He was born in Texas, lived in Florida, graduated high school in Iowa, received undergraduate degrees from Palomar College in San Marcos, Calif. and MidAmerica Nazarene University in Olathe, Kan.; and earned a Master’s from Capitol Technology University in Laurel, Md. Always seeking to expand his knowledge about security, Love also recently undertook a program, “Cyber Security: Managing Risk in the Information Age,” with the Harvard Extension School.
His affinity for computers, and then security, began as a teenager with an Atari 65XE. “I programmed my first computer program and just really loved all they offered,” he recalled. But he soon realized he also needed to protect his creations.
He continued with his love of computers and then eventually joined the United States Marine Corps, because it really fit his aspiration to help others. “I can be part of something bigger. I can protect our nation. And luckily I got to go into the intelligence field…in communications and stuff.”
Love spent two tours serving with the Marines where he observed how to build camaraderie and protect others. It just reinforced what he wanted to do for his career. “I wanted to be involved in computers; but also involved in helping others protect themselves.”
Some of the lessons he learned from his time in the military proved valuable in information security. “You don't want to just fight your last war. Because the adversary is always going to think of new and different approaches.” Another lesson learned is to remain adaptable to change and to not get complacent or satisfied with previous security actions. “Making sure we're not just dealing with the issues that happened in the past, but trying to think about new approaches and new effects.”
Helping CO-OP and Credit Union Security
Once Love joined the civilian labor force, he went to work at several companies, but always with a security angle. Prior to joining CO-OP Financial Services, he served as senior director of governance, risk and compliance (GRC) for the Federal Home Loan Mortgage Corporation (Freddie Mac); a senior manager at EY; senior director of threat assessment and protection services at Ally Financial; information security officer at Cetera Financial Group; and director of compliance and audit at Microsoft.
When Love joined CO-OP, with such strong ties to the credit union industry, it felt like a natural fit. “As I got into the credit union industry, which was about 4½ years ago, it felt like coming home. The level of care that people have for each other. It reminded me of all the best elements of camaraderie that you had in the military.”
Love described security as something CO-OP cares deeply about. The organization maintains a prevailing company-wide objective to protect the data under its care. “Part of that was adding privacy to that.” He credits top-down support for establishing and maintaining security for credit unions. Love pointed to “the level of passion that (CO-OP) has about trying to do things that help our customers and the members.”
During his time with CO-OP, Love established a formal information security program from the ground up and created an incident response program. He also defined a four-year strategic roadmap for information security to transition the business from a reactive to a predictive model, as well as implementing a multi-year threat intelligence program based on emerging threats and changes in regulations. He also strengthened the company’s information security through internal penetration testing, external security assessments, vulnerability scans, and phishing exercises; and introduced infosec standards and policies based on regulatory and non-regulatory considerations, including FFIEC, NCUA, GLBA, PCI, and ISO 2700.
As CISPO, Love also sets the requirements for what CO-OP achieves from a compliance standpoint, such as meeting the different regulatory needs, and identifying how the company protects its information from unauthorized disclosure or attackers. “Part of that is working with our partners in IT (information technology), because I'm not in IT actually, and working with those partners to help ensure that the right security controls are put into place.”
Love explained his position within the credit union industry revolves around his role as a caretaker of member information. “Not everyone in security takes the same approach; everything I do needs to help take care of people. That is something that is important to our management.”
Preparing for Today’s and Tomorrow’s Threats
When asked about the top security dangers facing financial institutions today, Love referred to the recurring nature of some of the cyber threats. “I've been doing this for about 30 years. It has been very cyclical. You'll have something that is the issue of the day.”
Right now, all chief information security officers (CISOs) remain aware of the threat of ransomware, which often originates from phishing and spoofing scams, and of the need to make sure their organizations have appropriate controls in place. “We continue to monitor those types of activities,” Love noted.
Just as concerning to Love is what has not occurred yet. Because 10 years ago, ransomware was there, but it was not in the news as much. “It was not as prolific as it is now,” Love noted. “You need to have sight of what's in front of you, but also what's on the horizon.”
Love did not minimize the importance of staying abreast of the current types of threats and attacks. “Those are important, those are immediate, those are things you would need to have good reaction times on, but you cannot do them to the exclusion of what is in the future. The more you prepare for it, the better you are prepared for it.”
The way he looks at cybersecurity is to make sure CO-OP continues to improve its security controls and make them stronger and more resilient. “You should always be in continuous improvement mode and curious about new things that are coming out.”
Taking a More Understanding Security Tone
Love proposed that cybersecurity people maintain a more empathetic approach to keeping people and organizations safe, even when individuals become victims of a new scam or malware attack. He does not want people to refrain or be dissuaded from asking any security question because they are not as aware of the threats security people think about all the time. “We're here to learn together.”
Love emphasized he tries to build awareness with employees and members. “Everyone makes mistakes. No one's going to laugh at you because you had not seen that particular phishing email. I want you to be aware.”
One of the most rewarding parts of his job is helping employees understand how to protect information. That necessitates helping people not only understand the security requirements but also making people aware of phishing and other threats. Within one year, Love improved security awareness at CO-OP by 60% through employee-focused security and threat awareness training.
In addition, Love tries to build programs to show how individuals can protect themselves and their families because people then bring those prudent behaviors into work. “The security teams that I saw in the past 20, 25 years were all about pontificating about how you have to do (certain) things.” He added, “I want you to understand why we're protecting members, because you'll take that behavior to your peers and home to protect your family, which is really important to us, too.”
Love also suggested because incidents such as data breaches and ransomware attacks frequently make headlines, people become desensitized to the threats. However, behind all occurrences are victimized individuals. “If we stop thinking about people, it's easy to lose track of why and what we're doing.” He added, “I've seen security professionals get jaded.”
The CO-OP CISPO emphasized that security professionals across the credit union industry maintain their focus on the individuals they are shielding. “You're protecting people in the community. What keeps me excited about security is that I am helping individual people and helping our employees too.”