In what is a recurring feature, Finopotamus spotlights innovative women who are positively impacting technology applications in the credit union industry, and beyond.
For this issue, we visited with PSCU’s Manager of Technology Compliance Programs Lori Lucas. The St. Petersburg, Fla.-based payments CUSO supports more than 1,800 financial institutions, representing more than 6.9 billion transactions annually.
By W.B. King
Like many IT executives, Lori Lucas’ career path wasn’t a straight line, but the critically important professional experiences she gathered along the way inform her forward-leaning methodologies.
After graduating from The University of Southern Mississippi in the early 1990s with a Bachelor of Science in business administration and a minor in accounting information systems, Lucas took a job with a local certified public accounting firm.
“In addition to my public accounting work, I assisted in managing the CPA firm’s network,” said Lucas, who later earned a master’s degrees in public accounting from her alma mater. “This is where I discovered my passion for technology and made a decision to leave public accounting and pursue a tech-related career.”
Lucas’ experience in accounting oversight would serve her well. After leaving the CPA firm, she landed a position working as an IT auditor.
“Since then, I have worked for several financial services companies in the field of cybersecurity and IT compliance as well as for a Big Four accounting firm [Ernst & Young] as a technology risk consultant,” said Lucas.
While certain business practices have changed since she started her career, there has always been a focus on security, availability and integrity of critical systems and data. In the financial services sector, she noted, IT controls are especially “scrutinized and rigorously tested” by auditors and regulators. As a result, IT departments are pushed to “work hard” in making “cyber hygiene” business as usual, she noted.
Cyber hygiene, Lucas explained, is the practices and controls that “IT workers implement to maintain system health and ensure resilience against online threats,” such as antivirus, application of security patches and least-privilege access controls.
And while there have been IT constants throughout her career, the pandemic brought about a “paradigm shift” regarding how the aforementioned work can (or should) be performed.
“This is requiring leaders across industries, who are accustomed to managing employees in an office setting, to adapt their leadership styles to engage and effectively manage remote workers,” Lucas said. “Though major changes and shifts in business can often introduce resistance and feel a bit unnerving, I think this will strengthen IT departments and their ability to drive value to the business.”
When asked if she has seen changes in the number of women working in IT since the early 1990s, Lucas hasn’t “observed noticeable changes in workforce dynamics – whether it be women in leadership roles or performing other IT functions.” What she has noticed is “a concentration of women” in certain roles.
“I see more women in software development than in systems engineering. What I believe is changing is supply and demand, at least in terms of cybersecurity and IT compliance,” she said. “We have been experiencing a skills crisis for several years. These skills are rare, in high demand, and difficult to retain. Scarcity breeds opportunity for women and men. I trust this will open doors and we will be able to recruit talent, regardless of gender.”
For those women looking to work in the cybersecurity side of the tech industry, Lucas said it’s a challenging and exciting field that is always seeking talent.
“If you have an opportunity to obtain a degree in a cybersecurity/risk management field or pursue professional certification that is a plus,” she said. “Otherwise, there is no set path into the field. Be creative. Pursue what energizes you the most, whether IT help desk, IT audit or something in between.”
Conceding that her career path didn’t include “traditional technology roles,” Lucas said she benefited from the tutelage of two previous associates, a chief information security officer and an IT consultant, each of whom has “broad experience” in “traditional” technology roles involving systems engineering and implementations.
“I have gained technology experience vicariously through them. For years, these individuals have challenged me personally and professionally. They are my valued colleagues, coaches and trusted sounding boards,” said Lucas. “I am grateful for having these individuals as my wingmen. Each has helped me advance my career at every step, to where I am today.”
In the spirit of mentorship, Lucas “pays it forward” in two specific ways: keeping an open mind when recruiting new talent and continually challenging her team to “stretch and step out of their comfort zones,” which, in turn, encourages team members to challenge Lucas when appropriate.
“I’ve hired individuals with ‘traditional’ experience and those with ‘blind spots’ in their résumé but who have the passion and drive to work hard and be successful,” Lucas said. “We learn from each other. Each of us has diverse perspectives and unique strengths. By complementing each other and covering each other’s blind spots, we collectively propel the cybersecurity and risk management profession forward.”
Currently, PSCU’s ITS (Information Technology and Services) department has approximately 215 employees, but Lucas said there are “additional technology positions” supported outside of ITS.
“From a demographic standpoint, about half are Gen X, one third are millennials and the remainder are baby boomers,” Lucas explained. “There is a larger percentage of males overall, but of the females, approximately one-third are baby boomers, followed by Gen X and then millennials.”
To ensure that in-house technology initiatives are successful, Lucas said her team is involved at the earliest possible stage of a project. Cybersecurity resilience, she noted, is achieved through effective internal control, which requires people, processes and technology.
“Since control gaps introduce risk and because retrofitting controls are costly, getting a seat at the table early in control design is critical. My team recently rolled out a phishing simulation tool that helps us train and educate our employees and monitor ‘click rate’ trends,” Lucas said. “My team also works closely with our marketing and corporate communications teams to alert employees of cyber threats, raise awareness and engage them in the fight against cybercrime.”
Prior to the pandemic, Lucas’ team also published an annual “Cyber Squad” wall calendar with information security themes and messaging. Each PSCU employee received a calendar. “With much of our workforce now remote, we had to pivot quickly,” she said. “We worked closely with our marketing team to launch a digital version of the ‘Cyber Squad’ calendar.”
PSCU’s Cyber Squad is comprised of three “superheroes” who embrace the three tenets of information security: confidentiality, integrity and availability.
“The Cyber Squad, now animated, teaches a virtual quarterly lesson, complete with an online quiz,” Lucas said. “Employees who answer correctly are eligible for a prize drawing.”
Technology: Exciting and Concerning
When asked about what trends she is keeping her eye on, Lucas said that the complexity, outsourcing and velocity of technology both excites and concerns her.
“They drive cybersecurity and technology risk, requiring innovation and automation to mitigate effectively. An example is cloud computing services. Cloud, in my opinion, is people, processes, and technology that you don’t directly control,” she continued. “The idea of ‘shared responsibilities’ is new to companies accustomed to managing and controlling all three. Containerization and payment virtualization are other examples of trends requiring re-invention of control design to protect critical assets while driving value to the business.”
If you enjoyed this article, you might like reading these Finopotamus articles as well: