Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

Christofer Hoff, CISO, WesCorp

Better Security Earns Credit For WesCorp CU

The largest corporate credit union in the United States has given security and risk management a high priority. By aligning IT projects with business goals, WesCorp CISO Christofer Hoff has reduced the company's exposure, improved business processes, and saved money.

Constant threats to our business have changed the way we prioritize security and risk management at WesCorp, the largest corporate credit union in the United States with $25 billion in assets and $650 million in annual revenue.

As chief information security officer (CISO) and director of enterprise security services, my role is to embed security into WesCorp's operations. The company's goal is to use rational information risk management to help solve business problems, provide secure business operations, and protect our clients' data.

We've developed a business-focused "reduction of risk on investment" approach. Because it's difficult to consistently attach a specific monetary value to information assets and to assess an ROI for security initiatives, we focus on reducing risk exposure and avoiding costs by implementing the appropriate security measures.

To effectively prioritize our risks, WesCorp aligns with the company's strategic initiatives. It's crucial to clearly understand what's important from a critical operational-impact viewpoint. This must be done from both technical and business perspectives.

WesCorp uses the Octave framework, developed by the Carnegie Mellon Software Engineering Institute, to facilitate our information risk-management process. Specifically, risk is defined, prioritized, and managed based on the synergistic flow of data, including risk assessment, business continuity, vulnerability management, threat analytics, and regulatory-compliance initiatives. These elements provide meaningful data that lets the company understand where it may be vulnerable, what mitigating controls are in place, and its overall risk and security posture. This approach lets us effectively communicate to management, regulators, and customers how we manage risk across the enterprise.

Three recent security initiatives illustrate how we've reduced risk through better network and security life-cycle management.

For some time, we've all been warned that the network perimeter is dead because of the increasing number of access points for mobile workers, vendor collaborations, and business partners. We suggest that the perimeter is, in fact, multiplying, though the diameter of the perimeter is collapsing. As technology gains additional footholds throughout the enterprise, thousands of firewall-like solutions are needed to patrol and monitor access points. The challenge is to provide network security while allowing the free flow of information and, therefore, business as usual. The tactical security implementations necessary for a growing network have traditionally been expensive and difficult to manage.
