CISO Conversation with BCU’s Stephenie Southard

Just ask Stephenie Southard — there are as many career paths within the information security field as there are information security professionals. Southard began her career as an EDI Coordinator, then worked as an IT security analyst at the Indiana Department of Corrections, as a Department Chair in the educational arena, and finally as a CISO. Her career in information security began just as the Internet was going mainstream.

Today, Southard is vice president, chief information security officer at BCU in Illinois. Southard is an active keynote speaker and advisory board member. In this interview, we discuss how her career progressed and some of the things that have surprised her along the way.

Here is an edited and condensed version of our interview.

Thank you so much for taking the time, Stephenie. What piqued your interest in security? I’m spying on your LinkedIn profile right now, and it looks like you started security as an analyst at the Indiana Department of Correction.

Yes, the security side started there. I had already been working as a help desk associate, but they quickly reassigned me to a newly built Level 4 correctional facility in New Castle, Indiana, which was not far from where I lived at the time. In taking that position, I got that experience building both the computer and physical aspects of security. The physical security included the touch screens throughout the building, biometric scanners, identity card access, and cameras. Getting exposed to security, I realized it’s something that is always changing. It’s never dull, and every day there is something different that we had to fix, improve our controls on, or secure. It was and still is exciting to this day, fifteen years later.

I enjoyed it and felt it was something I wanted to continue my career path in. Right after that I received my master’s degree and wanted to teach. It so happened there was an opportunity with Ivy Tech and I jumped on that. As an adjunct professor, I also managed a certification/testing center. A few years later, I had advanced to a department chair over both IT and business curriculum. I had gained a lot of experience in teaching and learning about things I hadn’t experienced while working in the field.

Was it the PCI that got you back into applied security?

It was. I had been in the educational field for seven years and felt that I had an excellent understanding of the textbook knowledge. Yet, I missed the day-to-day activity. I missed putting the textbook theory into action.

A friend, who was the President of an organization that had just acquired several credit card manufacturing companies, reached out to me and asked if I’d like to join and help them with merging the new companies’ IT and Security departments. The position opened my eyes to a whole new set of challenges, such as PCI. From there it extended to include ISO, SOC, NIST, and others. I think, today, the industry is more mature in its understanding of what is needed from CISOs, and now companies realize that they need dedicated security resources, and somebody that’s going to have security responsibilities on their radar 24/7. Data exposure and breaches are some of the biggest organizational risks, and you need to make sure you have those controls in place.

Why did you think that security would be the career path for you?

I didn’t. Not at first. I knew that I liked security, and that I had jumped around enough in other roles in IT to find something that I was not bored with. But I had no idea it would be the one. To be honest, I felt it may change several times throughout my life. I have always been fast paced, with lots going on, and security is the same way; I think that’s a big reason. Plus, I knew working in IT would pay the bills, and that was super important for me to get out of the paycheck-to-paycheck cycle of careers. I was overly curious, jumping around in different roles and wondering: Is this for me? Is this something I can see myself doing forever? But now there is no time to think about that, too much going on. That’s security!

It didn’t register how much I liked security until I was in the field for a while and it still felt brand new. And it turns out that it is how it is to this day. As I mentioned, security is always evolving. It’s ever-changing. Two years ago, I wouldn’t have guessed that we would be involved with vendor management, business continuity or compliance. But today, we have some oversight in those areas and more. It’s because those relationships are becoming critical to security’s success and protecting the organization.

I love the fact that the role of CISO is always expanding. I love that challenge, and I love that this is where we have evolved. I look forward to seeing what the CISO role looks like five and ten years from now. I think it’s going to be completely different and can’t wait to see those future CISOs in action.

Eventually, we will have a seat at the table with the board of directors. That’s the ultimate goal, as it’s essential to the organization to have that oversight and awareness. From the board of directors down, everyone needs to understand security is one of the most critical parts of the organization. Everyone’s exposed to the Internet, all the good and bad that comes with it; everyone’s exposed to critical data and all the good and bad that come with that. Exposure to the wrong person on either of those could cripple an organization.

Is the CISO position what you expected? Were there any surprises?

Absolutely. I’ve had those struggles where the organization didn’t see the need for adequate security, from either a budget perspective or a resource perspective. It was a battle, and it is a continuous struggle for a lot of other CISOs today. You then throw in that some security departments still fall under an information technology team and budget, and that makes it even more difficult in their efforts.

In a lot of those situations, you’re stifled, and you can’t ultimately do what you want to do. You’re trying to put in compensating controls, or you’re trying just to mitigate what you can to get through. Here, at BCU, we’re thankfully more mature than that. The organization wants to know what our risk management goals are. They want to know what it looks like for the organization to have best-in-class security controls and practices.

That’s probably been especially challenging in the past decade, with all of the technological changes we’ve witnessed. One of the most significant changes is moving to the cloud and away from on-premises.

I think that it’s the right move. I believe that many organizations think it’s a thing to do and don’t necessarily understand what comes with it or how it changes from an on-prem to a cloud environment.

Before one makes that switch, I think everyone needs to research how it will ultimately look in their environment. That includes how it’s going to be accessed and how the costs will now change for those resources. When you decide, “I’m going to go from prem to cloud,” you’ve got to make sure that your staff and your resources have that knowledge to be able to move with it. If not, you’re going to struggle or fail.

I imagine that’s where a lot of organizations end up. They find themselves with clouds and silos of identity that need to be managed. What were some of the challenges you ran into with that transition, and how did you overcome them?

We had no idea how much access our employees had, or to what. When we started this transition, we estimated that we had about 120 applications that our employees used. When we sat down and did our due diligence, there were over 300. We also discovered that what we thought was on-premises was in the cloud, and vice versa in some cases. And the list of applications just kept growing and growing.

That was probably one of our first lessons: don’t assume you know your environment until you do your research. Go in and do your due diligence; leave no rock unturned. Then secondly, get everyone who needs to be involved in the process of the transition actually involved at the beginning of the process. We had to change a lot of our processes or backtrack because we hadn’t involved the help desk or human resources or the proper managers.

It also took us sitting down with all those stakeholders, several times, and asking: If we do this, what will the effects be?

Was there concern about processes no longer working?

When we first introduced our identity access management process, others expressed their concerns that this was going to break their current process, or that we were putting more work back on managers. Whatever their concern or feedback was, we had to address those things before we had acceptance and buy-in on the new process.

Fortunately, in the end, we were able to get those processes implemented. We were also able to put some automation in it, which gave some time back to some of our internal resources, including managers.

We’ll switch gears now back to a career-oriented question. What advice would you give someone who was to enter the field now?

Don’t be afraid to flex. If you find an interest that you’re curious about, explore it. Go for it. I don’t think I would be where I am today if I didn’t take the time to explore those things that I felt most interested in.

Particularly in security, there are so many things going on.

As we’ve been talking about this whole conversation, the things that we’re doing today are probably not going to be what we’re doing tomorrow or what we’ll be looking at five years from now. Having a CISO or someone in security that has that flexibility and knowledge of different areas is going to be invaluable to whoever is looking.

I would also mention that in many situations folks feel that security is just a nice-to-have or something that doesn’t need to exist in their environment. So anyone going into security also needs to be able to be strong and stand their ground for what they are suggesting, as most of the people they interact with won’t understand or tangibly see what they are trying to achieve.
