Marc Crudgington – Woodforest National Bank

A decade ago, the aim of most cybercriminals was to sow chaos: attempting to crack a high-profile company, dropping a malevolent virus into an operational system—you probably remember the headlines.

But as technology evolved so too did the threats to the nation’s banking institutions. So says Marc Crudgington, chief information security officer (CISO) and senior vice president of information security at Woodforest National Bank headquartered in The Woodlands, Texas.

Marc Crudgington | CISO, Senior Vice President of Information Security | Woodforest National Bank

With cyberattacks more sophisticated in their design, Crudgington notes, the potential impacts to businesses—in resources and reputation alike—are costlier than ever.

To combat potential dangers to entities under his charge, Crudgington stepped up initiatives to thwart any efforts made by cybercriminals, increasing protection on the most privileged accounts.

“Large-scale breaches are rampant within the industry now, there’s a tidal wave of concern,” says Crudgington, who joined the bank in 2012. “Governed by the need to protect data in our portfolio, we acknowledged the need to strengthen our program and did so.”

The scope of the problem

Check out the FBI’s internet crime reports, Crudgington says, and it’s staggering to see what’s going on. These days, any geopolitical event can set off a wave of cyberattacks, with California leading the way and Texas and Florida tied for second nationally for the highest number of criminal events based on dollar amounts.

“We saw things spike earlier this year with state-sponsored attacks going on in Iran which translated into more attempts stateside,” he says. “It’s alarming.”

The big question is why now? And why in Texas? According to the Governor’s Office, the state had a recent uptick of 10,000 more cases in January per minute—one of the highest in the nation.

As Crudgington explains, the Lone Star State is one of the most popular in which to live and prosper with its commercially-friendly environment. Austin is dubbed the “Silicon Valley of the South,” and Texas is also home to many money-churning vertical industries including oil, gas and energy companies; medical centers; and financial services.

“It’s where the people, the companies, the money, and yes, the cyber-crime threats all exist,” he says.

While Woodforest National Bank may feel like a local bank—why with its community-centric projects like Habitat for Humanity home-builds and local rodeos—it’s also one of the nation’s largest privately-owned banks—supporting over 1.4 million customers throughout its over 780 branches in 18 states with 5,000 employees.

“Our transaction volume alone speaks to the scope of our business,” he says. “That’s why we take extreme precautions to safeguard our assets and our customers.”

Observation and analysis

From a security perspective, one of Crudgington’ s primary goals was to protect with even greater emphasis high-level administrative accounts.

To further achieve this, he employed a process known as segmentation, establishing a more secure server environment by requiring administrator accounts use a jump server and multi-factor authentication as well as requiring additional security controls.

“The status of administrator accounts in particular posed a significant risk because they previously were being treated just like any other general account,” he says.

That presented a problem, however: If a hacker were able to log into those more powerful accounts, they could gain access to any others underneath it. The hacker would, in effect, have the “keys to the kingdom,” giving them direct access to just about anything.

“That could compromise all accounts and could lead to a large volume of data loss. This was a crisis waiting to happen,” he says.

Crafting a solution

Woodforest had been a customer for 12 years, but a little over two years ago, Crudgington connected with CyberArk, a company specializing in cybersecurity, to tackle this very problem. Its specialty is maintaining privileged accounts in corporate environments. Together they created a hyper-focused privileged access plan,

Working closely with Carter Johnson, CyberArk’s district sales manager for Houston, Crudgington implemented a solution to ensure privileged access by managing passwords—in short, making sure anyone trying to access the account had permission to be there. Access will be gained through a two-factor authentication process, logging in through the jump server.

“We help the end-user manage credentials to minimize threat on a regular basis,” Johnson says. “It’s been a quick win. The process is maturing, and we’re adding different groups and teams and expanding our footprint as well as how we’re working with the team.”

As the implementation continues apace, Crudgington makes and rotates administrative passwords to the existing system much stronger—and increased in length—making them more difficult to crack.

“It’s a much more secure process rather than accessing servers directly, now that there are much stricter protocols and a large number of security tools, to alert us to suspicious behaviors,” he says.

In his blood

It’s this kind of work—deep in its mission, staunchly service-oriented—that’s long motivated Crudgington.

A former senior airman with the U.S. Air Force, Crudgington got his start as a computer information systems specialist in 1992. The area of expertise he developed during his tenure and four-year tour with the military—first in Germany and later in California’s Silicon Valley—was in IT network operations, getting a top-secret Single Scope Background Investigation (SSBI) security clearance.

“I could not have asked for better assignment, entrenched in the topic,” he says. “I loved it.”

Post-military, Crudgington earned a bachelor’s degree in business administration, management and operations from the University of Phoenix in 2000. He went on to garner an MBA in strategy and  technology at The Paul Merage School of Business at the University of California, Irvine in 2008, as well as a cybersecurity certificate from the FBI CISO Academy in 2017.

All told, he would spend 17 years in California. After finishing school, he worked in a variety of IT roles for companies such as 3Com, Ciena Corp., ONI Systems, KPMG, Advantage Sales and Marketing, and his own Apex Consulting Group.

A combination of business and family brought him back to Texas in 2011, where he started working at Advantage Sales and Marketing until 2012. Even in his downtime, Crudgington volunteers for various boards, including at the University of Houston, Lone Star College and Sam Houston State University.

“I helped start a cybersecurity internship at the bank because I believe in mentoring the next generation of cybersecurity professionals,” Crudgington says.

The best thing about his job? He would say it’s being stretched in multiple directions daily. On any given day, you might find him immersed in strategy sessions, discussing new product development, working with his software team, researching cloud security or chatting with the FBI.

That drive garnered him a national award as Information Security Executive of the Year for Financial Services in 2019 through the Technology Executive Network.

“This work appeals to me a lot and is a departure from the repetitive nature of computer engineering releases in IT, a former position,” he says. “Here you are operating at an analyst level and executive level, investigating the root causes of what might be happening and then strategizing a cybersecurity roadmap.”

And when it’s finally time to unplug? Crudgington likes nothing better than spending time with his wife and two boys, ages 12 and 15. Ziplining, trekking in the mountains, spending time at the beach, exercising and travel are the top picks. Wherever adventure takes him, Crudgington can breathe easy knowing there’s a system in place to alert him when the bad guys are up to no good—and it’s time to jump back into the fray.

“To win the coming cyberwar we must be using advanced AI tools, implementing user-security awareness education and have a thorough cybersecurity strategy to mitigate the incident to incident response gap,” Crudgington says. “I believe it’s the best way.”