Stephenie Southard – BCU
Twenty-five years ago, when Stephenie Southard showed up for an IT job interview, she was told she was “pretty enough” to be a secretary or she could become a schoolteacher. The remarks only fueled her desire to pursue a career in the male-dominated industry she loves.
Fast-forward to 2019 when Southard landed her dream job as a vice president and chief information security officer at BCU, a credit union based in Vernon Hills, Illinois.
It’s a joy, she says, to be on the cutting edge of the financial services industry and cybersecurity. At BCU, Southard says she welcomed being treated like an industry expert, which is sometimes harder for women in the industry.
Given a year to help BCU earn a Cybersecurity Maturity Model Level 4 Certification—something she’s handily done—she’s now leading a 10-person team that’s upgrading cybersecurity services for 708 people in 63 credit union locations throughout the U.S. and Puerto Rico.
“I want to empower women to come join me,” Southard says. “There’s no telling where we can be 10 years from now.”
Hitting the ground running
When Southard was hired, BCU was clear about her role in achieving the top cybersecurity certification in just a year. It was a tight timeline complicated by the onset of COVID-19 five months after she was hired. But after a brief reset to settle people into working remotely, it was back to meeting a looming December 2020 deadline.
As Southard explains, what’s known in the industry as a National Institute of Standards and Technology, or NIST, CSF Level 4 certification is the highest security level in cybersecurity readiness. Getting it means banking processes and risks are well-established, monitored and tested with recovery processes in place.
“We did exactly what we set out to do,” Southard says. “It’s a hard enough task to do onsite, but to pull it off remotely was unbelievable.”
As part of the process, Southard evaluated BCU’s environment, installing security tools and software for banking services that eliminated or lessened certain risks, such as adopting what is known as NIST 800-30 controls while allowing identity and privileged access reviews.
In addition, she began to improve BCU’s business resiliency and incident response protocols. As she puts it, “we had to knit them together to make sure our project partners were aligned from a whole project perspective across the enterprise.”
Southard also had to factor in governance policies across the system, which meant reviewing data policy regulations and making sure BCU complied with the latest state and federal laws. She and her team kept the system in compliance by reviewing stipulations with its vendors, assessing risks and monitoring the system for areas that could cause system failures.
From there, the team could devise what security measures needed to be implemented—whether through installing products or via personnel—to keep the system in compliance.
“A lot of projects will typically die when they get to this level, but we had backing from the board from the start that cybersecurity was critical,” Southard says. “That’s why I’m here.”
Attention to detail
With the certification achieved, Southard is looking at other ways to support security awareness to better protect credit union operations for its 295,000 members.
Southard’s also implementing governance and sustainability practices and establishing a risk identification program. Her team also shares information with clients and employees on identifying phishing emails or suspicious phone calls to protect them from scams.
Her performance—including developing transparent processes to build an internal culture of trust and collaboration—earned her a CISO of the Year nomination in 2020 by the Chicago chapters of the Association of Information Technology Professionals, ISACA, FBI-InfraGard, Information Systems Security Association and the Society for Information Management.
In 2021, Southard also received one of the 10 Best CISOs of 2021 awards from Tech Magazine. Given her expertise, she’s sitting on advisory boards and gaining popularity as a nationwide keynote speaker.
“By identifying weaknesses as a company—and within our group and processes—we are now able to address threats quickly and protect BCU moving forward,” Southard says. “No doubt, the benefits of building strong relationships and services will carry over to the members.”
Southard’s self-determination, passion, and warmth made this Texas native accessible to people—all essential skills for emerging CISOs, she says. Her adaptability stems from her experiences living everywhere from Japan to Indiana as a child, graduating from high school early and then moving out on her own by the age of 17.
“It’s important to make people feel comfortable with you,” says Southard. “You have to be able to communicate to different people in a variety of ways, from pie charts to talking [return on investment]. That’s what got me here.”
Earning her master’s degree at Indiana Wesleyan University in Business Administration and Management in 2008 was her first career move. After that, while working in technical roles as a security IT analyst and IT manager, Southard says she came to a fork in the road. As she saw it, her choice would be to either choose a “predictable” career in IT or splinter off into the emerging field of cybersecurity. She chose the latter.
But the glass ceilings she hit weren’t necessarily gender-based. As she describes it, certain companies weren’t ready to dive into the emerging field.
“I worked my way through a couple of organizations, but no matter how hard I tried to implement heightened protocols, there was always a missing feature in an organization—they didn’t have a mature CISO orientation,” she says.
BCU is different, she says, a seasoned organization looking to take cybersecurity to the next level.
“At BCU, I finally felt like I was at a company that understood what I wanted to do in this stage of my career,” says Southard. “By empowering me to focus on security controls, I was not fighting to promote cybersecurity in day-to-day operations.”
Since finding her niche in this emerging field, she says other CISOs coming into the ranks are eager to learn from her experience. She’s sharing her insights with audiences virtually on everything from governance processes and risk identification to technology platforms.
“What I love about the activity is that it’s nonstop—something’s always going on with all the projects we build and grow in multiple industries,” says Southard. “We are forever exploring new sets of vulnerabilities and diving down into those areas to investigate. What comes out in the end is a magnificent win for all. Watching the light bulb go off in someone’s head when they see why security is important makes me feel like I’m doing my job.”