What 'Scares The Living Daylights' Out of 1 CEO
TOLEDO, Ohio. A good IT manager knows the credit union's systems inside and out, and "that scares the living daylights out of me," admits Rick Haas, CEO at $45-million ProMedica FCU here.
ProMedica doesn't employ an IT manager, and Haas said he hopes to delay hiring one for as long as possible.
"IT professionals can program systems to do things that a CEO wouldn't understand," Haas said. "And then you're vulnerable."
Employees from other business units may also pose a threat, he conceded. But they don't normally possess the same level of technical skill that CIOs could leverage to pull off a grand heist.
For example, IT staff could lock other employees out of data simply by controlling the encryption keys, rendering the data useless to everyone else. About 40% of IT specialists surveyed admitted they could still access encrypted data after leaving for other employment, because of weak encryption-key controls, according to a recent report from Salt Lake City-based Venafi, which provides managed encryption solutions.
"Just think if your IT employee was disgruntled," Haas continued. "They could put a time bomb in your system and shut you down. I'm not a big fan of handing the keys over to one individual, especially one who can do things you don't understand."
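The point Haas makes about not handing the keys to one individual has a direct technical counterpart: split-knowledge key custody. The Python block below is an added example, not code from the article, from ProMedica or from Venafi. It uses Shamir secret sharing over a prime field to split a data-encryption key into shares held by separate custodians, so that any two of them can reconstruct it while any one alone learns nothing. The custodian names and the sample key are constructed for the illustration.

```python
"""Split-knowledge custody of a data-encryption key via Shamir secret sharing.

Added example (not from the article, ProMedica or Venafi). Any k of n
custodians can rebuild the key; fewer than k get no information about it.
"""
import secrets

# Mersenne prime 2**127 - 1. The field is larger than any 128-bit key, so
# every such key is a valid secret; shares also fit in 16 bytes.
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x mod P."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule, highest degree first
        result = (result * x + c) % P
    return result


def split_secret(secret, k, n):
    """Split an integer secret (< P) into n shares (x, y); any k reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % P        # product of (0 - xj)
            den = den * (xi - xj) % P    # product of (xi - xj)
        lagrange = num * pow(den, P - 2, P) % P  # modular inverse via Fermat
        secret = (secret + yi * lagrange) % P
    return secret


def key_to_int(key):
    return int.from_bytes(key, "big")


def int_to_key(value, length):
    return value.to_bytes(length, "big")


def demo():
    """2-of-4 custody of a constructed 128-bit key; returns the recovered key."""
    # Constructed sample key, not a real key.
    dek = bytes.fromhex("00112233445566778899aabbccddeeff")
    # Hypothetical custodians; the IT manager is only one of them.
    custodians = ["it-manager", "compliance-officer", "ceo", "outside-consultant"]
    k, n = 2, len(custodians)
    shares = dict(zip(custodians, split_secret(key_to_int(dek), k, n)))

    # Any two custodians together can rebuild the key ...
    recovered = recover_secret([shares["compliance-officer"], shares["ceo"]])
    assert int_to_key(recovered, 16) == dek

    # ... but the IT manager's share alone interpolates to an unrelated value.
    alone = recover_secret([shares["it-manager"]])
    assert alone != key_to_int(dek)
    return int_to_key(recovered, 16)


if __name__ == "__main__":
    print(demo().hex())
```

The pattern generalizes to any k-of-n quorum: a 3-of-5 policy can require, say, the IT manager plus two non-IT officers before a backup key is released. In production the same idea is usually enforced by a hardware security module's quorum authentication rather than by hand-rolled code, but the threshold math is what makes "no single keyholder" enforceable rather than a matter of trust.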
IT-manager-turned-criminal stories abound. A CU Internet technology manager admitted last year to a switch-out scheme where he sold $400,000 of a vendor's computer parts.
Recently, four credit unions learned that a computer consultant had stolen $2 million from them. The consultant's business partner, not the credit unions, exposed the crime.
At Goldman Sachs, a computer programmer was sentenced in March to eight years in prison after uploading source code from the company's trading system to a competitor's platform.
In fact, about 20% of people who steal from their employers are information technology managers, according to a report by Traverse City, Mich.-based Ponemon Institute.
Haas himself is no stranger to IT, having sold computer systems earlier in his career. "I've learned that the smartest people aren't necessarily the best people to hire. Sometimes they're too smart. They want to know way too much about your systems."
The checks and balances built into the credit union industry that are meant to protect against insider threats may not be strong enough, he suggested. "The NCUA can't do a good job unless it has a specialist come into the credit union and take a detailed look."
From time to time, ProMedica gets IT support from a trusted computer consultant, someone who has limited access to the CU's systems, Haas said. "Along with the consultant, I'd like to keep a handle on IT myself for as long as possible. But we'll probably need an internal manager as we continue to grow."
The decision to hire a CIO should be weighed as a matter of costs versus benefits, said John Santarpia, president and CEO at the $98-million Magnify CU in Mulberry, Fla., which has an IT department with 2.5 full-time employees.
"Whether you need an IT manager depends on the asset size and complexity of the CU," Santarpia explained. "Do you have Internet banking? An internally managed website? Multiple branches with data lines communicating between them?" The greater the complexity, the greater the need for specialized management, he said.
Professional IT headhunters can help credit unions find suitable candidates, continued Santarpia. Scrutinize each applicant's credit report, criminal and standard background checks, IT qualifications, education, previous employment and CUNA bondability.
Insurance helps mitigate risk, he added. "The credit union is protected if they bonded the employee and did their due diligence." A compliance officer should review employee transactions, and a third-party should conduct periodic vulnerability assessments to "double-check the competency of the IT manager."
Haas said he is familiar with the best practices that Santarpia recommends. In the end, hiring IT boils down to a matter of trust, Haas said. "We put so much faith in people that they're going to do the right thing, but they don't always."