#337 Mastering Vendor Security in Financial Services: A 12-Year Journey
Galen Councilman, CIO of Pinare Credit Union, reveals the hidden complexity behind modern digital banking: a single app login can involve over 25 third-party vendors, each with their own security, data, and integration challenges. Unlike healthcare, where privacy was the primary focus, financial services demand relentless security due to the direct financial risk—making audits and compliance non-negotiable. Galen shares how his team navigates this maze through rigorous NIST-based risk assessments, a formal risk appetite statement with the board, and a bold strategy of forcing synchronous vendor calls to resolve issues in minutes instead of weeks. The real pain point? There’s no common data model—each vendor speaks a different language, forcing teams to manually transform data, clean it, and adapt custom code. What’s more, AI is only used for data movement, not integration automation. The episode exposes a critical truth: digital transformation isn’t about flashy tech—it’s about managing a sprawling, fragile ecosystem where one misconfigured certificate can crash an entire system, and the only fix is a 30-minute phone call with all parties in the same room.
A single digital banking app can involve over 25 third-party vendors, making integration and security a massive operational challenge.
Financial institutions face constant external audits and regulatory scrutiny (e.g., NCUA, quarterly pen tests), unlike healthcare, where privacy was prioritized over security.
The most effective way to resolve vendor issues is forcing synchronous meetings—30-minute calls with all vendors present, which fix problems in minutes instead of weeks.
There is no universal data model in credit unions; each vendor uses different formats, requiring manual data transformation and cleaning for every integration.
Risk is not eliminated—it’s managed. Pinare Credit Union uses a formal risk appetite statement with the board to accept only low or medium risks, never high.
…and 3 more takeaways available in PodZeus
The 25-Vendor Reality of Digital Banking
“When one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.”
Galen’s IT Origin Story: From Computer Shop to CIO
Galen shares his journey from building computers in a local shop in the 90s to becoming a CIO, emphasizing his hands-on roots and passion for technology.
Healthcare vs. Financial: The Security Divide
“We are audited all the time. So we have to pay for third-party audits on a quarterly basis, external, you know, pen tests and all of these sort of things.”
The Integration Nightmare: No Silver Bullet
“It's a lot easier if I had an army of software developers could just design it how we wanted.”
The Synchronous Fix: Why 30-Minute Calls Work
“We have a phone call and we get it fixed in 30 minutes. It's taken us two weeks to get there.”
“So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.”
“If it's a low or less than that, so low or very low, then we accept that. If it's medium, we don't.”
“be a lot easier if i had an army of software developers could just design it how we wanted”
Host
Guest
Galen Councilman
person
Pinare Credit Union
organization
NCUA
organization
NIST 800-53
other
HL7
other
Python
other
Microsoft
organization
Cisco
organization
When the cost of code approaches zero, what does engineering leadership look like?
33m • 6/10/2026
Transnistria (and other things) with The Red Line
1h 49m • 6/14/2026
#330 Disaster Recovery for Executives: Why Cloud & SaaS Are NOT Enough
33m • 6/4/2026
#322 Navigating Cybersecurity in Maritime Transportation
29m • 6/4/2026
#323 Nationstate Cybersecurity, Eric ONeill's Journey
31m • 6/4/2026
Start discovering podcast insights today
Start with a 7-day trial and explore a growing catalog of popular podcasts. No credit card required.
No credit card required • 7-day trial • Cancel anytime

