#337 Mastering Vendor Security in Financial Services: A 12-Year Journey

Embracing Digital Transformation28mJune 4, 2026
AI-Generated Summary

Galen Councilman, CIO of Pinare Credit Union, reveals the hidden complexity behind modern digital banking: a single app login can involve over 25 third-party vendors, each with their own security, data, and integration challenges. Unlike healthcare, where privacy was the primary focus, financial services demand relentless security due to the direct financial risk—making audits and compliance non-negotiable. Galen shares how his team navigates this maze through rigorous NIST-based risk assessments, a formal risk appetite statement with the board, and a bold strategy of forcing synchronous vendor calls to resolve issues in minutes instead of weeks. The real pain point? There’s no common data model—each vendor speaks a different language, forcing teams to manually transform data, clean it, and adapt custom code. What’s more, AI is only used for data movement, not integration automation. The episode exposes a critical truth: digital transformation isn’t about flashy tech—it’s about managing a sprawling, fragile ecosystem where one misconfigured certificate can crash an entire system, and the only fix is a 30-minute phone call with all parties in the same room.

Key Takeaways
1

A single digital banking app can involve over 25 third-party vendors, making integration and security a massive operational challenge.

2

Financial institutions face constant external audits and regulatory scrutiny (e.g., NCUA, quarterly pen tests), unlike healthcare, where privacy was prioritized over security.

3

The most effective way to resolve vendor issues is forcing synchronous meetings—30-minute calls with all vendors present, which fix problems in minutes instead of weeks.

4

There is no universal data model in credit unions; each vendor uses different formats, requiring manual data transformation and cleaning for every integration.

5

Risk is not eliminated—it’s managed. Pinare Credit Union uses a formal risk appetite statement with the board to accept only low or medium risks, never high.

…and 3 more takeaways available in PodZeus

Chapters
0:00
2 min

The 25-Vendor Reality of Digital Banking

When one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.

Highlight
1:40
3 min

Galen’s IT Origin Story: From Computer Shop to CIO

Galen shares his journey from building computers in a local shop in the 90s to becoming a CIO, emphasizing his hands-on roots and passion for technology.

4:10
3 min

Healthcare vs. Financial: The Security Divide

We are audited all the time. So we have to pay for third-party audits on a quarterly basis, external, you know, pen tests and all of these sort of things.

Highlight
6:40
3 min

The Integration Nightmare: No Silver Bullet

It's a lot easier if I had an army of software developers could just design it how we wanted.

Highlight
10:00
3 min

The Synchronous Fix: Why 30-Minute Calls Work

We have a phone call and we get it fixed in 30 minutes. It's taken us two weeks to get there.

Highlight
High-Impact Quotes
So when one of our members downloads our app and they sign in, they're going to potentially interact with over 25 vendors to make that whole experience work.
Galen Councilman14:41
If it's a low or less than that, so low or very low, then we accept that. If it's medium, we don't.
Galen Councilman22:33
be a lot easier if i had an army of software developers could just design it how we wanted
Galen Councilman15:28
Speakers

Host

Dr. Darren

Guest

Galen Councilman
Topics Discussed
vendor risk management95%financial services cybersecurity90%digital banking integration88%third-party vendor audits85%risk appetite statement82%data integration challenges80%core banking system customization75%AI in vendor management70%
People & Brands

Galen Councilman

person

15xNeutral

Pinare Credit Union

organization

12xPositive

NCUA

organization

4xNeutral

NIST 800-53

other

3xNeutral

HL7

other

2xNeutral

Python

other

2xNeutral

Microsoft

organization

2xNeutral

Cisco

organization

2xNeutral

Start discovering podcast insights today

Start with a 7-day trial and explore a growing catalog of popular podcasts. No credit card required.

No credit card required • 7-day trial • Cancel anytime