View This Article in BOSS Magazine
Veritex Community Bank is on a cybersecurity journey rooted in a Texas-sized commitment to honesty
Truth. It’s what’s deep in the heart of one of the 10 largest banks headquartered in Texas. Since its inception in 2010, Veritex Community Bank (VCB) has been firmly grounded in truth, transparency, and unwavering integrity. Those same values are the foundation for a cyber technology journey that aims to identify cybersecurity threats and respond to them, protecting and recovering vital information.
The award-winning Dallas-based institution specializes in providing depository and credit services to small and mid-size businesses largely neglected by national banks. VCB operates banking centers in the Dallas-Fort Worth metroplex and greater Houston area.
Bob Ludecke, VCB’s Chief Information Security Officer, oversees its Cyber and Information Security Program (CISP). We recently spoke with him about the program and its goals, and the most vital aspects of their efforts. “Ensuring the careful consideration of people, processes, and technology throughout the entire life cycle, from conception to implementation and maintenance, is paramount to preserving our business partners' operational efficiency and guaranteeing the successful functioning of our technology,” he said.
Understanding the needs of the business as well as of the customer is essential. “Cyber doesn’t drive business, business drives cyber,” he said. “I learned this more than 20 years ago when I attended my first Common Body of Knowledge presentation for the newly created Certified Information Systems Security Professional (CISSP) certification, and it stuck.”
VCB’s customers trust them to provide credit, capital storage, and investment opportunities and to safeguard the cash, capital, and personally identifiable information they collect to do so. Cybersecurity requires that Ludecke’s teams understand the origin, processing, transmission, and storage of this information.
“The central reason we have technology is to serve our customers and achieve our strategic goals resulting in shareholder value. That technology is where information is created, transmitted, processed, and/or stored,” he pointed out. “Each one of those functions is an opportunity for unauthorized disclosure. Security and IT teams are on the hook to collaborate to make sure that data is secure at each function.”
As CISO, it is crucial for Ludecke to understand where the bank’s information assets are located, as it allows him to establish appropriate safeguards to effectively ensure their protection. “Additionally, we need the capability to monitor external activity in order to prevent, stop, or contain security events. This helps to avoid potential exposure of our data to unauthorized parties.”
The bank has recently partnered with a virtual security operations center that monitors its network 24/7 and has also implemented a new vulnerability discovery tool to enhance its existing security state management products. “This tool identifies and categorizes all assets on our network while highlighting any vulnerabilities they may have,” he said.
Keeping up with the bad actors
The volume of bad actors and the misuse of technology to attack digital infrastructure continue to increase virtually every hour of every day. VCB’s cybersecurity journey includes efforts to educate VCB’s business partners on information security and on how to handle sensitive financial information, with the goal of building a human firewall. “This takes time. The bad actors are working 24/7, so we all must be on alert and apply best practices with securing information. The Veritex organization excels at seeking input from my team to address their concerns and implementing process improvements that we recommend,” Ludecke said.
When it comes to securing VCB’s connected devices, his team needs to know every device that’s connected to the network in order to secure it. “We implemented a software solution that identifies all the devices on our network, categorizing them by the type of device and identifying open vulnerabilities on those devices,” he said.
Created by Ordr, the solution delivers visibility and security for connected devices, from traditional IT devices to the newer and more vulnerable Internet of Things (IoT) and operational technology (OT). It discovers every device, profiles its risk and behavior, maps all communications, and protects it with automated policies.
VCB is using Ordr not only to inventory the devices on its network, but also to support its cybersecurity hygiene program, such as identifying devices running outdated operating systems. Insights on vulnerabilities for IoT and OT devices also complement the bank's traditional vulnerability management solutions. “This was a very good investment.”
According to Ludecke, using Ordr’s device-centric threat and anomaly detection, VCB has also been able to detect and quickly address issues, even before being notified by their virtual SOC. This has helped the team accelerate response.
To ensure that VCB’s connected devices are properly configured and maintained, the organization shifted left, which means having security assurances at the earliest stages of the life cycle. “This is important to drive hardening standards across the technology stack before deployment. Leveraging industry standards as a baseline is a great first step.” Having tools in place to measure compliance with the industry standard is also critically important. “We’re tweaking Peter Drucker’s statement, ‘You can only improve what you measure,’ and expanding that to include, ‘You can only control what you measure,’” he added.
As you’d expect, robust policies and procedures are in place to govern the use of connected devices.
“We transitioned to a new policy taxonomy for cyber and information security,” he revealed. Policy applies to workers and authorizes standards, each of which is more focused on a particular area of security. Policies and standards are similar in that they state what is required. Next come process control manuals that describe in detail how each control is managed, enforced, and measured. “For each standard, we have a corresponding process control manual. Measures are in place to track compliance.”
To educate their employees about the importance of cybersecurity, VCB has annual training requirements that each employee or contractor is required to take, and Ludecke’s team gives monthly staff briefings to help staff understand their responsibilities, best practices to follow, or reminders to be diligent on emerging patterns. “Tiger team penetration testing provides awareness to our employees of the importance of securing all information, whether paper or digital, in their workspaces. Phishing campaigns are conducted to advise our employees on the different schemes threat actors are actively using.”
The CISP team closely collaborates with vendors and key partners, too. “Weekly checkpoints are critical for ensuring our collective success and fostering a sense of collaboration within our community at Veritex. We pride ourselves on being more than just a company — we are a tight-knit family,” he noted. “My team is critically important to the success of the CISP. I could not have asked for a better team or better management that fully supports me and the program.”
Balancing the need for security with the need for employee productivity and innovation presents a relationship challenge, so Ludecke has modeled his security team to be enablers, not the department that constantly says no. “The relationship is key to ensure that we are promoting the idea of a human firewall. Our business partners handle information, and they are on the front lines. Therefore, it is best to have the business partners be well versed in how to perform their jobs securely. This takes time but is worth the effort.”
Ludecke invoked Drucker’s adherence to accurate measurement as the ultimate truth. “Metrics indicate if things are working by showing progress toward strategic goal fulfillment. They also provide opportunities to make certain that programs are optimized and are operating as efficiently as possible,” he said.
It’s clear VCB’s commitment to veracity isn’t just a portmanteau. “The corporate culture is impressive, and to be honest with you, I didn’t know places like Veritex existed. I am incredibly blessed to be at this institution and serve as its Chief Information Security Officer.”
As a Texas community bank, we take the time to get to know you and your financial needs. We're able to make banking decisions when you need them – right now, right here, locally. Whether you need a business loan, a car loan, a home loan or classic banking services like savings and checking accounts, we're your bank.
Corporate Office
8214 Westchester Drive
Suite 800
Dallas, TX 75225
Phone Number: 972.349.6200
Homepage Link: https://veritexbank.com/