NU 2026 Conference Test: Culture is Control: What Your Committee Should Ask About Cybersecurity

Friday, June 19, 2026

Culture is Control: What Your Committee Should Ask About Cybersecurity
Barry Lewis, CISSP, Senior Director, Optiri

Cybersecurity is not just a technology issue—it is a governance, risk management, and organizational culture issue. This session will help supervisory and audit committee members understand why a strong security culture is one of the most effective controls a credit union can have against cyber threats, fraud, and operational risk. Participants will learn how to identify the characteristics of a healthy security culture, recognize warning signs that may indicate vulnerabilities, and distinguish between measuring compliance and measuring culture. The session will also provide a practical framework for assessing security-culture maturity and equip volunteers with key oversight questions to help evaluate management's efforts to strengthen cybersecurity awareness and accountability throughout the organization.

Fields marked with an * are required.

Please verify that you have checked the “I'm not a robot” checkbox.

A credit union’s strongest security control is its technology stack: its firewalls, endpoint protection, and SIEM.

The reporting rate, meaning how often staff report suspicious emails, is a more meaningful measure of security culture than the click rate.

A credit union that reports zero security incidents for the year is demonstrating a strong security culture.

One hundred percent completion of annual security training confirms that an organization has a strong security culture.

Overseeing security culture is an appropriate responsibility for a credit union’s board and supervisory committee.

When an employee reports that they clicked a suspicious link, a healthy security culture responds by focusing first on disciplining that employee.