Serving Those Who Have Served: Why Protecting Web Services Is Critical At USAA

Serving Those Who Have Served: Why Protecting Web Services Is Critical At USAA

By Jason Compton

Any financial institution with millions of members across the globe faces significant cybersecurity challenges. As an exclusive provider to members of the U.S. military, USAA faces additional complexities that stem directly from its members' work in defending the country.

The Texas-based company provides banking, insurance and investment services to 12 million active and retired service members and their families. With military personnel deployed around the world, USAA is expected to deliver a fast and reliable online experience no matter where members are when they need to do business.

Because many active service members have financial challenges, USAA strives to minimize anxiety over money matters by ensuring the lights are always on for members. That need is felt acutely across the organization.

Serving Those Who Have Served: Why Protecting Web Services Is Critical At USAA
At USAA, the CIO and CSO are peers on the organizational chart.

Pressure On Military Members

Because availability is such a high priority, USAA makes all of its security decisions with uptime in mind.

"Since we are a digital organization, having always-on, always-connected service is critical for us," said Gary McAlum, the chief security officer at USAA. "We talk about the impact on member experience if there's a security failure, whether it affects one member or the membership as a whole."

McAlum is the company's first CSO. Before taking the position seven years ago, he served 25 years in the U.S. Air Force, much of it in a cybersecurity role for the Department of Defense.

At USAA, McAlum is responsible for defending the enterprise against all security, continuity and compliance threats — from massive cyberattacks to small-scale fraud. When designing protections for USAA and its members, like a recent rollout of multifactor authentication, he considers what most members have already been through.

USAA knows that a large percentage of members were victims of a deep data breach: Over 20 million federal and military-connected individuals were affected by the attack on the U.S. Office of Personnel Management. The breach put personal information in the hands of criminals, information that could be used to exploit existing financial accounts or to fraudulently open new ones. McAlum and his family were among the many caught in that net.

"We tend to believe that our military members are more vulnerable to attack than others. There has always been a criminal aspect of society looking to scam and to exploit military members," he said. "So we focus a lot on education and awareness, including raising awareness of phishing attacks."

Withstanding Large-Scale Attacks

While fending off individual scammers, USAA must also stay secure and available in the face of a large, well-organized cyberattack. USAA was targeted by the Operation Ababil spree of distributed denial of service (DDoS) cyberattacks against U.S.-based financial institutions in 2012 to 2013.

USAA had advance notice of the planned attack. After assessing the network infrastructure provided by Akamai, USAA felt confident that the planned attack would not disrupt member services. That prediction proved correct. Akamai protections deflected much of the traffic that might have otherwise overwhelmed crucial services.

DDoS attacks often target the independent domain name servers (DNS) that resolve domain names, like, to hosting servers. Overwhelm the DNS, and legitimate traffic can't find a business. Distributing DNS across Akamai's wide network helps protect against that threat.

"Both of the scheduled attack days were nonevents for us. We saw an activity spike, and then saw it dissipate," McAlum said. "Akamai's network gives us a very wide front door and was able to dissipate that DDoS attack very easily."

How Executive Culture Affects Security

Considering that any security chief needs strong alignment with other executives, USAA designed the CSO office to be fully independent, with a close link to senior leaders at the top.

"We wanted one budget, one line of accountability for security," he said. "Today, everything from security to investigations to business continuation falls under the security group I lead."

At USAA, the CIO and CSO are peers on the organizational chart. Instead of struggling to find common ground, the two have a great deal in common, McAlum said.

"The culture of our company, driven from the board of directors down, is that we have to be available to our members," he said.

The partnership is working: USAA conducts an estimated 1.4 billion digital transactions each year and continues to avoid major incident.

Against a steady drumbeat of high-profile data breaches, McAlum said he considers the company's stability and unique CSO-CIO partnership as a model for others.

"We will continue to work very closely with the CIO side of the house, because we all understand that if our products and services are not available or compromised, nobody wins," he said.

Jason Compton is a writer and reporter with extensive experience in enterprise tech. He is the former executive editor of CRM Magazine.

Related CIO Content