Defending Critical Infrastructure in the Age of AI Attacks with Sean Murphy - Ep 211
Sean Murphy is the Senior Vice President and Chief Information Security Officer at BECU, the 4th largest credit union in the United States and the largest community-based credit union in the country, with approximately $30 billion in assets. With more than 7 years at BECU, Sean leads a security organization of 60 professionals spanning risk management, identity and access management, security operations, platform engineering, and disaster recovery. His career spans the U.S. Air Force and military medicine, civilian healthcare, and now financial services, giving him a cross-sector lens on cybersecurity accountability that is rare at the executive level.
Here’s a glimpse of what you’ll learn:
- Why Sean reframes the "they only have to be right once" threat model and how layered defense changes the math entirely
- How AI-powered email security tools are doing what traditional gateways never could, and why bolting an LLM onto a legacy product is not the same thing
- Why Sean believes the good guys ultimately win the AI security battle and the one condition that has to be met first
- The direct call to action Sean is making to security manufacturers about their responsibility in the AI era
- His three-principle framework for building and defending a security product portfolio to a board
- Why the CISO peer network remains one of the most underrated and most reliable tools for evaluating new security technology
- What Sean's cross-sector background in healthcare and the military taught him about who actually bears the cost when cybersecurity fails
In this episode…
Sean arrives at this conversation with something most CISOs do not have: a career that has moved through military medicine, civilian healthcare, and now critical financial infrastructure. That arc shapes how he thinks about cybersecurity accountability, not just as a technical discipline but as a protection of real people who cannot absorb the consequences of getting it wrong. At BECU, the $30 billion in assets under management belongs to the members. Sean makes that point directly and returns to it throughout the conversation. When cybersecurity fails at an institution like this, it is not an organizational metric that suffers. It is someone's savings, someone's mortgage, someone's financial life. That is the weight he carries into every board presentation and every product decision.
The conversation sharpens quickly when Sean pushes back on one of the most repeated framings in security: that defenders have to be perfect every day while attackers only have to be right once. He does not dismiss the underlying tension, but he reframes it in a way that changes the strategic posture entirely. If your architecture gives an adversary a single opportunity to get through, then yes, that framing holds. But the answer is not to accept it as fixed. The answer is layered defense built across protection, detection, response, and recovery, where attackers have to win at multiple levels before they reach anything critical. Sean is specific about what this looks like in practice, drawing on AI-powered email security as a concrete example of the model working. Tools that use machine learning to evaluate URL age, flag anomalous behavior, and move suspicious content before a user ever sees it represent what security has always needed to be able to do. The distinction he draws matters: that is fundamentally different from slapping an LLM onto a traditional email gateway and calling it AI-powered, which introduces prompt injection risk without solving the underlying problem.
Where this episode breaks real ground is in Sean's argument about manufacturer accountability. It is a point he admits he was not planning to make when the conversation started, but once it surfaced he developed it with clarity and conviction. Organizations that are not in the business of cybersecurity cannot be expected to carry the full defensive burden when the products being shipped into their environments arrive with vulnerabilities baked in. Sean draws the parallel to law enforcement: communities are not expected to police themselves simply because a police force exists, and yet organizations are routinely penalized when vendor-originated vulnerabilities result in a breach. His ask is not to absolve defenders of responsibility. It is to hold manufacturers to a higher standard, specifically that they use AI proactively to find and fix vulnerabilities before their products are released, rather than waiting for researchers or attackers to surface them first. He closes with three principles for how he builds and defends his own product portfolio: platform consolidation over niche products, objective industry benchmarking through tools like the Gartner Magic Quadrant, and the CISO peer network, where honest conversations about what actually worked and what nearly caused a breach drive some of the most reliable buying decisions in the industry.
Resources mentioned in this episode
Matthew Connor on LinkedIn
CyberLynx Website
Sean Murphy on LinkedIn
BECU Website
Sponsor for this episode...
This episode is brought to you by CyberLynx.com
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Transcript:
Cyber Business Podcast
Guest: Sean Murphy
Senior VP & CISO, BECU
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Sean Murphy, Senior VP and CISO at BECU. Sean, welcome to the show.
Sean Murphy: Hi there, thank you.
Matthew Connor: Thank you. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Sean, for those who aren't familiar, can you tell us about BECU and your role there as Senior VP and CISO?
Sean Murphy: Absolutely. BECU is a credit union in the Seattle area with a field of membership in Washington and surrounding states — and we're growing, so that field of membership is expanding as well. We have about $30 billion in assets and we're the 4th largest credit union in the United States. And equally importantly, we're the largest credit union that is community-based. Other credit unions are often chartered for specific industries or occupations, whereas BECU is chartered to serve the broader community. We take that purpose very seriously — we walk the talk.
As Senior Vice President and Chief Information Security Officer, I've been here a little over seven years. My responsibilities cover the full traditional security framework: risk management, third-party risk management, identity and access management for both our workforce and our members, security operations, platform engineering and architecture, and disaster recovery. All the things you'd expect in that role. I have a team of about 60 people — the A-Team.
Matthew Connor: That is impressive. Fourth largest credit union in the nation, $30 billion in assets — and what strikes me is that in comparison to the major banks, even an institution like Chase is reportedly under attack more than the U.S. government, which puts the scale of the challenge in perspective. They're spending something like $15 billion a year on cybersecurity. But for most credit unions, even large ones, the target profile is different. At your size, though, I imagine you're a much more significant target. What's that like?
Sean Murphy: It's a good point. First, for context — the B in BECU stands for Boeing. That's our origin story, though today our field of membership extends well beyond Boeing to the broader community. But having Boeing in our name means we sometimes get confused with the military industrial complex, which adds an interesting dimension to our threat profile. And fundamentally, that $30 billion in assets is our members' money. That's the key differentiator between banks and credit unions — we don't have profits in the traditional sense. We exist to serve the community. But yes, it absolutely makes us a target.
Cybersecurity is not an afterthought at BECU. I came into the organization with a clear mandate to mature the program, because we are under attack every single day. Every time I present to the board — regardless of what progress we're discussing — I make a point of saying: do not be mistaken. We are under attack every single day, and we have to stay one step ahead of the adversary. That is becoming increasingly difficult. The pace today is dramatically faster than even 18 months ago.
Matthew Connor: It really is. The cybercrime ecosystem has become a professional, highly-funded industry. We're talking billions of dollars flowing into it annually, with individuals making millions personally. The attacks are no longer the poorly-written phishing emails of years past — they're fully automated, precisely targeted, and AI-powered. This is one of my favorite topics, and I think it's analogous to bringing a knife to a gunfight. If we're fighting this new adversary with old tools, we're at a structural disadvantage. They only have to get lucky once; we have to be right every day. And when they do get through, we need tools sophisticated enough to catch it. I'm a big fan of where AI is heading on the security side — particularly things like Darktrace and Abnormal on the email side, where machine learning is being used properly rather than just an LLM bolted onto a traditional product. What's your stance on embracing AI in security?
Sean Murphy: I'm an optimist on this too. And they also say Murphy was an optimist, so I'll lean into that.
I will reframe one thing, though. The idea that the adversary only has to be right once is technically true, but it assumes that if they get through one layer, the game is over. Most of us are building defense in depth — layered architecture where you have to be right multiple times to get to the crown jewels. Whether it's protection, detection, response, or recovery — as an attack progresses through the kill chain, our defenses are designed to catch it at multiple points. We're not relying on a single shot. That's what the work of architecture and engineering in cybersecurity is really about: making it as difficult as possible, layer by layer.
That said, the challenge is real. The frequency, sophistication, and sheer volume of attacks — now augmented by non-human identities coming into the battlefield — make it genuinely hard to lean on traditional tools alone. But I want to be clear: the security hygiene fundamentals still matter. Patching, security awareness training, configuration management, governance — those tried-and-true principles are still the foundation. You have to have that foundation in place before you can effectively layer in AI capabilities.
On your email security example specifically: there's data loss prevention, URL analysis, CASB and SASE technologies — and then layering in AI components to analyze content and meaning within the email structure. That gives you four or five different opportunities to catch an attack before someone clicks a bad link. Those emails are coming in faster and better crafted than ever before. What used to be tens of thousands of attacks a day is now tens of millions in a matter of minutes or hours. That's genuinely hard to defend against without AI-powered tools working in parallel.
Matthew Connor: Exactly right. And what makes the layered approach even more critical is what we're seeing with groups like the Qilin and Warlock affiliates — loading vulnerable signed drivers to disable endpoint security tools before encryption runs. Microsoft separately reported that the Storm-1175 group, behind the Medusa ransomware, is chaining n-day and zero-day exploits in high-velocity intrusions. What that illustrates is that when your EDR gets taken offline by a signed driver exploit, you'd better have something at the network layer watching for anomalous traffic. If Darktrace or a similar tool isn't watching your network and EDR goes dark, the drawbridge just came down and the bad guys walked in. And with the pace of zero-day exploitation now outrunning patch cycles — sometimes by weeks or months — you're essentially having to defend a fully unpatched environment at any given moment. We have to be using AI to defend against AI-powered attacks.
Sean Murphy: You make me think about something I wasn't going in expecting to raise, but you've struck a nerve — in a good way. The manufacturers don't get a pass here. The Microsofts, the Trend Micros, the Fortinets — I expect them to be just as fast as the adversaries at identifying and remediating these vulnerabilities, before I as an organization whose core business is not cybersecurity have to bear that burden alone.
That's not excusing my own responsibilities. We have a defined level of security maturity we're expected to maintain. But if manufacturers continue to push out hardware and software that is riddled with vulnerabilities — and continue to be, increasingly — then I expect them to be using AI to find those vulnerabilities proactively before release, not after the fact.
I have a healthcare background — I started in the Air Force in military medicine, then moved into civilian healthcare before coming to BECU. And in healthcare, this point becomes even sharper. A hospital's core mission is patient care — it's life and death. How do we reasonably expect a healthcare organization to have the same security posture as a national security agency? That's essentially what it takes to defend against vulnerabilities being shipped in the products they're buying. We need to shift the mindset away from "organizations, defend yourselves — and if you get it wrong, here come the penalties" toward expecting the supply chain itself to take ownership of what they're shipping.
When we get it wrong at BECU, we're impacting members' lives. That's not something I take lightly, and my team is dedicated to getting it right. But I want to hear the story of how the companies I'm paying significant amounts of money to are actually taking that burden off me — not publishing a news report about a discovered exploit and stopping there. I need the fix to come before the problem, not after.
Matthew Connor: And I think that's a call to action that needs to be said. The manufacturers have better AI, better people, more resources than the criminal organizations finding these exploits. They should be winning that race. Maybe some of them are doing more than we know — but if they are, they need to be communicating it, because the news headlines don't reflect it. Every vendor with the means should be publicly committed to using AI to discover and remediate vulnerabilities continuously, around the clock, and staying ahead of the bad actors. I haven't heard that from a single major vendor, and I think it needs to happen.
Sean Murphy: I want to be clear — I'm not calling out any specific company. I'm a significant Microsoft customer, and I have firsthand visibility here in Seattle into what they've been doing in the security space over the last three to five years. It's been a genuine paradigm shift and I benefit from it every day. The overall principle is simply that I need to see more of the prevention and detection coming from the people shipping gear into my environment — versus me having to absorb the risk that my suppliers are also inadvertently supplying me vulnerabilities. That's a different kind of supply chain risk than what we were trained to think about, and it's real.
Matthew Connor: Absolutely. And circling back to the layered approach — even if manufacturers are doing a perfect job, the adversaries will occasionally find a way in. That's always going to be true. The goal is to make it so rare and so difficult that it stops being the consistent, profitable business it is today. The volume of successful exploits and the money being made from them is a sign that we as an industry aren't yet where we need to be. Proper layering, combined with AI-powered tools at every layer, changes those odds materially.
It's like the self-driving car analogy — it helps, it works, it's getting better. But ultimately you're still in the driver's seat. If something goes wrong, the responsibility doesn't transfer. So you keep your eyes on the road and you make sure the layers around you are as strong as they can be.
Sean Murphy: That's exactly right. And the question then becomes: with hundreds of AI-powered security products now in the market, how do you decide what to actually deploy? It's choice overload — you walk into the grocery store and you're facing a wall of a hundred mustards. This is not a decision you make haphazardly.
Matthew Connor: That's the challenge. And I think for mature organizations especially, you have to look at things like the Gartner Magic Quadrant as a filtering mechanism. These are professionals whose full-time job is evaluating these products. It's not a perfect filter — great startups won't be on the quadrant yet — but the risk of deploying an unvetted early-stage tool to protect critical infrastructure is real. It's similar to the .com era: you couldn't invest in every .com without losing money. You wait for the cream to rise. And it's a lot easier to justify to the board when you're pointing to objective industry analysis rather than, "this was a cool startup with great investors." How do you approach it?
Sean Murphy: A few principles come to mind. First, you mentioned Gartner — I think of what Gartner calls the cybersecurity mesh as essentially the best solutions that work best together. That leads to a principle of simplification: can I get a platform that addresses multiple problems I have, rather than a collection of niche point products? Start there. That immediately reduces the universe. Then from a layered defense perspective, you look at whether there are specific gaps that warrant a more specialized solution. That narrows things further.
The other thing I'd highlight is the CISO peer network. Nothing beats it. Word of mouth still matters enormously. I had a colleague tell me that if they hadn't been using a particular product, they would have had a data breach. That was compelling. That was the phone call that prompted me to go learn more. Vendors talk about features; peers tell you what actually happened in their environment. Most CISOs I know are very open to sharing — what worked, what didn't, sometimes what they'd never say on a podcast but will absolutely tell you over an adult beverage. That kind of direct peer intelligence drives real decisions.
So the three principles: start with the problem you're trying to solve, lean on objective analysis like Gartner for the platform-level decisions, and maintain a strong peer network for the real-world signal. That's how you build and defend a portfolio without chasing every shiny object that shows up at RSA.
Matthew Connor: Wise words. I couldn't agree more. Sean, this has been an absolute blast. We've surfaced some really compelling ideas today — particularly around the manufacturer accountability piece, which I intend to dig into further. Before we go, can you tell everyone where they can find out more about you and BECU?
Sean Murphy: I'll start with BECU — becu.org. If you live, work, or worship in Washington state, I'd encourage you to look into membership. We have plenty of room, and as a member-owned cooperative, it really does work for you. Great products, great reputation in the community.
For me personally, you can find me on LinkedIn — search Sean Murphy at BECU and you'll find me easily. Happy to connect.
Matthew Connor: Perfect. Thanks, Sean. Until next time.
Sean Murphy: Thank you.