Cyber Business Podcast

Why the Credit Union Peer Network Is a Security Advantage Banks Cannot Buy with Nico Stein - Ep 217

Written by Matthew Connor | May 25, 2026 1:58:18 PM

Nico Stein is the SVP of IT and Operations at Signal Financial Federal Credit Union, a community-based, member-owned credit union headquartered in Maryland with branches across the DC and Virginia region. With more than 12 years at Signal Financial, he oversees everything from laptops to cybersecurity to the financial core, and has built a reputation in the credit union community for open knowledge sharing at a time when most financial institutions treat peer conversations as competitive risk. An Object First ACE and Cisco Champion, Nico brings a practitioner's skepticism and a community-first mindset to the challenges of defending a regulated financial institution on a budget that does not scale with the threat.

Here’s a glimpse of what you’ll learn:


  • Why Nico shifted Signal Financial's entire security posture from hoping ransomware would not happen to assuming it will and building around recovery speed
  • How he made the case to a non-technical board using a single Washington Post headline framing that unlocked the budget he needed
  • Why backups being the first target of every ransomware attack changes how you have to think about immutable storage strategy
  • How AI-powered voice printing and stress detection in the call center is Signal Financial's frontline defense against voice phishing attacks targeting elderly members
  • Why agentic AI and MCP servers are Nico's personal security nightmare and what he believes most organizations are not yet ready for
  • Why the credit union peer network gives small and mid-sized financial institutions an intelligence advantage that banks structurally cannot replicate
  • Why AI should be evaluated by the problem it solves rather than the token count someone purchased


In this episode…

Nico opens with a framing that cuts through a lot of the performative confidence that shows up in security conversations: he told his board directly that he cannot stop ransomware, and if he had figured out how to do that, he would be on an island drinking margaritas because he had found the holy grail. What he could do was shift Signal Financial's entire security posture from hope to assumption, build around recovery speed, and make the case for immutable storage by asking leadership to picture the alternative on the front page of the Washington Post. That framing worked. The immutable storage solution has been in place for more than a year, the RTOs and RPOs are being met, and Nico talks about it with the kind of quiet confidence that comes from having actually built something rather than having sold someone on a strategy. He also offers a considered acknowledgment that backups are now the first target of every ransomware attack, giving credit to the organizations who thought they had it handled and missed one thing. It is a more generous framing than most and more useful for the organizations listening.

The financial services threat section of this episode is where things get specific in a way that is rare on this podcast. Nico's members include elderly individuals who are being targeted with AI-generated voice cloning attacks where the caller sounds exactly like their grandson. That is not a network perimeter problem. It is a social engineering problem that lives at the intersection of AI capability and human vulnerability, and it is happening in Signal Financial's call center right now. His response is equally specific: voice printing systems that verify caller identity and detect stress indicators that may suggest someone is being coerced or lying when withdrawing large sums. He is direct that this is a vendor-dependent solution and that the vendors are starting to build the right tools. He is equally direct that the threat is outpacing awareness among members who have no reason to know that a call from their grandchild might not be their grandchild.

The back half of this episode is where Nico pulls back from the operational and gets into the questions that the security conversation usually avoids. Agentic AI and MCP servers are his stated personal nightmare from a security perspective, not because he cannot block them but because utilizing them securely in a way that keeps data where it belongs is a problem nobody has fully solved yet. His AI evaluation framework is the same one that has shown up across the best episodes in this season: start with the problem, ask whether AI actually solves it, and resist the pressure to spend tokens because someone bought a million of them and wants to see adoption numbers. What makes Nico's version land differently is the context he brings it from: a regulated financial institution with limited resources, a peer network that functions as a genuine intelligence advantage over banks, and 12 years of scar tissue that makes him appropriately skeptical of anything arriving in a vendor PowerPoint with AI in the title.


Resources mentioned in this episode


Matthew Connor on LinkedIn
CyberLynx Website
Nico Stein on LinkedIn
Signal Financial Federal Credit Union Website
Darktrace Website
Sentinel One Website


Sponsor for this episode...


This episode is brought to you by CyberLynx.com

CyberL-Y-N-X.com.

CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.

The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.

Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.

To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.


Check out previous episodes:


Deepfakes, Demos, and the Real Cost of a False Sense of Security with Chris Pacifico - Ep 216

AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215

Why Silence After a Breach Helps the Hackers with Scott Dickinson - Ep 214


Transcript:

Nico Stein

SVP of IT and Operations

Signal Financial Federal Credit Union

Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Nico Stein, Senior VP of IT and Operations at Signal Financial Federal Credit Union. Nico, welcome to the show.

Nico Stein: Thank you. Thank you for having me.

Matthew Connor: Thanks for coming on. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.

Nico, for those who aren't familiar, can you tell us about Signal Financial Federal Credit Union and your role there?

Nico Stein: Absolutely, Matthew. I'm the SVP of IT and Operations at Signal Financial Federal Credit Union — a community-sized credit union based out of Maryland with several branches across the region, including DC and Virginia. I've been with the organization for over twelve years, working through various positions in IT, and now I oversee all of IT operations: the financial core, infrastructure, cybersecurity — from laptops to SANs. It's an interesting job, for sure.

Matthew Connor: I think wearing a million hats in a small to medium organization is one of the most interesting positions in IT right now — and a really timely topic given how fast cyber threats are advancing alongside AI. How do you manage keeping up when you don't have a large team behind you?

Nico Stein: It's a blessing and a curse. The blessing is the agility — if I need to check something on the firewall because a server isn't responding, I just log in and check it. I don't have to open a ticket and wait a week to find out a port was blocked. The curse is that when we don't know how to fix something, there's no other department to call. We are the department.

That said, I've found a lot of value in the credit union community specifically. Credit unions tend to be more collaborative than banks — banks see each other as direct competitors and are more guarded. Credit unions are member-owned nonprofits, so while we compete for the same market, there's more of a shared-purpose mentality. We have round tables along the Eastern Seaboard where SVPs from different institutions share knowledge openly. How do you handle this? What's your experience with that solution? That kind of peer exchange is incredibly valuable.

I'm also active in the broader IT community — I'm a Vanguard at Object First and a Cisco Champion, among others — so I get exposure to how larger organizations are solving problems, even if I can't implement those exact solutions today due to budget or staffing. It's like a window into the future of where we might be.

Matthew Connor: And on the ransomware and backup side specifically — I think one of the most interesting things you do is how you've approached that conversation with your board. Walk us through that.

Nico Stein: About a year and a half ago I sat down with the board for budget discussions — everyone's favorite time of year — and I told them we needed to shift our mindset from "we hope we won't get ransomware" to "we are going to get ransomware." They looked at me like I'd said something terrifying. "Why do we pay you? Why can't you stop it?" And I was completely straight with them: I cannot stop it. If I had figured out how to stop ransomware entirely, I'd be sitting on a beach somewhere because I'd have found the holy grail of cybersecurity.

So the conversation became about recovery, not prevention. Because for a small to medium organization, a ransomware event you can't recover from means the end of the business. And we're highly regulated — we have to notify authorities of breaches and there are real consequences if members can't access their accounts within a defined window. We still maintain our defense in depth, but we needed to build resilience behind that.

What we implemented was immutable storage. We went with Object First — I should be transparent that I'm an Object First Vanguard, so I clearly believe in the solution, but I'm not here to sell it. For organizations like ours, it's essentially set-and-forget. The backups can't be deleted. Our RTOs and RPOs are being met. When I pitched it to the board, I framed it simply: the alternative is having the Washington Post write that Signal members can't access their funds, the ATMs are down, and people can't pay their mortgage. There's no such thing as good publicity in that scenario. They approved it.

We've had it in place for about a year and a half. Knock on wood, no ransomware event yet — though I'm fairly certain by talking to you about it, I've just jinxed us.

Matthew Connor: Ha. And I want to add a fair point here, because I've been pretty hard on organizations that get hit and don't have solid backups. Your point is well taken — backups are actually the first target in most modern ransomware attacks. Someone can do everything right and still have their backup repositories wiped if they missed one thing. So the immutable piece is critical, and it's not as simple as "just have backups."

Nico Stein: Exactly. I've joked that I should go work for a red team because they only need to find one gap. You have to think of everything. Immutability closes that particular vector — they can't delete what they can't reach.

Matthew Connor: So let's talk AI — because the bad guys are clearly using it. Fighting fire with fire seems necessary. But I know there's also real AI fatigue out there, especially in smaller organizations. How do you cut through the noise?

Nico Stein: I'm inherently skeptical, which honestly helps. When I sit through vendor presentations and someone drops "AI" in every other slide, I'm the person in the room thinking: is this actually AI, or is it a sophisticated if-then statement in Visual Studio? That skepticism serves me well because the right question is always: what problem does this solve? Not: here's AI, now find a use for it. That logic is completely reversed, and I see it constantly.

That said, AI absolutely has real use cases for us. Like most organizations running Microsoft 365, we use Copilot — mostly for meeting transcriptions, summarizations, and improving written communications. There's genuine efficiency there. We're also looking at using AI to speed up underwriting decisions — surfacing relevant data and making a recommendation, while keeping a human making the final call. That last part is non-negotiable for me. AI is confidently wrong more often than people realize, and in a regulated financial environment, the accountability has to sit with a human.

There was a case last year where a bank used an AI chatbot in customer conversations and a customer negotiated a favorable mortgage rate based on what the bot said. The bank tried to walk it back. The court sided with the customer. So we are not giving AI final say on anything that creates a binding obligation or affects members' money.

Matthew Connor: That's a really important point. And it maps to the agentic AI conversation — which I imagine is a whole other concern for you on the security side.

Nico Stein: It's my personal nightmare, to be honest. Agentic AI with MCP servers is where I think we're headed in the next two to three years, and from a security perspective, the challenge of maintaining visibility and control over what those agents are accessing and where data is flowing is genuinely daunting. OpenAI's open agent framework is already blocked on our network — it's a security nightmare from a data governance standpoint. I don't say that to dismiss the technology; I say it because we're not yet in a place where I can deploy it responsibly.

Matthew Connor: And that self-driving car analogy applies here too, I think. A few years ago it was like a drunk toddler. Now it's more like a teenager who just got their license — doing a great job, but you can't fall asleep in the passenger seat. I had a moment recently where a car veered into my lane and the Tesla responded faster than I could have possibly processed it. It was remarkable. But that doesn't mean I'm ready to close my eyes and trust it completely.

Nico Stein: That's exactly it. And the Microsoft Copilot adoption data illustrates the same principle. They expected 85% heavy usage after 90 days and found it was only 15%. The people who succeeded weren't the most technically sophisticated — they were the ones treating it like a new employee. Explaining context, giving clear direction, building a relationship with it over time. Leadership and communication skills, not technical skills. That shift in mindset is what unlocks the value.

Where I get truly excited about AI in security is on the machine learning side — and I think machine learning has been wildly underappreciated until the LLM wave brought AI into the mainstream conversation. Products like Darktrace are doing things that matter: building a behavioral baseline for every user and every device, so when Nico is suddenly sending emails at 2 AM and they don't sound like Nico, the system flags it. When an application starts doing something it's never done before, something catches it. That's not an LLM bolted onto an email gateway — that's machine learning applied correctly. You can't slap an LLM onto your email security product and call it AI-powered. Now you have prompt injection vulnerabilities on top of everything else.

I think we're heading toward a world where AI lives on your machine and on your network, continuously watching, and when it sees something anomalous — a vulnerability being exploited in Adobe, an unusual outbound connection — it acts immediately. And eventually, your phone gets a notification that the person claiming to be Microsoft support is not, and you should hang up. That's the future I'm excited about. Not AI for AI's sake, but AI solving specific, meaningful problems.

Matthew Connor: Completely agree. And to keep from getting overwhelmed by the volume of products out there, I've found things like the Gartner Magic Quadrant genuinely useful as a filter. Not perfect, but it narrows the field to industry-leading solutions that have been evaluated by professionals who do this full-time. You go from a hundred options to a handful, and you can actually evaluate those meaningfully.

Nico Stein: I use it the same way. It's not gospel, but when I'm trying to solve a specific problem and I have limited time and a limited team, knowing that Darktrace or Veeam has been evaluated and ranked by people whose job is exactly that evaluation — that gives me a reasonable starting point. The goal is to spend my energy solving problems, not sifting through noise.

Matthew Connor: And ultimately, if we can collectively raise the cost and difficulty of attacking organizations — cut off the money supply to cybercriminals — that's how we win this. Right now they're making billions because the barrier is too low. Make it hard enough and the economics shift.

Nico Stein: That's exactly the right framing. I'm an optimist. I think the good guys win this. But the only way we get there is by making attacks so difficult and costly that the return on investment for criminals collapses. That requires using the right tools, deploying AI intelligently, and not treating every shiny new product as the answer. Use it where it works. Filter out the noise. Solve the actual problem in front of you.

And on the bigger societal questions — what happens to identity, work, and purpose when AI can do most of what we do — I don't think anyone has it figured out yet. I have a thirteen-year-old son and I genuinely worry about the world he's inheriting. The career ladder that worked for our generation is already broken for his. Student debt, unattainable housing, a credential that may not translate to a job. And on top of that, the jobs that do exist may not exist in ten years. The younger generation seems to intuitively understand this — they're less likely to tie their identity to their work, which might actually make the transition easier for them than for those of us who built our sense of self around our careers.

For me, personally? I'm Nico. I've been in IT my whole life. If you take that away, I genuinely don't know who I am outside of it. That identity question is something I think we're collectively unprepared for.

Matthew Connor: That's a really honest and important point. And I do think we're going to see a future where the social currency shifts — away from what you do and toward how you grow, what you know, what you've experienced. That was true in ancient Rome when the wealthy didn't have to work and the premium was placed on learning, travel, culture. I suspect something similar is coming, though the transition is going to be messy.

Nico Stein: I hope so. I'm slightly more pessimistic about the average person's default behavior — the concern is more Netflix than Da Vinci. But I'd love to be wrong. I think the key is exactly what you said: making the transition in a way that preserves dignity and purpose, not just material comfort.

Matthew Connor: Nico, this has been a blast. Before we go, can you tell everyone where they can find out more about you and Signal Financial?

Nico Stein: Sure. I blog occasionally at makerstein.com — there's a contact form there as well. You can also find me on LinkedIn under Nico Stein. For Signal Financial, our website is signalfinancialfcu.org — we have competitive rates and we take care of our members. If you're in the DMV area — DC, Maryland, or Virginia — come check us out. We'll make membership work for you. And we occasionally run community sessions on staying safe online, so keep an eye out for those.

Matthew Connor: And to confirm — being in the DMV area is basically the only requirement to join?

Nico Stein: We'll make it work for you.

Matthew Connor: Perfect. Nico, thanks again for coming on. Until next time.

Nico Stein: Thank you so much. Take care.