Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment.

Cy Sturdivant joins us today. He is a cybersecurity consulting principal with deep experience helping organizations navigate information security, regulatory compliance, and risk management challenges. Cy has spent nearly two decades working across public accounting, financial services, and consulting environments with a strong focus on frameworks and regulations, including lots of letters: GLBA, FFIEC, NIST Cybersecurity Framework, and IT General Controls. He is a Certified Information Systems Auditor and has held leadership roles with Forvis Mazars—hopefully I pronounced that right.

Cy Sturdivant: Mazars.

Greg: Mazars. Thank you. I tripped over that before.

Cy has also worked with BKD and other advisory firms throughout his career, helping organizations mature their cybersecurity and governance programs while balancing operational realities and regulatory expectations.

Thank you, ChatGPT in the office there, for that intro.

Cy, thank you so much for joining us today.

Cy: Absolutely. Good morning. Good to see you.

Greg: Yeah, good to see you again.

Of course, we have known each other for quite some time. I think it goes back to shortly around the time when I first started this wonderful vCISO Services experiment. I appreciate all the advice and counsel that you gave me back then, and we’ve dovetailed on certain things since then.

You were actually one of the earlier guests in Season 4 of the Virtual CISO Moment back four years ago. Why don’t you catch us up on some of the things you’ve done since then and what you’re doing today?

Cy: Yeah, it’s crazy it’s been four years. I’m probably just like most people. It’s like, goodness, what has been happening the past four years?

First and foremost, I would probably say from a life perspective, kids are growing like weeds. From a family perspective, it’s just trying to balance everything there. From a work perspective, it’s been nonstop.

We’ve gone through our own change, just like you were saying, from BKD to a merger to create Forvis and Forvis Mazars and trying to balance that expanded footprint. Obviously COVID had hit when we had originally discussed, but all of that change and shifting and the remote nature of work, and really serving clients all over the nation, has been fantastic.

But it’s also very hard to keep up with questions like: Where am I working this week? Who am I serving? Where am I going? It’s always something.

You and I always share conversations about education. You want to educate. You want to motivate. I’ve really been trying my best to get back in front of people through conferences, breakout sessions, and symposiums, just trying to get out there on the forefront of all the craziness that’s changing.

It’s been a great four years. A lot of change. But if you want to be successful in anything in our line of work, you have to be adaptable to change. You’ve got to lean in, have a positive attitude, and do your best. Learn every chance you get and give up on the idea of trying to stay one step ahead or trying to be caught up. I gave up on that a long time ago. Instead, try to stay close enough to the bleeding edge to stay informed.

For the past four years, I could probably summarize everything by saying: do your best every day. When the day is done, recharge, move on to something else, and do your best tomorrow.

Greg: I think you touched on something so important that people often, particularly early in their careers, don’t put as much emphasis on as they should. And that is networking and interacting with people.

When you network, you not only get to hang out with your peers, but you also get to spend time with people who have years of knowledge and experience, such as you, and even dinosaurs such as me.

This gives me a chance to plug that I’m going to be speaking about being an information security consultant at BSides Roanoke this Friday. Then, on June 13, if you happen to be in the Des Moines area—I won’t say “Des Moines”—in the Des Moines area, I’ll be speaking on the same topic there as well.

How important has networking—not the computer side, but the people side—been for your career?

Cy: Oh, it’s exceptionally important. The relationship aspect is critical, especially for somebody like myself.

If you’re working inside a bank, credit union, mortgage company, insurance company—regardless of where you’re working—networking with your peers and your team is extremely important. You have to lean on one another. You have to delegate. You have to gain insights. You need somebody on your side when you’re communicating with leadership.

But for my role, and your role too, if people don’t know who you are, why you’re doing this, what your purpose is, or what you do, then they have no way of understanding your passion, your curiosity, and your interest in the work. Nobody gets exposure to that if you don’t network, build relationships, and create friendships.

It’s a two-way street. You want to share, but you also have to consume and listen.

Greg: Absolutely.

I figured that out a long time ago because I’m not the sharpest pencil in the toolbox. I’m not the smartest person in the room. But I do have intelligence, I do have interest, and I’ll use those to the best of my ability.

I love conversations. I love meeting new people. I love getting out. I’m an extrovert, so I get a lot of my energy from people. That side of it always connected well for me.

But honestly, in the early days, I didn’t realize how important networking was. Looking back, absolutely. The relationships. Who you know. Who you help. Who you listen to. Who you connect with and share your time with. It absolutely matters.

Cy: Relationships are probably the most important thing you have, personally and professionally.

Greg: So building off of that, I’ll ask: why are you doing this? You spent a lot of your career in financial institutions, regulated organizations, and environments like that. What originally drew you into this crazy world?

Cy: Yeah. To keep it short and sweet, my grandpa.

I always tell this story. My grandfather sold life insurance, but through his relationships with families and individuals, he also had a very close relationship with our small local bank in the little town where I grew up.

As a little kid, I’d be downtown by the flashing red light—we didn’t even have stoplights—and he’d say, “Hey, I’ve got to go to the bank. Want to come?” It didn’t matter what was going on. He always seemed to have a reason to stop by the bank.

So I’d go with him. And for whatever reason, I always thought the bank was this really cool concept. That stuck with me.

As I went through high school and college, I just wanted to work in banking. So I got an accounting degree and a finance degree and landed my first job in banking.

It wasn’t in IT. It wasn’t in security. It wasn’t in cyberspace. This was back in 2005, so cybersecurity wasn’t really a buzzword back then. Information security definitely was, but cybersecurity wasn’t what it is today.

I tried a variety of things, and honestly, I didn’t like most of them.

There’s that old phrase, “Know thyself.” I don’t know the Latin version, but I knew I wasn’t enjoying what I was doing. So I started asking questions.

I asked if there was anything else in the trainee program that I could get exposure to.

Luckily, the risk management officer said, “Actually, we just got written up. We don’t have an IT auditor. We don’t have an IT specialist in this division. Would you like to take a shot at it?”

I loved technology. Computers and the internet were really starting to take off, and I wanted to learn more.

It was strange how everything came together. The business background, the banking background, the love of banking, and then the technology overlay. It created this perfect recipe.

It’s hard to keep my attention, but things were changing so quickly and there were so many interesting things happening that I dove right in and loved every second of it.

Literally, that one lucky happenstance conversation turned into twenty-plus years.

Greg: I love that story.

You didn’t necessarily have a plan that said, “This is exactly where I’m going to end up.” You just kind of let opportunities happen and stayed open to them.

I heard something recently that stuck with me. I don’t remember where I heard it, but it was, “Do you know what makes God laugh? When you make a plan.”

Cy: Maybe we heard that at the same place.

Greg: Maybe so.

My story is similar. My undergraduate degree is in mechanical engineering. I got involved in technology because I was a part-time student assistant doing network work.

Now, thirty-six—actually, thirty-seven—years later, I’m still doing it.

One of the things I always like to tell people who are trying to get into the field is that it’s okay if you don’t know exactly where you’re headed yet.

Try different things.

Figure out what you like.

Figure out what you don’t like.

Because you don’t want to spend the next thirty or forty years doing something you hate.

Cy: Agreed.

Even if you’re really good at something, if you don’t enjoy it, you’re never going to be engaged. You’re never going to lean in. You’re never going to have that consistent energy.

That perfect formula of doing what you love and doing what you’re really good at—that’s the secret sauce.

Greg: A lot of things change in our field, which is one of the reasons it stays interesting. But there are also things that haven’t changed despite all the technology changes.

What are some of the things you’ve seen throughout your career that have remained consistent?

Cy: This may not be where you were expecting me to go, but I’d say being positive, being helpful, and looking for ways every day to do your best.

That mindset of no matter what happens, I’m going to look for the bright side.

Greg: That’s interesting because it literally happened this morning.

There’s a guy down the hall from me. My office is in a coworking space that’s sort of an incubator environment for startups and small businesses. We all share common facilities like the concierge, printers, and things like that.

There’s a gentleman down the hall I always wave to because every time I walk toward the kitchen area, I’m looking right at him.

A few days ago, I noticed he was moving things out of his office. I didn’t get a chance to talk to him then, but I saw him this morning.

I asked, “Hey, what’s up?”

He said, “We had to shut down the company.”

The offshore company they were affiliated with apparently went under.

And it’s exactly what you were talking about. I tried to be positive. I tried to be supportive. I tried to be a resource if he needed one.

That actually leads into something you and I talked about before: TEA.

Cy: Oh, yeah.

Greg: Let’s jump into that. First, though, we probably need to explain what TEA stands for.

Cy: Yeah. So it goes back to what you were saying about what’s changed over the last four years. The demands of life, career, family—everything just seems more intense.

TEA stands for Time, Energy, and Attention.

I’ve become extremely focused on the fact that we’re all given the same amount of time every day. We all get twenty-four hours. A big portion of that is spent sleeping, so the question becomes: how intentional are you going to be with the time you have left?

Success, at least for me, isn’t just about career success. It’s about family. It’s about happiness. It’s about fulfillment. It’s about being tired at the end of the day because you gave everything you had to the things that matter most.

That’s where the Time, Energy, and Attention concept came from.

I also happen to love tea. I drink green tea two or three times a day. During the winter it’s even more because it’s cold outside. Every morning when I make a cup of tea, it’s a reminder. I ask myself: How am I going to protect my time? How am I going to protect my energy? How am I going to protect my attention?

If you do those three things exceptionally well, you’ll accomplish tremendous things. And by tremendous things, I mean the things that are important to you. That’s the key.

Because if you’re great at time management, you’re taking care of your energy, you’re limiting distractions, and you’re incredibly productive—but you don’t have clear goals—you’ll be tremendously successful accomplishing somebody else’s goals.

That’s the trap.

Over the past several years, I’ve become much more aware of it because everything is on screens now. I started noticing this energy drain at the end of the day that I had never really experienced before.

I kept asking myself, “What’s going on? Am I just getting old?”

I’m forty-three years old. I expected that feeling maybe at fifty, not now.

So I started reading books and paying attention to what was causing it.

Greg: He says that to a fifty-eight-year-old, so I should be dead by now.

I saw a funny meme recently. It said something like every hour you’re on a Zoom call reduces your life expectancy. Based on my calculations, I should have died sometime around 1844.

Cy: It was so good. And honestly, it feels true some days.

But that’s why I think Time, Energy, and Attention are all equally important.

Greg: They are.

Although when I’m talking to people externally, I often focus on time first because time is the one resource that’s truly non-renewable.

If you give someone your time, that’s a meaningful gift because you can never get it back.

One of the things that always bothers me is when somebody reaches out completely out of the blue and says, “Can I have fifteen or thirty minutes to pick your brain?”

I generally have to say no.

Part of it is that I’d rather have a relationship with someone first. But part of it is practical. If I said yes to everyone, I’d spend all of my time, energy, and attention helping other people achieve goals that aren’t aligned with my own priorities.

The challenge is that I’m a people pleaser by nature. I like helping people. So sometimes I struggle with where to draw that line.

In my information security consulting presentation, I tell people that they have to ruthlessly protect their time.

How do you do that?

Cy: Any time I hear a concept like that, I try to create a visual picture in my head.

I think it was Brian Tracy who talked about viewing time as your most valuable asset.

Imagine protecting that asset.

A lot of people think of protection as building a wall, but a wall is impenetrable. Nobody can get in and nobody can get out.

Instead, I think of it as a locked door. The door isn’t permanently closed. I can open it whenever I choose. But I’m the one deciding when it opens.

Whenever somebody asks for my time, I run it through the same filter:

Does this support what I’m trying to accomplish?

Sometimes what I’m trying to accomplish includes helping other people grow and succeed. Conversations like this are a great example.

If somebody reaches out and it aligns with those goals, I’ll often say yes. But I may not say yes today. I might say, “Absolutely. I’d love to help. Can we do it next Thursday at three o’clock?”

What I constantly evaluate is this: What is the most important thing I need to accomplish today? Usually I know that answer several days in advance.

If I have capacity and somebody says, “Hey, I’m struggling with something and would love your perspective over lunch,” that’s often an easy yes. But if saying yes creates consequences elsewhere, then I need to think harder about it. That’s where one of my favorite concepts comes in:

Every yes is a no to something else.

If I unexpectedly say yes to one thing, what am I saying no to? Am I saying no to a commitment I’ve already made? Am I saying no to something that’s more important? Am I saying no to something that’s more urgent?

That’s why I like thinking about the Eisenhower Matrix. The important-versus-urgent framework is a great way to evaluate these decisions. Sometimes something is absolutely worth doing. It just isn’t worth doing today.

And that’s okay.

Greg: That’s a great way to think about it.

I know your time is valuable, so I appreciate you spending some of it with us today. Now that I’ve picked your brain about TEA, let’s pick your brain about something else. Let’s talk about community banks and financial institutions.

You work with community banks, credit unions, mortgage companies—the whole spectrum. The environments differ, but today what are the most common gaps you’re seeing in security programs? And have things matured over the last four years, or are you seeing many of the same challenges?

Cy: That’s a tough question because we work with a significant number of institutions across the country, so it’s hard to make a blanket statement.

I’d probably split them into two groups. The first group took the biggest bag of lemons that COVID handed everybody and made some really good lemonade out of it. They were able to recruit exceptional talent, build strong cultures, and become much more proactive.

More importantly, they care. I don’t know a better way to say it than that. They genuinely care about protecting their institutions and protecting their customers. They want to provide great services while still maintaining strong security. Those organizations have matured significantly and have done exceptionally well.

Then there’s the second group. They’re still very reactive. The conversation tends to go something like, “Cy, thanks for your time. Thanks for the report. We’ll get those findings addressed. See you next year.”

Greg: So it’s more about maintaining compliance than continuously building and improving a security program?

Cy: That’s actually a great way to phrase it.

The organizations that really mature don’t wait for a regulator, an auditor, or a penetration test to tell them what to do. Those things happen once a year—maybe a couple of weeks out of the year if you’re lucky.

The organizations that are successful have a true security mindset. They’re constantly looking for ways to improve. They’re not necessarily trying to become Fort Knox and add endless layers of controls. Instead, they’re asking, “What resources do we have? What risks do we face? What changes are coming? How do we layer controls together effectively?”

The creative organizations that stay engaged and think strategically do really well. Unfortunately, there’s still a large segment that only moves when there’s a finding or when the examiners start asking uncomfortable questions. Otherwise, they’re just putting out fires.

Greg: From the vCISO perspective, that aligns with what we see as well.

A lot of times we’ll recommend enhancements to a security program and hear things like, “Well, the examiners are fine with it,” or, “The auditors are fine with it.”

I always think about the Office Space “minimum flair” speech. Meeting the minimum isn’t bad. It’s great that you’re meeting the minimum. But it’s still the minimum.

The bad guys don’t care about minimum requirements.

You can become more robust without making dramatic changes. You can improve your security posture incrementally. But sometimes there’s resistance to that.

I don’t necessarily judge it as good or bad. It’s just reality.

Financial services is so heavily regulated that regulation becomes both an accelerant and, at times, an impediment depending on the culture of the organization.

Cy: Well said.

Greg: One of the biggest topics in the industry today wasn’t even on our radar four years ago: AI.

Generative AI and everything that comes with it.

What are you seeing from financial institutions regarding AI adoption? Some are embracing it. Some are avoiding it. What’s your perspective?

Cy: It’s fascinating.

You can have a four- or five-billion-dollar institution that’s very aware of AI and monitoring developments closely, but they aren’t really doing much with it. Then you’ll find a five-hundred-million-dollar institution that’s in exactly the same place.

On the other hand, you’ll see another five-billion-dollar institution that’s fully engaged. They’re excited. They’re experimenting. They’re actively looking for use cases.

For years, organizations have struggled with repetitive manual processes. Maybe somebody spends four hours every week reconciling ATM reports. Now Copilot can perform most of that work in minutes, and the employee simply reviews the output.

Those organizations are leaning into productivity gains and eliminating repetitive point-and-click work. It’s similar to what happened when spreadsheets became mainstream. Nobody wants to go back to doing everything manually with a calculator.

The organizations that view AI through a productivity lens are doing some really interesting things. They’re using it for vendor management, governance, and compliance. They’re feeding large volumes of regulations, policies, and requirements into systems that can quickly surface relevant information.

When implemented properly, it can feel like having the world’s smartest consultant sitting next to you with a photographic memory.

The organizations that understand that potential are doing some great things.

The organizations that concern me are the ones saying, “Everybody else is turning it on, so we’re turning it on,” without any real planning, governance, or understanding of the risks.

Most of them are using Copilot, which provides some protections, but only if it’s configured correctly.

Greg: Right.

Cy: Exactly.

If enterprise protections are enabled and they’re staying within the tenant, that’s one thing. But sometimes executive teams have enterprise licensing while everyone else is using public AI tools.

Nobody has explained the difference. Nobody has explained that if you’re using a free public tool, you may be training the model with the information you’re submitting.

That’s where the risk comes from.

It’s usually not malicious. It’s ignorance. It’s a lack of understanding.

People upload information they shouldn’t upload. They ask questions they shouldn’t ask. They don’t understand acceptable-use requirements.

At the end of the day, it comes back to the same fundamentals we’ve always talked about: Did you classify your data? Did you secure it appropriately? Did you communicate expectations? Did you train your employees? Did you identify where your crown jewels are located?

Those fundamentals haven’t changed. Unfortunately, I’m still seeing a lot of organizations struggle with those basics.

Greg: And I think that’s the biggest takeaway.

No matter what the technology is, it always comes back to the basics. Whether it was social media, cloud adoption, or now AI, people tend to react as though the technology itself is the problem. But usually it isn’t. The real issue is governance. Knowing what information you have. Knowing where it lives. Knowing who has access to it.

If you don’t have a good inventory of your information assets, you can’t control them.

AI is another tool. A powerful tool, certainly. But it’s still a tool. Apply the fundamentals and you’ll be in a much better position. Would you agree?

Cy: Generally, yes. Although I do have one caveat.

I try to be optimistic. I don’t like being overly skeptical. But the caveat is this: the large organizations building these systems—Microsoft, Meta, OpenAI, and others—have a tremendous responsibility. Are they going to build these systems in a secure and safe manner? I hope so.

That’s really a separate issue from how organizations use AI.

Greg: Right. That’s less about usage and more about how the technology itself is built.

Cy: Exactly.

Think about it like a car. I can be the safest driver in the world, but if the car wasn’t built safely, eventually I’m going to have problems.

If it doesn’t have seat belts, if the brakes don’t work properly, or if the wheels fall off when I turn too sharply, it doesn’t matter how carefully I drive.

The same concept applies here. The builders of these systems have to build them securely. They have to think about safety. They have to think about quality control. They’re building products that could be used by a seven-year-old or a seventy-year-old. They have to account for all of those scenarios.

It really comes down to the age-old question: it’s a hammer. Is it a weapon or is it a tool? The answer depends on how it’s built and how it’s used.

Greg: Exactly.

There’s obviously a lot of stress associated with everything we’ve talked about today. Technology changes quickly. Security changes quickly. The learning never stops.

One of the things I always like to ask people is what they do to recharge.

What’s something you do to decompress from all of this?

Cy: For me, it comes right back to Time, Energy, and Attention.

From an energy perspective, I’ve spent a lot of time trying to understand what genuinely recharges me. The answer is pretty simple: family and being outside.

If I’m sitting around a campfire, that’s my happy place.

We took our travel trailer out over Memorial Day weekend and went camping. I can be completely exhausted when I arrive, but within fifteen minutes of sitting around a campfire, it’s like somebody flipped a switch. All of a sudden I’m energized again. I’m ready to play a game. I’m ready to do something fun. I’m ready to stay up and have conversations.

It’s amazing how quickly it changes my energy level.

Being around the kids helps too, although that depends on which version of the kids shows up that day. If they’re happy, energetic, and ready to go do things, that’s fantastic. If they’re whining and arguing, sometimes that’s a little less energizing.

But overall, it’s being outside. It’s being away from screens. It’s getting off the phone. It’s reading a good book. It’s having a meaningful conversation with a friend. It’s grabbing breakfast with somebody like you.

Sometimes the recharge comes from nature. Sometimes it comes from somebody else’s positivity and encouragement. But those are probably the two biggest sources of energy for me.

Greg: I love that.

What do you have coming up this summer?

Cy: It’s going to be a busy summer.

We’ve got some family trips planned. I’ve got a couple of banking conferences that I’ll be attending, and my wife and daughters are going to tag along for some of those. We’ve got some camping trips planned, and we’ve got a Dollywood trip coming up.

Greg: Oh my goodness, Dollywood.

I’ve never been. I don’t know whether I want to go or not, but I feel like I need to go at least once.

Cy: My ten-year-old is a roller coaster junkie.

Every year I tell her the same thing: we’ll go to Dollywood, we’ll ride everything, we’ll have a great time—just don’t make me go to Disney.

Greg: Because Disney requires a second mortgage these days.

Cy: Exactly.

And I’m not interested in taking that on right now.

We’re trying to keep things balanced. Not overcommit. Protect the time. Protect the energy. Protect the attention.

Greg: Well, Cy, as I expected, we’ve gone a little over our planned time, but that’s okay. Good conversations tend to do that.

Before we wrap up, do you want to explain where “Cy the Cyber Guy” came from, or is it just a nickname you decided to embrace?

Cy: Honestly, I don’t even remember exactly where it started.

I think it was either a client or a coworker about ten years ago. They introduced me and said, “This is Cy the Cyber Guy.”

Everybody laughed. The name stuck, and apparently I’m still carrying it around all these years later.

Greg: I love it.

Cy: I use it every chance I get because it’s memorable.

Greg: Well, Cy the Cyber Guy, thank you, my friend, for joining us today and sharing your wisdom once again. I’d love to have you back on the show. Hopefully it won’t take another four years.

I appreciate the update on what’s been happening in your world. I appreciate your insights into security, leadership, and personal growth. And I especially appreciate you sharing the concept of Time, Energy, and Attention because I think that’s something everyone can benefit from.

Thank you for joining us.

Cy: Absolutely. My pleasure.

Protect it the best you can, everybody.

Greg: And everybody, stay secure.