NWG President Dave Howard recently attended CU Intersect, a conference for credit union cybersecurity leaders. While at the conference, he had the opportunity to record a podcast sponsored by BankSocial, a financial technology company focused on modernizing banking infrastructure. In this 15-minute interview, Dave discusses the importance of resilience culture, shares anecdotes from executive tabletop exercises and penetration tests, and highlights NWG’s in-depth, human-led approach to full-scope penetration testing. 

“Success for us is when our client is able to make better risk-informed decisions about how to allocate their scarce resources. You get the best return when you understand what you look like to a threat actor.”

– Dave Howard

Listen to the Podcast

Read the Interview

Jonathan Taylor: All right, ladies and gentlemen, CU Intersect 2026. We're here in New Orleans, y'all. We're down on Bourbon Street. Shoutout to NCU-ISAO. Shoutout to Pure IT for putting on this incredible event. And thank you to BankSocial for being the sponsor here on the podcast. I am your host Jonathan Taylor (JT) with BankSocial. With me as always is my cohost.

Shirley Senn: Shirley Senn with Fireman's Federal Credit Union, right here in New Orleans.

Jonathan Taylor: Shirley, thank you for coming. I know it was a commute, and uh we are getting close to lunchtime here. Day two. I am drinking my fifth coffee, I think just keeping this going. And we have with us here Dave Howard, president at Networks Group uh one of the sponsors here at the conference. Thank you for being on the pod.

Dave Howard: Glad to be here. Good afternoon.

Jonathan Taylor: Good afternoon, sir. So, for the listeners. Maybe table stakes here – just kind of set the table with how NetWorks Group supports this conference. Is this your first time?

Dave Howard: This is our first time participating in this. We have a great client of ours that we do a lot of work for that's a participant here. And he said, hey, my colleagues need to know more about you. So it was his recommendation for us to come and sponsor. We're on day two. It's been a fantastic experience.

Jonathan Taylor: I love it. Well, we talked about, I think originally, there was another guest that had signed up and then the weather was like, you're not doing this podcast. So, we appreciate you standing in. So, for the listeners, tell us a little bit about how you guys are helping credit unions. Why was your client bragging about you so hard?

Dave Howard: One of the key services that we offer we call NWG Resilience. It's perfect to talk about right now because I wasn't expecting to be the one here in this podcast, but the weather got in the way. What's the next crisis going to be? Is it going to be weather? Is it going to be health? Is it going to be cyber? 

We partner with these organizations to help them be ready to bend and not break when something unexpected happens. That comes from a variety of different activities. It usually starts with a penetration test to understand how you look to a threat actor. How do you look when somebody takes interest in your organization and wants to find their way in?

It evolves through a number of things that start to bring your executives along on the journey. One of the key things there is an executive tabletop exercise where you pull together key pillars across the organization — usually the leaders and their seconds — into a room for an afternoon and run through a scenario and see how you do against that scenario. And oh my goodness, are those enlightening.

Jonathan Taylor: From the most recent one you did, what were some of the key "aha" moments, or what was a moment that really stood out for you?

Dave Howard: The most recent one that I sat in on was for an emergency services organization, a regional ambulance company. They had their leadership team, they had leaders from the county, from neighboring counties, from their managed service provider. There were about thirty people in the room for this. Everybody was a little disappointed because their president and CEO was sick that day and couldn't join. I loved it. Because when something bad happens, the people that you would turn to for that decision aren't going to be available. I promise you that. It was the perfect thing to help feed into the scenario where this crew had to figure out how to make the decisions without that person in the room.

Jonathan Taylor: Excellent. How you help credit unions and other businesses is not unique, right? It's one of the bullets on a lot of the 3x6 pull-downs that we see at these conferences from the different sponsors. But what is it that makes you folks really unique in that space?

Dave Howard: First and foremost is the people that we have doing the work. We usually lead into these engagements with what we call a full-scope penetration test. You walk around any event like this and everybody and their brother does pentesting. You can get your car detailed from them as well. They could do all sorts of different things. But this is a key focus for us. It's about half of our business and the folks that we have doing the work are seasoned folks late in their career that have been leaders in their space. Either the technology or the business leaders. 

I've got a couple folks on the team that were leaders in the red team for the US Air Force. So extremely competent folks, I've got folks that held C-level positions before. So what we don't have are the script kiddies, the folks that you picture as a hacker, the hoodie and the Mountain Dew in the basement kind of thing. We've got folks that have held executive positions, and they understand why we're doing this. It's not to prove that we can get into our client's environment. I'll tell you right now, we can get into our client’s environment. Most organizations can, but it gives you the ability to see what you look like to an attacker. So success for us in an engagement like this has less to do with how fast we're able to take over the domain, how many passwords we're able to crack along the way, what sort of data we can get access to. Those are all tactics; we're going to do all those things. They're very important. 

Success is when our client comes out of this with a couple of things. They have some suspicions that they already had about their risks validated by a third party. Nobody's going to know their security better than they do, and so they get that validated. The other thing they get is they get to see around the corner. They get to see the things that didn't exist a week ago. That our team keeps up on and shows them how their environment stands up to that, how their people, how their infrastructure stands up to the most modern attacks. The real success for us in these is when the organization is able to make better risk-informed decisions about how to allocate. Everybody's got scarce resources. Nobody has enough money. Nobody has enough people. Nobody has enough tools. And so, how do you focus those resources to get the best return? You get the best return when you understand what you look like to a threat actor and what your risk profile is.

Shirley Senn: Some of the organizations that we've been talking to are unique and specific to banks and credit unions. Because you're covering such a wide array of organizations, what benefits does that provide you with things that you may see outside of a financial institution realm that actually are helping you help credit unions with this? 

Dave Howard: That's a great question. Thank you. We've been doing this for a long time. We're thirty years at this, and we've been working with organizations of every size imaginable, every industry imaginable, every technology imaginable. So, we've been there and we've seen some things. Now, we do have a lot of specialization in the whole financial services space. A couple of key markets for us are financial services and health care. We've done a lot of work there. We've seen what the peer organizations are doing, where people struggle, and we can offer really practical insights as to what to do next.

Jonathan Taylor: I love that. What's been interesting here at the conference so far? What's been a good takeaway for you that you've seen here at the conference?

Dave Howard: Well, I've got two answers for that. First of all, as I've been sitting in the sessions, I've really loved how much I've seen people talking about the human element and the culture of resiliency. It's been a constant theme and I'm just so refreshed that we're talking about that. That's been awesome.

And then the fascinating thing is, I've been talking to people in our booth as organizations have come up. I'll ask, "Hey, how's your experience been with pentesting?" And an answer I've heard a whole lot today is, "Eh, I don't know. We've been working with these guys for a couple of years, and they're not really finding anything. Does that mean I'm secure? I'm a little uncomfortable with that.” So I thought that was pretty fascinating.

Jonathan Taylor: Mmhmm. That indicates the opposite, just so you know. Cause you made that comment a few minutes ago, that it's not like you can't get in. You can always get in. Right? There's always a way in.

Dave Howard: Yeah. Your humans are going to be human. Right? And with AI technology now, oh my goodness! One of the funnest things about my job is I'm the last set of eyes that goes on to a report before it gets issued to a customer. So every week, that's three or four big pen test reports that I get to read, and they read like a spy novel. It's just fantastic. I was reading one the other day where we were able to grab this CIO's voice off of an old YouTube clip. We were able to feed that through a free AI tool, and suddenly we had full control of their voice.

And, we were able to drop voicemails into the cell phone inboxes of a variety of employees that we selected. That said, "Hey, it's Joe. I just want to let you know, somebody just tried to log into your account from Eastern Europe. We were able to stop it, but I need you to go to such-and-such domain and change your password for us." And we'll take something that has the organization's name and add “dot security.” Something that sounds completely legitimate. It works 100% of the time.

Jonathan Taylor: Oh my god. Wow.

Dave Howard: People will go to this site and they will give us their credentials. And it's people being people, right? So we need to educate them on that. But the thing that we find fascinating with that is, so what happens, JT, when you give me your name and password? Is it game over? Do we have full access to everything in your organization? Or are there layers of things that will stop us or detect us along the way? We're not out to shame anybody. I could fall for that just as much as you could or anybody else. But, are you resilient enough to be able to detect and respond to those types of attacks? Because that's what's happening today, and nobody could have heard of that two years ago, right?

Jonathan Taylor: Yeah, we were talking earlier about how I've had a few of those. You know, I've gone through this SOC 2 a few times with different organizations and for me recently, it's been “Hey Jonathan, it's John Wingate.” Our CEO. And I’m like, he doesn't call me Jonathan. You know what I mean? Like he calls me JJ. So that's an easy one, but it's just important — no matter what — to trust but verify, right? Like, just check in with that person, regardless if it's a phone call or any outreach whatsoever.

Dave Howard: And reach out through a different venue than you were reached out to by. We get attacked all the time. In fact, we get attacked by ourselves all the time. I have an open order for our hackers to come at us. Anything you want to do, anytime, you've got free reign to come at and attack our own organization. I get spoofed all the time. The recommendation is, if I hit you up on Slack, send me a text. If I leave you a voicemail, send me an email. Find something that's out of band from that and confirm that it's legit.

And don't just run and do it 'cause the boss asks you to. That's how people fall for these gift card things. It seems absurd to us, right? But when you're in the moment and you're trying to take care of somebody and do the right thing, everybody's heart's in the right place.

Jonathan Taylor: People fall for that. And it's like, wow, you know, but like you said, you can't shame it. You've got to shine a light on it and just train everybody to think differently.

Dave Howard: We went through a very similar exercise in our office a few years ago. I'm sure you've gotten the call from tech support that there's some problem that only they can fix. They inadvertently called one of our hackers with that, so he put it on speakerphone. The entire office gathered around, and this was about an hour-long experience where he spun up a virtual system and allowed them access and watched everything that they did. It was just fascinating. And, unsettlingly sophisticated, what they were able to do. But it puts us in a better position to see it from the eyes of the attacker and really help educate people.

Jonathan Taylor: So, Dave, we need to do another podcast, and we'll have one of your people fly in because I have a Bluetooth channel so they can call my phone. We'll bring them in and then they can try to spoof us. I think that would be really fun. It's just a little idea for later. If folks liked what they heard and wanted to learn more. Just to open up a conversation and start there, where would they go?

Dave Howard: The best way to reach out to us is through our website or through LinkedIn. We're networksgroup.com and we're NetWorks Group on LinkedIn. That's a great way to start a conversation. 

Shirley Senn: And if they reach out by email, you reply by text?

Jonathan Taylor: Yes, exactly just to verify just, Trust but verify. Yeah, I love it. Dave Howard, president with Networks Group, thank you so much for being on the show. We really appreciate it. Fascinating stuff.

Dave Howard: Thanks, glad to be here.

Jonathan Taylor: Absolutely. Shirley Senn, Thank you for being on as always.

Shirley Senn: Thank you, Jonathan (I mean JT).

Jonathan Taylor: Yeah, that's how I know we've been breached. Thank you to NCU-ISAO. Thank you to Pure IT, of course, and BankSocial, the sponsor of the podcast for supporting all of this and making this happen. We've got a lot more great content today, some great sessions as well as tomorrow. So excited to capture some more stories and shine a light on some important topics here. I am Jonathan Taylor (JT) with BankSocial, and we are out of here.

‍

Publish Date: April 2, 2026