It’s a Chimed Life: Meet Jeff Trudeau, our Chief Information Security Officer

By Talent at Chime. Published in Life at Chime, Aug 26, 2020. 8 min read.

When you ask Jeff Trudeau why he ended up in security, he’ll tell you that he has an overdeveloped sense of right and wrong. “I get personally outraged at injustice and people who try to harm others,” he explains. “I really like stopping the bad guys, I guess.”

Jeff is Chime’s Chief Information Security Officer, or CISO, but he didn’t always run in the security world. In college, he founded a company that built computers and deployed applications and networks for law offices and medical practices. Then he got involved in investment banking, which he quickly realized wasn’t for him.

After a pivot to Security and IT, Jeff stuck with it and ended up running Security and IT for the Western US region of the largest bank in Switzerland, UBS. In his role, he learned about firewalls, encryption, and security, and became fluent in running technical systems for a very security-conscious organization. Fast forward a few years and Jeff was helping Fortune 500 companies solve their security challenges — he was officially a ‘security person.’

Jeff’s career then took him to the healthcare world and back to finance — where he got to put his beliefs in right and wrong to work at Credit Karma. One of the 30 unicorns (a billion-dollar pre-IPO company) at the time, Jeff joined Credit Karma to get the company into tip-top security shape for an IPO or acquisition. When the company was acquired by Intuit in early 2020, Jeff considered his work there done.

“Most of the companies I’ve worked for have made a difference in the world–whether they were nonprofit healthcare companies or Credit Karma, which is committed to never charging their customers for anything,” he explains. “When I was looking for another role, I wanted a mission-based company with great people.”

So he turned to the companies he’d heard of while at Credit Karma — and Chime topped the list. “Chime was my top choice for my next move because they are the leader in the space, have a great reputation and are mission-based — I was really drawn to that,” he says.

When he interviewed, Jeff says he was impressed. “The environment was friendly and caring — I thought it might be too good to be true, but I knew I had to give it a chance to find out.” Jeff joined the team in early 2020 as Chime’s first CISO and got to work.

His approach

Jeff approaches his work based on all the things he’s learned from his security experiences — and those of others. For example, in 2017, Equifax, a credit reporting agency, experienced a data breach, during which the records of over 150 million people were compromised. Jeff has taken many lessons from this incident and how it could have been lessened: “The Equifax breach happened over the course of several months — the records weren’t actually taken until many weeks after the initial break-in,” he explains. By catching something after it had happened but before the damage was done — like discovering the initial breach and responding accordingly — Jeff believes that users’ data would have been largely protected.

This reflects Jeff’s overarching security method, which is like an onion — a layered defense. “My goal is to put in enough friction for the bad guys, so that it’s hard for them to cause harm here.” When he’s not able to completely prevent any harm at all, his approach is to identify and stop it as fast as possible.

“Making sure a security breach never happens is the thing that keeps me up at night.”

“We put as many controls in place as we can,” he says. “If someone gets past the first control, they will always encounter another, and hopefully, in the meantime, we will see it and stop them from going any further.”

While a layered defense is Jeff’s first course of action, he’s also humble enough to realize that try as they may, his team will never think of every possible vulnerability. “You have to have as many controls as you can upfront and supplement them with a well designed, quick response plan,” he says.

Starting from scratch

When he joined Chime, Jeff was the company’s first CISO. And since security is recognized as one of the most important pillars to build as Chime grows, Jeff had the opportunity to build the best security program out there without inheriting another CISO’s work. For him, this was a bonus: “I really liked that I have the chance to build from scratch and put my stamp on something,” he says.

So he set out designing the company’s approach to security, which is based in his deep sense for right and wrong, his layered method, and one guiding principle: “I believe that security should never be like a traffic cop: We’re not here to tell anyone ‘no,’ we’re here to identify risks and to come up with ways to partner with the business to understand, address, and lower those risks in a way that serves the business.” To that end, he’s architected a security organization that can partner with the entire business. It falls into four branches:

  • Product security: This team makes sure that the product — the face of Chime — is secure so that Chime never loses members’ money or data.
  • Security engineering: This team builds the security tools that help secure Chime and help the security and engineering teams be more effective. The team also partners with IT to protect our employees’ systems and data — thereby protecting the company. They use tools like firewalls, endpoint security, and VPNs to protect the systems that our employees use.
  • Security operations and incident response: Always looking for a breach or issue, this team has eyes on everything that’s happening, responds if it notices something awry, and makes sure any security gates that do get breached are identified and closed as quickly as possible.
  • Governance, risk, and compliance: This team implements the policies, procedures, standards, guidelines, and risk assessments, as well as security awareness training to help everyone understand the risks of working in fintech (like the phishing scheme that got Equifax).

For Jeff, security matters at Chime because its mission is to help its members. “Helping our members means getting them the best financial products to improve their financial future, but it also means protecting them from a breach or the loss of any of their money,” he explains. “It’s an integral part of our mission that helping our members equals protecting them, which means using common sense, having good diligence and security practices, and never putting their data or money at risk.”

“Security exists because we are member-obsessed. We have to do everything possible to protect our members.”

Foundations in fun

Keeping members in mind, Jeff is now focused on building out his team. One of his priorities is cultivating a supportive security culture that embodies our Team Up value: “I care a lot about building an organization where we support each other because ultimately, we’ll build a better product together than alone.” To do that, he emphasizes empathy, enthusiasm, and fun — yes, fun.

“I’m one of the rare CISOs who isn’t super serious — I don’t see security as a war,” he says. “As a team, we work together, we’re allies, we’re friends doing serious work — but let’s have fun doing it. If I can’t spend my days with my children and am going to be with this group of people, I want to enjoy working with them.”

The culture Jeff is intent on building is one that’s unusual in security — in many meetings, you’ll find him and his team joking, laughing, and smiling. And though it’s unusual, he’s found that it works really well — especially in times of stress. “When there’s an incident, it’s very stressful and can be hard to think clearly, but if you’re amongst people you trust and like, it’s easier to break the tension and stay focused on solving the problem at hand.”

The value of empathy

In addition to fun, Jeff encourages all members of his team to be empathetic — for Chime’s members and for other employees. “Empathy helps you focus on what is the right outcome, and for us, the right outcome is always helping our members,” he says.

For example, the security team will be asked to weigh in on certain tools for other teams to use — the easiest response to which is often ‘no’. In these situations, Jeff encourages his team to find ways to remove risks and say ‘yes’ instead.

“Empathy helps you focus on what the right outcome is for our members and keep in mind the goals of other teams at Chime,” he says. “It’s a lot harder than just saying ‘no,’ but it ultimately empowers our own teams to better support our members — which is core to our mission and our values.”

What’s more, empathy helps everyone — whether they’re on the security team or not — share knowledge and improve Chime’s offering. “If I share my knowledge with someone, then somebody else will likely share something with me — all boats rise,” Jeff says.

Security is a group effort

With the foundations laid in fun, and empathy a core value of his team, Jeff is hoping that security becomes something that every Chimer — and Chime member — feels empowered to contribute to. Part of that work will be introducing controls that might add friction to Chimers’ days — something Jeff is apologetic about, but reiterates is necessary. “If we’re member-obsessed, there are things we need to do to prevent anyone from harming our members, even though it might make our work a little bit harder,” he says. “But I’m willing to add two minutes a day to every Chimer’s work to make it harder for them to get into the system so that it’s really hard for a bad guy to get in.”

But Jeff isn’t starting by making things hard off the bat — he’s starting from one of his core principles: supporting and teaching others. He’s planning a company-wide security day to help all Chimers understand security and why it’s important. The day will feature various trainings and talks from leaders, and aims to arm every Chimer with a defense system against risk.

“My goal on our upcoming security day — and every day — is to build awareness about and empathy for security so that every Chimer understands the measures and behaviors we must adopt to protect our members.”

If you see yourself joining Jeff’s team, we’d love to hear from you. Visit our careers page to see our open roles.
