Q&A: Ally Hoffman tackles cybersecurity at the Federal Reserve

Author: Dakota Castro-Jarrett
Date: 01.13.25

Ally Hoffman

Modern technology has increasingly, and at an almost exponential rate, reshaped the professional world, prompting many people to grow their tech skills through a master’s education.

Ally Hoffman, the assistant vice president of financial risk, policy, and surveillance at the Federal Reserve Bank of Dallas, is one of these professionals. After earning her bachelor’s degree in business and while working for Ernst & Young (EY) — one of the “big four consulting firms” — she decided to go back to school to get her master’s in cybersecurity.

Khoury News spoke to Hoffman shortly after she graduated from that master’s program. Now, six years later, we revisited her story to see how her cybersecurity education has helped her navigate her career in an increasingly tech-dependent world, and why she returned to Khoury College as a part-time lecturer. The interview has been edited for length and clarity.

How have you used what you learned from the master’s program for your current work at the Federal Reserve?

When I started working at EY, they were telling us that they needed cyber talent. So I sought out a program that I could go to for cyber expertise. I loved Northeastern’s program. It had all these criteria that were very attractive. So I started the program and was humbled. The courses were challenging, and I had a very steep learning curve. That first semester or two was pretty difficult, but I found my footing by the end of the program and I loved it.

When I finished, I became the foremost cyber expert on my team at EY. I got to go on these interesting projects that were in the cyber space and build this reputation for myself. Then in 2019, I left EY, moved to Dallas, and joined the Fed. I started as a cyber examiner; I would go out to banks and look at their cybersecurity policies, their network monitoring, and all these different elements. I draw heavily from my cyber experience into my role now.

Much of your work and educational experience has focused on cybersecurity. What drew you to cybersecurity?

I wasn’t a five-year-old girl dreaming of cybersecurity, but I’ve always loved technology. I grew up in a rural part of Texas and my dad loved to build computers, but to get all the pieces he needed, we had to drive at least two hours to Dallas to go to Best Buy. So it ended up being an almost ceremonial experience. I never dreamed of it as a career until I got to undergrad and needed a business major concentration. I just sort of gravitated to it.

What got you interested in working with the Federal Reserve?

When I was at EY I worked with financial services companies, which wasn’t my intent. At my final interview with the partner, he asked, “Why do you want to work with financial services companies?” and I remember thinking, ‘I don’t.’

Then I got the job. EY at the time had split up the services that they offered to companies. Financial services was its own division, so if you worked on the financial services side, you did not touch any of their other clients. When I got hired, I started working with fintech companies; it couldn’t have worked out any better because there was so much going on. I got exposure to so many different things. These companies have basically boundless resources, so I got to see a lot of neat stuff, very early implementations of blockchain for example. I was on a team that was building a chatbot 10–12 years ago. It was just fun to experience that and see it.

One of the projects that came into our purview was when banks were cited by their regulators for technology deficiencies. The Federal Reserve is one of three federal banking regulators, along with the OCC (the Office of the Comptroller of Currency) and the FDIC (the Federal Deposit Insurance Corporation). When I was at EY, these banks would hire us to help them resolve those tech issues. That was my first exposure to the bank regulatory side.

I just remember thinking that I’d rather be finding the problems than fixing the problems. When I decided to move to Texas, I was looking for opportunities and saw an opening for a cyber specialist at the Dallas Fed. So, I applied on LinkedIn. I had no connection or anything. In my interview, they said, “Oh, what do you know about the Federal Reserve?” and I was a business student undergrad, had a graduate degree, and all I could come up with was, “I know it’s a banking regulator, and I know they set interest rates.” That was all I knew about the Federal Reserve back then, but I have learned so much more and it has given me an interesting perspective on government agencies in general.

You have been a part-time lecturer at Khoury College since 2019. What sort of courses do you teach?

For the past five years, I taught a course in the summer to graduate cybersecurity students. My course focuses on governance, risk, and compliance in the cybersecurity space, which is a natural fit for me. Students get exposure to some of these — maybe on paper — less exciting cybersecurity topics, but ones they will encounter the second they get a job. As students, there’s this huge desire to take the most interesting classes with the flashiest titles. I did the same thing, but I found that most people’s jobs aren’t flashy stuff all the time.

In a way, my course is a little bit of the reality of life, of cybersecurity. When Jose Sierra, the director of the cybersecurity program, first proposed this class I was thinking, ‘This is going to be the most boring class ever.’ But we have so much fun. It’s morphed into part government source compliance and part career advising.

I’ll give you one example. For the first assignment of the year, I give students the results of a fake internal phishing campaign. The rate at which the employees of this fake company click the link is super high; basically, everyone clicks it, especially the leaders and managers. The students are tasked with writing a memo describing the results of this phishing campaign and what the company can do about it, but I don’t tell them who to address the memo to. It’s up to them.

I cannot tell you how many students address the memo to all employees and then put all that information in there. It’s a little bit of a trick assignment. You can’t share all this information in a memo that’s going to all employees, plus now your managers would hate you because you outed them. It’s supposed to show critical thinking in the cyberspace. I know they know the technology. This is more about this delivery and thinking through the bigger picture.

The Khoury Network: Be in the know

Subscribe now to our monthly newsletter for the latest stories and achievements of our students and faculty

This field is for validation purposes and should be left unchanged.