Wells Fargo CISO: Security should be viewed as business enabler, not innovation bottleneck

ComputerworldUK talks to Wells Fargo's first chief information security officer, Rich Baich

Chief information security officers should be regarded as a supporter of business growth and innovation rather than a bottleneck, according to Wells Fargo CISO, Rich Baich.

Speaking to ComputerworldUK about the role of the CISO at Palo Alto Networks' 2015 Ignite conference last week, Baich said that security teams can help an enterprise become more agile by feeding into product and service development at an early stage.

"What that means is that - if security is working right - before a product, a partnership or third party is signed, security is part of the cycle," he said. "You understand the risks, the cost to secure it. You are accepting some risk, but you are going in with your eyes wide open and all of the facts are known.

"So it is not a matter of 'no', it is a matter of 'if we do this here is the risk, does everyone agree to it, let's document it and let's move on'. Those are business decisions."

He added: "If you are going to build a mobile app and it is going to house PII and is vulnerable to exploits, you might want to say 'no' to that app, and be able to go to the right level of the organisation for that. But that is the one percent, not the 99 percent which is [where security teams say] 'that app is good, it is secure, here are the risks, but for our view it is an acceptable level' and you move on."

Supporting innovation

Baich joined the US banking giant in 2012 as its first CISO after a wide-ranging career as a security executive, with roles at Deloitte, PricewaterhouseCoopers and the Federal Bureau of Investigation, as well as serving in the United States Navy for two decades as an information warfare officer, cryptology officer and surface warfare officer.

He said that, as the CISO role becomes more mainstream and embedded in organisations, security execs can assist in transforming the business, for example by supporting digital strategies.

"The mature CISO shops are innovators. They are filing patents, they are doing things around security that is enabling the business and being part of any solutions that are being built," he said.

"Everyone is talking about going digital. But if you are going digital, where is your security strategy? When is it appropriate to use two-factor authentication, biometrics, voice? You also need to understand your customer base, in different parts of the world a retina scan is not going to be acceptable."

Buy-in at board level

Baich said that an important factor in providing feedback at an early stage is for the CISO to hold sway at the board level. While this has not always been the case, as board members become more attuned to the threats facing companies, CISOs are finding it easier to have an influence at a strategic level.

"The role is becoming a very important one. One of the big indicators is that people with cyber security experience are being asked to be on public boards, to help them understand the risks that are associated with technology and security. The role is moving to the upper echelon," he said.

"Years ago you were trying to explain what the potential threats were. Today, you don't have to do that because the newspaper does it for you. So when board members today read about those things, they are thinking 'what is happening in this company, I would like to understand what we are doing, how are we closing those gaps, and what type of help do we need to get there?'. Those types of conversations weren't necessarily happening five or ten years ago."

'Voice of reason'

However, to earn the trust of the wider business, a key responsibility for successful CISOs is to provide a sense of perspective on risk.

"First of all, be factual. Provide trustworthy information on the material state of the environment," said Baich. "There are various tools and technologies out there to help you do that, but try to shy away from opinion and personal view: here is the material state, here are the gaps, here are the recommended steps and here is the funding timeframe to get there. You have to be able to come in and not just identify the issue, but come up with a plan for how to resolve it."

"Second, not everything is 'the sky is falling'. They have to be the voice of reason. The most successful CISOs I know are actually calming the organisation, because when a 'Heartbleed' hits the press, people want to stay up for the next 18 days to secure their environment, but there are other vulnerabilities that are equally as bad that they have to get to."

He added: "Being a voice of reason is important, because if people go online they see all of these breaches and the reality is that there is risk with anything."
