We were able to sit down between Summit sessions and talk with Rich Baich, Chief Information Security Officer at Wells Fargo, who offered a CISO's perspective on defending a large enterprise and working to make it as resilient as possible. As was fitting for a conference devoted to investment, Baich had some advice for entrepreneurs in the cybersecurity sector.
Due diligence with respect to security products, services, and solutions.
When considering an enterprise's defenses, Baich would argue that due diligence begins with already having a playbook. He advises having controls and standards you want to apply. And then your team should perform control testing, conducting a holistic security assessment of the organization and its IT environment.
The perimeter today is found at access points, for which there are effective controls. "Can APTs get around containers?" he asked, to take one example. "Sure, but then there are only a handful of those."
Every CISO's organization is different. Roughly speaking, they fall into three tiers: organizations with staffs of up to fifty, those with staffs of up to five hundred, and, finally, those with staffs running into the thousands. Vendors who are interested in selling to those enterprises need to take the time to understand the environment they hope to enter, Baich said.
He and his team for their part stay aligned with what's going on in the start-up world. They make an investment of time in the vendor, and they do a great deal of integration. Baich sees no room, anymore, for standalone products. The CISO's team looks at the problems they confront, and then looks for vendors in whom, again, it will be worth investing their time.
Advice for start-ups.
When you're starting, Baich observed, "you're still doing R&D with your clients." You don't execute a statement of work and then forget about it. He advised start-ups to look for a few clients as partners, and not to try to "boil the ocean." "You'll have bugs and kinks," he said. "It's better to have five or six clients to respond to, not thirty."
When he looks at future opportunities in the sector, Baich thinks he sees room for a better decision matrix, and especially for better prioritization of risk. "There's no glide path yet for determining how to invest" as you work to draw down risk. There are some products coming, he thinks, that are designed to help CISOs make better decisions with the resources they have. "You won't eliminate risk, but you want to drive it down to a tolerable level." There's some analogy between tolerable levels of cyber risk and what retailers consider tolerable levels of inventory shrinkage.
Driving down risk through testing and training on ranges.
Asked if he saw a shortage of actuarial data, and if this represented a problem for risk management, Baich thought there was a prior issue: "Have we, as an industry, defined what's good?" He sees an important place here for cyber ranges, which are good places to attain some perspective on risk management. There is, he thinks, an interesting analogy with testing and training conducted by special operations forces: you have to test it for real. Cyber ranges are where we do this.
In Baich's view cyber ranges represent the future. Wells Fargo operates a virtual range, set up by their cyber fusion center. He thinks Wells Fargo was a pioneer among financial institutions in the use of cyber ranges, and now he sees other big financial outfits using cyber ranges. They're valuable not only for training and testing, but also for threat evaluation.
He thinks it important that the CISO report to the Chief Risk Officer, not the Chief Information Officer. This not only helps the CISO get appropriate resources, but it also "helps put a risk lens on everything."
Organizations too often fail to understand their high-risk areas. You cannot be reminded too often, he thinks, that risk is the product of vulnerabilities, threats, asset value, and probability of occurrence. Baich thinks the last element, probability of occurrence, the most important, and the most easily overlooked. He's observed, in speaking with other executives, that where once it was difficult to communicate cyber risk to them, now he finds himself often the voice of moderating reason, the one saying, calm down; it's not as bad as all that. (Baich offered journalists covering the industry a left-handed compliment: one thing the press with all of its sensational alarmism has done is make corporate leadership aware of the reality of cyber risk. And that's no small thing.)
On the topic of incident response drills, he said that he's found that most senior executives love them. He hasn't encountered much difficulty in getting needed attention and participation.
He closed by comparing a big financial institution like Wells Fargo to a neighborhood. Its perimeter is a wall; its patches are doors and windows. You also install locks and motion detectors, and you bring in a rowdy dog. You might construct a safe room in a house. But with all of this you're fundamentally trying to ensure that you're alerted to a threat, and that you can better protect what's important to you. And that is an exercise in risk management.