Rich Baich, CISO, Wells Fargo & Company, has worn many security hats. In the course of his career he’s been a principal at Deloitte & Touche where he led its Global Cyber Threat and Vulnerability Management practice. He’s also been a naval information warfare officer for the NSA, and special assistant to the deputy director for the National Infrastructure Protection Center at the FBI. Baich has also authored Winning as a CISO.
In this interview, Baich talks about what it takes to deal with the security challenges that accompany social media, cloud, mobility, and big data and analytics; the use of real-time intelligence in security; and how IT leaders should interact with their boards where security is concerned.
Mick Jagger once sang “You can’t always get what you want”. Is this always going to be true of how we deal with enterprise risk?
We can get what we want, but first we need to understand the current enterprise operational risk posture. We need to look at enterprise risk as a journey, not a destination. We need to have risk “binoculars” to focus on the current state of enterprise risk (near) and the impact that the evolving risk landscape, new technologies and business processes (far) present during this journey. By ensuring proper maturity in the current (near) operational risk management processes and innovating operational risk solutions to deal with the evolving (far) threat landscape we can mitigate the bumps during the enterprise operational risk journey.
The way that enterprise security has moved forward, it’s a lot about adding controls on top of risk models that appear overwhelmed. How do CIOs, CSOs and CISOs navigate past this, especially in a world that’s getting increasingly complex?
For enterprise operational risk management, one size does not fit all. From this perspective, we need to look at risk models and controls with ambidexterity in mind. We have to become efficacious at running enterprise operational risk operations (business-as-usual processes need to be mature) while at the same time innovating and preparing to manage risks for disruptive technologies (social media, cloud, mobility, and big data and analytics). The ultimate goal is to allow the business to excel in this changing landscape by being ambidextrous risk managers (operationally sound risk management and innovative risk solution providers).
Social, cloud, mobility and big data, while great levers for growth, also tend to increase an organization’s attack surface. How can enterprises strike a balance between embracing new technology and staying within appropriate levels of risk?
As I’ve said before, the ultimate goal is to allow the business to excel in this changing landscape. In order to strike a balance, we need to ensure that business-as-usual operations are robust. We also need to develop innovative solutions to ensure that, in this changing threat landscape, we can reduce the attack surface. This is accomplished by understanding how new technologies work and the level of protection, authentication, monitoring, and response that is available to integrate with your current risk appetite. Once this is accomplished you may find that some of these disruptive technologies, at times, offer more robust protection mechanisms when properly configured. This may lead you to actually reduce your risk exposure.
Is real-time intelligence a direction the entire security industry has to move toward?
Similar to enterprise operational risk management, real-time intelligence is a journey. In the past few years, we have learned that preventive technologies are great for certain components of your environment, but we need to focus on real-time intelligence; detection is the key to limiting exposure. Intelligence without action results in frustration. The key to effective real-time intelligence is to try to keep the concept simple. Know what intelligence you should collect, get the intelligence in a timely fashion, and most importantly put the intelligence into action somewhere in the enterprise or within industry. Real-time intelligence, or active detection, is what we need to strive for in order to effectively respond to potential attacks.
Given the inevitability of attacks today, how should organizations prepare to respond to them? In the aftermath of an attack what should CIOs, CSOs, and CISOs be telling their boards?
For cyber threats it is not how, it is who, how much, when, and are we prepared? Organizations need to prepare a robust incident response process to deal with cyber threats. This process should not be just an idyllic tome; it should be a straightforward playbook that involves key decision-makers. Key decision-makers should be well-versed in their roles and responsibilities. In order to be effective, periodic scenario-based incident response testing should be conducted to identify any lapse in processes or weaknesses in the current plan. As far as communicating with the board is concerned, a periodic line of communication should be established so that they are cognizant of the current risk posture and exposure. Boards should be aware of risk exposure areas prior to an incident.