Wells Fargo CISO: Security should be viewed as business enabler, not innovation bottleneck
Speaking to ComputerworldUK about the role of the CISO at Palo Alto Network's 2015 Ignite conference last week, Baich said that security teams can help an enterprise become more agile by feeding into product and service development at an early stage.
"What that means is that - if security is working right - before a product, a partnership or third party is signed, security is part of the cycle," he said. "You understand the risks, the cost to secure it. You are accepting some risk, but you are going in with your eyes wide open and all of the facts are known.
"So it is not a matter of 'no', it is a matter of 'if we do this here is the risk, does everyone agree to it, let's document it and let's move on'. Those are business decisions."
He added: "If you are going to build a mobile app and it is going to house PII and is vulnerable to exploits, you might want to say 'no' to that app, and be able to go to the right level of the organisation for that. But that is the one percent, not the 99 percent which is [where security teams say] 'that app is good, it is secure, here are the risks, but for our view it is an acceptable level' and you move on."
Baich joined the US banking giant in 2012 as its first CISO after a wide-ranging career as a security executive, with roles at Deloitte, Pricewaterhouse Coopers and the Federal Bureau of Investigation, as well as serving in the United States Navy for two decades as an information warfare officer, cryptology officer, and surface warfare officer.
He said that, as the CISO role becomes more mainstream and embedded in organisations, security execs can assist in transforming the business, for example by supporting digital strategies.
"The mature CISO shops are innovators. They are filing patents, they are doing things around security that is enabling the business and being part of any solutions that are being built," he said.
"Everyone is talking about going digital. But if you are going digital, where is your security strategy When is it appropriate to use two-factor authentication, biometrics, voice You also need to understand your customer base, in different parts of the world a retina scan is not going to be acceptable."
Buy-in at board level
Baich said that an important factor in providing feedback at an early stage is for the CISO to hold sway at the board level. While this has not always been the case, as board members become more attuned to the threats facing companies, CISOs are finding it easier to have an influence at a strategic level.
"The role is becoming a very important one. One of the big indicators is that people with cyber security experience are being asked to be on public boards, to help them understand the risks that are associated with technology and security. The role is moving to the upper echelon," he said.
"Years ago you were trying to explain what the potential threats were. Today, you don't have to do that because the newspaper does it for you. So when board members today read about those things, they are thinking 'what is happening in this company, I would like to understand what we are doing, how are we closing those gaps, and what type of help do we need to get there'. Those types of conversations weren't necessarily happening five or ten years ago."
'Voice of reason'
However, to ensure trust of the wider business, a key responsibly for successful CISOs is to provide a sense of perspective on risk.
"First of all, be factual. Provide trustworthy information on the material state of the environment," said Baich. "There are various tools and technologies out there to help you do that, but try to shy away from opinion and personal view: here is the material state, here are the gaps, here are the recommended steps and here is the funding timeframe to get there. You have to be able to come in and not just identify the issue, but come up with a plan for how to resolve it."
"Second, not everything is 'the sky is falling'. They have to be the voice of reason. The most successful CISOs I know are actually calming the organisation, because when a 'Heartbleed' hits the press, people want to stay up for the next 18 days to secure their environment, but there are other vulnerabilities that are equally as bad that they have to get to.
He added: "Being a voice of reason is important, because if people go online they see all of these breaches and the reality is that there is risk with anything."