Being a voice of reason. CxO of the Week: Wells Fargo CISO Rich Baich
Today's CxO of the week is Wells Fargo Chief Information and Security Officer (CISO) Rich Baich. Baich leads the Enterprise Information Security organisation, within Corporate Risk, with four teams: Enterprise Information Security Strategy and Oversight, Enterprise Access Management, Information Security Engineering and Services, and Cyber Defence and Monitoring.
Baich joined the American banking giant in 2012 as its first CISO. Previously he had an impressive career with a variety of security executive roles with organisations such as at Deloitte, Pricewaterhouse Coopers and the Federal Bureau of Investigation. In addition he worked for the United States Navy for two decades as an information warfare officer, cryptology officer, and surface warfare officer.
Baich holds an MBA and a master's degree in management from the University of Maryland and a bachelor's degree from the United States Naval Academy. He is also a graduate of the Joint Forces Staff College and the Naval War College and the author of Winning as a CISO.
Due to his vast and diverse experience Baich has a truly unique view as to what CISOs should be. "The mature CISO shops are innovators. They are filing patents, they are doing things around security that is enabling the business and being part of any solutions that are being built," he told CSO.com.au.
"The role is becoming a very important one. One of the big indicators is that people with cyber security experience are being asked to be on public boards, to help them understand the risks that are associated with technology and security. The role is moving to the upper echelon," he added.
With such impressive accolades, Baich is well suited to give some excellent advice to his peers. His advice is practical, enforceable and most importantly very useful:
"First of all, be factual. Provide trustworthy information on the material state of the environment. There are various tools and technologies out there to help you do that, but try to shy away from opinion and personal view: here is the material state, here are the gaps, here are the recommended steps and here is the funding timeframe to get there. You have to be able to come in and not just identify the issue, but come up with a plan for how to resolve it.
"Second, not everything is 'the sky is falling'. They have to be the voice of reason. The most successful CISOs I know are actually calming the organisation, because when a 'Heartbleed' hits the press, people want to stay up for the next 18 days to secure their environment, but there are other vulnerabilities that are equally as bad that they have to get to.
"Being a voice of reason is important, because if people go online they see all of these breaches and the reality is that there is risk with anything."
Lucky for us Baich lent that voice of reason to CSO Online when they asked him what three cyber predictions he could make for 2018. Security professionals everywhere read carefully:
“First, renewed focus on IT & application hygiene/modernised IT Infrastructure which will harden and reduce the attack surface but also provide greater visibility enabling more big data value through cyber correlation engines.
“Second, greater use of cyber ranges to evaluate new technologies and improve cyber defense operations. Organizations will enhance their cyber effectiveness through the various lessons learned that will be a result from moving from paper exercises to reality of virtualized attacks which require the actual deployment of defense technologies and tradecraft.
“Third, in 2018, a vendor's security posture will become fully integrated into companies' purchasing decisions. Companies will work to better integrate their own security operations with their key vendors, ensuring that vendors are held equally accountable for security incidents that occur throughout the life of the relationship. 2018 will also see a greater awareness of and concern with so-called “4th party vendors”—the suppliers of your suppliers.”