Chief information security officers should be regarded as a supporter of business growth and innovation rather than a bottleneck, according to Wells Fargo CISO, Rich Baich.
Speaking to ComputerworldUK about the role of the CISO at Palo Alto Networks' 2015 Ignite conference last week, Baich said that security teams can help an enterprise become more agile by feeding into product and service development at an early stage.
"What that means is that — if security is working right — before a product, a partnership or third party is signed, security is part of the cycle," he said. "You understand the risks, the cost to secure it. You are accepting some risk, but you are going in with your eyes wide open and all of the facts are known.
"So it is not a matter of 'no', it is a matter of 'if we do this here is the risk, does everyone agree to it, let's document it and let's move on'. Those are business decisions."
He added: "If you are going to build a mobile app and it is going to house PII and is vulnerable to exploits, you might want to say 'no' to that app, and be able to go to the right level of the organisation for that. But that is the one percent, not the 99 percent which is [where security teams say] 'that app is good, it is secure, here are the risks, but for our view it is an acceptable level' and you move on."
Baich joined the US banking giant in 2012 as its first CISO after a wide-ranging career as a security executive, with roles at Deloitte, PricewaterhouseCoopers and the Federal Bureau of Investigation, as well as serving in the United States Navy for two decades as an information warfare officer, cryptology officer, and surface warfare officer.
He said that, as the CISO role becomes more mainstream and embedded in organisations, security execs can assist in transforming the business, for example by supporting digital strategies.
"The mature CISO shops are innovators. They are filing patents, they are doing things around security that is enabling the business and being part of any solutions that are being built," he said.
"Everyone is talking about going digital. But if you are going digital, where is your security strategy? When is it appropriate to use two-factor authentication, biometrics, voice? You also need to understand your customer base, in different parts of the world a retina scan is not going to be acceptable."
Buy-in at board level
Baich said that an important factor in providing feedback at an early stage is for the CISO to hold sway at the board level. While this has not always been the case, as board members become more attuned to the threats facing companies, CISOs are finding it easier to have an influence at a strategic level.