Baich would not assign a letter grade to Wells Fargo’s information security program, saying that even a good grade might invite scrutiny from prospective hackers. But Elvis Moreland, who worked at the bank as an independent cybersecurity contractor from November 2015 to May 2016, applauds the steps Wells Fargo has taken to boost security, including its move to adopt federal NIST cybersecurity standards, which he helped plan as part of the bank’s hybrid security framework. “They’ll work their way up to a B easily” if those efforts continue, he says.
Moreland recommends the NIST cybersecurity framework because it applies to both the private sector and the federal government, and because it offers three decades of documented lessons learned that can be applied to any organization. “It’s hundreds of millions of dollars in free research,” says Moreland, who is now a senior cyber-security and risk management consultant at Atos BDS North America. “Companies would cover 80 percent of the security vulnerabilities and weaknesses we see today” just by realigning the security hierarchy and adopting the NIST framework, he adds.
Give it a spin
Even before the 2011 attack, Waters had been working on Booz Allen’s information security framework. However, “it was challenging to get the attention and budget I needed,” he recalls.
He soon learned that the tone and perspective he used to communicate infosec needs to the IT department, executives and business units were critical to getting things done.
Today, Waters says that when he and his team discuss security needs with their business colleagues, they might say, “It’s not that I want you to do something, but it’s this new regulation we need to comply with, and I can help you figure out how to do it.” Or, “Outside attackers are trying to steal our data or wreck our systems; I’m here to help implement the protections and controls because of these outside forces.”
Gary Vause, founder and president of cybersecurity consultancy VSC, says many companies keep tight caps on their infosec budgets because they expect to need resources to put out the next security fire. “They know it’s coming, but rather than be preventive, they choose to be reactive,” he says.
On the other hand, he cautions, throwing money at the problem isn’t the answer either. Developing an understanding of a company’s security maturity level — a view that includes people, processes and technology — can help organizations prioritize budgets based on the most critical vulnerabilities, he says.
Emily Mossburg, principal of Deloitte’s Resilient Services practice, agrees that it’s not about spending more money. The question, she says, is this: “Are you prioritizing the things that could actually hurt your business the most?” And are you remediating the areas where your business is the most vulnerable? She advises focusing on the areas where “the threat actors are really after your business and, ultimately, where the impact would be the greatest.”