Wells Fargo’s chief information security officer Rich Baich has to be very strategic about the way he spends his budget in order to protect the bank from the endless stream of cyberattacks launched at it every day.
At the 2017 Borderless Cyber event in New York City, Baich went through the formula he uses to decide his cybersecurity risk strategy. Baich, who is the chair of the Financial Services Sector Coordination Council (FSSCC), also broke down the four categories of cyberthreats in order to help cybersecurity professionals understand how to deal with the overwhelming number of attacks.
1. Cybercrime: This is the most prominent category today and the one that banks spend much of their resources fighting. A large portion of current cyberattacks are professional in nature, and profit-motivated—which is why banks are the favorite target. But as we’ve seen with retail hacks like TJX, cybercriminals have also figured out how to skim money off any business that handles transactions. Every organization needs to prioritize protecting those high-value processes from attackers.
2. Cyberespionage: This is the one that organizations with trade secrets and invaluable information have to worry about the most. So, pharmaceutical companies and government agencies like the NSA are the most at risk. Nevertheless, all organizations should triage their most sensitive data and put policies in place to guard against data leakage of those valuable targets.
3. Cybernuisance: This is where script-kiddies, web defacements, hacktivism, and even some DDoS attacks come into play. If you’re in a company, industry, or field that is a target for activists wanting to make a statement, then these attacks are obviously important to keep on your radar so that they don’t embarrass your organization or turn into a PR nightmare. As we saw with the hack of emergency sirens in Dallas, making a statement is also starting to affect public safety.
4. Cyberwarfare: Nation states attacking private entities for commercial gain, competitive advantage, or national interest represents one of the newest and most sophisticated forms of cyberattacks. It’s become enough of a problem that in 2015, US president Barack Obama and Chinese president Xi Jinping signed an agreement to de-escalate government hacking of private companies between the two countries. Nevertheless, “the Digital Pearl Harbor has already come and gone,” said Baich. Cyberwarfare is happening and organizations of all sizes need to be prepared if they get caught in the crossfire.
Throughout his career, Baich said he has used the following formula to decide how to deploy resources to the right things:
Risk = vulnerabilities x threat x asset value
Like other speakers at the Borderless Cyber conference, Baich encouraged the audience to think about cybersecurity as risk management—an approach TechRepublic has been writing about for over a decade.
In his talk “Defense at Machine Speed,” security consultant Duncan Sparrell suggested that it’s time for IT to start using mathematical models to analyze cybersecurity risk and set priorities.
Baich’s formula is clearly a step—albeit a general one—in that direction.
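To show how the formula above turns into a prioritization decision when applied across several assets and all four of Baich's threat categories, here is an added worked example. It is not code from the article or from Wells Fargo; the 0-to-1 scales for vulnerability and threat, the dollar asset values, and the sample portfolio are all constructed assumptions chosen to illustrate the arithmetic.

```python
"""Risk = vulnerabilities x threat x asset value, applied across a portfolio.

Added example, not from the article. Scales are assumptions:
  vulnerability: 0.0-1.0, chance an attacker who tries actually succeeds
  threat:        0.0-1.0 per threat category, chance of being targeted
  asset_value:   constructed dollar loss if the asset is compromised
"""
from dataclasses import dataclass, field

# The four threat categories from Baich's talk.
CATEGORIES = ("cybercrime", "cyberespionage", "cybernuisance", "cyberwarfare")


@dataclass
class Asset:
    name: str
    vulnerability: float
    asset_value: float
    threat: dict = field(default_factory=dict)  # category -> likelihood 0..1

    def __post_init__(self):
        # Reject scores outside the assumed scales so a typo cannot skew ranking.
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must be in 0..1")
        for cat, p in self.threat.items():
            if cat not in CATEGORIES:
                raise ValueError(f"{self.name}: unknown threat category {cat!r}")
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: threat {cat} must be in 0..1")


def risk(asset, category):
    """Baich's formula for one asset against one threat category."""
    return asset.vulnerability * asset.threat.get(category, 0.0) * asset.asset_value


def total_risk(asset):
    """Sum over categories: one asset can be hit from several directions."""
    return sum(risk(asset, c) for c in CATEGORIES)


def rank(assets):
    """(asset, category, risk) triples, highest risk first: where to deploy resources."""
    triples = [(a.name, c, risk(a, c)) for a in assets for c in CATEGORIES
               if risk(a, c) > 0]
    return sorted(triples, key=lambda t: t[2], reverse=True)


def allocate(assets, budget):
    """Split a budget in proportion to each asset's share of total risk."""
    totals = {a.name: total_risk(a) for a in assets}
    grand = sum(totals.values())
    if grand == 0:
        return {name: 0.0 for name in totals}
    return {name: round(budget * r / grand, 2) for name, r in totals.items()}


# Constructed sample portfolio (hypothetical assets and numbers).
PORTFOLIO = [
    Asset("card-processing", vulnerability=0.2, asset_value=10_000_000,
          threat={"cybercrime": 0.9, "cyberwarfare": 0.1}),
    Asset("research-fileshare", vulnerability=0.5, asset_value=4_000_000,
          threat={"cyberespionage": 0.6}),
    Asset("public-website", vulnerability=0.7, asset_value=200_000,
          threat={"cybernuisance": 0.8}),
]

if __name__ == "__main__":
    for name, category, r in rank(PORTFOLIO):
        print(f"{name:20s} {category:15s} {r:>14,.0f}")
    print(allocate(PORTFOLIO, 1_000_000))
```

The ranking makes the point of the formula visible: the card-processing system has the lowest vulnerability score in the portfolio, yet it tops the list because its asset value and cybercrime threat are high, while the easily defaced public website lands last despite being the most vulnerable. Changing any one factor to zero removes the risk entirely, which is exactly why the multiplicative form rewards reducing whichever factor is cheapest to move.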
Unlike former AT&T CISO Ed Amoroso, who criticized the Trump administration’s executive order on cybersecurity, Baich welcomed it.
“The most recent presidential executive order [on cybersecurity] did a nice job of driving home accountability,” said Baich.
He added that the Trump administration has already put more energy into cybersecurity than the last three administrations combined. Tim McBride from the Department of Homeland Security—who joined the agency during the Obama administration—also spoke at the event and reported that the EO on cybersecurity has generally been very well received by the business community.
Finally, Baich echoed two of Amoroso’s themes. He said that cybersecurity regulations need to be greatly simplified. “Can’t we just get one framework to regulate to?” he said. (Amoroso recommended consolidating solely on the NIST framework.)
And, Baich said one of the best things the US can do for the future of cybersecurity would be to expand and better promote the Cyber Corps. He pointed out that today’s students can get a full scholarship to study cybersecurity, get internships at the intelligence agencies, and then have a job waiting for them when they graduate. It’s a program that should be much more widely known, he said.