Wells Fargo's chief information security officer Rich Baich has to be very strategic about the way he spends his budget in order to protect the bank from the endless stream of cyberattacks launched at it every day.
At the 2017 Borderless Cyber event in New York City, Baich went through the formula he uses to decide his cybersecurity risk strategy. Baich, who is the chair of the Financial Services Sector Coordination Council (FSSCC), also broke down the four categories of cyberthreats in order to help cybersecurity professionals understand how to deal with the overwhelming number of attacks.
The four types of threats
1. Cybercrime: This is the most prominent category today and the one that banks spend much of their resources fighting. A large portion of current cyberattacks are professional in nature, and profit-motivated—which is why banks are the favorite target. But as we've seen with retail hacks like TJX, cybercriminals have also figured out how to skim money off any business that handles transactions. Every organization needs to prioritize protecting those high-value processes from attackers.
2. Cyberespionage: This is the one that organizations with trade secrets and invaluable information have to worry about the most. So, pharmaceutical companies and government agencies like the NSA are the most at risk. Nevertheless, all organizations should triage their most sensitive data and put policies in place to guard against data leakage of those valuable targets.
3. Cybernuisance: This is where script-kiddies, web defacements, hacktivism, and even some DDoS attacks come into play. If you're in a company, industry, or field that is a target for activists wanting to make a statement then these attacks are obviously important to keep on your radar so that they don't embarrass your organization or turn into a PR nightmare. As we saw with the hack of emergency sirens in Dallas, making a statement is also starting to affect public safety as well.
4. Cyberwarfare: Nation states attacking private entities for commercial gain, competitive advantage, or national interest represents one of the newest and most sophisticated forms of cyberattacks. It's become enough of a problem that in 2015, US president Barack Obama and Chinese president Xi Jinping signed an agreement to de-escalate government hacking of private companies between the two countries. Nevertheless, "the Digital Pearl Harbor has already come and gone," said Baich. Cyberwarfare is happening and organizations of all sizes need to be prepared if they get caught in the crossfire.
The formula to combat threats
Throughout his career, Baich said he has used the following formula to decide how to deploy resources to the right things:
Risk = vulnerabilities x threat x asset value
Like other speakers at the Borderless Cyber conference, Baich encouraged the audience to think about cybersecurity as risk management—an approach TechRepublic has been writing about for over a decade.
In his talk "Defense at Machine Speed," security consultant Duncan Sparrell suggested that it's time for IT to start using mathematical models to analyze cybersecurity risk and set priorities.
Baich's formula is clearly a step—albeit a general one—in that direction.
The Trump administration
Unlike former AT&T CISO Ed Amoroso, who criticized the Trump administration's executive order on cybersecurity, Baich welcomed it.
"The most recent presidential executive order [on cybersecurity] did a nice job of driving home accountability," said Baich.
He added that the Trump administration has already put more energy into cybersecurity than the last three administrations combined. Tim McBride from the Department of Homeland Security—who joined the agency during the Obama administration—also spoke at the event and reported that the EO on cybersecurity has generally been very well received by business community.
Finally, Baich echoed two similar themes to Amoroso. He said that cybersecurity regulations need to be greatly simplified. "Can't we just get one framework to regulate to?" he said. (Amoroso recommended consolidating solely on the NIST framework).
And, Baich said one of the best things the US can do for the future of cybersecurity would be to expand and better promote the Cyber Corps. He pointed out that today's students can get a full scholarship to study cybersecurity, get internships at the intelligence agencies, and then have a job waiting for them when they graduate. It's a program that should be much more widely known, he said.
- Report: Companies are wasting massive amounts of money on ineffective security solutions
- Video: The 3 cybersecurity initiatives the Trump administration should focus on
- Cybercrime industry growing rapidly, cybersecurity can't keep up
- Top 5: Things to know about ransomware
- How to make your employees care about cybersecurity: 10 tips
- 198 million Americans hit by 'largest ever' voter records leak (ZDNet)
- CIA has been hacking into Wi-Fi routers for years, leaked documents show (ZDNet)
- Backdoors, encryption and internet surveillance: Which way now? (ZDNet)
Jason Hiner has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Jason Hiner is Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He's co-author of the book, Follow the Geeks.