Rich Baich, Wells Fargo & Jason Cook, The Chertoff Group | Security in the Board Room
(clicking)

>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at the Chertoff event. It's called Security in the Boardroom and it's really about elevating the security conversation beyond the IT folks and the security folks out in the application space and out on the edge, and really, what's the conversation going on at the boardroom, 'cause it's an important conversation. And one you want to have before your name shows up in the Wall Street Journal on a Monday morning for not all the right reasons. So we're excited to have a real practitioner, Rich Baich. He's the chief information security officer for Wells Fargo. Welcome Rich. And in the company of Jason Cook, who's the managing director with the Chertoff Group. Great to see you Jason. So we talked a little bit off camera, Rich. You've been in a lot of different seats in this game, from consulting to now you're at Wells Fargo, and a few more that you ripped off, but I can't remember them all. From your perspective, integrating this multi-dimensional approach, how do you see this conversation changing at the boardroom?

>> Well, I think most importantly, the board is a topic of discussion, one of the top discussions over the last couple of years. There's been a lot of guidance recently that's been put out to board directors through the National Association for Corporate Directors, as well as various consulting firms providing guidance. Board members need to be able to take this complex topic and simplify it down so that they can do their jobs. It's expected of them, and sometimes that can be a language barrier. So I think what I see happening is boards are beginning to hire individuals with some cybersecurity expertise. My example at Wells Fargo: we hired a retired general, Suzanne Vautrinot, to come in as one of our cybersecurity experts, obviously, on the board. And it's great having her in that board seat because oftentimes she can help me translate some of the issues and gain a different perspective from the board.

>> So that's a pretty interesting statement. So they're actually putting security expertise in a formal board seat.

>> Yes.

>> That's a pretty significant investment in the space.

>> But if you think about this. I mean, why?

>> Right.

>> Right.

>> Well, most institutions today, when you break them down, are really technology companies that a business platform just rolls on. So security is becoming part of not only the institution today but the institution of the future as organizations move towards digitalization. So having that ability to have someone who understands the risk management side of cybersecurity as well as the practitioner side will only make, I think, a boardroom that much stronger.

>> So what's your experience in terms of trying to communicate the issues to a board? Just down and dirty. Where do you find the balance as to what they can absorb? What can they not absorb? How do you outlay the risks, if you will, and how they should think about driving investment in these areas?

>> Well, great points. The first and most important thing with boards is gaining trust. That you have the expertise and that you have the information. By no means could I bring all my data to a board meeting, because it's just not digestible. So there's a little bit of an art of taking that down and building the trust and focusing on certain areas. But a point you made, I think it's really important, is one, you have to help them understand what are the top risks and why. But when you're talking to a board, you have to be able to say, and this is what we're doing to address them, and here is the time frame, and here is the risk associated with this. Because in their minds, they're thinking, what can I do to help you? And then secondly, your point was the decisioning regarding prioritization. In this particular space, there's always going to be risks, but it's really the art of deciding which ones are more important. I'll talk to the board and I'll highlight things like probability of occurrence. So the higher the probability of occurrence of something happening really drives our prioritization.

>> Then Jason, from your perspective. You're coming in from outside the board trying to help out. How have you seen the security conversation and priority change over time, especially in the context of this other hot topic that everybody is jumping on, which is probably the agenda item just before Rich comes in the room, which is digital transformation. We got to go, we got to go, we got to go. Everybody is evolving. We got to go, we're getting left behind, and then, oh by the way, we're just going to come on afterwards and tell us what some of these risks are.

>> Yeah, and I think actually Rich started to touch on it. All organizations, especially when you're looking at the Fortune 500 and around that shape and size, are global. And they're all on a digital journey; whether or not they acknowledge it, they're actually a digital product company. All of them now, digitizing is happening. So as a result of that, security is an absolutely critical component of anything linked to that, for all of the reasons that you can just read the headlines around. And actually at the boardroom level, it's more now, hopefully, becoming a conversation that's about how do we as board members take responsibility and accountability for how to protect our organization. And it's framed now more and more so in a risk management conversation. Rather than just saying security, 'cause security is like outside. But actually the reality is security and cyber activity, because you're a digital organization, it's embedded into everything whether you realize it or not, so the board needs to be educated as to what that means. How do you take risks in the context of digital activity and assign it to a risk management program approach rather than just saying it's the security guy that's got to come in and do that. And the security guy is most probably going to be the guy that absolutely has to understand that boardroom issue, and then execute upon it and bring options to the table every time in and around that space. But the main message I would say is take this from a risk management perspective and start using language like that. And that's probably the other point that we were discussing just earlier in the security series today, that actually it's about risk management, and educating everyone very clearly as to what do we mean. What are we actually protecting? How are we protecting it, and what are we doing as a set of board members, and as a leadership team, to actually take forward enablement of the business? From a security perspective, understanding it but then also protecting the business.

>> Right, so are you building models then for them to help them assign a value to that risk, so now they know how much they have to invest? 'Cause the crazy thing about security, I'm sure you could always invest more, right? You can always use a little bit more budget. There's a little bit more that you can do to make yourself a little bit more secure than you were without that investment. But nobody has infinite resources, so as you said, bad things can happen; it's really risk mitigation and knowing the profile and what to do about it. So how do you help them model that?

>> I can answer that and I know Rich can jump in. So what you're seeing is a brand new leader role emerging, from the traditional IT security guy to now the guy, or person I should say more accurately, that's engaged at the boardroom. That's there to talk about risks in the context of how the board sees it. And so what does that mean? It means that absolutely, you need to know what you've got from a digital perspective. Everything from the traditional network to all of the IT assets and everything there. The key thing is you need to know what you've got, but you then have to contextualize all of that against business risks. And pulling those two things together is the challenge that you see across the industry today, 'cause there have been silos. And usually underneath those silos are many other silos, so bringing that together is really important. And I think if you look at how we're going to see disruption and how things are managed from the risk management perspective, actually, that's what you're going to see come together. How do you bring those models together to give actionable intelligence that the board can react to or predict against? And that's not an easy thing to pull together.

>> Yeah, and to take it more down to a tactical arena, so you know at some point, like you said, you can't keep asking for more money. Because you're not practicing good business attributes, because everybody can ask for more money. So I think as organizations mature their security programs, they're going to go to the board with issues like this. Endpoint security: there's so many different endpoint security products out there that you could buy. But if you're practicing good risk management, you're starting off by saying, what is the risk? Let's just talk about malware. So malware is the risk; well, how much malware gets to your endpoint? Let's just say in this particular instance, you're here. You go into a program where you're enhancing your tools, your techniques, you're shutting down USB ports. You're not allowing people to connect to the internet unless they go through the VPN. You're buying endpoint solutions to put on there. You're encrypting the endpoint, you're doing all these things, and you suddenly see your monthly average of malware go from here to here. And then when you do that and you walk into a boardroom, and you can show them that, and you say, this is kind of our risk appetite. 'Cause we're never going to be able to reduce it, but I could go spend some more money. I could go spend five million more dollars and I'm going to move it this much. I'd rather take that five million, move it over to this risk which is right here, to reduce it to that area. So I think that goes hand in hand with what Jason's saying, but when you can get to that level with the board to help them understand their decision, they have a greater comfort level that the money is being spent and prioritization is occurring.

>> Yeah, so if I may, one of the things that you just touched on, I think is really useful for us to kind of expand upon more. One of the advice points the Chertoff Group had in our series session was around bringing cybersecurity experts to the boardroom. I know obviously you're very active in the whole finance sector, providing advice and direction in that space. Can you tell us more about that?

>> Sure. So what's particular in my world, also as the chair of the Financial Services Sector Coordinating Council: what we do is we work closely with the government, with policy and doctrine, and then the FS-ISAC, the financial services sector analysis center, is the group that really goes out and kind of operationalizes it through information sharing and that sort of thing. But what we've seen is a desire to have, honestly, more security professionals on boards. So CISOs potentially being asked to sit on public and private company boards to provide that expertise back to the company. So that the boardroom can help understand and transcend what is going on. Again, from my standpoint, I feel very privileged to have one of them on my board today. And she's been just a wonderful addition; not only does she bring cyber expertise, but being a retired general brings a lot to it in addition. So I would predict we'll see more and more CISOs being asked to sit on public and private boards. They bring that perspective as the business models move to digitalization.

>> We could go on forever, forever and ever, but we can't, unfortunately, but I have one more question for you, Rich. It's kind of this change in attitude amongst the CISO community and other people in security in terms of sharing information. You mentioned this group, and it used to be we didn't want to share if we got attacked, for a lot of different reasons, but there's a real benefit to sharing information even across industries about the profile of some of these things that are happening. How are we seeing that kind of change, and how much more valuable is it to have some other input from some other peers than just kind of you with your jewels that they're trying to protect?

>> Sure. So in general, from an industry standpoint, the financial services are much further ahead than a lot of the other industries, 'cause we've been doing it a long time. So sharing occurs officially through the FS-ISAC, but also you'll pick your phone up and call a friend right away and say, hey, I've just seen some of your IP space associated with so and so. So that informal sharing is there. It's a very tight community, in particular in the financial services. You don't think of security as a differentiator necessarily, because the reality of it is when an adversary chooses to point their direction at you, it's just a matter of time before they get around to your institution. So sharing occurs, and secondly, the government has been doing a great job of trying to break down those barriers. Work through all the issues that are related with sharing of classified, unclassified information. So there exists a model today; it seems to be working pretty well. Formal as well as informal, and if you look at some of the past history, that sharing has really helped a lot of organizations. I see it only getting better and better as time goes by.

>> And the point I'd add to that is the financial services ISAC, for example, is one of the most mature out there. In fact, it is probably the most mature, globally even, out there. But that's taken time to establish the trust and the collaboration there. And the one recommendation that we would all give out to the industry as a whole is you need to be getting those types of things stood up. And you have to invest time into them to generate the collaboration and trust. You're not going to get it overnight, but you have to start somewhere in doing the same. Because really what good work is happening here needs to be happening across the global industry as a whole.

>> Right, alright Rich and Jason, we'll have to leave it there, unfortunately. Really great insight, and thanks for sharing your insight with us.

>> Rich: And thank you.

>> Alright, I'm Jeff Frick. You're watching theCUBE. We're at Security in the Boardroom at the Chertoff event, Palo Alto. Thanks for watching. (clicking)