Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in Palo Alto, California at a Chertoff event. It's called Security in the Boardroom. And it's really about elevating the security conversation beyond the IT folks and the security folks out in the application space and out on the edge. And really, what's the conversation going on at the boardroom? Because it's an important conversation. And one you want to have before your name shows up in the Wall Street Journal on a Monday morning for not all the right reasons. So we're excited to have a real practitioner, Rich Baich. He's the Chief Information Security Officer for Wells Fargo. Welcome, Rich. And accompanying him, Jason Cooke, who's a Managing Director with the Chertoff Group. Great to see you, Jason. So we talked a little bit off camera, Rich. You've been in a lot of different seats in this game, from consulting to now you're at Wells Fargo, and a few more that you ripped through, and I can't remember them all. So from your perspective, kind of integrating this kind of multi-dimensional approach, how do you see this conversation changing at the boardroom?

Well, I think most importantly, for the board, it's a topic of discussion, one of the top discussions over the last couple of years. There's been a lot of guidance recently that's been put out to board directors through the National Association of Corporate Directors, as well as various consulting firms providing guidance. Board members need to be able to take this complex topic and simplify it down so they can do the jobs that are expected of them. And sometimes that can be a language barrier. So I think what I see happening is boards are beginning to hire individuals with some cybersecurity expertise. My example at Wells Fargo: we hired a retired general, Suzanne Vautrinot, to come in as, obviously, one of our cybersecurity experts on the board.
And it's great having her in that board seat because oftentimes she can help me translate some of the issues and gain a different perspective from the board.

So that's a pretty interesting statement. So they're actually putting security expertise in a formal board seat. That's a pretty significant investment in the space.

Well, but if you think about this, I mean, why? Well, most institutions today, when you break them down, are really technology companies that a business platform just rolls on. So security is becoming part of not only the institution today, but the institution of the future as organizations move towards digitalization. So having that ability to have someone who understands the risk management side of cybersecurity as well as the practitioner side will only make, I think, a boardroom that much stronger.

So what's your experience in terms of trying to communicate the issues to a board? I mean, just real, just down and dirty. You know, where do you find the balance as to what they can absorb? What can they not absorb? How do you kind of lay out the risks, if you will, and how they should think about, you know, driving investment in these areas?

Well, great points. But the first and most important thing with boards is gaining trust, right? That you have the expertise and you have the information. By no means could I bring all my data to a board meeting because it's just not digestible. So there's a little bit of an art to taking that down and building the trust and focusing on certain areas. But a point you made that's really important is, one, you have to help them understand what are the top risks and why. But when you're talking to a board, you have to be able to say, and this is what we're doing to address them, and here's the timeframe, and here's the risk associated with this. Because in their minds, they're thinking, what can I do to help you? And then secondly, a very astute point, but it was the decision regarding prioritization.
In this particular space, there's always gonna be risks, but it's really the art of deciding which ones are more important. So I'll talk to the board and I'll highlight things like probability of occurrence, right? So the higher the probability of occurrence of something happening really drives our prioritization.

Then Jason, from your perspective, right? You're coming in from outside the board, trying to help out. How have you seen the security conversation and priority change over time, especially in the context of this other hot topic that everybody's jumping on, which is probably the agenda item just before Rich comes in the room, which is digital transformation, right? We got to go, we got to go, we got to go. Everybody's evolving, we got to go, we're getting left behind. And then oh, by the way, Rich is going to come on afterwards and tell us what some of these risks are.

Yeah, and I think actually Rich started to touch on it. So all organizations, especially when you're looking at the Fortune 500 and around that shape and size, are global and they're all on a digital journey. Whether or not they acknowledge they're actually a digital product company, all of them are digitizing now. So as a result of that, security is an absolutely critical component of anything linked to that, for all of the reasons that you can just read the headlines around. And actually at the boardroom level, it's more now, hopefully, becoming a conversation that's about how do we as board members take responsibility and accountability for how to protect our organization? And it's framed now more and more so in a risk management conversation rather than just saying security. Because security is seen as outside, when actually the reality is security and cyber activity, because you're a digital organization, is embedded into everything whether you realize it or not. So the board needs to be educated as to what that means.
How do you take risks in the context of digital activity and assign them to a risk management program approach, rather than just saying it's the security guy that's got to come in and do that? And the security guy is most probably gonna be the guy that absolutely has to understand that boardroom issue and then execute upon it and bring options to the table every time in and around that space. But the main message I would say is take this from a risk management perspective and start using language like that. And that's probably the other point that we were discussing just earlier in the security series today: that actually it's about risk management and educating everyone very clearly as to what do we mean? What are we actually protecting? How are we protecting it? And what are we doing as a set of board members and as a leadership team to actually take forward enablement of the business from a security perspective, understanding it but then also protecting the business?

Right. So are you building models then for them to help them assign a value to that risk, so now they know how much they have to invest? Because the crazy thing about security is I'm sure you could always invest more, right? You could always use a little bit more budget, and there's a little bit more that you could do to make yourself a little bit more secure than you were without that investment, but nobody has infinite resources. So as you said, bad things can happen; it's really risk mitigation and kind of knowing the profile and then what you do about it. So how do you help them model that?

I can answer that and I know Rich can jump in. So what you're seeing is a brand new leader role emerging, from the traditional IT security guy to now the guy, or person I should say, more accurately, that's engaged at the boardroom, that's there to talk about risk in the context of how the board sees it. And so what does that mean?
It means that absolutely you need to know what you've got from a digital perspective, everything from the traditional network to all of the IT assets and everything there. And the key thing is you need to know what you've got, but you have to then contextualize all of that against business risk, and pulling those two things together is the challenge that you see across the industry today, because they have been silos, and usually underneath those silos are many other silos. So bringing that together is really important. And I think if you look at how we're gonna see disruptors in how things are managed from a risk management perspective, actually that's what you're gonna see come together: how do you bring those models together to give actionable intelligence that the board can react to or predict against? And that's not an easy thing to pull together.

Yeah, and to take it kind of more down to a tactical arena. So at some point, like you said, you can't just keep asking for more money, because you're not practicing good business attributes, because everybody could ask for more money. So I think as organizations mature their security programs, they're gonna be able to go to the board with issues like this. Endpoint security, right? There's so many different endpoint security products out there that you could buy, but if you're practicing good risk management you're starting off by saying, what is the risk? Let's just talk about malware. So malware is the risk. Well, how much malware gets to your endpoint? And let's just say in this particular instance you're here. You go into a program where you're enhancing your tools, your techniques, you're shutting down USB ports, you're not allowing people to connect to the internet except through the VPN, you're buying endpoint solutions to put on there, you're encrypting the endpoint, you're doing all these things, and you suddenly see your monthly average of malware go from here to here.
And then when you do that and you walk into a boardroom and you can show them that, and then you say this is kind of our risk appetite, because we're never gonna be able to reduce it to zero. But I could go spend some more money. I could go spend five million more dollars, but I'm gonna move it this much. I'd rather take that five million, move it over to this risk, which is right here, to reduce it to that area. So I think that goes hand in hand with what Jason's saying, but when you can get to that level with the board to help them understand your decision, they have a greater comfort level that the money is being spent and prioritization is occurring.

Yeah. So go ahead.

If I may. So one of the things that you just touched on I think is really useful for us to kind of expand upon more. One of the advice points Chertoff Group had in our series session was around bringing cybersecurity experts into the boardroom. I know obviously you're very active in the whole finance sector providing advice and direction in that space. Can you tell us more about that?

Sure. So in particular, in my role also as the chair of the Financial Services Sector Coordinating Council, what we do is we work closely with the government on policy and doctrine, and then FS-ISAC, the Financial Services Information Sharing and Analysis Center, is the group that really goes out and kind of operationalizes it through information sharing, and the FSARC. But what we've seen is a desire to have, honestly, more security professionals on boards. So CISOs are potentially being asked to sit on public and private company boards to provide that expertise back to the company so that the boardroom can help understand and transcend what is going on. And again, from my standpoint I feel very privileged to have one of them on my board today. And she's been just a wonderful addition. Not only does she bring cyber expertise, but being a retired general brings a lot of additional expertise to other areas.
So I would predict we'll see more and more CISOs being asked to sit on public and private boards to bring that perspective as the business models move to digitalization.

We could go on forever and ever and ever, but we can't, unfortunately. But I have one more question for you, Rich. It's kind of this change in attitude amongst the CISO community and other people in security in terms of sharing information. You mentioned you're on this group, and it used to be we didn't want to share if we got attacked, for a lot of different reasons. But there's a real benefit to sharing information, even across industries, about the profile of some of these things that are happening. How are we seeing that kind of change, and how much more valuable is it to have some other input from some other peers than just kind of you with your jewels that you're trying to protect?

Sure, so in general, from an industry standpoint, the financial services are much further ahead than a lot of the other industries because we've been doing this a long time. So sharing occurs officially through FS-ISAC, but also you'll pick your phone up and call a friend right away and say, hey, I've just seen some of your IP space associated with so and so. So that informal sharing is there. It's a very tight community, and particularly in the financial services we don't think of security as a differentiator necessarily, because the reality of it is when an adversary chooses to point their direction at you, it's just a matter of time before they get around to your institution. So sharing occurs, and secondly the government's been doing a great job of trying to break down those barriers, work through all the issues that are related with sharing of classified and unclassified information. So there exists a model today that seems to be working pretty well, formal as well as informal, and if you look at some of the past history, that sharing has really helped a lot of organizations.
So I see it only getting better and better as time goes by.

And the point I would add to that is the financial services ISAC, for example, is one of the most mature out there. In fact, it is probably the most mature at a global level out there, but that's taken time to establish the trust and the collaboration there. And the one recommendation that we would all give out to the industry as a whole is you need to be getting those types of things stood up, and you have to invest time into them to generate the collaboration and trust. You're not going to get it overnight, but you have to start somewhere in doing the same, because really the good work that is happening here needs to be happening across the global industry as a whole.

Right. All right, Rich, Jason, we'll have to leave it there, unfortunately. Really great insight, and thanks for sharing your insight with us.

Thank you.

All right, I'm Jeff Frick, you're watching theCUBE. We're at Security in the Boardroom, the Chertoff event in Palo Alto. Thanks for watching.