Q&A with Kathy A. Michalko, Wells Fargo & Company


Kathy Michalko serves as chief security officer for San Francisco-based Wells Fargo & Company, leading a team of experienced corporate security professionals working to keep employees, customers and assets safe. Based in Charlotte, she has more than 20 years of security and risk management operations experience.
Before joining Wells Fargo in May 2021, Ms. Michalko worked for the United States Secret Service for more than two decades, most recently serving as special agent in charge of the field offices in both New York City and Rome. She led various divisions throughout her career, including the Office of Protective Operations, Washington Field Office, Office of Professional Responsibility, and the Dignitary Protective Division. As part of her role, Ms. Michalko served on presidential detail in the last two years of the Clinton Administration and the first term of the second Bush Administration, and she planned and executed all aspects of protective operations for the 2008 Democratic National Convention in Denver.
We talked with her about the main risks against which she protects her company and its executives, how she works in tandem with the bank’s cybersecurity leaders, how her Secret Service background informs and inspires her work, and the growing ranks of women in the security profession, among other issues. This Q-and-A is edited lightly for length and clarity.

Keith Oringer: What are the main security risks you manage daily at Wells Fargo?

Kathy Michalko: My responsibilities are protecting our people, our facilities and our assets from physical threats. Financial institutions face multiple security risks due to the sensitive data that we handle, and the role that we play in the economy. That’s everything from (preventing) robberies, to (guarding against) unauthorized access to our facilities, to making sure we keep our people safe while they’re working. And then making sure that our physical assets are safe, as well, across the enterprise. It’s not just the U.S. We’re in more than 30 countries. My team collaborates with others, like on the technology side, within Wells Fargo, making sure that we have effective technology. We’re making sure our policies and our procedures, training and compliance are all aligned so we’re protecting everyone and our assets. The goal is to always find a multi-layered defense strategy to protect the data and not impede the business that has to go on: it’s important to find that balance to keep our security posture stable.

KO: Has COVID resulted in any lasting changes in security procedures at Wells Fargo?

KM: Some of the lasting changes include how we approach remote work. And that’s required some enhanced security measures to make sure that people could access the systems and view the data that they needed to do their job securely from home. We’ve had an increase in our business continuity planning, and with the evolving health and safety guidelines, we’ve reconfigured some of our physical worksite spaces, as well, to facilitate social distancing. In short, I would say that the lessons that we learned have given us a new playbook that we can use to create a safer environment, should we ever face something like that again.

KO: Has the increased use of artificial intelligence in the development of security technology had an impact on the company’s security program?

KM: Artificial intelligence (AI) is everywhere. It’s really revolutionizing the way that security measures are designed, implemented and managed. Some of the key impacts of that on our technology includes advanced threat detection, giving us the ability to analyze massively larger amounts of data in real time, to identify patterns or anomalies that may indicate anything from a cyberattack to some other kind of security breach. In the area of analytics, AI gives power to our information and event management systems and can correlate and analyze that data from different sources. That enables us to be more effective in coordinating what threat information we’re seeing, and then transitioning our incident response to whatever that landscape looks like. AI helps us in incident response because we can find those threat vectors much quicker, and then initiate our predefined actions to mitigate them. That reduces the manual workload on our teams by allowing us to look at a much smaller, more defined group of vectors, which makes us more nimble in what we do. And so, I’d like to see it play a larger role, especially in shaping our future technology.

KO: How does Wells Fargo approach collaboration between physical and IT security? Is that all under your roof?

KM: It is not. We have a separate CISO (Chief Information Security Officer). We’re not in the same chain. But we do collaborate, and the collaboration between the physical side and the information technology side is the key to making sure that we protect the bank. We work with them very routinely, making sure that the physical aspects of who can come into our buildings, or where they can go, protect the most critical assets. We work with them to make sure that we’re doing whatever we can, from a physical perspective, to support them. We’re making sure that we have a very coordinated incident response function here on the resiliency side. And so there’s not a call that goes on that we’re not both in, so both sides are heard.

KO: Do you use in-house guarding, or do you use contract security?

KM: We have a combination of the two.

KO: What attributes do you look for in a contract security vendor or provider? What are, like, the two or three most important things to you?

KM: The three most important things to me are that they’re vetting the people that they’re getting for us, and that they’re training them to suit our needs, and they’re current in all of their certifications.

KO: When do you find working with security system integrators offers better alternatives than doing that work in-house?

KM: The choice between those two models depends on various things. And for each organization, it’s going to be different: your size, the resources you have, and your expertise, internally. But I do believe there can be advantages working through integrators. Sometimes, there’s a certain expertise that the integrator you’re working with is more specialized in. It can be harder for a firm to keep up with people, training, and keeping abreast on the latest trends, and being subject-matter experts in specific security systems. So they bring extensive knowledge. They’ve been in that space, they know their best practices, they know how things interact. And while they don’t know your specific business, they do know what their product is good at, and what benefits it brings. Relying on them to bring in that expertise is something that we do here to make sure that we haven’t missed something. Because we do operate in an environment that’s so different, how can we apply those newest strategies? In some cases, outsourcing may be more cost-effective, rather than keeping the in-house staff and hiring, especially for short-term, specialized projects. It can also lead to quicker implementation and reduce downtime.

KO: What criteria do you use, and where do you go, to find and implement the most advanced security programs for Wells Fargo to manage risk?

KM: We start with conducting comprehensive risk assessments internally, prioritizing our critical assets, ensuring that the systems we have integrate seamlessly with our existing infrastructure and technology. And then, scalability is a huge piece of that. Future expansion and regulatory compliance are factors that we have to consider to make sure that we’re effectively managing risk. I also want to make sure that any programs we implement here can be future-proof. So we’re choosing systems with the ability to adapt to future technology investments, because the technology of today will not work for tomorrow, potentially. And we want to make sure that we’re giving as long a lifespan as we can for our investment. Prioritization will depend on your specific needs, the risk profile, and your budget.

KO: What are you doing to effectively communicate and implement company-wide security protocols at Wells Fargo?

KM: We have a pretty routine cycle of going through our policies, making sure that they’re refreshed, they’re well-written, that we’re spelling out expectations, and roles and responsibilities among the different lines of business. And then making sure that we’re providing education, and training, and support to them, and support from us, top-down in the organization. Our leadership’s commitment is crucial, and senior leaders here endorse and follow our security protocols. They set such a positive example, and it encourages our people to take it seriously. We use various types of communications, everything from email, to newsletters, to portals, to regular townhall meetings to consistently reinforce the messaging. And we’ve established a mechanism for employees to provide feedback to us on security protocols. They have identified areas that may need further clarification, or adjustments. So that allows us to ask ourselves, “What else can we do to hone in and drive our message home?”

KO: How does the company’s large geographical footprint affect how you manage the diverse needs for security at Wells Fargo?

KM: We’re always looking at, “What is the risk assessment in that country? What are the potential threats, wherever we are? What vulnerabilities do we have?” We utilize regional teams, in those areas, to be responsible for the security measures. They can address the local threats, the local regulatory requirements that change from country to country, while adhering to our centralized corporate security viewpoints.

What assets might we have there? Do we need to bring in assets? How are we thinking about where they’re doing their meetings? How are we thinking about how they’re getting there? What assets are we putting in place before they get there to be familiar with where they’re going? Your emergency protocols – what would we do if something happened? Those practices are part of what we do here, every day, for our executives, and across the company.

KO: How have your views about executive protection evolved over the last 10 to 15 years?

KM: Since I am a former Secret Service agent, obviously that’s something I contemplate often, when I watch the news every night, and in response to the changing threats, technology advancements, and organizational priorities. Some of those include an increase in awareness of cybersecurity as it pertains to our executives here, for example. Protecting them against cyber threats, data breaches, unauthorized access to sensitive information, and online reputation management has become a significant facet of executive protection groups, in addition to all the traditional physical threats from 10 years ago, which remain. Lastly, it’s important that we protect their privacy, always trying to find that balance of doing things to protect them. It’s a broader understanding as you work through it. Executives need to be able to function, and the things that we’re doing to protect them can’t interfere with that. But we need to keep them safe.

KO: Are you finding that women are becoming more involved in the security industry, whereas traditionally, there have been fewer women working as professionals?

KM: I would say so, and I like to think that I’m somewhat of an example of that. With the Secret Service, we had our first female agents who joined in, like, 1971. Since then, you see the progression in the security field with more women. Are there still challenges in that regard? Yes. But more women are getting into higher positions, ascending into roles of leadership both within the law enforcement community and in industry. They’re taking on more roles such as the one that I have here, as a chief security officer, or as director of security. And they’re in many senior management positions across the industry – and everyone’s responsible for security, in some form or fashion, across all the lines of business here. Everyone is always thinking about, “How are we protecting our people, and our assets, and our investments?” So I do think that there is increased representation.

KO: As an accomplished senior security executive with a large corporation, what advice would you give to anyone considering a career in security?

KM: It takes time to understand yourself, and how you would fit into those various roles and responsibilities, and the industry as a whole. There are so many facets of it, and the landscape is constantly evolving. So staying updated on the latest trends, and expanding your network wherever you can, is key. If you’re a hard worker, and you’re paying attention to trends, and attending workshops and webinars, and you do a good job with what you’re working on, you’ll find your advocates. And staying in touch with those advocates that you find, in your peers or mentors throughout the industry over the years, that’s what’ll help you, in your career as you go forward.

KO: With all the lessons learned over the course of your career, what’s your single best piece of advice for security professionals?

KM: Don’t get tunnel vision. Be proactive, holistic, and keep your mind open. There’s a broad range of strategies to solve for risk. Finding the right balance and those right attributes to apply to your problem, and thinking about it holistically, I think is key to being successful. I’ve spent a lot of time in a lot of countries, and so I know that we, in the U.S., have a certain viewpoint that we approach security from, and other countries and other environments have different approaches. So just keep your mind open that there is more than one approach that will solve your problem.

KO: You spent time in Rome, and you were probably able to travel to other countries in Europe, which probably made you more valuable from a CSO perspective.

KM: I’d like to think so. I always worked overseas in different portions of my job at the Secret Service. We travel internationally all the time. But living overseas is different than traveling overseas. And then in my old assignment, (in Rome), we covered 63 countries from there, so when you’re problem-solving for investigations, or protection in those environments, you need to do it with the locals. We have no authority, right? I’m not from that country. But you still have a mission to do. You still have a problem to solve. When I say look at it holistically, I ask, “What do they do there?” They have security people, just like we do here. And you have a like mindset. So you talk security to security people, their approaches might be different, but they understand what you say, when you talk about risk. They understand, when you talk about mitigation. Being open to how they might do it, versus how you might do it, here in the U.S., I think is key.

KO: How has your approach to security training and awareness changed in recent years?

KM: Training programs need to focus on real-world scenarios and be interactive. That really helps employees understand why they’re being asked to take certain measures. You explain to them, and educate them on, “There are reasons that we ask you to do things.” We practice getting out of buildings: “Hey, don’t hold the door for people. Make sure you’re verifying that this is someone who is supposed to be in here. Just don’t let them in.” And you have to make your training real-life, and be practical in context. Do role playing or walk-throughs of different scenarios, because we all have security plans, and we all have emergency plans. People read them, but then you have to get them to adopt them and really internalize them, because, as you know, in a security situation, you don’t have time to read the book.

KO: I noticed one of the words you use a lot is balance. And, I think you’re probably a very balanced person in your outlook in life, not just in security.

KM: In my old world, security was the mission. In private industry, I’m a support entity. I am an enabler for the business to be able to do the things that they want and need to do. I have a very important role to play in keeping them safe and keeping their facility safe while they operate. But this company is not a security business.

KO: You’ve had a very interesting adventure. And now you’re on another adventure.

KM: People ask me, “How did you end up there (at Wells Fargo)?” We worked with bankers all the time in the Secret Service – bank fraud, credit card fraud, all of that. Remember, the Secret Service was responsible for suppressing counterfeit currency – protecting the nation’s financial infrastructure is what we were founded to do. Banking seemed like a logical next step.