Amy Nichols is one of the many high-caliber IT Executives who will be facilitating group discussions at NCS Madison’s Virtual CIO & CISO Strategy Meeting on June 9, 2020 for executives in Charlotte, NC and its surrounding areas.

Amy, the Executive Vice President and Head of Technology Integrity at Wells Fargo, will be leading a thought-provoking group discussion on Building an Enterprise-Wide IT Security Strategy. Here is a preview of what will be discussed on June 9, 2020.

“Having the technology team as a proponent of a risk-first culture is the key to a solid and effective implementation of security practices.”

What are the critical elements for building an enterprise-wide IT security strategy?

It starts with your business model, your appetite for risk and agreement on the risk appetite by all the areas of an organization – business, risk management, technology and information security. With a top-down and universal perspective on IT security, a comprehensive strategy can be defined and maintained. Without full support top-down and end-to-end integration of security processes, the organization will have gaps that will prevent the effective delivery of technology security requirements. For instance, vulnerability management processes must align to secure development lifecycle and change management practices. Vulnerabilities are best taken care of well before they enter the production environment. Every single technology process must have its understanding of how it meets the security posture and reinforces its aligned processes for a unified secured environment.


What capabilities do you think organizations need to strengthen their security posture?

Each organization needs to begin with the basics. Though technology has become very complex, the fundamentals are still core. Know your assets and then manage your asset and configuration management lifecycles with effective processes. Also, ensure that you know who is doing what to the technology assets and when (i.e. access management and segregation of duties). While this sounds simple, it does require work to keep up with the details. This has led many companies to take short cuts in these fundamental areas, such as keeping up with patching. These areas have created security holes and are key areas where technology shops are exposed to threats. Security frameworks such as COBIT or NIST are useful resources to ensure that all areas are covered and assessed for applicability at your company, again, based on the company’s risk appetite.


What advice would you give organizations in determining their risk tolerance and appetite? What role does it play in building the organizational IT Security Strategy?

It starts with your company’s mission and vision, primarily focusing on your customer. If you have a technology failure or breach, what would be the impact on your customers? Following that, what would be the impact on your company, specifically your brand and financials? Working backwards on the impacts to your business helps your organizational leaders define the amount of effort and the actions that need to be taken to prevent technology security impacts. Additionally, it helps leaders see what it will take to recover from an action that does occur.

Technology leadership is critical to helping businesses understand these possible scenarios, the impact on both people and cost estimates as well as to help make business determinations to understand risk thresholds and boundaries. Once defined, it needs to be documented, formally approved (by the executives of the company and the board if applicable) and communicated. It also needs to be assessed periodically for changes in the business and technology to ensure that it is still accurate. I would recommend reviewing on an annual basis at the very least.


What is a risk-first development culture? How would you create it?

Technology security and risk management is not an activity that happens once in the secure development lifecycle or something that can be checked off at the end. The processes and actions that make up effective technology risk management are a part of nearly every action taken by every individual in the technology organization. The only way to ensure that effective technology security is happening is by educating the organization on the purpose behind the procedures and helping them to understand the business impact if a technology breach or security incident were to occur. Having the technology team as a proponent of a risk-first culture is the key to a solid and effective implementation of security practices.


What is one thing you would like the attendees of your discussion group to leave knowing?

That an effective IT security plan can be created and implemented for every company. However, it requires consensus across the company for risk tolerance based on the business model and the basic technology processes with a risk-first development culture that understands why this is important and how they can accomplish and deliver security in their everyday practices.


Why have you decided to join us at the 2020 Virtual Charlotte CIO and CISO Strategy Meeting?

I believe it is important as a Charlotte-based technology professional to participate in the Charlotte technology community and share experiences as well as to listen to best practices from peers and other industries. At the speed that technology change is occurring, we must learn from each other to continue to build safe and secure technology to support the various industries that support our Queen City.


We have limited spots available for this Virtual CIO and CISO Strategy Meeting for IT Executives in and around Charlotte, NC. If you are interested in joining the conversation on CIO Leadership: Responding to COVID-19 or any of the other great discussion groups available, register or contact Jason Walter for more information.