
Patching: A Defensive Measure That's Not Always Available

Bank of the West's David Pollino on the Challenges of Working with Vendors
David Pollino, deputy chief security officer, Bank of the West

Security experts often contend that potential damage from cyberattacks can be avoided if organizations just patch their systems. But Bank of the West Deputy Chief Security Officer David Pollino says applying patches sometimes is more easily said than done.


Pollino explains that the cooperation of the third-party vendors that develop and support many systems is required for patching, and that's not always furnished.

"Sometimes security isn't the biggest priority of third parties," Pollino says in a video interview at Information Security Media Group's recent New York Fraud and Breach Prevention Summit.

Pollino also discusses the importance of:

  • Understanding how malware works and how it can have an impact on your IT systems;
  • Conducting tabletop exercises with key business leaders, based on recent cybersecurity events such as the WannaCry ransomware attacks; and
  • Knowing who to contact within the enterprise as well as with other stakeholders such as vendors and customers when a cyber event occurs.

At the summit, Pollino served as a panelist in two sessions: In the Wake of WannaCry: Creating a Data Security Action Plan that Addresses the Core Elements and We've Been Breached: Now What? How to Effectively Work with Law Enforcement and Regulators.

Before joining Bank of the West in 2011, as senior vice president and enterprise fraud prevention officer, Pollino served as vice president of online risk strategy and analytics at Wells Fargo. He also held managerial positions at Washington Mutual and Charles Schwab.

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
