Blackstone CISO Adam Fletcher walks a fine line between innovation and risk
Blackstone is responsible for over $1.1 trillion in assets, making it the largest alternative investment firm in the world, one that has to deal with acquisitions, leveraged buyouts, venture investment and more. CISO Adam Fletcher is charged with keeping the company safe in an increasingly aggressive threat environment. His overall philosophy to deal with this daunting responsibility is to “train like you have to fight.”
That means stress testing his systems, running tabletop exercises, training his employees to recognize threats and educating executives and board members about the state of the threat landscape, all while putting in place the software systems that make sense to keep the company as safe as possible in a world where a large financial services company has to live with a target on its back.
In spite of those ongoing challenges, the company still needs to be innovative to continue to grow and thrive. The problem is that innovative technologies usually come with a healthy dose of risk, and CISOs typically want to mitigate risk whenever possible. As Juniper CIO Sharon Mandell told us recently, the level of risk tolerance you have varies a lot by industry.
“I think different industries have different levels of risk tolerance. Different organizations have different levels of risk tolerance and belief in their people's level of responsibility in using the technology. And so the more risk you're willing to take, probably the more early gain you're getting,” she said.
As a substantial investment firm, Blackstone requires more rigorous risk mitigation than most. “We obviously have to protect, as you said, the confidential information that we routinely have access to as part of the business of buying and selling companies or investing in real estate or making trades on the public markets,” Fletcher told FastForward.
A big part of keeping the company safe involves constantly educating employees about risk and about staying vigilant for any attempt to infiltrate the company. “It is fundamental to teach our employees how to make good decisions, how to recognize suspicious behavior or suspicious emails and how to alert the security team in a ‘See Something, Say Something’ model,” he said. Regardless, the attacks get ever more sophisticated, especially as attackers begin using AI to write emails, send texts, make calls or even create deepfake videos that sound and look more realistic than ever.
Of course, he has to balance human education with software that keeps his systems safe and thwarts attacks to the extent possible. “The better technical controls you have in place, and the more layers of technical controls that you have in place, the less likely it is that you're going to suffer [an attack] that can result in reputational damage, financial loss, data loss or some other business disrupting impact,” he said. Those four elements are always the main things every company needs to guard against.
Balancing innovation and risk
But there is always going to be some risk of attack in today’s world. There’s no avoiding it, so in his conversations with the board and other executives, Fletcher uses news of the latest breaches as a teaching tool. “More often than not, I like to take every opportunity to look at what has happened in the public eye, things that appear in the Financial Times, The New York Times, Wall Street Journal, whatever, and then reflect on that and ask how that would impact us? Do we have the controls in place to prevent that? If not, would we be able to detect it and respond to it to minimize the risk or impact?”
Speaking of innovation, Fletcher says he often works with startups providing innovative solutions to tough problems because they tend to move faster than the incumbents, but again, he tries to mitigate the risk of working with a young, sometimes unproven company. “You have to look at the whole picture, and that comes down to looking at who their investors are, who the founders are, what the hypothesis is and where they can potentially go,” he said.
Even when he likes the answers to those questions, he doesn’t just kick out the incumbent. Instead, he works to build a relationship with the startup and makes sure whatever product they are developing is rigorous enough for a company like Blackstone. That could involve a PoC that lasts months or even years, depending on how important and sophisticated the product is. Only after it’s proven itself will he incorporate it into his toolkit, and perhaps drop the incumbent if it makes sense.
In spite of all that, he says he wants to avoid being the guy who says no all the time when it comes to implementing new innovative technologies, so he takes a team approach to getting stakeholders involved to make sure new systems, whether cloud, AI or any new technology, are being implemented with the level of security required by a company like Blackstone.
“There's an opportunity to build controls and capabilities in step with the people who are innovating. It just takes a really agile team, and it takes a team of intelligent, skilled people to take everything that they've learned up to this point and apply that to a net new technology or a net new set of systems,” he said. That means always paying attention to the fundamentals of cybersecurity – confidentiality, integrity and availability – and applying them to whatever new technology you are implementing.