As a large global technology company whose products such as the Graphical Processing Unit (GPU) appear inside a wide array of other products, NVIDIA may just be “the biggest company you’ve never heard of,” says Wesley Bull, NVIDIA’s Chief Facility Security Officer (CFSO) and Head of Global Security Risk Management, Investigations and Protective Services. “While we’re well known to the gamer community, our technologies are actually involved in solving such a diverse range of technical challenges, we’re literally helping to create the future,” Bull says.
His distinction as CFSO is due to NVIDIA’s engagement in classified work for the federal government. Bull’s global responsibilities include crisis management, executive protection, intelligence, travel security, IP security, protective services worldwide, supply chain security, investigations and administering the security program for classified work with the U.S. government. “That’s where the CFSO responsibility comes in to oversee all of the government’s program requirements. That involves different security auditing and monitoring all the way through to actually helping people get their security clearances and then ensuring that they behave appropriately to keep those clearances,” says Bull.
Bull marvels at “the speed and agility of the sector and, more specifically, the company.” Besides market opportunities he sees being created at every turn by NVIDIA, “we are solving really complex problems with incredibly brilliant engineers, and that’s humbling,” he says. He feels fortunate to be able to work with people who are supporting diverse engineering challenges from cancer research to next generation visual computing to enhanced sensor technologies for automobiles.
Security at NVIDIA is quite challenging because, as a supplier of products within other products, the company has a number of joint ventures going on at any one time. This results in extremely complex security protocols. Not only might NVIDIA be dealing with pre-released and/or prototype products, but they are often working with multiple competitors at once. “We have to make sure that, for example, our lab environments are air-gapped so that we don’t have one competitor running into another competitor’s area or accidentally getting exposure to a competitor’s intellectual property,” says Bull.
The stakes increase significantly for the company when it comes to cyber threats as well because they are protecting other people’s property as well as their own. “There’s a pretty substantive insider threat or attack vector on intellectual property theft, and that’s something we have to be very, very vigilant about,” Bull says. As a result, Bull also plays a role in cybersecurity initiatives at NVIDIA and serves as the liaison for all engagements with law enforcement and U.S. intelligence community given his former work in these arenas.
Global security risk management is Bull’s team’s major focus, and he’s expanded the program scope significantly since he started. As NVIDIA began to grow rapidly and expand into many new areas in the several years before his arrival, the security program just wasn’t able to keep up. “I’m extremely happy with the excellent work by my team,” says Bull. “We’ve got some great partners across our program that have really helped us adeptly close the gaps, but there’s still a lot of work to be done.” Specifically, Bull emphasizes aligning security risk awareness in conjunction with the company focus on agility and staying scrappy. His team’s security strategy is advantageous because it’s “aligned to the business and its objectives,” he says.
The security team’s brand perception “always has room for improving” when it comes to the C-suite, peers and external stakeholders, according to Bull. “We can’t be hitting the C-suite with uncertainty, fear and doubt and coming at them with a compliance hammer. That does not comport in a technology environment where the risk appetite is much higher,” says Bull.
As for external stakeholders, “We’re working with some of the best brands in technology around the world, and, as a result of that, I think what’s been notable is that we’ve similarly developed some great relationships and strategic insights by partnering with our external stakeholders,” Bull says. This also includes law enforcement, public safety and U.S. intelligence agencies, with which the security department conducts joint trainings and briefings to advance collaboration and capabilities. “We take an all-hazards approach and align our joint training and preparedness plans to support a major incident. We are way past ‘observe & report,’” says Bull.
As is the oft-held lament among top security professionals, complacency and awareness are the most difficult parts of the job. “The fight is ensuring that despite the alignment with the business, we do have legal and fiduciary obligations with regard to security and safety,” says Bull. “We can never lose sight of the fact that we also have very specific security and protection responsibilities to the U.S. government, and it’s difficult to keep getting air time to remind people of that, despite the great work that we’re doing in terms of aligning ourselves better with the business,” he says.
Security Scorecard
- Annual Revenue: $4.7 Billion
- Security Budget: $6.8 Million
Critical Issues
- Cybersecurity
- Intellectual Property Protection
- Business Expansion – New Markets