How AT&T CISO Rich Baich manifested his career

Baich has previously worked at AIG, Wells Fargo, and the CIA.

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.

How do you become a CISO? You make a step-by-step plan and follow it. At least, that’s how Rich Baich, who currently holds the title at AT&T, recalls getting his start.

“I was actually getting my MBA, and my last class was product marketing, and they said, ‘You are the product. Take yourself to the market,’” Baich said. “So, I literally came up with a plan to become a CISO, and I executed on it.”

That plan eventually ended up landing Baich his first gig as a CISO at data broker company ChoicePoint. At the time, he said, the idea of a C-suite role for information security was still nascent.

“When I look back on it was very interesting about what the role and the expectations in the boardroom and the C-suite was for CISO,” Baich said. “The challenges primarily were around helping the organization culturally understand: What does a CISO do and what value does it bring to the organization?”

In the beginning. Baich, who has now worn the CISO hat five times, sat down with IT Brew to discuss his career journey, recalling the first time he realized his interest in computers.

“We started doing computer programming in the Pascal language, and I thought just how interesting it was to create a Boolean logic if-then type of thing which could then cause you to take certain actions,” Baich said.

That fascination stuck with Baich even as he attended the Naval Academy and later completed military service: “I focused in areas like surface warfare and then cryptology, information warfare, and space.”

Critical point. The similarities between the military and Baich’s CISO role at ChoicePoint and, later, American Insurance Group and Wells Fargo were striking.

“Luckily for me, cybersecurity is as close to being in the military as you can get from most jobs, because you’re constantly trying to defend against adversaries that are trying to obviously, either do harm or form some type of mischievous activity.”

When reflecting on his experience at several top companies in the critical infrastructure sector, Baich said regulations have their value, but he believes they can slow organizations down.

“Oftentimes, it can cause you to have to focus in areas that may not be the most important, but you need to make sure you meet those regulatory requirements,” Baich said. He was up for the challenge, joining the CIA in 2022 as CISO and director of the office of cybersecurity.

Jennifer Ewbank, founder of Andaman Strategic Advisors and a former deputy director of CIA for digital innovation, told IT Brew that Baich was her pick for the role, given his “ability to translate complex matters into simple, clear priorities” and his “desire to serve his country.” She added that Baich came into the organization with the goal of understanding its needs and made a large impact, despite his short stint there.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“He came in sincerely wanting to study and understand and meet everyone and appreciate the unique skills that they had and the strengths that they brought to the mission,” Ewbank said. “That approach, I thought, was very effective.”

AT&T…&Rich! After a year at the CIA, Baich joined AT&T as CISO and SVP in 2023, with the goal of helping the company modernize.

“Technology has not been [standing] still. Everything from satellites to quantum to AI, all those emerging technologies,” Baich said. “As a result of that, we need to have an appropriate workforce to be able to defend against all those.”

Part of that included building AI literacy among AT&T employees. Baich estimates that, in the past year, his team spent more than 16,000 hours completing AI training and labs. Employees are also creating short videos of AI use cases that are circulated within the organization for learning purposes.

“It’s not just about learning about AI, because it’s like going to school. Just because you learn about biology does not mean you’re going to operate on somebody,” Baich said. “We want to give that foundation for either new employees or older employees, to get everyone comfortable, to understand how AI works.”

The company has also spent time boosting its security down its customer stack. The company disclosed a breach in March 2024 containing a data set from 2019 that impacted 7.6 million current account holders, along with another incident in July 2024 involving customer data from a third-party cloud platform. Earlier this year, it disclosed a strategic agreement with Palo Alto Networks to deliver “secure connectivity solutions” to aid businesses and their security needs. Meanwhile, the company’s threat protection offering, AT&T Dynamic Defense, which “filters out bad traffic,” has been hard at work. The company estimates it blocks 30 billion threats per month.

Baich also spends time bolstering the company’s collective defense against threats by collaborating with others in the industry. The company established an information-sharing agreement that allows it to share information with CISOs and operators in 7 countries.

“We’re only as strong as the weakest link amongst us all,” Baich said. “We all want to learn from each other.”