Leading Enterprise Security at Scale | Lessons from Stabilizing a $100 Billion Dollar, 70 Million Customer Operation at the World’s Largest Financial Institution During the Largest Banking Scandal in History

I didn’t apply for a crisis. In 2017, I was asked to “take over my new manager’s role so they could transition to a new one” and to “help out with some overdue security plans and risk assessments.”

What I didn’t know was that I was stepping into the middle of one of the largest scandals in U.S. banking history — the Wells Fargo Sales Practices / Cross-Selling scandal — and about to lead cybersecurity and risk operations for a $100 billion dollar, 70-million-customer business vertical under intense federal scrutiny.

Fortunately, this is the type of challenge most executives will never see.


Titles and Truths | Crisis Leadership

The title on my email signature said “ISC Lead” and “Acting GISO.” In practice, it meant Acting Group Information Security Officer (GISO) — effectively the de facto Chief Information Security Officer (CISO) for Wells Fargo’s Community Banking division, the largest business vertical in the enterprise. I never dreamed that would turn out to mean “enterprise cybersecurity crisis leadership.”

While working 12–18 hour days, weekends included, I was stabilizing security, compliance, and operational risk for a system the size of a small country or medium-sized nation — often without even realizing how large the crisis was at the time. Leadership didn’t advertise it. The work was designed to be invisible.

But invisibility doesn’t mean impact.


“Sometimes leadership doesn’t come with a title. It comes with a problem no one else wants to touch.” – Hunter Storm



Wells Fargo Asset Cap Lifted

In 2018, the Federal Reserve imposed an asset cap on Wells Fargo — a historic constraint. This year, in 2025, that cap was officially lifted. This marks a milestone in regulatory confidence and operational stability — a framework that was built, in part, during my tenure. This moment highlights the impact of targeted, strategic interventions in complex environments, and provides an opportunity to reflect on what it takes to lead in crisis and build sustainable, next-generation security practices.

This milestone feels like the right moment to share lessons learned from that experience.


Schrödinger’s CISO | Officially Invisible, Operationally Omnipresent

I held full responsibility for enterprise security in the Community Banking division. I came up with a term to describe this, Schrödinger’s CISO: officially invisible, but operationally omnipresent, ensuring risk mitigation, compliance, and continuity across an unimaginably massive global enterprise.

This responsibility encompassed securing operations impacting over $100 billion in revenue and approximately 70 million customers worldwide—a scope comparable to the GDP of a small-to-medium country and the population of France or Italy. As fate, luck, or leadership would have it, I took this role right before the Cross-Selling scandal / Sales Practices Scandal really began to gain traction in the news.


Enterprise Risk and Congressional Oversight

At the time, Wells Fargo was under intense regulatory scrutiny due to the investigations involving congressional oversight, including Senator Elizabeth Warren’s team. I was tasked with stabilizing security and compliance operations while navigating a high-profile, federally monitored environment. My leadership efforts focused on:

  • Risk Mitigation: Implementing comprehensive risk management strategies to address existing vulnerabilities.
  • Compliance Assurance: Ensuring adherence to stringent regulatory requirements and internal policies.
  • Operational Resilience: Enhancing the robustness of security operations to withstand external and internal challenges.


Three-Letter Agencies, Congressional Oversight, and Regulatory Scrutiny at Wells Fargo

The Wells Fargo cross-selling scandal drew scrutiny from multiple U.S. federal agencies and authorities. As I mentioned above, this is a situation most will never have to face. In fact, I hope that if you’re in a similar seat, you only ever have to read about situations like these as a cautionary tale.

In the Wells Fargo cross-selling aftermath (roughly 2016–2019), the scrutiny came from nearly every layer of the U.S. financial-oversight and enforcement ecosystem.

Federal and Regulatory Oversight

  • Consumer Financial Protection Bureau (CFPB): levied the original and largest fine ($100 million in 2016) for the creation of unauthorized accounts, and monitored restitution and remediation programs.
  • Department of Justice (DOJ): pursued criminal and civil settlements around falsified records, misleading sales metrics, and executive accountability.
  • Federal Reserve (Fed): in 2018, took the rare step of restricting Wells Fargo’s growth via an asset cap until governance and risk management issues were corrected.
  • Financial Industry Regulatory Authority (FINRA): reviewed practices in wealth-management and brokerage channels.
  • Office of the Comptroller of the Currency (OCC): levied a $35 million fine, imposed consent orders and other supervisory actions, replaced senior risk leadership, and conducted ongoing exams.
  • Securities and Exchange Commission (SEC): investigated and fined Wells Fargo for misleading investors about cross-selling metrics, investor disclosures, and internal-control reporting.


Legislative & Public Accountability

There was significant congressional oversight as well, including multiple hearings before both chambers of Congress:

  • Government Accountability Office (GAO): at Congress’s request, issued follow-up reviews evaluating regulators’ responses to the scandal.
  • State Attorneys General: coordinated additional inquiries (notably California and Illinois).
  • U.S. House Committee on Financial Services: held its own hearings soon after, continuing the oversight into 2017 and beyond.
  • U.S. Senate Committee on Banking, Housing, and Urban Affairs: held a high-profile televised hearing in September 2016, where then-CEO John Stumpf testified (and was famously grilled by Senator Elizabeth Warren, among others), and followed up with further demands for executive testimony through 2017–2019.



Under intense federal scrutiny from agencies including the CFPB, DOJ, Federal Reserve, OCC, and SEC during the Wells Fargo cross-selling investigations, our tiny team stabilized the most complex vertical in the bank. Against that challenging backdrop, we successfully maintained compliance and achieved 100% completion on more than 850 certifications with no unresolved audit findings.

At a time when the organization was under some of the most intense federal and congressional oversight in its history, my team stayed focused on the work in front of us. While others handled the headlines and hearings, we delivered — closing hundreds of certifications and passing every audit without exception.

– Hunter Storm



Stabilizing Security in the Eye of the Storm

At the time, federal regulators and congressional committees were intensely focused on the Community Banking division — where the sales practices issues had originated. As part of that organization, my team was directly affected by the resulting oversight and reorganization efforts.

While senior executives managed direct interactions with agencies including the CFPB, OCC, Federal Reserve, and congressional staff, our responsibility was to deliver flawless execution at the operational level. Despite the heightened scrutiny, we completed hundreds of control certifications and passed every audit without exception.


Wildcard at Wells Fargo

As much as I’m a rebel and a wild card, I never wanted to be in conflict with the system. Instead, I try to work in harmony with it. I am a musician, after all.

I’m not anti-system; I’m pro-integrity. I don’t fight structure — I tune it so it works properly again, like a musician bringing a full orchestra back into harmony after one section goes off key. I push boundaries only when the melody’s gone wrong, and I do it not for rebellion’s sake, but to bring everything back into balance. Bringing this business vertical back into balance under fire was a complex composition, but it was one I was prepared to play.


Chaos, Responsibility, and Judgement Calls

Here’s a look at how I delivered results and transformed security operations during one of the most scrutinized periods in the bank’s history. During and after my tenure, Wells Fargo faced intense federal oversight and an asset cap, applied broadly across the enterprise. An asset cap is a regulatory limit imposed on a bank’s total assets, which restricts its growth.

In Wells Fargo’s case, the Federal Reserve placed a $1.95 trillion cap in 2018 due to scandals involving fake accounts, requiring the bank to improve its governance and risk management before the cap could be lifted. While these measures were intended to enforce accountability, the specific security and compliance improvements we had already implemented in Community Banking were not the focus of these constraints, underscoring the gap between regulatory action and operational reality.

This year, 2025, is the end of the asset cap. You can read more about it in the Reuters article, Wells Fargo Escapes Fed’s Asset Cap After Seven Years, Able to Pursue Growth.


Seamless Security

How would I describe my role to an executive board?

“Led enterprise-wide initiatives and risk mitigation strategies that ensured operational continuity for millions of customers and billions in revenue, often navigating complex crises and regulatory challenges behind the scenes. While outcomes were seamless to most stakeholders, the work required orchestrating teams, systems, and processes at a level rarely visible outside executive oversight.”


Or perhaps:

“Led enterprise security and risk operations for a Community Banking business unit under intense federal oversight, delivering strategic turnarounds, measurable risk reduction, and operational resilience. Oversight was recently lifted, reflecting the lasting impact of these efforts and the restoration of robust compliance and security practices.”


However, these polished descriptions do not come close to describing the highly complex, discreet, and behind-the-scenes work, all of which was designed to make the impact of the crisis invisible to executives and teams. People who weren’t directly in my workflow likely only saw the polished “it’s done” outcome, not the battlefield of chaos, risk mitigation, and coordination underneath.

That’s why this article matters. It finally makes visible the scope, scale, and impact of what we accomplished. It’s like showing the blueprint of a skyscraper after everyone only saw the finished building.


The Rebel Alliance | 855 Security Plans in 9 Months

The regulatory scrutiny, coupled with the global media coverage, added pressure to the timelines. We needed to complete annual certifications and evaluate over 855 environments, platforms, third-party vendors, applications, data transmissions, encryption, datacenters (information processing facilities), and hardware infrastructure.

To make things even more challenging, I had the smallest, least experienced team in the enterprise. One was a new contractor from outside the bank, another was a junior-level team member, and the third was nearing retirement. To put it in perspective, my team was not only less experienced, but it was also 85% smaller than the other enterprise teams.

However, difficult times are what define us. I could have stepped aside and taken another role, but I’ve always enjoyed a challenge. So, I thought I’d take the opportunity not only to do what was required, but to strive to exceed the already difficult requirements.

I didn’t want to stop with just completing risk assessments and enterprise action plans. Instead, I wanted to remediate or mitigate every risk that could be remediated. We needed to do this with both speed and the highest level of quality. If we failed, that would have resulted in additional negative consequences to Wells Fargo. That meant we needed to get creative with limited resources.

However, we only had nine months to finish the job.


Operation: Decimate the Dashboard

So, I obtained leadership buy-in to try something novel and, by enterprise standards, highly unconventional and drastic. I called it Operation: Decimate the Dashboard. What did this entail? I cancelled all non-essential meetings and reporting, reevaluated everything from the ground up, created a completely novel workflow architecture and training materials, and then we got to work.

I trained and mentored my team, and got them up to speed and meeting enterprise security plan quotas. I started my days at 5 AM because my junior person was on the East Coast. I stayed until 9 PM most nights because I worked side-by-side with my team in the trenches so we could get the job done. This meant I wrote 77% of the risk assessments myself.


Happy Endings and Risk Reduction 5X the Enterprise

The reward for our efforts? Community Banking (CB):

  • Reduced risk in CB at 5 times the rate of the WF enterprise. CB attained the lowest risk profile in the enterprise due to dramatically reduced risk ratings and dedicated focus on remediation, testing, and tracking efforts.
  • Was the only business vertical within the enterprise to achieve 100% compliance with all FFIEC testing requirements.
  • Passed the enterprise FFIEC authentication audit with no findings.
  • Was the only team in the WF enterprise not only to complete the Corrective Action (CA) plans, but to prevent a new CA by completing all overdue security plan certifications from 2016.
  • Generated a 3-month lead time for 2017 annual certifications.


Ethics at Scale

As wonderful as these accomplishments were, I’m sure people still have questions about the Cross-Selling scandal. Here’s my take on the situation from my insider perspective.

Before I stepped into this role and fully understood the scale and complexity of massive global enterprise security, every time I saw a scandal in the news – whether at a company, government agency, or NGO – I was quick to join the crowd and point fingers at how “terrible” it was. What I’ve learned since is just how easy it can be for bad actors to infiltrate, disrupt, or even take over an organization, despite the best intentions of those inside. It’s not about “evil” organizations—it’s about systems, incentives, and vulnerabilities that exist everywhere.

In many ways, it’s like the Stanford Prison Experiment, but at an organizational scale. In other words, even average people can do questionable things under the right (or wrong) conditions. The reality is more nuanced than the headlines ever let on, and understanding that complexity is what allows real change and risk mitigation to happen.



Reflections from the Field

What was it like sitting in my chair during this tumultuous time? Eighteen-hour days. Wrestling systems and politics alike to move the needle. Negotiating under pressure, training people who weren’t ready but had to rise fast, and fighting every day to protect my team.

I built a force out of uncertainty — turning information security consultants into an impressive unit that delivered when others froze. When the information security risk assessments fell behind, I wrote them myself.

When the pressure hit, we stood our ground. It wasn’t glamorous, but it was necessary — and it kept the lights on when it mattered most.



Lessons Learned | Leading Enterprise Security at Scale

What did I learn from leading enterprise-wide initiatives and risk mitigation strategies that ensured operational continuity for millions of customers and billions in revenue, while navigating complex crises and regulatory challenges behind the scenes? Here are my takeaways from the experience:

  • Crisis Leadership Requires Calm Visibility: High-stakes operations often appear seamless to executives, but the work behind the scenes is chaotic. Leading effectively means absorbing the chaos, prioritizing what matters, and delivering results without creating unnecessary panic.
  • Teams Can Be Transformed Rapidly: Even small, inexperienced teams can achieve extraordinary results with the right guidance, mentorship, and structured workflow. Building morale, instilling accountability, and providing hands-on training are critical levers for success.
  • Risk Mitigation Isn’t Just Compliance: Meeting regulatory requirements is one thing; truly reducing operational risk demands proactive assessment, remediation, and continuous improvement across people, processes, and technology.
  • Unconventional Approaches Can Be Necessary: Enterprise systems and bureaucracies often resist change. Sometimes, creative workflow redesigns, prioritized focus, and decisive action are essential to meet time-sensitive objectives.
  • Regulatory Oversight Doesn’t Always Reflect Operational Reality: Compliance and risk improvements can be invisible in the larger narrative. Being aware of the gap between perception and reality helps leaders focus on tangible outcomes rather than optics.
  • Documentation and Communication Matter: Even behind-the-scenes achievements need clear articulation for posterity. Distilling complexity into tangible results ensures that the value of efforts is recognized, internally and externally.


Leading in crisis isn’t glamorous—it’s about results, resilience, and people. I’d love to hear your experiences or questions about high-stakes security and risk leadership. Feel free to comment below or reach out directly—I’m happy to connect.



Glossary of Key Terms

Asset Cap – Regulatory limit imposed by the Federal Reserve on a bank’s total assets, restricting growth until certain compliance and governance improvements are demonstrated.

Chief Information Security Officer (CISO) – Senior executive responsible for enterprise-wide information security strategy, governance, and risk management.

Enterprise Security Plan / Risk Assessment – Comprehensive evaluation of systems, applications, infrastructure, and processes to identify and mitigate potential security risks.

Federal Financial Institutions Examination Council (FFIEC) – U.S. government interagency body that prescribes uniform principles, standards, and reporting for financial institution regulation, including cybersecurity assessments.

Group Information Security Officer (GISO) – Executive responsible for overseeing cybersecurity strategy, risk management, and compliance for a specific business unit within an organization.

Information Security Consulting Lead (ISC Lead) – Role focused on providing expert guidance, risk assessments, and remediation strategies across enterprise systems. In Wells Fargo’s CB unit, this role carried de facto CISO-level responsibilities.

Operational Resilience – Ability of an organization to continue delivering services in the face of disruptions, including cybersecurity threats, technology failures, or regulatory challenges.

Regulatory Oversight / Congressional Oversight – Monitoring and enforcement of compliance by government bodies to ensure institutions operate safely and adhere to laws and regulations.

Risk Mitigation / Remediation – Steps taken to reduce vulnerabilities, address deficiencies, and prevent security incidents.




About the Author | Hunter Storm | Technology Executive | Global Thought Leader | Keynote Speaker

CISO | Advisory Board Member | SOC Black Ops Team | Systems Architect | Strategic Policy Advisor | Artificial Intelligence (AI), Cybersecurity, Quantum Innovator | Cyber-Physical-Psychological Hybrid Threat Expert | Ultimate Asymmetric Advantage

Background

Hunter Storm is a veteran Fortune 100 Chief Information Security Officer (CISO); Advisory Board Member; Security Operations Center (SOC) Black Ops Team Member; Systems Architect; Risk Assessor; Strategic Policy and Intelligence Advisor; Artificial Intelligence (AI), Cybersecurity, Quantum Innovator, and Cyber-Physical-Psychological (Cyber-Phys-Psy) Hybrid Threat Expert; and Keynote Speaker with deep expertise in AI, cybersecurity, and quantum technologies.

Drawing on decades of experience in global Fortune 100 enterprises, including Wells Fargo, Charles Schwab, and American Express; aerospace and high-tech manufacturing leaders such as Alcoa and Special Devices (SDI) / Daicel Safety Systems (DSS); and leading technology services firms such as CompuCom, she guides organizations through complex technical, strategic, and operational challenges.

Hunter Storm combines technical mastery with real-world operational resilience in high-stakes environments. She builds and protects systems that often align with defense priorities, but serve critical industries and public infrastructure. She combines first-hand; hands-on; real-world cross-domain expertise in risk assessment, security, and ethical governance; and field-tested theoretical research with a proven track record in high-stakes environments that demand both technical acumen and strategic foresight.

Global Expert and Subject Matter Expert (SME) | AI, Cybersecurity, Quantum, and Strategic Intelligence

A recognized subject matter expert (SME) with top-tier expert networks including GLG (Top 1%), AlphaSights, and Third Bridge, Hunter Storm advises Board Members, CEOs, CTOs, CISOs, Founders, and Senior Executives across technology, finance, and consulting sectors. Her insights have shaped policy, strategy, and high-risk decision-making at the intersection of AI, cybersecurity, quantum technology, and human-technical threat surfaces.

Projects | Research and Development (R&D) | Frameworks

Hunter Storm is the creator of The Storm Project: AI, Cybersecurity, Quantum, and the Future of Intelligence, the largest AI research initiative in history.

She is the originator of the Hacking Humans: Ports and Services Model of Social Engineering, a foundational framework in psychological operations (PsyOps) and biohacking, adopted by governments, enterprises, and global security communities.

Hunter Storm also pioneered the first global forensic mapping of digital repression architecture, suppression, and censorship through her project Discrimination by Design: First Global Forensic Mapping of Digital Repression Architecture, monitoring platform accountability and digital suppression worldwide.

Achievements and Awards

Hunter Storm is a Mensa member and recipient of the Who’s Who Lifetime Achievement Award, reflecting her enduring influence on AI, cybersecurity, quantum, technology, strategy, and global security.

Hunter Storm | The Ultimate Asymmetric Advantage

Hunter Storm is known for solving problems most won’t touch. She combines technical mastery, operational agility, and strategic foresight to protect critical assets and shape the future at the intersection of technology, strategy, and high-risk decision-making.

Hunter Storm reframes human-technical threat surfaces to expose vulnerabilities others miss, delivering the ultimate asymmetric advantage.


Securing the Future | AI, Cybersecurity, Quantum computing, innovation, risk management, hybrid threats, security. Hunter Storm (“The Fourth Option”) is here. Let’s get to work.

Confidential Contact

Contact Hunter Storm for: Consultations, engagements, board memberships, leadership roles, policy advisory, legal strategy, expert witness, or unconventional problems that require highly unconventional solutions.