Tom Quinn On Buying Cyber Products
Choosing Cybersecurity Heroes: Insights from T. Rowe Price CISO Tom Quinn

In a recent Gula Tech Adventures video, we introduced the animated short “Cyber Hero Auditions” — a lighthearted take on selecting cybersecurity tools as if they were superhero candidates, each boasting powers (and weaknesses) like backup recovery, compliance automation, and two-factor authentication. Following the sketch, we sat down with Tom Quinn, Chief Information Security Officer (CISO) at T. Rowe Price, to discuss the serious challenges of evaluating, selecting, and integrating cybersecurity products in the financial sector.

Quinn’s perspective, shaped by decades of experience across the Navy, technology, and finance, offers invaluable lessons for cybersecurity professionals, startups, and enterprises alike.

Cybersecurity Superpowers Come with Weaknesses

Much like the animated characters—Backup (whom no one tests), Insider Threat (who risks over-surveillance), or Lock-in (who punishes disloyalty)—Tom Quinn emphasizes that every cybersecurity tool has strengths and trade-offs. The real challenge is balancing those trade-offs against the specific risk profile of the enterprise.

“We don’t expect a single tool to solve all problems,” says Quinn. “We design hiring strategies around best-of-breed tools, and our engineers knit those solutions together.” His approach prioritizes solving problems over consolidating vendors prematurely.

Three Lines of Defense in Finance—And What SMBs Can Learn

Quinn explains that financial firms operate with a regulated “three lines of defense” model:

  1. Operations (Tech + Business)

  2. Risk Teams

  3. Audit Functions

While smaller organizations like dental offices or nonprofits may not have these divisions, Quinn suggests approximating them through peer review, external consultants, or periodic third-party audits. “Ask a peer to be your ‘audit function,’” he says. “Or bring someone in, just like you would for your taxes.”

Vendor Evaluation: Getting to ‘No’ Faster

For startups trying to pitch to Fortune 100 financial institutions, Quinn offers simple but powerful advice: “Get to the point. Tell me what problem you solve.”

He recommends a crisp five-slide pitch deck, echoing Gula Tech Adventures' own startup resources, as the ideal format. "It helps vendors get to 'no' faster, which is a win for both sides," Quinn says.

He personally meets with four to six vendors a month, often through introductions from trusted VC and private equity contacts. “If they’ve invested in a startup, it shows conviction. That’s a strong signal for me to take a meeting.”

When Cyber Products Go Bad

Quinn sees most vendor exits or replacements as resulting from:

  • Lack of R&D investment

  • Misalignment between perceived and actual product value

  • Vendor arrogance or poor renewal negotiations

“It’s usually not the tech—it’s how the vendor manages the relationship,” he says. He stresses that while platform vendors offer economies of scale, firms must remain cautious about vendor lock-in, especially in cloud environments.

The Role of Startups in National Cyber Defense

Quinn champions startup innovation, especially in addressing emerging or niche risks. “Startups often see the future first,” he notes. “Their unencumbered thinking lets them spot gaps the big players miss.”

He regularly engages early-stage companies, not always to buy—but to learn. “I might not be a customer, but I can be a partner. Or at least help them avoid wasting time chasing the wrong market.”

He also emphasizes the value of structured landing zones—programs within financial institutions that simplify procurement and piloting of startup solutions. “They offer easy contracts, test environments, and fast feedback,” Quinn says.

Cloud, Resilience, and Preparing for the Worst

T. Rowe Price, like many large firms, is “cloud first” where feasible. But Quinn highlights the need for “diesel generator” thinking: backup systems in case your cloud provider goes down. “We must be able to continue to fight, to operate, and to protect—even if the cloud is unreachable.”

He also values the intelligence sharing that comes with cloud platforms. “With enough users, these systems gain real-time insights from everyone’s attacks. That scale is a huge advantage.”

Evaluating Next-Gen Threats

What keeps Quinn up at night? Deepfakes and social engineering top the list—not because the tech is perfect, but because human fallibility is predictable. “Tech won’t save us from everything. We train our people to trust their instincts and pause before acting.”

He advises that defense comes not only from tools, but from culture: “Space and time are your allies. Take a breath, make a phone call, ask questions.”

The Power of Virtual CISOs and Giving Back

Quinn practices what he preaches—by volunteering as a virtual CISO for nonprofits and serving on the board of Girl Security. “It’s a chance to help people feel confident in asking questions and trusting their judgment,” he says.

He believes nonprofit service also benefits seasoned CISOs: “It reconnects you to the fundamentals and helps you stay humble.”

Final Advice for Cyber Startups in 2024

Quinn’s closing advice for startups?

“Know what problem you solve. Be honest if you’re solving for revenue or awareness instead of the customer’s real pain. And make it easy to understand what you do—and don’t do.”

Connect with Tom Quinn

While Quinn isn’t inviting cold pitches en masse, he’s open to thoughtful, respectful outreach. You can connect with him on LinkedIn or through forums like the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Conclusion

The cyber landscape is a team sport—and as our animated superhero sketch shows, not all heroes wear capes. Some wear APIs, dashboards, and compliance reports. Whether you're a startup founder, enterprise buyer, or nonprofit volunteer, Quinn’s message is clear: focus on solving real problems, build trusted partnerships, and always keep your cape—and your cloud—patched.
