A CISO is, first and foremost, a storyteller, says Dave Ruedger, CISO of Risk Management Solutions Inc., a catastrophe risk modeling company that helps financial institutions and public agencies understand, quantify and manage risk.
“Many security professionals may think our job is about data – presenting statistics, graphs and charts and drawing up lots of pretty pictures. But at the end of the day, the pictures are really designed to reinforce the story we are trying to tell.”
That story may well be “Look how we are reducing risk” or “Look how we have grown our organization to this level of creative maturity,” he says.
“That’s definitely better than throwing in a lot of charts that say ‘look how good we are in patch management!’”
The challenge comes in crafting that message for a specific audience – the Board of Directors and executive management, for instance, speak a greatly different language than engineers and other front liners do. “It’s a critical part of the CISO’s success.”
In fact, teaching tech skills to a good communicator is an immensely easier job than teaching communication skills – the written and spoken word, not to mention body language – to a technology expert, Ruedger says.
An extensive preparation
Ruedger has had vast experience working with tech professionals from various countries: Japan, India, Iraq, Singapore and some Eastern European countries.
He also did not take the path usually taken by his peers: his undergraduate degree is in English literature even as he has always been interested in – fascinated with, actually – computers from a young age. At that time, he had already decided he wanted to incorporate working with computers into his job, whatever that job turned out to be.
Ruedger has had practical experience with most aspects of IT: tech support, databases, consulting, data warehousing, coding, infrastructure. With a partner he also built a company focused on customer data acquisition and marketing.
“This was about 20 years ago, so at that time I had to be cognizant of data security, encryption and similar things in the product that I built. This was what set me on the security path – I was interested in how you can hack, how you can prevent it, what you have to do to be secure,” he says.
The past two decades have seen him build a mindset of establishing good hygiene, which means processes and practices of ensuring he does not expose himself to additional risk. “All this has led me to where I am now,” Ruedger says. Today, as CISO for RMS, his single, overarching goal is “to ensure that my company does not become a headline.”
How one makes that happen, he says, is a combination of many years of experience and the way one thinks about implementing security programs. “It’s building a road map.”
As a security leader, Ruedger also ensures that his team has the resources it needs to meet commitments to both internal and external clients. “I am lucky because my company has invested wisely, and continues to commit resources to security. In other organizations, that is not always the case.”
Then versus now
When Ruedger was starting his career, Europe was at the forefront of protecting data privacy. “In the US, we were still responding to spam or unsolicited email. I had to harmonize a lot of what we were doing with Europe which was so far ahead of the curve,” he says.
Where we are now is so much different. The US has caught up with many states passing privacy laws, and even a US-centric law is being studied. “Data protection is just going to get more and more important.”
Then, too, security was concerned with malware that exploits an application or system, with the objective of eliciting a certain behavior.
“But now it is much easier to phish a human than to attack a system or software.”
Social engineering is so simple that it’s not about tech prowess. “People are inherently vulnerable if you appeal to them psychologically. All you have to do is know a little bit about a person by looking them up online, and then speak to them in terms that they are familiar with. If you effect a good con, they will easily trust you and give you sensitive information willingly,” he says.
This information will ultimately compromise their system. “It’s definitely less work than using brute force or attacking the technology.”
The ‘human’ element
“Soon it will be so much more difficult to discern whether we are interacting with an actual person, or a machine,” Ruedger says. “A machine will be able to emulate my personality, my character, via an email or voice message. Once that occurs, our ability to protect ourselves against things would be threatened.”
Artificial intelligence has indeed become a double-edged sword. “On the one hand, it is helping us identify things that are difficult for people to detect. Things are moving at the speed of light in machine time. But as those AI algorithms become tuned, they will be used against us, and it will become more difficult to determine whether the AI that used to be a benefit is now actually a detriment to society as a whole.”
Ensuring that AI becomes a force for good rather than bad is, Ruedger says, an evolving exercise. “There will have to be a little more art than science into this. As much as we will let the machine tune themselves, and as the algorithms are pitted against each other, ultimately the human element has to be considered,” he says.
“Machines are very predictable. Once they are given a path and told what to do, they execute that same path flawlessly. By contrast, humans are inherently unpredictable. The injection of the human element which is essentially unpredictable is the thing that will guarantee that AI will not evolve completely in a vacuum.”
It boils down to people, whether in technology or plain and simple management.
Over the years, Ruedger has learned to surround himself with good people, “preferably those who are better than I am.”
They give him the opportunity to learn from them as much as they can learn from him. “When you stop surrounding yourself with people who challenge you to rethink the way you implement things, that’s when stagnation sets in, and complacency tends a foothold.”
The big breaches we hear about all likely had good security programs in place. “But they did not have the right people working in the right places to enable the organization to stay ahead of the game.”
To survive in a field as vast and unpredictable and dynamic as security, one has to constantly rethink how one approaches certain types of problems, Ruedger says.