For Fred Kwong, hands-on experience and formal education went hand in hand in shaping the kind of CISO he has become.

He first discovered he genuinely liked interacting with people and helping them with their concerns when he lost interest in his computer science degree and took a helpdesk support job instead.

“I helped our customers with things like getting connected online, resetting passwords, or solving account lockouts. The mindset of helping others came naturally to me.”

When he decided to go back to school, it was with a rather bold twist.

“Rather than try something from a computer’s perspective, why not try understanding people instead?” Kwong ended up with a double degree in psychology and professional communications.

What Kwong lost to his academic delay he more than made up for by pursuing advanced degrees after college – he soon enrolled to get his MBA – all while honing his technical skills on the job.

“I took a management position where I managed the network, server and telephony systems. My tech training came from this or by reading on my own,” he says. Meanwhile, his MBA, where he focused on executive leadership and organizational development, helped him understand the language of the business. “I understood what the priorities were.”

He remembers his PhD studies as “a pretty daunting time.” He found himself interacting with classmates who were COOs, VPs, HR executives. “I was a network engineer at that time. I was awestruck!”

In the end he realized the intimidation was unfounded. “I learned a lot from them, but they didn’t have strong backgrounds in tech either so we were able to learn from each other. Even if they knew something that I didn’t, I also knew something that they didn’t. In the end, I made a lot of good friends.”

 

From the ground up

Kwong is the first-ever CISO for Delta Dental Plans Association, a healthcare insurer. Their crown jewels are the personal information of their customers – things they must guard at all times, at all costs. “There was no one person that focused on security before I came onboard.” His role has allowed him to develop a security program from the ground up, drawing from all his experiences and lessons throughout his career.

“I feel fortunate that I am able to do that – build a program from scratch and bring in new technology and techniques,” he says. In the past two and a half years, Delta Dental Plans Association has grown to be seen as a security leader and this new status has allowed it to provide additional service to its member-companies. The company now also has a Security Operations Center which does alerting and monitoring 24/7.

As a CISO, Kwong has a twofold responsibility: First, he needs to align the security systems of 39 member-organizations, each of them separate entities. “If you have a breach in one, it’s associated with the brand.”
The second is to always ask whether the organization is moving fast enough. “The threat actors are not going to wait for you to be fully secure before they attack.”

Kwong’s approach is risk-based, taking on the highest risks first and then mitigating those. “Then again, if the risks have low potential, it also does not mean that nothing will happen.”

 

Anticipating the next attacks

Kwong is constantly mindful that the attacks are becoming quicker. “Once somebody gets into a system, they can propagate very quickly. So how can we react to that speed?” New technology – AI – makes all of this possible; just as it helps to make attacks faster, it also provides the tools to detect these attacks.


A second trend is the need to secure the humans by transforming the culture so that security becomes top of mind for the people who are in the driver’s seat.


“This is as simple as wearing a seatbelt,” Kwong says. “There is a law that says we have to. But it’s ingrained in us that we have to do it as soon as we start the car. Now the challenge is, how do we make sure that others strap on their seatbelts as well?”


He has also taken a holistic view of his career. “I think I will always be involved in cyber, but not necessarily only in security. Leadership demands that one understand all aspects of technology as they relate to the business.”