Information Security Is Like an F1 Pit Crew — Worldpay CISO



Nick Ritter, CISO at Worldpay, speaks with Todd Foley, Chief Digital Officer and CISO at Lydonia, in a video interview about the techniques to manage transformation challenges, new focus areas to address risks, and his approach towards developing or adopting new technologies.

When asked to shed light on the effective techniques that help manage transformation challenges, Ritter refers to transformation as an interesting process. He uses COVID-19 as an example to convey how the workforce underwent rapid change.

Regarding transformation, much of the risk is cultural, says Ritter. He adds that people generally fall into different categories in change management. Some individuals are advocates, or evangelists, who are eager to move forward.

Then, there is the largest group of individuals who take a “wait and see” approach, and finally, the smaller percentage of people who actively resist change, says Ritter. “Within change management and organizational theory, you try to activate the evangelist as much as possible,” he adds.

Further, a small percentage of the people from the wait-and-see group can be turned into active evangelists, preventing them from joining the detractors. At the same time, it’s crucial to isolate the detractors so they don’t hinder progress.

This dynamic plays out in information security, says Ritter. There are always people who fully embrace security measures — they can serve as champions, helping spread awareness and train others.

Meanwhile, detractors need to be monitored to ensure they aren’t undermining efforts, says Ritter. The same principles that guide organizational change management are essential when building a security program around transformation, he notes.

Moving forward, Ritter states that he strongly prefers automated controls over manual ones and preventive controls over detective ones. He advocates any innovation that allows a shift towards a model where human interactions with data and decision-making are programmatically defined in an operational sense.

Having said that, Ritter remarks, “I don’t want to take all humans out of all decisions, but in the operations of things, we can accelerate the capability to programmatically put in controls.” He believes that puts information security in a much stronger position, and he would want to push the organization forward in that direction.

Additionally, Ritter says, information security is not the department of toll gates or speed bumps. “I think of information security as the pit crew of the F1 car, and we want the car to go as fast as possible,” he adds. Expanding the analogy, Ritter says, while the car would inevitably make pit stops to be refueled, it is information security’s job to do it as fast as possible.

Speaking of pivoting to new focus areas while addressing arising risks, Ritter says that while many things are incremental, there have also been new focus areas. Mentioning data security and identity management, he says that earlier, identity management occurred inside the help desk.

Gradually, organizations realized the need for governance around it, and now identity management is a key strategic element of the information security program, says Ritter. Also, in the SaaS and cloud world, there are no terrestrial data centers holding the crown jewels, as the crown jewels are everywhere, he adds.

Delving deeper, Ritter says he has twenty copies of customer data, thanks to third-party services, which need protection through identity management and data security. The two areas are interlinked, he adds, which makes them a major focus area.

The third key aspect, according to Ritter, is insider risk. Stressing this aspect, he opines, “I don’t think organizations spend enough time addressing their insider risk and dealing with it.”

Insider risk is not about moving data around anymore, says Ritter, as it extends to hiring practices, pre-employment background checks, and onboarding processes. This issue may feel like a sudden shift, but it’s really been an incremental evolution, he notes, and these three aspects form the critical pillars of a solid security strategy.

Sharing his approach towards developing and adopting new technologies, Ritter states that while looking at different technologies, he notices where the value drops and what gaps need to be filled. He also assesses whether it would be faster to build a technology or buy it.

Speaking of the rapid evolution and influx of technologies, Ritter remarks that what was a state-of-the-art system at one time is not the same after five years. For instance, if he installs Splunk, then Splunk engineers need to be hired. If something is built instead, then developers need to be hired, which is much easier than getting Splunk engineers.

Concluding, Ritter states, “I ebb and flow on this. For me, it’s all about value drop and it’s about long-term supportability. It’s about the total cost of ownership.” He adds that ultimately the decision made is case-specific.
