Todd Foley: Hello, and welcome to the CDO Magazine interview series. I’m Todd Foley with Lydonia. Today, I have the pleasure of speaking with Nick Ritter, CISO at Worldpay. Nick, your journey to becoming CISO of Worldpay must be kind of interesting. To the extent that you can, can you walk us through the experiences that led you here and maybe share what you’re most proud of in your experience?
Nick Ritter: Yeah, absolutely. Todd, it’s great to be here. Thanks for including me in the series. Really looking forward to our conversation today.
My experience, you know, I came up as an incident responder, and I worked on some really interesting incidents. Some of them are pretty famous, and people would know them by name or some nickname that’s been assigned to them.
And that’s been a—it’s been an interesting journey because I also think I’ve been super lucky with a couple of different career accelerators associated with those incidents. Some of them, the high-profile ones and things like that, brought me in front of audiences that saw capability that I displayed or whatever they thought I displayed and that allowed me to kind of promote through the organization maybe quicker than the average person would.
For me, when you talk about what are you most proud of, I’m a really big fan of what’s called in the—the NFL—the coaching tree, right? If you’re familiar with this topic.
So, the concept is the big coaches that are famous and everybody knows—like Bill Walsh or Vince Lombardi or Bill Belichick—they have trees of coordinators that worked for them that went on to be successful head coaches. And then those people—so like, you know, Bill Walsh, who was with the San Francisco 49ers for a long time—he had, like, his coordinators, like Sam Wyche and Mike Holmgren and Dennis Green. And those guys went on to become head coaches in their own right. And then they had folks like, you know, Brian Billick and Jeff Fisher and Dick LeBeau and Jon Gruden. Like, these guys—Sean Payton came out of Bill Walsh’s coaching tree. So, this concept that really good coaches spawn really good coaches, who spawn really good coaches, kind of a thing. And I’d buy into that. And one of the things that I am most proud of is there are—of people who have worked for me—there are now eight CISOs, product security officers, or heads of internal audit at other companies now.
And so, I feel like my job in this industry is to build a coaching tree and to develop talent and put, you know, really great people with really good executive skills out in the marketplace and watch them succeed.
So, you know, I just kind of sit back and watch some of these folks, and they’re now my peers. And I just—an immense sense of joy and pride, I get from that.
Todd Foley: I love that. You’re talking about judging your success by the success of your team and their success as individuals throughout their career. That’s the kind of model that leads to good things and good execution among teams. I don’t think you can have a conversation these days in security without talking about AI. So, with what’s going on today, there’s kind of a couple of aspects to that, right? How is AI impacting your approach to cybersecurity? And then also, what are you doing to protect against AI attacks and secure AI use within an organization?
Nick Ritter: Yeah, so there’s a couple of really interesting things, I think, with AI. The first is I want to separate out the hyperbole from the real. So, within information security, we’ve been using unsupervised machine learning, which would theoretically be called AI. We’ve been using that for a decade or more, right? Like, you know, I actually hold a couple of patents in unsupervised machine learning algorithms for anomaly detection, and those are—I mean, those patents were like 2012, right? So, AI in the security space or, you know, large-scale data analysis with machine learning, that’s been around for a long time, no doubt about it.
So just the use of AI in information security is really a little bit of a nothing burger in the sense that it’s no big deal. I think the big change that has happened in the last couple of years with AI is the large language processing models have gotten so good that generative AI has gotten more interesting, right?
Generative AI used to look like Clippy, the little paperclip icon on Word, and now it can pass a Turing test. So as we get into that, I think the big pieces that we’ve got to pay attention to as executives and companies are where the value drops associated with this, right?
Where is AI actually generating value for the organization as opposed to where it’s generating talking points or buzzwords or whatever? So, things like code generation and stuff like that are gains, good value drops associated with AI. So, I mean, that’s kind of where I think about it now.
You know, how do we protect ourselves from AI? That’s another really interesting question. And I’d love to hear what your experience as a CISO is on this too. The CISO of AWS did a video last week, I think it was, or over the weekend. AWS is seeing a 700 percent increase in the last six months of cyberattacks. It has largely been attributed to AI and specifically GenAI. And what you’re seeing is this democratization of technology such that to launch successful cyberattacks, you really don’t have to code anymore. You don’t have to have access to rootkits, ransomware-as-a-service, or any of the other popular zero-day elements. All you need is an AI engine that can integrate in a place where you can test the results. And so, it’s really democratized who can attack and how successful they are: what used to be low-sophistication attacks are now becoming more sophisticated because of the AI layer that has been added in.
So, I just think that what we’re going to see is an acceleration at pace of attacks that we’re going to have to defend against. And I don’t know—what’s your experience as a CISO?
Todd Foley: I think what’s interesting is it’s accelerating initiatives that are security-focused and security-adjacent, which have been around for a long time.
We spend a ton of time now—and I would say driven a lot by AI and the acceleration of attacks leveraging AI—focusing on data security and authentication to access applications and data per transaction. Right. And a lot of focus on non-human access to data and applications, whether it be APIs or the use of AI.
And then finally, just in terms of internal use, there’s a ton of focus now on the software development lifecycle in a way that is much greater than the emphasis used to be, because of the real risk of using all of the external API calls and generative AI in applications and exposing vulnerabilities through that. But if I had to say one thing that has increased dramatically—aside from the attacks—it’s the focus on data security.
Nick Ritter: Yeah. So, you know, it’s funny—when Verizon, I guess it was 15 or 16 years ago, started doing their DBIR reports. If you would have pulled out the first DBIR, last year’s DBIR, or the 2024 DBIR, and compared them, you would have seen that the root cause of about 85 percent of security incidents is exactly the same 15 or 16 years later as it was in year one. Right. And it all comes back—not all, but largely—to cyber hygiene. It’s things like configuration drift, vulnerability management, data security, tightening identity management—all that stuff that fits into the super boring, not particularly sexy aspect of security, which is just doing the basics really well. It turns out that if your program did nothing other than just the basics well, you’d protect yourself from a huge majority of the attacks that are out there.
Todd Foley: Without question, that’s true. I think what’s different, though, is just scale, right?
You were talking about the massive increase in the sheer number of attacks. I think the scale creates problems—scale of data, scale of attacks, scale of your threat surface for non-human access—all of those things are complicating things. But you’re right, the fundamentals haven’t changed even a little bit.
Nick Ritter: That’s right. Napoleon was quoted as saying, in a different context, obviously, “Quantity is a quality all of its own.”
Todd Foley: Yeah, that’s the truth, without question. And I think we see a lot of our peers struggling with that—not necessarily because it’s not something that can be addressed, but because a lot of the investments security teams have made over the years have reached that point, like other things within IT, where they’ve accumulated technical debt. Maybe you’ve deployed best-of-breed toolsets at a certain point in time, but a few years later, they’re no longer best-of-breed, especially at the scale we’re dealing with today. And I think we see people struggling across the board to finance investments in things that help address that scale.
Nick Ritter: A hundred percent. I couldn’t agree more.
Todd Foley: Thank you, Nick, for joining us today. I’ve enjoyed this tremendously—it’s been a great conversation. And for those listening, for more interviews and insights, please visit cdomagazine.tech. And thank you.