
Part 3 of 3: CDO Magazine – Lydonia & Worldpay Interview

Explore the evolving role of the CISO with insights from Worldpay, covering how security leaders build a strong cybersecurity culture, adapt strategies to organizational dynamics, and take on increasing executive responsibilities. Learn how today’s CISOs balance risk management, board engagement, and leadership development to drive cybersecurity success.

Todd Foley: Hello, and welcome to the CDO Magazine interview series. I’m Todd Foley with Lydonia. Today, I have the pleasure of speaking with Nick Ritter, CISO at Worldpay. You know, when you’re talking to your peers or just for the benefit of the listeners here, what advice do you give on how you build a strong cybersecurity culture? Not just teams, not just programs, but culture across all levels of the organization? 

Nick Ritter: Yeah, it’s a great question. It’s interesting because every organization that I’ve been at is a little bit different culturally or a lot different culturally. Right. And so, I wish I had a playbook on this, but what I find is I’m not a playbook CISO, right? There are CISOs that walk into an organization new, and they’re like, these are the five things that we’re going to focus on for the next year or two years or whatever. They almost have their strategic roadmap built out, and it’s the same strategic roadmap that they did in their previous three companies kind of thing. And they just go run their playbook regardless of what the organization is. I’m not like that. I don’t do that, which I think in some ways has helped me create longer-term sustainable programs but also has hurt me a little bit in the sense that I might be a slower ramp-up CISO than would be typical of the playbook CISO. Because, you know, I’m trying to discover what it is that I need to do and adapt what I think should be focus areas to the culture and to the strengths and weaknesses of the organization at the time. 

Really, what I look for is, as I mentioned before, cyber hygiene. That is so super important. I really look for that. And then I really look for, culturally, where the organization is at. Is the executive team engaged? Is the board engaged in cybersecurity? Are they afraid of it versus being engaged in it? The same thing with the CEO and the CEO’s direct reports. Are they engaged? Are they afraid of it? What does that look like? What’s the culture of the organization? Do they lean into security? Is security a burden? Is it a kind of a speed bump or a brick wall that they keep banging into? And then how do we start breaking those down? How do we adjust the program to those kinds of cultural influences? 

The other thing I’ll mention here is that in an organization, a CISO or any leader can only go as fast as the organization can follow. Right? Like, you can’t lap your organization. And that becomes, I think, a big problem. CISOs come in, and they want to get stuff done. They want to get stuff done very quickly, and they lap the organization. You can’t lap your organization. 

There’s been a lot of talk recently about the concept of alpha males and stuff like that, as it relates to wolf packs. And it turns out that the concept of the alpha male that was studied in the seventies or eighties is completely wrong. The leader of the wolf pack in the wild is actually the last wolf in the line. Right? Not the first. The first is not the leader of the pack; it’s the one making sure that nobody falls behind. So, to a degree, that’s got to be kind of where the CISO is. The CISO and the security organization can’t go any faster than the pack can go. Right? So they have to pace themselves so that they don’t lap their organization in change, because you can really confuse the org by doing that. 

Todd Foley: I think. Interesting. I think, you know, we’ve also seen an evolution of the CISO role, certainly over the years, and it’s very likely that people will fall off quite a bit going forward as well. How do you see that evolution? How do you think being a CISO is different today than it was some years back? And where do you think that role is going in the next three years, five years? 

Nick Ritter: I think if I had one phrase to describe it, it would be: now you’ve got to earn your C title. We are called chief executives, and just like the CFO, the chief marketing officer, and the chief operating officer, we have ‘chief’ and ‘officer’ in our name. We have earned that now. We’re in a spot where I think the inflection point is, CISOs, now you have personal liability in the game. You have a lot more board responsibility. And so, because of those things and the strategic nature—or maybe call it the cataclysmic results—of security done poorly, it could be devastating to organizations. Right? For some organizations, security is an existential risk. Something goes bad. Like, we’re a payments company, right? We transact in the neighborhood of $2.5 to $2.7 trillion a year. About a billion transactions a week. If ransomware locks up our authorization and settlement systems, it probably kills us as a company. It’s an existential risk, right?

So because of that, the CISO has now got a seat at the grown-up executive table, and you’re going to have to be a grown-up executive here. And that means that you’re going to—you can’t be the senior technical person in the room. You can’t be the senior security person in the room. You’re going to have to be the executive that is responsible for security.

And that means you’re going to have to talk about risk in a much more quantified way. You’re going to have to have metrics that measure what are the incremental reductions in risk. You’re going to have to spend a lot of time with your board talking about risk appetite and where you are compared to risk appetite. And what’s the next investment going to do from a quantifiable risk reduction standpoint? I mean, there’s just a lot of executives, a lot of executive skills. It’s not the senior gearhead in the room anymore. It’s an executive position with responsibility for a technical, or a potentially technical remit. 

Todd Foley: Yeah. And with board liability, everything is a critical discussion, and everything has to have well-quantified dollar amounts on it these days. 

Nick Ritter: For sure. And I, and I will say that the other part about, you know, being a grown-up executive is every audience is different. You’ve got to understand your audience. So your executive counsel may be different than your investors. You know, it’s your private equity versus public. You’ve got to understand that your board may be different. And this is my fourth CISO gig. Every board that I’ve been in front of has a different personality, a different skill set, a different set of questions. I’ve never been able to replay one board discussion or another or come at a board meeting, “Okay, this is what I talked about with my last board. This is what this board wants to know.” 

So you’re going to have to spend some time figuring out what do those individual audiences and stakeholders for this particular company and this organization and this construct, what do they want, what do they need, what are they looking for, how can they be satisfied? And so just understanding the board and other executive dynamic is super important.

Todd Foley: Well said. So you’ve talked about the evolution and the skills required to be a CISO. What about the next generation of cybersecurity professionals? What skills should they look to develop early on? What’s the new path, if you will, for advancing in this space? 

Nick Ritter: I think, I mean, what has served me well, and I think this is, I think it’s, what do we say, cross-generational? Though I guess time will tell. Early in your career, become an expert in something. Be the person in the organization who is known for it. 

In my space, I was, in my organization, I was one of the better incident responders. Especially as it went to, you know, analyzing bigger long data. I could do that well. That becomes a springboard then for developing all of the other skill sets that you need to be a good leader and ultimately a good executive. 

So, you know, if I would start earlier in your career, become an expert, then develop leadership skills so that you can lead a team of people. And those people enthusiastically follow you, right? And what that means, and then create kind of that strategic layer—strategy, vision, capability—to be able to execute on that, develop a vision, develop a strategy, make the incremental decisions you need to do to execute, and then show delivery, right? 

And then, kind of that last piece is those, that executive awareness and executive development that needs to be done. I think that, you know, if you kind of follow that pattern, I think you’d be pretty successful. Does that guarantee that it will be a CISO? No, but you’d be incredibly well respected and pretty successful in the field. 

Todd Foley: I think that’s the right path. I think that the challenge in that path that I see all too often is people stop at one thing, right? They get their identity wrapped up in being the expert in that one thing. And it kind of prevents them from learning other things or developing additional skills. And I think if you can look at what you do, especially as you’re turning out, as a path as opposed to, “Okay, I’m going to do this, and that’s going to be my identity,” you’re going to do well. Especially since being an expert is something that, by definition, doesn’t last that long these days, right? 

Nick Ritter: 100%. If you’re irreplaceable, you’re unpromotable. 

Todd Foley: Thank you, Nick, for joining us today. I’ve enjoyed this tremendously—it’s been a great conversation. And for those listening, for more interviews and insights, please visit cdomagazine.tech. And thank you. 
