CISOs Need to Quantify Risk for the Board — Worldpay CISO
March 17, 2025
Nick Ritter, CISO at Worldpay, speaks with Todd Foley, Chief Digital Officer and CISO at Lydonia, in a video interview about a CISO’s approach to building cybersecurity culture, the evolution and future of the CISO role, and advice for next-gen CISOs.
Speaking about building a strong cybersecurity culture, Ritter states that every organization is culturally different. “I am not a playbook CISO,” he adds.
Elaborating on this stance, Ritter refers to CISOs who bring a pre-built strategic roadmap and apply it to every organization they join, without understanding the nerve of the organization. By contrast, he considers himself a “slower ramp-up,” as he discovers the organization’s needs and adapts his focus areas based on that culture.
Ritter reiterates the importance of cyber hygiene and of other critical factors, such as where the organization is culturally. He focuses on the leadership’s engagement with cybersecurity, how involved the executive team is, and whether the board is actively engaged.
Ritter also assesses the organization’s overall attitude toward security. “Do they lean in security? Is security a burden? Is it a speed bump or a brick wall that they keep banging into?”
From there, the goal is to identify ways to break down those barriers and adjust the security program to align with the organization’s cultural dynamics.
Moving forward, Ritter states that in an organization, “a CEO or any leader can only go as fast as the organization can follow that.” The challenge arises when CISOs come in and want to outpace the organization to get something done.
Using the alpha male analogy, Ritter notes that, contrary to what the studies say, the leader of the wolfpack in the wild is actually the last wolf in the line. Similarly, the leader of the organization is the one who ensures nobody falls behind.
Shedding light on the evolution of the CISO role and its future, Ritter states, “If I had one phrase to describe it, it would be, now you’ve got to earn your C title.” The role has now reached its inflection point and carries personal liability, he adds.
Delving deeper, Ritter states that because the consequences of security done poorly are cataclysmic, it is an existential risk for many organizations. For example, for Worldpay, a payments company handling $2.5 to $2.7 trillion annually and processing around a billion transactions per week, a ransomware attack could be devastating.
Because of this, a CISO can no longer be just the senior security person in the room — they must be the executive responsible for the risk, with a seat at the table. CISOs must communicate risk in a quantifiable way, track measurable risk reductions, and engage with the board on risk appetite.
Further emphasizing the need to be a grown-up executive, Ritter states, “You’ve got to understand your audience.” As a four-time CISO, he notes that every board he has been a part of has had a different personality, skillset, and questions. Ritter suggests spending time to comprehend the wants of the audiences and stakeholders and to understand the executive dynamic.
Addressing the next generation of CISOs, Ritter advises being an expert in something. That then becomes a springboard for developing other skills needed to become a good leader and executive. “People follow such leaders enthusiastically,” he adds.
Then, Ritter suggests building the strategic layer, developing a vision and a strategy, making and executing incremental decisions, and showing delivery. The last piece, he says, is establishing executive awareness and development.
In conclusion, he says that while following this pattern does not guarantee that one becomes a CISO, those who follow it will be respected and successful in the domain. However, he cautions people against stopping at one thing and says, “If you are irreplaceable, you are unpromotable.”