Todd Foley: Hello, and welcome to the CDO Magazine interview series. I’m Todd Foley with Lydonia. Today, I have the pleasure of speaking with Nick Ritter, CISO at Worldpay. You know, one of the things that is coined a lot is AI transformation. And I think transformation efforts overall have accelerated, whether they’re called digital transformation, AI transformation, technology transformation, or any other flavor. Are there some techniques that you’ve found that are effective at helping kind of manage the challenges of transformation and de-risk them?
Nick Ritter: Yeah, I think, you know, it’s interesting whether it’s a transformation that digital transformation, and a lot of us saw that in COVID, right? Just the rapid transformation of what the workforce looked like, was obviously a disruptor, in some ways great, in other ways more interesting or nuanced. And I think that, you know, all of these transformations go back to a lot of the risk is cultural, right? There’s this concept of, you know, within transformation or within change management in general, you have a percentage of the people who are active participants, like they’re enthusiastic, they’re advocates, they’re evangelists, and they’re gung-ho, and they’re ready to go. And you kind of have this middle group. It’s the lion’s share of the people that are kind of in the wait and see, and don’t have a strong opinion one way or another. They’re just going to wait and see. You know, kind of reminds me of the Dilbert cartoon. Let me go get my reorder boots again and we’ll see what happens.
And then you’ve got a percentage of people, hopefully it’s a small percentage of people, that are actively working against you. Those are the active detractors. And, you know, within change management and organizational theory, you try to activate the evangelists as much as possible. You try to move a small percentage of people who are the wait-and-sees into the active evangelists. You try to prevent the slide back of those “we’ll wait and see” people into the active detractors, and then you try to isolate the active detractors to where they can’t cause you harm. And that’s the cultural response to transformation or to change management, and it’s generally held true.
It similarly applies in the information security space, right? You’ve got a group of people who are, I think, actively embracing the information security controls and they’re in for that, right. And you can use them as evangelists, and you can use them to help you put the message out and to train their teams and that kind of stuff. And then isolate and track and figure out what the active detractors are doing and make sure that they’re not harming you in any way. And, I think so, kind of that organizational change management applies to the way that you construct a security program around transformation.
Todd Foley: There’s an aspect of transformation to where security can really be a driver of transformation, be an evangelist. By kind of defining the art of the possible in security and creating a framework for rapid change, I think a lot of times, that organizational change, especially the detractors, sometimes evidences itself, like people saying, “Oh, we can’t do that for security reasons,” and they say, without talking to the security team. I think if you get ahead of that, it didn’t hold up. “Hey, we can go fast. We can do big things. Here’s how we’re going to do it.” It can really accelerate transformation when security takes that leadership role, I think. I don’t know if that’s been your experience.
Nick Ritter: Oh, absolutely. Right. Like I think that’s a hundred percent true. At the end of the day, I am much more enthusiastic about automated controls than I am about manual controls. I’m much more enthusiastic about preventative controls than I am about detective controls. And so any kind of innovation that we can move ourselves to where human beings are interacting with data or making decisions, and that’s been programmatically defined in our operational sense, I don’t want to take all humans out of all decisions, by any stretch, but, you know, in the operations of things, we can accelerate the capability to programmatically put in controls. Absolutely. Like that is a much better state for information security to be in. And I think that that’s, and I absolutely want to push the organization in that way. And you’re right. It’s a great way to showcase that information security is not the department of no. We’re not the department of toll gates, we’re not the department of, you know, speed bumps even, but rather, I think of information security as the pit crew of the F1 car. Right. And we want that car to go as fast as possible. You are going to have to make pit stops because you are going to need to be refueled. You are going to need new tires. What’s our job? Our job is to do that stuff as fast as possible and to make any other tuning adjustments that we can to the car so that your next lap is faster than your last lap.
Todd Foley: I like it. I think as things continue to change and as new threats continue to arise, the question is, how do you address that? How do you pivot to newer things? And what types of attacks or risks do you think are the most underestimated out there, or do you think that everything we see is kind of incremental?
Nick Ritter: Yeah, it’s a really great question because I don’t know that there’s a solid, like, one-way answer to that because a lot of things are incremental, but there are a lot of things that are kind of new focus areas. I think, you know, you mentioned it before we were talking about AI, the focus on data security is, data security and identity management. It used to be identity management was this thing that occurred inside the help desk—accounts got provisioned and deprovisioned, and some of it was willy-nilly. Organizations started to understand they need a little bit more governance around it. But now, identity management is really a key strategic element of your information security program because it ties to everything. And especially as we’ve gone into the SaaS world and cloud and stuff like that, there isn’t this terrestrial data center that we’re trying to protect with our crown jewels in it; the crown jewels are everywhere. And by the way, there isn’t one copy of customer data—I don’t have one copy of customer data. I’ve got 20 copies of customer data because of all the third parties that we use. So all of that’s protected through identity management and data security. So you have this identity management program and this data security program, and they’re almost merged—not quite merged because the toolsets are so different, but they are so intricately linked together that they become one of the big focus areas going forward: identity and data security.
And I think the other part to that, you know, if I was looking at kind of a triangle around that word, data security, identity management, the other piece to that triangle is insider, right? I don’t think organizations spend enough time addressing their insider risk and dealing with it. And, you know, you saw, like, the emergence in late summer and fall, and it’s become pervasive now that there’s been some more attention paid to it, the nation-state-sponsored operatives who are getting employed in the organizations, right. And what that looks like. So the insider risk isn’t about moving data around anymore. It goes all the way into employment, the pre-employment background screening, and onboarding and things like that. That is a—I think that’s just an area where it’s probably incremental, but it’s incremental in a way that it felt all of a sudden new, right. And, and I think that’s, you know, that’s kind of the three-legged stool that we’re trying to pay attention to really is, is that identity, data protection, and insider.
Todd Foley: Yeah. Well said. I think a lot of the things that we see as challenges today, significant challenges at least, it’s not like we haven’t been talking about them or organizationally moving towards them, at least in an aspirational way.
What’s happened is somebody flipped a switch and now they’re table stakes. You have to do this perfectly or else you’re going to be compromised. The insider threat, the whole, has driven the whole zero trust initiative. And I think what’s different is it’s not so much about even identity anymore, you know, in terms of locking particular data access, application access, or resource access down to a particular identity.
Now it has to be transactional; it has to be contextual. Is this the right person who can access this data? Are they doing the right thing with it? Are they acting in a logical way? And that goes beyond kind of where we had our focus at least, or where we were spending most of our time. And I think a lot of times when we talk about newer risks, that’s really what we’re saying. We’re saying this has become a more pronounced risk than it was before. And we’ve got to pay more attention to it and invest more in solving for this in a way that we didn’t necessarily have to before.
Nick Ritter: Yeah, really well said.
Todd Foley: Can you share your approach for developing and adopting new technologies? You talked about some innovation that you did, patents you had around machine learning models for threat detection. But now there’s a million flavors of that kind of stuff, and all of it is the best thing since sliced bread when you talk to somebody who’s putting it in front of you. How do you look at, in general, the technology marketplace, and more specifically, that constant sort of build versus buy discussion?
Nick Ritter: Yeah. It’s really an interesting, it’s a great question because it’s such an interesting problem for CISOs. I mean, probably more than any other part of the technology industry, our industry is so tool-driven, right? Like, and if I wouldn’t, right. Oh yeah. I went to RSA, the last time I went to RSA, ironically, was in 2020. And, like, you know, I got back from RSA and the world shut down. So, it’s when I was walking around on the exhibit floor, I noticed there were probably 1,100 vendors, 1,200 vendors on the floor. And as I’m walking around, I’m like, you know, there are like 950 features and maybe 150 companies. And so that’s kind of, I can’t go back to that phrase, value drops. When I’m looking at different things, I’m trying to figure out where the value drops would occur and what gaps I am trying to fill in my space. And what’s faster, right? Is it faster to build something or buy something? I’ve walked up on this a little bit. So, I’ve been in organizations that are massively scaled, and I’ve been in organizations that are smaller. My opinion of this change is of course, based on scale. Well, one of the things that I’ve noticed is I can go out and buy, you know, a SIEM solution or UDR solution, a data lake, you know, a couple of different solutions.
You mentioned tech debt before, like you put in a kind of a, what is a state-of-the-art system at the time. And then five years later, it’s not a state-of-the-art system anymore. And I think about this from, like, you know, whether these are TIPs or SIEM solutions or things like that. I can go buy something, but then I got to go hire somebody that specifically has experience in that.
So, let’s say I install Splunk, then I got to go hire Splunk engineers who specifically understand Splunk. The other approach is to build something. And then I just have to go buy a developer, and buying developers, and at this, the market ebbs and flows a little bit, but buying developers right now is so much easier than going out and buying Splunk engineers or something like that.
So, I ebb and flow on this. For me, it’s all about value drop and it’s about, you know, long-term supportability. It’s about total cost of ownership. You know, all of that plays into it. But, at the end of the day, it’s kind of, it’s an ad hoc decision that gets made, you know, case by case.
Todd Foley: But it’s constant triage, right? Because it’s changing all the time. I know I look for what I call the inflection point when something moves from being a commercial offering to something that’s truly commodity, something that, where the actual cost of ownership change is significant, right? Where it goes from being, this is something useful.
I have to make the decision, build versus buy. And then that evaluation occurs. What’s my actual cost of ownership on this? Can I hire a skilled team to maintain it? Or is that a greater burden than maintaining my own code? But, there’s a point eventually where things become simple. Where I don’t need a team of highly skilled resources to maintain it. Where the capability is built into my other tools or my other platform. And it’s just commodity and I try and focus on capturing when that flick occurs, when that inflection point is realized, because I want to take advantage of it and move there and not worry about that stuff anymore.
Nick Ritter: No, I think that’s, that’s yeah, exactly that’s well said. I should be interviewing you.
Todd Foley: Thank you, Nick, for joining us today. I’ve enjoyed this tremendously—it’s been a great conversation. And for those listening, for more interviews and insights, please visit cdomagazine.tech. And thank you.