Secret CSO: Travis Ruff, Amperity

"The most important aspect of any job, not just mine, is to understand business context."

Name: Travis Ruff

Company: Amperity

Job title: CISO

Time in current role: 1 yr

Location: Seattle, WA

Education: I hold a degree in Management Information Systems from Minnesota State University, Mankato, and completed the Program for Leadership Development at Harvard Business School.  I have held a CISSP for about 10 years.

Travis Ruff is the CISO at Amperity and leads all security, risk management, and compliance efforts. He brings more than ten years of experience building and developing security programs in a variety of industries, ranging from multi-national industrial manufacturing to startup SaaS providers. Ruff previously served as the Sr. Director of Information Security at Avalara, a Principal Security Architect at Microsoft, and the Global Application Security Manager at Cargill.

What was your first job? My first job was working for my father.  He is an architect and was making the switch from hand drafting to CAD.  When I was 13 he sent me to a class to learn AutoCAD, and I came back and taught him; he's been using what I taught him for the last 27 years.  Besides learning that I didn't want to be an architect, I also learned a lot about the importance of clear communication and knowing your audience. 

My first job out of college was working for a small manufacturing company that was implementing new ERP software.  I was the DBA and ultimately responsible for keeping the service running, as well as performance, reporting, and customization.  It was a great opportunity to learn and explore a lot of different aspects of the tech field while also learning about the importance of process and the real-life impact large-scale technology changes have on a company.

How did you get involved in cybersecurity? I got involved in cybersecurity a bit by accident.  In college, I interned with IBM doing software and hardware testing and always enjoyed finding new and creative ways to break things. While I could have pursued a QA path, that didn't interest me, so I never really knew where I could apply the skills I had developed. Over the years that grew into a casual and then very serious interest in security where I learned a lot on my own before getting to know other people in the industry.  At the same time, I was working for Cargill, a large multinational food, agricultural, industrial, and financial company, that was making a significant investment in security and risk management.  The timing was perfect for me to make the switch to cybersecurity and I had the opportunity to build the application security team and practice from scratch for a $100B+ company.

Explain your career path. Did you take any detours? If so, discuss. When you don't have a destination in mind, it's easy to consider everything a detour.  While I enjoy cybersecurity and the challenges it brings, I had no idea 5 years ago I'd be in the role I am in today.  That's not to say that having a career plan is a bad thing. I simply find that reality diverges from plans quickly and having too strict of a plan might prevent you from seizing a good opportunity. Will I be involved in cybersecurity five years from now?  I honestly don't know.

Was there anyone who has inspired or mentored you in your career? I've been lucky enough to have a number of people who inspired and mentored me throughout my career. 

While working at Avalara, a SaaS company providing sales and other tax calculation services, I had the opportunity to regularly work with their General Counsel. She taught me about navigating complex political landscapes, negotiation, when to be strong and when to be deferential, and so many other invaluable lessons that no one teaches you in business school.  She has continued to mentor me and provided career and personal guidance even after I left Avalara to join Amperity. I cannot emphasize how important a trusted mentor can be.

As part of my work with a local non-profit, I was introduced to a principal at Voya Financial who quickly became not only my financial advisor, but a trusted friend.  I am certainly not his largest investment portfolio or most important client but his mastery of relationships and ability to assess the big picture has always made me feel like I am worth 10x my actual value.  I have learned a lot about how to build trust and challenge people's beliefs from him, skills which are incredibly important to anyone in cybersecurity.

What do you feel is the most important aspect of your job? The most important aspect of any job, not just mine, is to understand business context.  Security and risk management are always and should be considered business enablers; there is no such thing as security for the sake of security and standing in the way of business decision makers is a surefire way to make yourself, your team, and your work irrelevant.  Every activity, investment, and decision must be made in the context of what impact it will have on the business' ability to deliver value to customers or differentiate from competitors.  That's not to say that security professionals should roll over in the face of a difficult decision where there is disagreement with the business. However, you have to be able to back up your position with measurable results. Take the time to establish relationships with the business early on and ensure they get the appropriate care and feeding to be maintained. The investments of time and effort will pay significant dividends later.

What metrics or KPIs do you use to measure security effectiveness? In the broadest terms, it is important to understand how effective your cybersecurity program should be versus how effective it is.  I find it very beneficial to adopt a maturity model (BSIMM, for example) for this so that you can identify the largest deltas, put programs and projects in place to close them, then measure the actual maturity improvement versus expected. Using something less quantifiable and more qualifiable may feel a bit of a cheat. However, I would argue this approach helps drive the right activities.  At the more operational level, patching, configuration and change management, code coverage and QA processes are all much more quantifiable and should have established targets, but if done purely in isolation without the bigger picture, they will give you a very false sense of security.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Yes, it is absolutely affecting Amperity.  There are simply not enough people to fill the open positions with the right skill sets.  This drives us to take an approach of finding individuals with the right interest, attitude, and aptitude, and invest in getting them the skills they need.  Investing in and developing people is a leader's most important obligation, so I fully support this. However, it does draw out the time to fill important positions.  It also affects us when we hire for non-security positions as getting engineers, operations, and other positions the security skills necessary to do their day job also requires training and investment.

Cybersecurity is constantly changing - how do you keep learning?  First and foremost, through my network of peers, pen testers, and researchers.  An established network is the best way to keep abreast of broader topics, but also those things specific to your industry and service.  I also read, a lot.  Pretty much anything I can get my hands on as it relates to research, attacks, etc.  You also shouldn't discount the government.  Have a discussion with your local FBI office, explain what you do and how, and ensure they have the appropriate contact information.  They have insight into a lot of goings on that no one else does and even though they might not be able to share details, they can often give you good intelligence on attacks, approaches, or indicators of compromise.

What conferences are on your must-attend list? Most conferences have become much too commercial for me to consider as something you must attend.  Instead of making a blanket recommendation, I would suggest you find something to connect you to your local cybersecurity and technical community.  In the Midwest, where I spent much of my career, I attended THAT Conference and was never disappointed — even though the focus was not purely security.

What is the best current trend in cybersecurity? The worst?  One of the best trends I have seen is the explosion of new approaches and solutions to issues and the integrated nature they take on.  A simple example is comparing endpoint protection and firewalls ten years ago — when everything operated in silos — to solutions today where an endpoint can signal a firewall to block connections once a threat is detected and vice-versa.  Tightly coupling point solutions is a force multiplier for security teams that are generally stretched thin.

The worst trend I see today is a lack of information sharing and communication between organizations.  Everyone is under attack.  Everyone has experienced cybersecurity incidents.  Establishing an environment where people can share information with their peers should be at the top of the list for every CISO and security team.

What's the best career advice you ever received? Many years ago, as I was taking on my first leadership position, my father told me to hire and surround myself with people who are smarter than me.  While that is a bit cliché, it has served me well.  It's important to accept there will always be people who are better than you at everything and not be threatened.  Take the opportunity to be challenged and learn from them.

What advice would you give to aspiring security leaders?  First, the solution to your problems is not another tool or piece of hardware or software, it is people.  Find the best ones, hire them, build a network, invest in them, grow them, even if that means building them up to where they ultimately leave your organization to pursue a new challenge elsewhere.  Their loyalty cannot be bought but can be earned, and there is no better referral than that which comes from someone you helped develop the career of.

Second, be honest and transparent.  If you have to implement a new control because of a regulatory requirement but it does nothing in the way of actual security, admit that. Don't try to justify it in any other way. 

Third, never compromise your morals or ethics.  There is no deal worth lying for.  There is no job worth compromising who you are.  Cybersecurity operates in an environment of trust and once it's broken, it's nearly impossible to recover.

What has been your greatest career achievement? While I was running security for Avalara, a former employee attempted to extort money from the company by graffitiing and vandalizing our employees' homes and vehicles.  I spent months working with our GC, legal team, and private security initially, then the Seattle Police Department and FBI to model, identify, and ultimately catch him. Putting the skills of incident response, threat models, behavioral analysis, and social engineering to work in something much more concrete was deeply satisfying, particularly when you see the positive impact it had on the people who were directly affected.

Looking back with 20:20 hindsight, what would you have done differently? Certainly there are a lot of individual decisions I have made that were wrong. However, I wouldn't have done anything differently.  I learned from my mistakes and I wouldn't be who or where I am today without a few stumbles along the way.

What is your favorite quote? "Be careful who you make memories with. Those things can last a lifetime," Ugo Eze. It's a powerful statement wrapped up in a few words.

What are you reading now? The last notable book I read was Zen and the Art of Motorcycle Maintenance: An Inquiry Into Values by Robert M. Pirsig, a recommendation from a friend that I am very grateful for and what I consider to be one of the best, most insightful, and challenging books I've ever read. I'm currently reading Cryptonomicon by Neal Stephenson, which is quite relevant to my day job but not in any way academic.

In my spare time, I like to… Escape the city and head into the mountains. I enjoy backpacking, scrambling, and mixed alpine climbing; next up is vertical ice. I also enjoy cooking and can generally be found feeding my friends on a regular basis.

Most people don't know that I… Am very introverted. While I enjoy spending time with people and am not intimidated by the prospect of meeting and making new friends, it takes a lot of energy out of me.

Ask me to do anything but… Don't tell me how to do it.