Secret CSO: Terence Runge, Reltio

Name: Terence Runge

Organisation: Reltio

Job title: CISO

Date started current role: May 2019

Location: Lakeway, TX

Terence Runge, the new CISO at Reltio, brings more than 20 years’ security best practices experience in high tech, cloud services, and software development. In his new role, Runge is responsible for leading the security and compliance teams at Reltio, and ensures best-in-class security processes and technologies are used in Development Security Operations and Application Security. He previously held senior security roles at Salesforce, Symantec, Illumio, Blackbaud, and Guidewire.

What was your first job? My first information security job was as a Security Analyst with a startup during the dot com era. I spent my early years focused on building and operating intrusion detection and prevention systems as a layer of security to detect and fend off denial of service attacks, botnets, worms, viruses, spammers, and zombies.

How did you get involved in cybersecurity? Similar to most of the experienced CISOs I know, cybersecurity found me. I started in a physical security role, where I learned how to manage diverse teams and was intrigued by the complexity of security systems. Over time my responsibilities kept expanding from basic networking to account administration, access controls to business information systems, and usage auditing. As network computing became more pervasive, I became more interested in security controls such as network firewalls and antivirus software. As a result, I’m always looking for new ways to secure the network and enable business users to safely do what they need to do.

And that brings me to why I joined Reltio. First was the vision and innovative technology. In the experience economy, companies need to understand their customers better than anyone else and that's what Reltio is in the business of delivering securely. Reltio Cloud is an agile, scalable and smart master data management solution that builds rich, compliant, and actionable customer relationship profiles for innovative companies that are undergoing digital transformations and focused on delivering exceptional customer experiences while meeting compliance requirements. Second was the impressive Global 2000 customer list who trust Reltio Cloud, including 8 of the top 10 pharmaceutical companies and 3 top luxury brands. Third was the CEO's personal passion for security and his view that security is strategic, and a critical component of Reltio Cloud. Even though I’ve only been here a short time, I believe Reltio has a bright future and I know I can make a significant impact on the company and my career by joining.

What was your education? Do you hold any certifications? What are they? I hold CISSP-ISSMP certification from ISC2. I also completed advanced coursework at the SANS Institute and Stanford University.

Explain your career path. Did you take any detours? If so, discuss. To be honest, there haven’t been any detours--I love working in this field. It’s challenging and dynamic. I’m constantly learning and developing my skills and expertise. Reltio offers the perfect environment for me: I lead the highly skilled and dedicated security and compliance teams, and drive the integration of best-in-class security technologies and processes to help more companies manage the data that matters most to their businesses. And the customer experience landscape is evolving quickly. Our customers are dealing with a deluge of information. Having the data they need to deliver hyper-personalised experiences in real time across all channels is a powerful advantage in the experience economy. It’s exciting to play a role in helping our customers excel in customer experience so they build more loyalty and separate themselves from their competition.

Was there anyone who has inspired or mentored you in your career? I’ve been fortunate to have many inspiring leaders who have helped me grow and who played an influential role in shaping my career. Most notably, the late Omar Ahmad, the talented co-founder and CEO of LogicTier and Napster. Omar helped me understand the business innovation in Silicon Valley and the value of measured risk.

Bruce Schneier also significantly influenced me - albeit entirely by accident. I enjoyed the challenge cryptograms posed and decided to search the circa 1999 internet for ones I could complete online. I came across Bruce Schneier’s Crypto-Gram monthly newsletter, read it, then angrily sent him a nasty message since there was no actual cryptogram in the newsletter. Bruce responded to explain the purpose of his newsletter and encouraged me to subscribe. I did and became consumed by the information contained in his newsletters. Indirectly, his writings influenced my own newly forming opinions of security and certainly made me paranoid and curious, both great traits for a security professional. A few years later while I was working as a security engineer at a dotcom startup, I was invited to an event where I had the opportunity to meet Bruce. He gave me a signed copy of his first book with a hand-written a simple puzzle, which had a big impact on me. I still read his newsletters today. His work is timeless.  

What do you feel is the most important aspect of your job? For a CIOS, the #1 goal is to build trust. I feel proud to have built trusted relationships with colleagues, partners and customers.

What metrics or KPIs do you use to measure security effectiveness? Coverage and efficacy are two critical measures I apply to people, process, and technology. Four questions I often ask are:

• Do we have the right people?
• Are they qualified?
• Are our controls applied appropriately?
• Do our technical controls actually work?

It is not unusual for me to challenge whether we really know what is going on at any particular moment. I especially like to ask this during a highly covert red team exercise.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Everyone feels the pain of the security skills shortage. Some security requisitions are open for several years. In fact, some of our competitors don’t even have a CISO in place right now. At Reltio, we’re fortunate to have a fully staffed security team working hard to make sure Reltio Cloud and all customer data is secure.

Cybersecurity is constantly changing – how do you keep learning? It’s a combination of information sharing, side projects, and public speaking. I am also getting more involved with the Cyber Security program at Merritt College in Oakland, CA, and hope to continue to learn while educating others. Most of all, it’s vital to have colleagues learning with you, and that’s what we have at Reltio. 

What conferences are on your must-attend list? The RSA Conference has been on my “must attend” list for two decades. Other events I recommend are OWASP’s Hacker Thursday and ISC2 Chapter Meetings. Lastly, SXSW in Austin, TX, has a growing number of outstanding speakers and events focused on Cyber Security.

What is the best current trend in cybersecurity? The worst? Working to solve problems collectively across companies is a fantastic trend. The mission of the security organisation now is to build and ship secure products with velocity while protecting the critical customer-facing production and corporate infrastructure. The CISO drives the technical vision and execution while building a strong security DNA throughout the organisation. The worst trend I’ve seen recently is vendor bashing or public shaming of CISOs after a breach.

What's the best career advice you ever received? Don’t set the bar to “perfect”. There is no perfect security. All you can do is your best work.

What advice would you give to aspiring security leaders? I have three pieces of advice to share:

• Never lose sight of your technical skills.
• Never compromise your integrity.
• Always give back to the community.

What has been your greatest career achievement? My greatest career achievement has been the development of long lasting and meaningful relationships with many of the people I have worked with. My network is my greatest source of news and information.

Looking back with 20:20 hindsight, what would you have done differently? I would have created strict timeframes for myself to determine whether to stay with a company or resign if my approach to the job didn’t fit well within the expectations of management. As an example, my last job at a security startup was disappointing as I quickly realised that the job was very tactical. This was concerning since I knew that going tactical without establishing a strategic position first would be a death blow. I communicated this to my manager who agreed yet offered no solution. During my third month, I stated that if I continued to remain tactical for much longer, I would never be able to recover.

Twelve months later, I found myself working tactically for 12-16 hours a day, 6-7 days a week. When I later took 3 days off for medical reasons, I was on customer calls just hours after surgery. Looking back, I would have drawn a line in the sand and made a time-bound decision to remain with the company or resign. In my opinion, going tactical as a security leader is sometimes necessary but should never stand in the way of developing a strategy and road map. Employers who don't understand or support that are likely led by an inexperienced C-suite who remain tactical themselves.