Secret CSO: David Levine, Ricoh USA, Inc.

Name: David Levine

Organisation: Ricoh USA, Inc.

Job title: Vice President of Corporate and Information Security & CSO, CISM

Date started current role: November 2018

Location: Lawrenceville, Georgia

David Levine is Vice President of Corporate and Information Security & CSO for digital services and information management provider, Ricoh USA, Inc. In this role, he has responsibility for operational security, security strategy, security policy, corporate and physical security, trade compliance, access management, eDiscovery and litigation support and some compliance functions. Levine chairs Ricoh’s Security Advisory Council and leads Ricoh’s Global Virtual Security team and is routinely engaged in customer opportunities to discuss risk and security. Levine is a member of Forrester Research’s Security & Risk Leadership Board, the FBI’s InfraGard Program and is an Atlanta Governing Body Co-Chair with EVANTA.

What was your first job? I started my career as a professional photographer before heading back to school to get a degree in Management Information Systems with minors in Computer Science and Business Management. My first job post-graduation was for a systems integrator in Tampa Fla. On my first day, I was given a dot matrix printer and told to “fix it” and I clearly recall wondering what I got myself into. 

How did you get involved in cybersecurity? I found my interest gravitating toward all things security when I headed up the infrastructure team at Ricoh. I enjoyed working with our sales team on helping them educate customers – and close deals – based on helping customers with their individual security needs and challenges. Given the uptick in the need for all companies to place a higher prioritisation on cybersecurity, I soon realised we needed information security to be its own department at Ricoh, and fortunately, leadership supported my vision for the team, which is how I came into the role of CISO/CSO.

What was your education? Do you hold any certifications? What are they? Bachelor’s degree in information systems with minors in computer science and business from Eckerd College; Harvard Business Publishing leadership development program. My certifications are: Certified Information Security Manager (CISM), ISACA; Six Sigma Black Belt.

Explain your career path. Did you take any detours? If so, discuss. Aside from my initial career as a photographer, the one detour I took later on in my career was to move out of the IT department and participate in our company’s Six Sigma program. I became a Green Belt, then a Black Belt and Green Belt instructor. I really enjoyed the program and projects, which gave me a broader sense of different parts of the business and made key contacts within the business that still pays dividends. However, eventually, I found my way back to technology taking the role of vice president of infrastructure and end user services at Ricoh. As mentioned above, it was in this role I first became engrained in security, which was a blended function within infrastructure at the time.

Was there anyone who has inspired or mentored you in your career?  I have had some great mentors along the way ranging from those I reported to in addition to co-workers and associates.

What do you feel is the most important aspect of your job? My primary mission is to protect our company, employees and customers. I work to achieve this mission daily by having good clear communication, alignment with the business, and always looking for ways to help each of these audiences achieve their goals, while not compromising security.

What metrics or KPIs do you use to measure security effectiveness? This is always an interesting topic. Some of the things we track range from our maturity compared to our goals and peers, number and severity of incidents, key projects supported, phishing testing effectiveness, vulnerability and patching volume and timelines. Metrics and KPIs can vary widely depending on several factors including the maturity of the program and audience. If I am communicating with senior leadership, the information will be at a higher level and presented in a way that is meaningful to them. If I am communicating with operational teams, the metrics will be more detailed and technical. I also do not think there is a single set of universal metrics that works for all companies. The company’s goals, mission and maturity also play a factor in what you track and report.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At Ricoh, we’ve been fortunate to have both internal recruitment and intern programs. Both of these initiatives have helped us keep a dedicated security team where employees grow into their careers at Ricoh. Perhaps because I took a non-traditional career path, but to me, I’m more interested in finding people who are dedicated and have a passion for learning versus finding those with a list of existing achievements we need to fill a role. It’s been very rewarding to see our team grow into roles, which today would be difficult to fill as there is no doubt a shortage. Referrals and good networking also go a long way in helping identify good candidates.

Cybersecurity is constantly changing – how do you keep learning? I’m a strong proponent for peer learning. Finding opportunities to talk and discuss challenges with fellow CSOs is invaluable. I’m very active in my local CISO community and also enjoy meeting up with peers around the country in virtual events or – when we can return to them – in-person gatherings. There’s always more to learn and learning by example and best practices from others who have tackled a particular challenge is one of the best ways to continue to grow and stay abreast of the latest cybersecurity challenges. In addition, I’m always keeping an eye on daily news feeds, the latest threat intelligence reports and attending webinars.

What conferences are on your must-attend list? This year clearly changed dramatically the way in which we attend conferences. The upside, with everything being virtual, I was able to attend many more than I would have normally. The obvious downside is you miss all the in-person interaction and impromptu conversations, which honestly are sometimes the best! Being part of Forrester’s Risk and Leadership council, I always try and attend at least one conference. There is always great access to analysts and a strong peer group. I was also fortunate to attend a European conference last year in Switzerland and that provided great insight into their views and priorities.

What is the best current trend in cybersecurity? The worst? The best trend? Better tools and continued collaboration and information sharing come to mind. I’m not sure if this qualifies as worst per se, but tool overlap from the standpoint of major partners continuing to make acquisitions to broaden their portfolios can be a challenge. For example, I can purchase cloud access security broker (CASB) functionality from a wide array of sources that we already leverage. In some cases, we would be better served with good interoperability as opposed to another solution. Also, ongoing ransomware attacks and breaches have to make the worst list.

What's the best career advice you ever received? “Your career is your responsibility.”

What advice would you give to aspiring security leaders? Do not just focus on the technical aspects of the role. Today, the soft skills are just, if not more important, in some cases. Being able to communicate effectively, write and present well, will be of tremendous help. To move forward in any business function, it has never been more important to be agile. This is particularly true in security as in most cases we can’t predict when the next security threat will hit, just that it will. Being flexible and willing to collaborate with and work effectively with the business will help ensure your success.  

What has been your greatest career achievement? Building our security program and team from the ground up would have to take the top spot!

Looking back with 20:20 hindsight, what would you have done differently? Great question! There are always things I would do differently given the opportunity. Perhaps, even more relationship building and helping ensure a more structured communication cadence with leadership throughout the company. Strong working relationships will never serve you wrong, and can make a significant difference in helping achieve both individual and company goals.