Secret CSO: J.R. Cunningham, Nuspire

What do you feel is the most important aspect of your job? "It’s really an interesting multi-faceted profession. It’s an engineering discipline that requires a focus on people—I love that combination."


Name: J.R. Cunningham

Organisation: Nuspire

Job title: Chief Security Officer

Date started current role: February 2021

Location: Michigan

An accomplished leader, innovator and premier thinker in cyber security and risk management with a proven track record of success, J.R. Cunningham has performed executive consulting, architecture, and assessment work across the globe and in a wide variety of industries including manufacturing, insurance, healthcare, education, intelligence community, retail, and government. Prior to joining Nuspire, Cunningham built and led industry-respected executive consulting practices for Optiv & Herjavec Group. Cunningham is known throughout the industry as an evangelist of practical and business-aligned security techniques. Prior to his work in security and risk, Cunningham directed technology operations at, one of the world’s most visited web sites.

What was your first job? In middle school between 6th and 7th grade I worked for a man who sanded and refinished hardwood floors in old houses. My job was to wrap a toothbrush in sandpaper and sand the corners and edges of the floors where the sanding machines couldn’t reach. It was hard work.

How did you get involved in cybersecurity? Somewhat by accident; there really wasn’t a cybersecurity industry or profession when I got started in Information Technology. One day a shipment of networking equipment came into the company I was working for and there was a device called a Firewall. I volunteered to learn about it and enjoyed it. About that time there was the emergence of viruses, and later what we called “worms”, and I just kept learning about these things and how to defend against them. Later we started to see regulatory standards like FISMA and PCI come about, and I think the combination of technology & these standards was really the true beginning of what we call the cybersecurity industry today.

What was your education? Do you hold any certifications? What are they? I do not have a college degree, and over the years I have chosen not to pursue cyber certifications, deliberately so. When I started in IT/Cybersecurity, there really wasn’t a curriculum for the profession. The only degree program was Computer Science. As a result, most of the original cybersecurity practitioners had to learn the trade as it developed. Today our profession has a multitude of specialities, each of which has its own set of certifications and educational curriculum. One of my greatest frustrations in our profession is how many people hold certifications and yet don’t really know how to do the job. Many of our professional certifications are an exercise in memorisation, and unlike the legal or medical professions, we’ve never really developed a professional standards or accreditation body to determine if someone is credible in our industry. It’s a big problem.

Explain your career path. Did you take any detours? If so, discuss. While I’ve been focused on cybersecurity my entire career, I’ve had a variety of roles within our profession. I once was asked to lead a sales team, which I had never done before. That was quite a challenge, but it gave me great respect for what salespeople have to do to succeed. I’ve had roles in security architecture, penetration testing, privacy, consulting, and a few others. I’ve had the good fortune of being one of the few security leaders who has broken into a bank, led a sales team, been awarded a patent for a technology, led a consulting team, and been a Chief Security Officer. Part of what makes our industry so fascinating is that new challenges emerge regularly and sometimes the first person to step forward gets the chance to become knowledgeable in that area. I guess I’ve always raised my hand when new challenges emerged and I believe it made me a better and more holistic practitioner.

My first role as a CISO was a virtual CISO for a client that I had worked with for a while and needed a security leader. They asked if I would step into the role temporarily while they searched for a CISO. I had that role for three years, and it was really the first time I had interacted with boards, insurance companies, lawyers, and non-security business executives. I had to learn, quickly, how to talk about security with people who knew little or nothing about our profession. I learned to not use acronyms, explain why I was doing what I was doing, and also to report back on how successfully I delivered on what I promised I would deliver. Very few careers could present the opportunities to be a “Swiss Army Knife” like cybersecurity.

Was there anyone who has inspired or mentored you in your career? I think anybody that’s been in the profession for decades has a very long list of people who have helped or inspired us along our journey. I’ve been very fortunate to have been around many very wise, smart, kind, and generous people who have given something to me that’s helped me in my career. I sure hope I do the same for others during their journey.

What do you feel is the most important aspect of your job? It’s really an interesting multi-faceted profession. It’s an engineering discipline that requires a focus on people—I love that combination.

What metrics or KPIs do you use to measure security effectiveness? This is a complex topic that our entire industry struggles with. At the end of the day, the most important thing to me if I’m measuring something is that I can impact it with a decision. I avoid measuring things I cannot control or that are not actionable. We have a lot of noise in our industry, and measuring things that are uncontrollable contributes to the noise. For example, many companies measure how many critical vulnerabilities they have at a given point in time. But if on Monday I have zero and on Tuesday I have a thousand, does that mean I’m doing a bad job or does that mean the bad guys were busy on Monday night? Instead, I’d rather measure how many critical vulnerabilities I have that are over 7 days old, because now I can affect the outcome. If I’m not patching within my window, is it because I don’t have enough resources? Is my policy too restrictive? I can make decisions to impact that situation. I measure what I can control.
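The point-in-time count versus the over-7-days metric, worked through as an added example (this is not code from the interview or from Nuspire). It assumes a scanner export with a first-seen and optional fixed date per finding; the hosts, identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 7  # patch window from the interview: criticals older than this are actionable


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # constructed placeholder ids, not real advisories
    severity: str
    first_seen: date
    fixed: Optional[date] = None


def open_criticals(findings, today):
    """Raw point-in-time number: every critical finding still open on `today`."""
    return [f for f in findings
            if f.severity == "critical" and f.first_seen <= today
            and (f.fixed is None or f.fixed > today)]


def criticals_over_sla(findings, today, sla_days=SLA_DAYS):
    """Actionable KPI: open criticals whose age on `today` exceeds the patch window."""
    return [f for f in open_criticals(findings, today)
            if (today - f.first_seen).days > sla_days]


def sla_report(findings, today, sla_days=SLA_DAYS):
    """Both numbers side by side, plus the share of criticals outside the window."""
    total = len(open_criticals(findings, today))
    late = len(criticals_over_sla(findings, today, sla_days))
    return {"open_critical": total, "over_sla": late,
            "pct_over_sla": round(100 * late / total, 1) if total else 0.0}


# Constructed sample: a new advisory lands Monday night and shows up on four hosts
# Tuesday; two get patched inside the window, two are still open ten days later.
MONDAY = date(2021, 3, 1)
TUESDAY = MONDAY + timedelta(days=1)
TEN_DAYS_LATER = MONDAY + timedelta(days=10)
SAMPLE = [
    Finding("web-01", "VULN-001", "critical", TUESDAY, fixed=MONDAY + timedelta(days=4)),
    Finding("web-02", "VULN-001", "critical", TUESDAY, fixed=MONDAY + timedelta(days=6)),
    Finding("db-01", "VULN-001", "critical", TUESDAY),
    Finding("legacy-07", "VULN-001", "critical", TUESDAY),
    Finding("web-01", "VULN-002", "high", MONDAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for day in (MONDAY, TUESDAY, TEN_DAYS_LATER):
        print(day, sla_report(SAMPLE, day))
```

On Tuesday the raw count jumps from 0 to 4 while the over-SLA figure stays at 0; ten days on, the two hosts nobody patched are the only number left, and that is the one a decision can change.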

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The talent shortage is very real and it impacts everything we do. Consulting engagements have longer lead times, deployments of technology take longer, and talent is far more expensive than ever before. The entire calculus of what a CSO should do internally versus source to a partner has changed as a result. I think we’re all learning how to be honest with ourselves regarding what we can do internally and where we need outside help.

Cybersecurity is constantly changing – how do you keep learning? This is the core of our profession—it’s not a job, it’s a vocation. Anybody who wants a static, monotonous, non-changing work environment should avoid cybersecurity. This profession requires a lifelong commitment to learning and adaptation. There’s no room for curmudgeons in our profession; the moment you fold your arms and stop learning, your effectiveness in our profession comes to an end. For me, engaging directly with our clients in the field is my number one way of keeping the edge. Understanding what their problems are, what their struggles are, what’s top of mind for them becomes what I try to learn the most about. I avoid, to the extent that I can, the product company narratives on problem statements, and prefer independent writers, security trade publications, and direct client feedback. My peers are also a great resource, and many great learnings come from asking my industry peers what their perspective is on a particular topic. I’m always humbled by how much institutional knowledge our industry has and how willing we are to share.

What conferences are on your must-attend list? I enjoy the Gartner Security & Risk Management conference, RSA, BlackHat, and DefCon. Each has its own value, but my favorite part of them is being with my industry peers. I really miss the in-person conferences and found them to be much more valuable than the virtual ones.

What is the best current trend in cybersecurity? The worst? I think the best trend is that we are better at collaborating and sharing information amongst ourselves than we ever have been. We’ve learned that the competition is really not the other company down the street, but advanced criminal enterprises, and we need to help each other out. That’s been a fantastic evolution of our profession. The worst is that we have a lot of people in our industry who are attracted to the paycheck but really don’t have a passion for cybersecurity. We have a poser problem in our industry and companies suffer when they hire cybersecurity people who really aren’t passionate or knowledgeable. I wrote an article on LinkedIn regarding this issue.

What's the best career advice you ever received? It came from my grandmother, who would say, “Don’t just stand there, do something!” She had no tolerance for standing around or being lazy. Whenever I find myself being simply an observer, I can hear her in the back of my mind saying, “do something”. I always err on the side of action, and if I act and make a mistake, I’ll take another action to correct it. The same is true for decision making; I don’t suffer from analysis paralysis or indecisiveness. If I make a decision and it’s wrong, I’ll just make another decision to correct for that mistake. Progress requires action.

What advice would you give to aspiring security leaders? It is an extremely rewarding career if you give it your best. Don’t get overwhelmed by the complexity of it—it’s ok to not have all the answers. Assume the best in your peers and treat it like a journey rather than something to conquer, because it truly is a dynamic profession and the day-to-day is the reward versus trying to score a “win”.

What has been your greatest career achievement? To quote a scouting analogy, I’ve left every campsite better than I found it. I’ve consulted with hundreds of companies over the decades, mentored dozens of cybersecurity professionals, and made some fantastic lifelong friends. I think my legacy is that I gave my best to all of those relationships and left something of myself with every interaction. I’ve not always had perfect results and have certainly made my share of mistakes, but I’m proud of the fact that I have always given it my everything in whatever I did.

Looking back with 20:20 hindsight, what would you have done differently? Early in my career I was very arrogant and had this belief that I had to be the smartest person in the room. In hindsight, if I had started my career with a good dose of humility, kindness, and compassion I would have been much more effective much earlier in my career. I stomped on some people earlier in my career who didn’t deserve it and I certainly would undo that if I could.

What is your favourite quote? I have two: “All the darkness in the world cannot extinguish the light of a single candle.” – Francis of Assisi. And “We cannot do everything at once, but we can do something at once.” – Calvin Coolidge.

What are you reading now? My goal, which I don’t always succeed at, is to read four books a week. I generally rotate between history books, biographies, technical books, theology, and business. I’m not big into fiction books, as I find the real world far more interesting than anything that’s made up.

In my spare time, I like to… I make maple syrup in the spring and I love to cook.

Most people don't know that I… Hold the highest amateur radio operator license (Amateur Extra) and have bounced a radio signal off the moon and back to earth.

Ask me to do anything but… Play the piano (or any other musical instrument). I love music but have failed at every attempt at learning to play an instrument.