Secret CSO: Chris Reffkin, Fortra

What advice would you give to aspiring security leaders? “Trust yourself, but do not hesitate to seek advice or acknowledge you don’t have an answer.”

Headshot of Chris Reffkin, CISO at Fortra

Name: Chris Reffkin

Organisation: Fortra, the new name for HelpSystems

Job title: CISO

Date started current role: August 2019

Location: Eden Prairie, MN, United States

Chris Reffkin is a Certified Information Systems Security Professional (CISSP) and has over 15 years of experience in cybersecurity risk management and governance. Reffkin has experience identifying and exploring digital risk exposure as well as implementing and overseeing security strategy for a myriad of top-tier organisations. Prior to Fortra, Reffkin managed cybersecurity risk consulting at Crowe. He also serves as Vice-Chair on the Industrial Advisory Council at Purdue University and is President of the Twin Cities Alumni Region for the Evans Scholars Foundation. Reffkin graduated from Purdue University with a Master of Science in Technology.

What was your first job? Technically, I was told that ‘school’ was my first job, but my actual first jobs were a golf caddy and a dishwasher at a diner, both of which I started around the same time. I managed to secure them thanks to some family friends who owned the diner and were members at a country club.

The most important skill I learned from my diner experience was how to deal with irate customers, while the country club taught me how not to be afraid to speak up. At the age of 15 you are expected to have the courage to tell a lawyer or a doctor they are holding their club wrong; however, it doesn’t come naturally to most. I left the diner when I started college, and caddied through high school and about once a year in college in pro-ams.

How did you get involved in cybersecurity? My life has always revolved around security. When I was at Purdue University, security was simply part of how to set up technical environments correctly. From there, I stumbled into an internship as a security consultant / penetration tester, and it went from there. That internship was almost 20 years ago, and all I remember is how competitive the interview process was. I wound up working for the same organisation after graduation.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science with Distinction in Network Engineering Technology and a Master of Science in Technology, both from Purdue University (Boiler Up!). I also hold a CISSP certification (Certified Information Systems Security Professional), which I obtained about 13 years ago. I believe university added to my capabilities in order to become a CISO, whilst the CISSP helped with a baseline of knowledge.

Explain your career path. Did you take any detours? If so, discuss. I didn’t take any real detours; however, I did get involved in entrepreneurial activities at Purdue. I was part of a project team that did software development. Together, we entered business case competitions and incorporated a company to commercialise the product. We ended up winning a competition, but I was never sure where I wanted to go with it after my studies.

Was there anyone who has inspired or mentored you in your career? My wife Cathleen - she’s always kept me honest, asked real questions, and always wanted to know if I was happy with what I was doing.

What do you feel is the most important aspect of your job? I think it’s about ‘bringing the calm’. There’s too much unchecked gloom and doom in security when in reality it should be fun, so I believe it’s much easier to remove emotions and speak to the facts. The security industry should be a guiding light rather than a harbinger of continued doom with no sign of relief. This is not intended to be a call to gloss over risks, but rather to be pragmatic with them, as well as with recommendations and reporting.

What metrics or KPIs do you use to measure security effectiveness? I always talk about processes and capabilities versus traditional metrics. Security is not a fixed state, so establishing meaningful metrics is a challenge for the industry. No one can predict when the next zero-day drops, so patch management isn’t a good indicator of how well your organisation will weather the next zero-day. However, knowing there are well-established, tested, and continuously improved processes to respond to the next zero-day is likely a better indicator of how well an organisation will fare.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I’ve been asking that question in different ways for some time. All roles are a challenge to fill; however, what I’m seeing within my team is a flood of candidates that would like to join the industry but do not have the requisite education, experience, skills or even a genuine interest. We also find it very difficult to get the right mix of experience; we tend to find folks that are too junior or too senior in their experience, where we have a need for a mix of somewhere in between.

Cybersecurity is constantly changing – how do you keep learning? I continuously ask questions. There are a lot of podcasts and publications available; however, I prefer to listen to or read from current/former security professionals. My ideal preference is to talk with peers in the industry to find out what they are seeing or hearing from their networks, clients, or even in their organisations.

What conferences are on your must-attend list? None. Conferences serve a specific purpose but, in my opinion, they’re generally more for social and entertainment benefit. DEF CON, though, is always beneficial, and I can honestly say I learned a lot. It has opened my eyes and has been a fun experience (Spot the Fed!).

What is the best current trend in cybersecurity? The worst? The increased involvement, or at least increased advocacy for Board involvement, in the oversight of cybersecurity is the best. By bringing security to the Board, management can affirm the course and direction of the security programme, while the Board can assess its risk appetite and expectations for investments and progress.

The worst trend has to be overlooking security 101, or the ‘basics’. There will always be new challenges and solutions that lie ahead, but you can never forget about your foundation. Organisations need to evaluate their business operations, workforce arrangements, and technology services, and develop an iterative roadmap to follow for their cybersecurity programme.

Every organisation also needs to have basics such as good identity and account management practices, privileged account management, strong authentication, and good vulnerability management (e.g. continuous vulnerability monitoring and patch management). This also includes establishing partnerships with other functional areas such as IT and HR that are inherently involved with the same areas as the security programme, but in different ways.

What's the best career advice you ever received? That’s a tough one, but the best advice that stuck with me was ‘if you like 70% to 80% of your job, you have it pretty good’. All jobs have aspects you may not like to do, but no job will ever be perfect. It helped remind me that the grass is not always greener in another role/company when I encounter something I don’t particularly want to do in my current role.

What advice would you give to aspiring security leaders? Trust yourself, but do not hesitate to seek advice or acknowledge you don’t have an answer. Bring the calm, and stay aligned to the business needs.

What has been your greatest career achievement? My biggest achievement is figuring out how to spend more time with my family while being successful at work. In order to stay successful with this, I’m constantly reminding and encouraging everyone around me to do the same. In the end, we’re all reminding each other about it.

Looking back with 20:20 hindsight, what would you have done differently? I’ll be quite bold to say that I wouldn’t change a thing. I’m very content with where I am today.

What is your favourite quote? There are so many quotes that I reference regularly. The one I don’t quote regularly but think of often is ‘speak softly and carry a big stick; you will go far’ by Theodore Roosevelt. It always reminds me to be focused, and speak with purpose.

What are you reading now? Lately I’ve been focusing on reading about global business and current geopolitical events - the Wall Street Journal is my go-to for this. This helps me with putting security into business context and gives me topics to think about that naturally wouldn’t have occurred to me.

In my spare time, I like to… Spend time with my family. I’m involved with my kids' sports activities, helping coaching or chauffeuring them around. This helps me balance life and work.

Most people don't know that I… cooked burgers, caddied for professional golfers, and even dumpster-dived for work!

Ask me to do anything but… Go through the recruiting process to hire additional headcount for the team. Don’t get me wrong, I used to really enjoy recruiting; however, philosophies related to compensation, negotiations, and the accelerating expectations of candidates have definitely changed the experience of recruiting.