Secret CSO: Ryan Gurney, Looker

Secret CSO: Ryan Gurney, Looker

Name: Ryan Gurney

Company: Looker

Job title: Chief Security Officer

Time in current role: Since May 2017

Location: Santa Cruz, California

Ryan Gurney is Looker's Chief Security Officer (CSO), having joined in May 2017. He is charged with maturing Looker's security and compliance programmes. Prior to Looker, Gurney was the VP of Security at Zendesk, where he grew its programme from two people to eighteen, globally, and assisted with the company's IPO. Beyond building security and compliance, Gurney has also managed IT and led large security audit consulting engagements while at PwC.

What was your first job? I landed my first job at fourteen pumping customer's gas at my local gas station. It wasn't glamorous, but I got to meet a lot of people, and was just happy to have a job. Oh, and I got to have this cool looking gas attendant shirt with my name etched on it.

How did you get involved in cybersecurity? In college, we had a former student who came to talk to our Information Systems class about his career. He worked for one of the Big Four accounting firms doing security work. He talked about all this neat stuff he did like dumpster diving, social engineering, penetration testing, and I was hooked. In High School, I applied for every security internship I could find. I eventually landed one at PwC in San Francisco, but ended up turning it down, mainly because I had a great paying part-time dot com job. I told them if they gave me a full-time offer for when I graduated, I would accept. Shockingly they did.

What was your education? Do you hold any certifications? What are they? I received my Bachelors of Science, with an emphasis in Information Systems. I hold a couple certifications including the CISA and the CISSP.

Explain your career path. Did you take any detours? If so, discuss. I took many detours before college (construction worker and delivery driver, to name a few) but after college it was plain sailing. Despite this, my security career has really changed over the years. For example, for the last eight years I have been in security leadership roles at Engine Yard, Zendesk, and now Looker.

Was there anyone who has inspired or mentored you in your career? There have been so many. Starting my career at a large, professional services company allowed me to take advantage of established programmes, and I benefited from having an official coach and buddy to shepherd me along. I owe a lot to those great role models I had while at PwC. Additionally, I take a little bit away from everyone that I work with. In security, it is critical to be highly collaborative to get things done. I have enjoyed many of those interactions over my career, and owe a lot of my success to my team and other business leaders who allowed change to happen.

What do you feel is the most important aspect of your job? Finding risk, educating on risk, and driving change to reduce risk. It is important that I communicate to our leadership team on security risk so that management teams are not implicitly accepting risk. At Looker, this is done via a living risk register which my team maintains and a quarterly security steering committee which I chair.

What metrics or KPIs do you use to measure security effectiveness? The usual stuff, however, in security, you are never out of the woods, even if your numbers are great. At Looker, we track things like vulnerabilities, risks, audit findings and incidents.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Yes, I feel the security skills shortage is affecting all of us. I find that it is critical to spend a lot of time mining LinkedIn and tapping into personal networks to find key hires. By far, I find the hardest skills to recruit are those security engineers that have strong application security and threat modelling skills.

Cybersecurity is constantly changing - how do you keep learning? One of the best ways I have found to keep learning is to advise young security start-ups on their product and disruption angle in the market. This allows me to think deeper on a specific topic, and how I can bring additional innovation to the way we do security at Looker.

What conferences are on your must-attend list? I don't go to too many. For me it is primarily RSA since it is close to where I live and tends to be the best one to network at.

What is the best current trend in cybersecurity? The worst? The best current trend is all the different solutions attempting to use techniques such as machine learning and artificial intelligence to potentially deduce security issues faster, while also helping to try to mitigate the massive security talent shortage we have in the industry. The worst trend may be the general increase in heavy weight, inconsistent, and non-standard security questionnaires that vendors receive from their customers. I am hoping that a company will find a way to solve this time-consuming problem that exists.

What's the best career advice you ever received? I've received two great pieces of advice over the years and they are: believe that you work for the customer, and you will make the right security decisions. Also, just because it is hard does not mean it is not the right thing to do.

What advice would you give to aspiring security leaders? Be approachable. Seek feedback. Know how to articulate risk. Maintain integrity. It's an approach that's served me well.

What has been your greatest career achievement? For me, it has to be seeing former team members grow their career and become great leaders.

Looking back with 20:20 hindsight, what would you have done differently? I would have learned how to code.

What is your favorite quote?"I disapprove of what you say, but I will defend to the death your right to say it."

What are you reading now? Currently, Killing Reagan by Bill O'Reilly.

In my spare time, I like to… Play golf.

Most people don't know that I… Am an NFL owner. That's right. I own one whole share of the Green Bay Packers.

Ask me to do anything but… Put on a big social event.


« A chief data officer writes data primers for the rest of us


The CMO Files: Eva Tsai, Algolia »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?