Secret CSO: Robb Reck, Ping Identity

Name: Robb Reck

Organisation: Ping Identity

Job title: Chief information security officer

Date started current role: January 2016

Location: Denver CO

Robb Reck is Chief Information Security Officer at Ping Identity. A seasoned information security executive, Reck has a successful track record of managing and building information security programs across a range of industries. Most recently, he served as VP and CISO at a leading financial services company, Pulte Financial Services. In addition to his numerous security roles, Reck has held leadership positions with the Information Systems Security Association (ISSA) and currently serves as president of the Denver chapter, which he has grown into the largest ISSA chapter globally.

What was your first job? Depends how far back we want to go! I was lucky enough to have a job delivering newspapers on my bicycle in junior high, which provided baseball card money. That was immediately followed by busing tables for a restaurant near my house. My first job in technology was right after graduating from college. I worked for Electronic Arts doing technical support, answering calls from users who couldn't figure out how to get their video games to run on their PCs. I became a bona fide expert in installing sound and video card drivers.

How did you get involved in cybersecurity? Timing is everything in life. In about 2003 I worked as a network engineer for a natural gas company. They already had well-established folks supporting the most important systems, such as Active Directory and Exchange. But they needed someone to take on the new systems the business was looking for. These were systems like BlackBerry's Enterprise Server, the centralised enterprise wireless system and the new SSL VPN system. While I didn't know it when I signed up for this job, all of these new systems fit nicely into the category of security systems and set me up on a career as a security professional.

When I was ready to stop traveling quite so much, I left the gas company and moved to a SaaS organisation where I was able to focus much more on building a security program and getting the formal security training I would need for a career in the field.

What was your education? Do you hold any certifications? What are they? Believe it or not, I have a Bachelor's degree in History. I had realised even before graduating from college that my career was going to be in technology, so I made sure that I focused my skills and experience in that direction. As I made the move from traditional IT into security, I did study for and acquire several security certifications, including CISSP, CRISC and CCSK. Then when I was ready for another challenge, I decided to get my Master's degree. I spent a lot of time debating between a degree specific to security and a Master's in Business Administration. Based on the feedback I received from others in the field, I ended up pursuing and receiving an MBA. I am so thankful that I followed that path, as the MBA has made me so much more effective in my career—working with other leaders in the business, and in running my own department in a way that helps achieve success across the board.

Explain your career path. Did you take any detours? If so, discuss. Big picture, my career path is pretty standard. From tech support, to desktop support, to system admin, to security. But within that path, the key was always looking for ways to add new responsibilities within my job. I didn't jump to a new company when I wanted to make a change, I asked my boss to give me new, high value tasks within my current job, and then used that as a way to shape the next step in my career. Looking back it seems like a straight path, but going through the process, there was a ton of exploration and trial and error on the way.

Was there anyone who has inspired or mentored you in your career? I've had dozens of inspirations throughout my career, starting with my father, who taught me what hard work and commitment looked like. I don't recall ever seeing that man take a day off of work. Professionally, I've been blessed to have had a long string of great bosses. A favourite quote of mine, which I think back to often, was one shared with me by Mark Sanner, my boss for about four years at Triple Creek Associates. "You will have many chances to keep your mouth shut," he told me. "You should avail yourself of every one of them." No, Mark wasn't telling me to never talk, he was guiding me to use the opportunities I have to observe what's happening around me, gain situational awareness, let those around me share what's going on and use that information to provide the best possible solution to them. To this day, I leverage this advice to make sure I have fully listened to my stakeholders before I propose a security solution for them.

What do you feel is the most important aspect of your job? The most important thing I do is enable the people around me to do their jobs with less effort, less friction, and, critically, with less risk for our company. We do this by getting involved early in projects, making sure things are built right from the beginning (because re-work is not only expensive, it often doesn't actually work).

What metrics or KPIs do you use to measure security effectiveness? KPIs are going to be different for every business. But at Ping, my primary goals are to make sure that (1) we're delivering high quality software, (2) our SaaS environments are not only secured, but assured for our customers, and (3) we have removed as much security-related sales friction as possible.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Managing talent and people is difficult for everyone. However, I don't think of this as primarily a security skills shortage, as much as a technical skills shortage. If we had enough engineers who were knowledgeable on AWS, DevOps and coding, we could easily train a portion of those to move over to securing AWS. However, the skills gap on those fundamental areas makes it much tougher to find security people for those areas. We address this by creating a ladder of talent in our organisation. Yes, we have people who have a nice depth of skills in those areas, but we also hire more junior people in those areas, and we work aggressively to train them up, to create a brand new wave of experienced engineers.

Cybersecurity is constantly changing - how do you keep learning? Being involved in the community is critical. I meet with my peers a couple of times a month, and I even run a Colorado focused security podcast, Colorado = Security, which keeps me plugged in with everything happening in town.

What conferences are on your must-attend list? Identiverse has quickly become my favourite security conference. While I also enjoy RSA, Rocky Mountain Information Security Conference and Black Hat, Identiverse is a favourite of mine because it's so closely focused on just one part of security (Identity), which allows us to get much more technical and "in the weeds." This results in learnings that we can bring back to the office and implement in our own programs.

What is the best current trend in cybersecurity? The worst? Best: I am so excited to see the Zero Trust buzzword gaining traction. As long as we've had modern computer systems we have depended far too much on our network perimeters to protect them, and we've learned time and time again that it's not sufficient. Finally, the focus toward Zero Trust is giving us a new paradigm. I believe it's better and I'm glad to be a part of it.

Worst: Too many security leaders are overly influenced by vendor sales pitches and their promises that this new tool will <insert unsubstantiated claim here>. Effective security programs start with a strong mapping to a business need and repeatable and manageable processes—only then do they loop in a technology. 

What's the best career advice you ever received? Another from the very quotable Mark Sanner. "Don't be an asshole." Simple and easy to remember. I try incredibly hard to be kind to everyone I interact with. It's not always easy, especially as the security guy, but it's a very worthwhile goal.

What advice would you give to aspiring security leaders? Take the time today (seriously, do it as soon as possible) to figure out what it is you really want out of your career. Is it money? Respect from peers? Playing with new technology? A great work/life balance? Once you've figured out what you want, you can really start to create your own custom path to get there. Even companies that offer multiple paths to their employees are still only offering their interpretations of success, which will not be the same as your own. Really determining what you want from your career is critical to your own happiness and success. Otherwise you just get stuck on a ladder of someone else's creation, climbing to a place you probably don't want to be.

What has been your greatest career achievement? In 2018 I was named the CISO of the Year in Colorado, by the Colorado Technology Association. That was a tremendous honour and something I'm proud of. However, while that is objectively the nicest acknowledgement I have received, it's not the achievement of which I am most proud.

I'm most proud of the world-class security program we have built at Ping Identity. From a team of three in 2016 to our current team of 30, we have developed security practices that I would put against any company.

Looking back with 20:20 hindsight, what would you have done differently? Regret is an anchor that I try not to drop. However, I do believe firmly in lessons learned. Some of my best lessons learned:

Never present a fully baked solution to the IT folks. Bring them a problem and create the solution together. They will be much better partners if they are part of the solution creation.

Admit my mistakes early and publicly. Nobody respects blame shifting or ignoring. 

What is your favourite quote? There are so many great quotes I try to keep in mind. In addition to the one I shared above: "The best way to succeed in life is to act on the advice we give to others."

What are you reading now? I recently finished Seveneves, by Neal Stephenson, which I loved. I am in the middle of Originals: How Non-Conformists Move the World, by Adam Grant, The Real Internet of Things, by Daniel Miessler and Bleak House by Charles Dickens. I try to keep a variety of books going at any time.

In my spare time, I like to… I play competitive beach volleyball as much as I can. This is not especially easy to schedule, considering that I have two young boys to teach how to hack into things. My favourite activity right now is watching my boys develop entrepreneurial skills with their own (very small) businesses.

Most people don't know that I… Followed a girl to Colorado. I grew up right in the middle of all the tech giants in Silicon Valley. I never expected I would leave. However, when the right girl moved to Denver for school, I decided that a couple years in Colorado wouldn't be so bad. 18 years later, she and I have no intention to leave.

Ask me to do anything but… I once had a summer job doing inventory in a warehouse, where the job was weighing very small parts to count them. Once I had figured out how to enjoy that job, I think I can do any job.

