Fred Kwong: The Psychology of Being a CISO

Security Pro File: Fred Kwong learned people skills in the classroom and technical skills on the job. The former psychology major, now CISO at Delta Dental, shares his path to cybersecurity and how he applies his liberal arts background to his current role.

When Fred Kwong's friends had Nintendo game systems, his home had a PC. The household computer sparked an early interest in technology, which persisted throughout the long, winding, sometimes blocked road that eventually led to his role as CISO of Delta Dental.

"My educational background and my IT background are completely separate," Kwong notes. While he wanted to explore technology, finding an educational path was difficult. At the University of Madison he encountered a choice between two majors: computer science and computer engineering. "Neither was what I actually wanted to do," he adds.

As a student, Kwong learned programming languages like C++ and Fortran before deciding he was on the wrong track. "It drove me nuts," he says. "I did not want to spend the next 30 years of my life programming." He decided to take his tech education outside the classroom.

"All my IT learning has pretty much been the 'school of hard knocks,' or learning in the workplace," he explains, and he continued to take part-time classes at a technical college while supplementing them with various tech-focused roles.

Kwong got his start in IT at Sitel, a help desk outsourcing company where he answered about 80 calls per day for the AOL help desk. There, he learned about modems and discovered he enjoyed helping people get online. But after a couple of years, he once again felt he was in the wrong place. His self-guided education continued at Zurich Insurance, where he worked as a "cable monkey," learning networking and routing as part of the network team.

Zurich continued to be Kwong's main source of IT education as he resumed full-time classes at Roosevelt University, where his studies fell far outside the technology field.

An Unconventional Path

"I went back to school for things that interested me," says Kwong of his decision to double major in psychology and professional communications, partly inspired by his time in congressional debate as a high school student. "I wanted to learn about people — and what better way to learn about people than to study psychology?"

Kwong's first foray into technical education was an MBA with a concentration in MIS. It didn't take long for him to switch gears back into the psychology field. As he was finishing his MBA, a class in executive leadership inspired him to pursue his PhD in organizational development, where he found himself surrounded by a non-technical crowd.

"I was, quite honestly, a little bit intimidated at the time because I was in a room full of COOs and VPs of human resources, people who have pretty established careers," he recalls. "And there's me, this network engineer, in the PhD program, in a field that's completely unrelated to my work."

Kwong, sticking with the belief that effective communication would prove handy in any role, went on to complete his doctorate. A role as the network manager at Benedictine University introduced him to security. In addition to working on servers and telecommunications, he learned the ins and outs of firewalls and access control.

Source: Fred Kwong

He worked his way up the security ladder, first through Zurich; then CSC, where he was a network and data center manager; then US Cellular, where he was the senior infrastructure manager; and Farmers Insurance, where he built a privileged access management program and insider threat program. It was his last role before he had the opportunity to build security at Delta Dental.

Team Player

Kwong's psychology background has, as expected, proven handy in his security roles.

"I would say that I have a heightened sense of awareness of folks I deal with," he says. "A lot of times in the CISO role, it really is about building relationships and ensuring how to shift the culture or the organizations from one that's not necessarily security-minded to one that becomes security-minded."

This is especially difficult at Delta, which has 39 member organizations and a large board of directors. Kwong says getting everyone on board with security can be a challenge; after all, security isn't necessarily viewed as a revenue generator but often as a cost. All members have their own agenda, and he has to ensure security is part of each person's mission and objective.

It's a mindset he emphasizes across the company. Most breaches initially involve the human factor, he points out, and he has to change the mindset of employees to be security conscious.

"We do that via phishing campaigns, lunch and learns, having direct messaging that appeals to employees to secure themselves not only in the business but also at home," Kwong explains. "It's an emotional tie. We tie [security] to something that's tangible to them, not just in the business but for personal use … that really shifts the change in the culture."

When there is space open on his team, Kwong looks within the business. He built an internal program at US Cellular to help aspiring security professionals starting in low-level tech roles.

"We built a program where — and this is near and dear to my heart — help desk and desktop folks can intern with security folks to learn about security and see if it's a good career path for them," he explains, adding that many successful security pros come from different parts of IT.

For a month, interns learn about security tools and complete projects. If they are still interested in security at the end of the program, they can continue learning about it. When there is an opening in security, Kwong says, he can pull from an internal group of employees he knows has an interest in joining the team.

The internship program has since grown outside security to educate future employees for high-level IT roles in database management and networking, he adds.

Off the Clock

It's hard to believe Kwong has any free time outside his roles as CISO and adjunct professor at Roosevelt University, where he now teaches organizational behavior and organizational development. But when he does, he uses it for volunteer work — and occasional photo shoots.

"There are a couple of organizations I really like to work with," he says. Feed My Starving Children, which ships nutritional food to parts of the world without it, is one of them. Kwong says he puts together bundles of food, donates, and recruits people to help out.

Habitat for Humanity is another: Kwong enjoys volunteering with the organization and building homes in the Chicago area. "I like working with my hands," he continues. "Plumbing, dry walling, all that fun stuff."

Wedding photography is another favorite hobby and he enjoys snapping photos at occasional events for family and friends. Photography is fun, he says, but not always simple. It's easy to take pictures of stuff when you have time to set it up. It's harder at a wedding, when things are moving and you need to snap the right shot at the right time.

Kwong is modest about his work — "I don't consider myself that good, quite honestly, and I feel like it's a really hard craft," he says — but his subjects seem to be big fans.

"I guess the best compliment I've gotten is, there have been times when people said 'I wish we just hired you to be our photographer!'" he says. "It's nice to hear."

Personality Bytes

Worst day ever at work: 9/11/01 — my parents were both on separate planes that day, unsure of their fate.

First hack: Turned an old office chair into a swiveling TV stand

What your coworkers don't know about you that would surprise them: Used to be an avid poker player

Security must-haves: Security awareness training, access control governance, vulnerability management

Business hours: Don't apply in security

What keeps you up at night: Becoming the fall guy for a breach

Fun fact: Birds don't urinate

Favorite hangout: Home

Comfort food: Ground beef and rice bowl

What's in your music playlist right now: Billy Joel

What kind of car do you drive: Lexus RX 350

Favorite thing to do after a long day: Netflix binge watching

Actor who would play you in a film: Stephen Chow

Next career after security: Professor


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
