Careers & People

11/15/2017
05:25 PM

Fred Kwong: The Psychology of Being a CISO

Security Pro File: Fred Kwong learned people skills in the classroom and technical skills on the job. The former psychology major, now CISO at Delta Dental, shares his path to cybersecurity and how he applies his liberal arts background to his current role.

When Fred Kwong's friends had Nintendo game systems, his home had a PC. The household computer sparked an early interest in technology, which persisted throughout the long, winding, sometimes blocked road that eventually led to his role as CISO of Delta Dental.

"My educational background and my IT background are completely separate," Kwong notes. While he wanted to explore technology, finding an educational path was difficult. At the University of Madison he encountered a choice between two majors: computer science and computer engineering. "Neither was what I actually wanted to do," he adds.

As a student, Kwong learned programming languages like C++ and Fortran before deciding he was on the wrong track. "It drove me nuts," he says. "I did not want to spend the next 30 years of my life programming." He decided to take his tech education outside the classroom.

"All my IT learning has pretty much been the 'school of hard knocks,' or learning in the workplace," he explains. He continued to take part-time classes at a technical college while supplementing them with various tech-focused roles.

Kwong got his start in IT at Sitel, a help desk outsourcing company where he answered about 80 calls per day for the AOL help desk. There, he learned about modems and discovered he enjoyed helping people get online. But after a couple of years, he once again felt he was in the wrong place. His self-guided education continued at Zurich Insurance, where he worked as a "cable monkey," learning networking and routing as part of the network team.

Zurich continued to be Kwong's main source of IT education as he resumed full-time classes at Roosevelt University, where his studies fell far outside the technology field.

An Unconventional Path
"I went back to school for things that interested me," says Kwong of his decision to double major in psychology and professional communications, partly inspired by his time in congressional debate as a high school student. "I wanted to learn about people — and what better way to learn about people than to study psychology?"

Kwong's first foray into technical education was an MBA with a concentration in MIS. It didn't take long for him to switch gears back into the psychology field. As he was finishing his MBA, a class in executive leadership inspired him to pursue his PhD in organizational development, where he found himself surrounded by a non-technical crowd.

"I was, quite honestly, a little bit intimidated at the time because I was in a room full of COOs and VPs of human resources, people who have pretty established careers," he recalls. "And there's me, this network engineer, in the PhD program, in a field that's completely unrelated to my work."

Kwong, sticking with the belief that effective communication would prove handy in any role, went on to complete his doctorate. A role as the network manager at Benedictine University introduced him to security. In addition to working on servers and telecommunications, he learned the ins and outs of firewalls and access control.

Source: Fred Kwong

He worked his way up the security ladder, first through Zurich, then CSC, where he was a network and data center manager, then US Cellular, where he was the senior infrastructure manager, and Farmers Insurance, where he built a privileged access management program and insider threat program. It was his last role before he had the opportunity to build security at Delta Dental.

Team Player
Kwong's psychology background has, as expected, proven handy in his security roles.

"I would say that I have a heightened sense of awareness of folks I deal with," he says. "A lot of times in the CISO role, it really is about building relationships and ensuring how to shift the culture or the organizations from one that's not necessarily security-minded to one that becomes security-minded."

This is especially difficult at Delta, which has 39 member organizations and a large board of directors. Kwong says getting everyone on board with security can be a challenge; after all, security isn't necessarily viewed as a revenue generator but often as a cost. All members have their own agenda, and he has to ensure security is part of each person's mission and objective.

It's a mindset he emphasizes across the company. Most breaches initially involve the human factor, he points out, and he has to change the mindset of employees to be security conscious.

"We do that via phishing campaigns, lunch and learns, having direct messaging that appeals to employees to secure themselves not only in the business but also at home," Kwong explains. "It's an emotional tie. We tie [security] to something that's tangible to them, not just in the business but for personal use … that really shifts the change in the culture."

When there is space open on his team, Kwong looks within the business. He built an internal program at US Cellular to help aspiring security professionals starting in low-level tech roles.

"We built a program where — and this is near and dear to my heart — help desk and desktop folks can intern with security folks to learn about security and see if it's a good career path for them," he explains, adding that many successful security pros come from different parts of IT.

For a month, interns learn about security tools and complete projects. If they are still interested in security at the end of the program, they can continue learning about it. When there is an opening in security, Kwong says, he can pull from an internal group of employees he knows has an interest in joining the team.

The internship program has since grown outside security to educate future employees for high-level IT roles in database management and networking, he adds.

Off the Clock

It's hard to believe Kwong has any free time outside his roles as CISO and adjunct professor at Roosevelt University, where he now teaches organizational behavior and organizational development. But when he does, he uses it for volunteer work — and occasional photo shoots.

"There are a couple of organizations I really like to work with," he says. Feed My Starving Children, which ships nutritional food to parts of the world without it, is one of them. Kwong says he puts together bundles of food, donates, and recruits people to help out.

Habitat for Humanity is another: Kwong enjoys volunteering with the organization and building homes in the Chicago area. "I like working with my hands," he continues. "Plumbing, dry walling, all that fun stuff."

Wedding photography is another favorite hobby and he enjoys snapping photos at occasional events for family and friends. Photography is fun, he says, but not always simple. It's easy to take pictures of stuff when you have time to set it up. It's harder at a wedding, when things are moving and you need to snap the right shot at the right time.

Kwong is modest about his work — "I don't consider myself that good, quite honestly, and I feel like it's a really hard craft," he says — but his subjects seem to be big fans.

"I guess the best compliment I've gotten is, there have been times when people said 'I wish we just hired you to be our photographer!'" he says. "It's nice to hear."

Personality Bytes

Worst day ever at work: 9/11/01 — my parents were both on separate planes that day, unsure of their fate.

First hack: Turned an old office chair into a swiveling TV stand

What your coworkers don't know about you that would surprise them: Used to be an avid poker player

Security must-haves: Security awareness training, access control governance, vulnerability management

Business hours: Don't apply in security

What keeps you up at night: Becoming the fall guy for a breach

Fun fact: Birds don't urinate

Favorite hangout: Home

Comfort food: Ground beef and rice bowl

What's in your music playlist right now: Billy Joel

What kind of car do you drive: Lexus RX 350

Favorite thing to do after a long day: Netflix binge watching

Actor who would play you in a film: Stephen Chow

Next career after security: Professor

 


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
