Fred Kwong: The Psychology of Being a CISO

Security Pro File: Fred Kwong learned people skills in the classroom and technical skills on the job. The former psychology major, now CISO at Delta Dental, shares his path to cybersecurity and how he applies his liberal arts background to his current role.

When Fred Kwong's friends had Nintendo game systems, his home had a PC. The household computer sparked an early interest in technology, which persisted throughout the long, winding, sometimes blocked road that eventually led to his role as CISO of Delta Dental.

"My educational background and my IT background are completely separate," Kwong notes. While he wanted to explore technology, finding an educational path was difficult. At the University of Madison he encountered a choice between two majors: computer science and computer engineering. "Neither was what I actually wanted to do," he adds.

As a student, Kwong learned programming languages like C++ and Fortran before deciding he was on the wrong track. "It drove me nuts," he says. "I did not want to spend the next 30 years of my life programming." He decided to take his tech education outside the classroom.

"All my IT learning has pretty much been the 'school of hard knocks,' or learning in the workplace," he explains, and he continued to take part-time classes at a technical college while supplementing them with various tech-focused roles.

Kwong got his start in IT at Sitel, a help desk outsourcing company where he answered about 80 calls per day for the AOL help desk. There, he learned about modems and discovered he enjoyed helping people get online. But after a couple of years, he once again felt he was in the wrong place. His self-guided education continued at Zurich Insurance, where he worked as a "cable monkey," learning networking and routing as part of the network team.

Zurich continued to be Kwong's main source of IT education as he resumed full-time classes at Roosevelt University, where his studies fell far outside the technology field.

An Unconventional Path
"I went back to school for things that interested me," says Kwong of his decision to double major in psychology and professional communications, partly inspired by his time in congressional debate as a high school student. "I wanted to learn about people — and what better way to learn about people than to study psychology?"

Kwong's first foray into technical education was an MBA with a concentration in MIS. It didn't take long for him to switch gears back into the psychology field. As he was finishing his MBA, a class in executive leadership inspired him to pursue his PhD in organizational development, where he found himself surrounded by a non-technical crowd.

"I was, quite honestly, a little bit intimidated at the time because I was in a room full of COOs and VPs of human resources, people who have pretty established careers," he recalls. "And there's me, this network engineer, in the PhD program, in a field that's completely unrelated to my work."

Kwong, sticking with the belief that effective communication would prove handy in any role, went on to complete his doctorate. A role as the network manager at Benedictine University introduced him to security. In addition to working on servers and telecommunications, he learned the ins and outs of firewalls and access control.

Source: Fred Kwong

He worked his way up the security ladder, first through Zurich, then CSC, where he was a network and data center manager, then US Cellular, where he was the senior infrastructure manager, and then Farmers Insurance, where he built a privileged access management program and an insider threat program. The Farmers role was his last before he had the opportunity to build security at Delta Dental.

Team Player
Kwong's psychology background has, as expected, proven handy in his security roles.

"I would say that I have a heightened sense of awareness of folks I deal with," he says. "A lot of times in the CISO role, it really is about building relationships and ensuring how to shift the culture or the organizations from one that's not necessarily security-minded to one that becomes security-minded."

This is especially difficult at Delta, which has 39 member organizations and a large board of directors. Kwong says getting everyone on board with security can be a challenge; after all, security isn't necessarily viewed as a revenue generator but often as a cost. All members have their own agenda, and he has to ensure security is part of each person's mission and objective.

It's a mindset he emphasizes across the company. Most breaches initially involve the human factor, he points out, and he has to change the mindset of employees to be security conscious.

"We do that via phishing campaigns, lunch and learns, having direct messaging that appeals to employees to secure themselves not only in the business but also at home," Kwong explains. "It's an emotional tie. We tie [security] to something that's tangible to them, not just in the business but for personal use … that really shifts the change in the culture."

When there is space open on his team, Kwong looks within the business. He built an internal program at US Cellular to help aspiring security professionals starting in low-level tech roles.

"We built a program where — and this is near and dear to my heart — help desk and desktop folks can intern with security folks to learn about security and see if it's a good career path for them," he explains, adding that many successful security pros come from different parts of IT.

For a month, interns learn about security tools and complete projects. If they are still interested in security at the end of the program, they can continue learning about it. When there is an opening in security, Kwong says, he can pull from an internal group of employees he knows has an interest in joining the team.

The internship program has since grown outside security to educate future employees for high-level IT roles in database management and networking, he adds.

Off the Clock

It's hard to believe Kwong has any free time outside his roles as CISO and adjunct professor at Roosevelt University, where he now teaches organizational behavior and organizational development. But when he does, he uses it for volunteer work — and occasional photo shoots.

"There are a couple of organizations I really like to work with," he says. Feed My Starving Children, which ships nutritional food to parts of the world without it, is one of them. Kwong says he puts together bundles of food, donates, and recruits people to help out.

Habitat for Humanity is another: Kwong enjoys volunteering with the organization and building homes in the Chicago area. "I like working with my hands," he continues. "Plumbing, dry walling, all that fun stuff."

Wedding photography is another favorite hobby and he enjoys snapping photos at occasional events for family and friends. Photography is fun, he says, but not always simple. It's easy to take pictures of stuff when you have time to set it up. It's harder at a wedding, when things are moving and you need to snap the right shot at the right time.

Kwong is modest about his work — "I don't consider myself that good, quite honestly, and I feel like it's a really hard craft," he says — but his subjects seem to be big fans.

"I guess the best compliment I've gotten is, there have been times when people said 'I wish we just hired you to be our photographer!'" he says. "It's nice to hear."

Personality Bytes

Worst day ever at work: 9/11/01 — my parents were both on separate planes that day, unsure of their fate.

First hack: Turned an old office chair into a swiveling TV stand

What your coworkers don't know about you that would surprise them: Used to be an avid poker player

Security must-haves: Security awareness training, access control governance, vulnerability management

Business hours: Don't apply in security

What keeps you up at night: Becoming the fall guy for a breach

Fun fact: Birds don't urinate

Favorite hangout: Home

Comfort food: Ground beef and rice bowl

What's in your music playlist right now: Billy Joel

What kind of car do you drive: Lexus RX 350

Favorite thing to do after a long day: Netflix binge watching

Actor who would play you in a film: Stephen Chow

Next career after security: Professor



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
