{“lastseen”:”2026-02-11T12:05:09″,”description”:”It\u2019s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm\u2019s Global Field CISO. It\u2019s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and, what Craig believes, the most underrated skill in cybersecurity: curiosity. \\n\\nLike so many of us, Craig got into cybersecurity by accident. He first learned Unix under the guidance of a mentor while transitioning out of the military. This soon evolved into a career defined by exploration, problem-solving, and an insistence on understanding how systems really work. \\n\\nIn this edition of CISO Spotlight, Craig reflects on the moments that shaped his career, the challenge of translating security risk into business reality, and why API security has become the most critical \u2013 and least understood \u2013 layer of the modern security stack. \\n\\n## From Engineer to Interpreter\\n\\nCraig\u2019s early career was rooted firmly in engineering.\\n\\nHe came up through deeply technical roles, learning systems from the inside out and developing an instinct for how things break \u2013 and why. That foundation still matters to him. But one of the most difficult transitions in his career was learning how to step back from the engineer\u2019s mindset and put on his business shoes. \\n\\n\u201cIt\u2019s not that business and security are rowing in different directions,\u201d Craig explains. \u201cMost of the time, they\u2019re trying to get to the same place. They\u2019re just speaking completely different languages.\u201d \\n\\nThat realization has shaped how he approaches leadership. His technical credibility meant he could communicate with security teams \u2013 but the real challenge was turning abstract cyber risk into something business leaders could understand, prioritize, and act on. \\n\\nCraig’s experiences have shown him that good security leadership isn\u2019t about having the best tool or the loudest voice. It\u2019s about context. Understanding how the business operates, what it values, and where friction is tolerated \u2013 or not \u2013 makes security more effective and far more sustainable. \\n\\n## What a Field CISO Really Does\\n\\nThe Global Field CISO position is unique compared to others we\u2019ve covered in this series. \\n\\nUnlike a traditional CISO, Craig isn\u2019t responsible for day-to-day operations, headcount planning, or owning every security control. Instead, he\u2019s more of a strategic partner, working across teams, customers, and internal functions to help frame problems, identify patterns, and drive focused initiatives forward. \\n\\n\u201cReally, I\u2019m a consultant. I come in and talk to CISOs and business partners about their pain points,\u201d he said. \u201cI get to work across multiple business units internally without having to deal with all the noise.\u201d \\n\\nThis role suits Craig because it aligns with his broader philosophy: security works best when it\u2019s decentralized and shared. The rise of concepts like Business Information Security Officers (BISOs) is proof that organizations are waking up to the fact that security can\u2019t sit in a silo and expect to keep up with modern business. \\n\\n\u201cWe hear it all the time, but that doesn\u2019t make it any less true,\u201d said Craig, \u201csecurity really is everyone\u2019s job. Now more than ever.\u201d\\n\\nUltimately, the Field CISO role allows him to focus on what he does best: breaking down siloes, aligning incentives, and helping organizations finish strategic initiatives. \\n\\n## Cybersecurity is a Game You Can\u2019t Win \u2013 Only Avoid Losing\\n\\nOn his very first day as a CISO, one of Craig\u2019s friends offered advice that has stuck with him: \u201cThis is a game you can never win \u2013 you simply hope not to lose.\u201d \\n\\nThat mindset shapes how Craig thinks about incident readiness. Despite the industry\u2019s obsession with tools, dashboards, and automation, he believes response still comes down to people. \\n\\n\u201cOne of the most effective things you can do is run tabletop exercises,\u201d he said. \u201cGet the right people in the room. Walk through realistic scenarios. Make it familiar.\u201d\\n\\nFor Craig, technical perfection is a pipe dream. Composure is what\u2019s really important. Teams that have practices together respond more calmly, communicate more clearly, and make better decisions under pressure. Strong leadership during incidents matters. But that doesn\u2019t mean micromanagement \u2013 it means ownership and clarity. \\n\\n\u201cWhen something goes wrong, people need to know who\u2019s accountable and what happens next,\u201d Craig explains. \u201cIf you\u2019ve rehearsed it, execution becomes much easier.\u201d\\n\\n## Speaking to the Board Without Fear \\n\\nOver the years, Craig has witnessed a change in how security leaders engage with executive teams. Years ago, security had veto power over tools or processes they deemed excessively risky. But today, security is often left chasing what the business has already deployed. \\n\\n\u201cYou can\u2019t lead with fear,\u201d Craig said. \u201cYou have to lead with outcomes.\u201d For him, that means articulating risk without dramatizing it, and showing executives why early security involvement isn\u2019t just safer, but smarter from both a financial and operational standpoint.\\n\\nCraig sees AI as the worst offender in business adoption, outpacing security understanding, much as in the early days of cloud and DevOps. \u201cThe value is just too high,\u201d he said. \u201cThe business isn\u2019t going to wait.\u201d\\n\\nFor security teams, that creates serious tension. AI ecosystems are built on dense webs of integrations, agents, and APIs. The attack surface is expanding, sure, but the bigger problem is that it\u2019s becoming harder to define. \\n\\n\u201cThe biggest challenge right now is visibility,\u201d Craig explained. \u201cYou can\u2019t protect what you don\u2019t understand.\u201d\\n\\nWhile organizations have learned some lessons from cloud migration – adding guardrails earlier, being more intentional – the pace of AI adoption means security still has to adapt in real time.\\n\\n## Why API Security Has Become the New Imperative \\n\\nAPIs sit and the center of cloud, AI, and all digital transformation. As Craig puts it, \u201cEverything runs through APIs now. Data, money, identity, automation – it all flows through that layer.\u201d\\n\\nAs organizations become more AI-driven, the traditional notion of a security perimeter breaks down. Authentication and authorization still matter, but they\u2019re no longer sufficient. Why? Because attackers now exploit legitimate API behavior, abusing business logic at runtime rather than relying on vulnerabilities. \\n\\nThat\u2019s why Craig believes API security remains both critical and misunderstood. \\n\\n\u201cMost organizations don\u2019t have a clear picture of how their APIs are actually being used,\u201d he explained. \u201cWithout that observability, you\u2019re guessing.\u201d\\n\\nHe sees the future of API security shifting away from constant manual tuning toward runtime, intent-aware protection; security that adapts as the business evolves instead of slowing it down. \u201cUnderstanding how something actually behaves matters more than a static configuration review now,\u201d he said. \u201cAnd understanding the business’s objectives and goals can allow security leaders to show where they can add the most value and reduce friction.\u201d\\n\\n## Cybersecurity, Mythology, and Exploration\\n\\nCraig\u2019s personal life is also defined by curiosity. He\u2019s a constant audiobook listener, typically running one fiction and one nonfiction title in parallel. \\n\\nOn the fiction side, he\u2019s been working through The Dresden Files \u2013 a modern fantasy series rooted in mythology and folklore, set against a contemporary backdrop. On the nonfiction side, his interests range widely, from leadership and cybersecurity to history and geopolitics.\\n\\nThat same curiosity shapes how he approaches security. He\u2019s less interested in static answers and more interested in how systems behave over time, how behavior is shifting, and where assumptions break down. In an industry that often chases certainty, Craig has learned to lean into exploration, just as his hero, Ernest Shackleton, did. \\n\\nThe post CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative appeared first on Wallarm.”,”published”:”2026-02-11T12:00:00″,”modified”:”2026-02-11T12:00:00″,”type”:”wallarmlab”,”title”:”CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative”,”source”:””,”references”:””,”id”:”WALLARMLAB:B4DECC77398C9047245995F8758C6B89″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/lab.wallarm.com\/ciso-spotlight-craig-riddell-curiosity-translation-api-security-business-imperative\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-11T12:05:09″,”description”:”It\u2019s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm\u2019s Global Field CISO. It\u2019s a position…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-40376","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n