Security Career Q&A with Richard Balducci, CISO at Global Medical Device Outsourcing Manufacturer Integer
In this Q&A, we speak with Richard Balducci, the chief information security officer at global medical device outsourcing manufacturer Integer Holdings Corporation. Based in Plano, TX, Integer has annual revenue of just over $1 billion and employs about 7,500 globally.
In his role, Balducci is responsible for the strategic leadership of the company’s information security program. Balducci provides guidance to the CIO and members of the company’s executive leadership team and works closely with senior business and technology leaders to define the vision, strategies, and information security goals. In this conversation, we discuss how he got his start in information security, his career journey, and his advice to those interested in getting into the field today.
Thanks for joining us, Richard. How did you get started in security?
I was always a geek, and when I was 13 in 1981, I’d bought my very first computer and taught myself how to program. I’ve always been inspired by computers, technology, sciences, and math. In high school, I continued to jump into technology classes, mainly programming.
When I was a senior, the school had a particular program called “Directed Projects.” Only 12 people out of the whole school were allowed into these Directed Projects. I was pretty psyched about being selected for that class. It was a self-performing class where the instructor would give you a project for the quarter, and you were graded. That was the entire class.
One of the first projects was to write a complete payroll system for a mainframe. At the end of that quarter, he explained that, essentially, what we had all worked to develop is what companies were using in production at the time. We had to consider all the employees, all the different tax codes and deductions, and then ultimately print out checks and keep a payroll register. It was pretty cool.
The second quarter he had me network an Apple IIe computer to talk to the mainframe. This is before networking existed to any large degree. I hooked up an Apple IIe to the mainframe and had them talk back and forth. During the other two quarters, we got to select whatever we wanted to program.
It was fascinating. I taught myself new programming languages and everything. Because the high school had a mainframe, college computer night school was held there. People in Directed Projects had the opportunity to work a part-time job being system administrators on that mainframe. We knew it well, after all.
Now, there was a darker side to the Directed Projects program, as a couple of us, being very geeky and very techy, decided to hack that mainframe.
That sounds like a lot of fun. How did you hack the mainframe?
We managed to hack the mainframe and get its god privileges. When we came to class, we showed the instructor all of our permissions throughout the mainframe. “Oh, very nice,” he said and walked into his office — and poof — they were all gone.
It took us a couple of months to find a new way of hacking the system. I found a way to hack it through the backup procedure. As system administrators, part of our job was mainframe backup. There was a way to break out of that backup procedure and retain the access rights, which allowed me to gain additional access rights and escalate privileges until I got to god privileges again. Then once I did that, I passed it off to a friend who created a backdoor.
We showed the instructor what we did the next day. “Oh, that’s very nice,” he says. Then he walked into his office and — poof — they were gone.
He eventually said to us: “Here’s the deal: You can keep the high-level permissions as long as you promise to be responsible with them and remove all the damn backdoors.” He knew at that point what we did.
We removed most of them.
It sounds like you were fortunate to have a good and understanding teacher. What did you do next?
After high school, I joined the military, the Air Force specifically, and worked within computers and communications. I learned how to work on a number of different mainframes and other computers and communications systems. And while I was stationed in Germany for two years, I worked at a communication facility there. Then, in 1988, I was stationed in San Antonio, Texas. There I was part of the Air Intelligence Agency, essentially the military’s subsidiary of the NSA. I worked various roles there, mainly at first running telecom facilities, the circuits, and all the communications.
Eventually, I worked my way up into the actual intelligence agency where I performed systems engineering. Before I got out, we built a technology demonstration area with cutting-edge technology used by the cryptographic divisions and the cyber warfare divisions to work on those types of things. While I worked my way up into the engineering side of security, it wasn’t called security at that time. However, security was always a portion of our job.
What came next, after the military?
When people get out of the military, it’s typical for them to get into consulting, which is what I did. And I worked at a small consulting company in San Antonio. That job provided the opportunity to work in many different aspects of security. It was a lot of fun. Consulting was exciting because I was still young and still just a big techie at heart, and I loved working on so many different things. One week I’d be working at a hospital running their network for the cardiology department, and the next week I’d be out at a school district installing new systems for them. Yet another week I’d find myself at Fort Hood installing firewalls.
At that point in my career, the Internet was still very immature, yet people started to recognize that it needed to be secured. That’s when I began pivoting my career more toward Internet security: firewalls, mail systems, DNS (domain name systems), networking, and things like that. Of course, the company was pleased I did that because that was an up-and-coming market segment.
It sounds like an exciting time to get started in the industry.
It was, and after a time at IBM, I went to work at American General. In 2001, AIG ended up buying American General, and I became a part of AIG. At AIG at the time, I was running the department that managed our Internet, and I viewed my biggest job with those responsibilities to be securing it. As AIG started taking over, I assumed the role of maintaining security because I was very in tune with what we had been doing at AIG. I began to align the security program I had underway with what AIG was doing. Then, officially in 2002, I was part of the security team at AIG and remained in the security organization in senior leadership for almost the entire time.
It was a great experience, and I managed all of the different aspects of IT security. It’s a vast field and involves incident response, forensics, vulnerability management, configuration management, and just so many other things. It was a pleasure to be able to manage all aspects of IT security through my tenure there.
Last year I decided that it was time to spread my wings, and I landed at Integer. The culture at Integer is the best I have ever seen. It’s a great group of people who have the mindset that they just want to excel, and they want to do what’s right, and we want to help each other get there.
It’s great when it all comes together like that. Earlier in your career, what was it about security that kept you interested? When your career hit that inflection point in the mid-1990s, you could have gone in any number of different ways.
What I’ve always loved about security is protecting against the bad guys doing bad things. I also appreciate how you have to profoundly understand the technology and think like an adversary to protect that technology. In IT, the entire purpose is uptime, uptime, and uptime. You’re concerned about uptime in security, but you’re also worried about vulnerabilities, securing sensitive data, malware, hacking, breaches and many other things. Number two is I wanted to be part of an area that would be the next up-and-coming thing. Where I saw technology becoming more commodity-based, security was not going to be commodity-based. So, I wanted to position myself in a career to continue to excel for many years, if not decades.
What do you see as the most significant challenges CISOs face today?
The biggest challenges are keeping your eye on the basics and maintaining your fundamental hygiene. So many people miss that. They gravitate toward the latest shiny object, and they forget to take a step back and ask themselves if they are doing the basics well.
This is important because most breaches are opportunistic. The thief runs around in a parking lot and clicks on all the door handles to see who left their door unlocked. You don’t want to be the person leaving your door unlocked. You want to do the basics and lock your door. And our adversaries are running their organizations with the discipline of a corporation. They have boardrooms. They have budgets. They have revenue. Of course, the revenue is through illegal means, but it’s still revenue, and they have to keep their costs down. As CISOs, we need to do the basics and make it too expensive for them to breach us.
What would you advise those who are interested in perhaps pursuing a security career today?
You want to look at the different IT security domains because it is a vast field. You can spend your entire career in just that one aspect of IT security. If you want to move into a pentester role, that’s a big, dedicated aspect of security. There’s incident response or security operation center management, threat hunting, and more.
And if you want to get into security, you have to have a curious mindset. If you are curious, in the sense of the way the word hacker was used in the ’70s and ’80s, and you always want to learn and dig deeper and understand why something works a certain way, then you’re probably all set for a security career.
Many people coming out of college today are tech-savvy in the sense of how to use technology, but they are not tech-savvy when it comes to knowing how that technology works. But to succeed at security, one has to be. You have to understand how the technology works. Adversaries understand how it works, and they’re devising ways to get around it and break into it every day. A security professional has to think that same way. We have to think like an adversary and also think about the company and how to protect it. Because if you don’t know how an attack works, then there’s no way you can prevent that attack.