Andrew Storms, VP of Security at Replicated, has spent three decades on the frontlines of cybersecurity. From building Unix systems in the early ‘90s to leading incident response and AI security strategies today, he has seen the CISO role evolve from back-office function to boardroom mainstay. In this spotlight, he shares the lessons that shaped his thinking, why storytelling is a critical CISO skill, and how API security is no longer optional.
From Reactive Defense to Strategic Inspiration
Andrew’s career began in quality assurance at Broderbund Software, testing classic video games like Carmen Sandiego. But then, a spontaneous invitation to join a fledgling Unix team sent his career hurtling in another direction.
“We were tasked with getting the company online and building out security,” Andrew recalls. “We’d roleplay packet inspection like a game of chess. That changed how I thought about security – it was baked into everything IT touched.”
That early experience led Andrew to shift his focus from reactive defense to strategic inspiration, and sparked a lifelong passion for cybersecurity.
Transform Cybersecurity from Blocker to Enabler
Like many early security professionals, Andrew once saw his role as the “sheriff,” the enforcer of controls. But that mindset, he admits, was flawed.
“The turning point came when someone asked, ‘Who are your customers?’ I said, ‘The people who buy our products.’ They said, ‘No. It’s the business. The employees. You’re here to support them.’ That changed everything.”
This revelation reframed his role, prompting him to work as an enabler, not as a blocker. “Now, I see security as a sales tool. If I can help sales move faster, or engineering ship quicker, I’m doing my job right.”
CISOs Should Be Optimists and Storytellers
As the CISO role matures, Andrew argues that soft skills are just as critical as technical chops. He believes that optimism is one of the most important of these.
“If you walk in saying the world is on fire, no one listens. But if you understand business goals, you can turn security challenges into opportunities.”
He also believes in the power of storytelling. “I once gave a talk where it was 10 minutes of storytelling and 5 minutes of demo. People loved it. Stories help people understand where you’re coming from; they help build camaraderie.”
Practice Over Perfection
When it comes to incident response, Andrew favors realism over tabletop drills. “We hate tabletop exercises. Instead, we fake alerts, drop them into Slack, and see what happens. Did someone respond? What did they do?”
That said, for Andrew, technical drills are only part of the equation. Culture matters too.
“You must make it okay to say, ‘I don’t know.’ That’s a sign of maturity, not weakness. It turns uncertainty into an opportunity to learn.”
The API Security Imperative
For Andrew, API functionality isn’t a feature; it’s a dealbreaker.
“If your product doesn’t have an API, I won’t buy it,” he says.
That may sound blunt, but it reflects a broader shift in expectations. Security teams today rely on automation, orchestration, and AI-driven workflows – and APIs are what make them possible.
“Modern environments are built to move fast. If I can’t automate tasks, connect systems, or have an AI agent interact with your tools, then it’s dead weight,” Andrew explains.
But with that flexibility comes risk. APIs offer machine-speed access to sensitive data and, if left unsecured, present a massive attack surface. That’s why API security, he argues, must be continuous and embedded into core operations.
“You can’t rely on one-time scans anymore,” he says. “API threat scanning needs to be 24/7.”
Andrew advocates for a layered approach: strong authentication, proper secrets management, web app firewalls, rate limiting, logging, and input/output validation.
“It’s not about reinventing the wheel. It’s applying the same security fundamentals we’ve always used, just on a different surface.”
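As an added illustration of the layered approach Andrew lists (this is not code from the interview, from Replicated or from Wallarm), the following Python request gate applies the layers in order: API-key authentication, a sliding-window rate limit, schema validation of the input, an allow-list on the output, and a log line for every decision. The key values, the limits and the `lookup` callback are constructed assumptions; a real service would also sit behind a WAF and use OAuth or mTLS rather than a shared key.

```python
import json, logging
from collections import defaultdict
log = logging.getLogger("api-gate")
# Constructed sample credentials and limits (assumptions, not real values).
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}   # API key -> client id
RATE_LIMIT, WINDOW_SECONDS = 3, 60                    # requests per window
RESPONSE_FIELDS = {"id", "status"}                    # allow-list for output
_buckets = defaultdict(list)                          # client -> timestamps

def authenticate(headers):
    """Layer 1, authentication: a shared API key stands in for OAuth/mTLS here."""
    return API_KEYS.get(headers.get("X-API-Key"))

def within_rate_limit(client, now):
    """Layer 2, rate limiting: sliding window per authenticated client."""
    bucket = _buckets[client] = [t for t in _buckets[client] if now - t < WINDOW_SECONDS]
    if len(bucket) >= RATE_LIMIT:
        return False
    bucket.append(now)
    return True

def validate_input(body):
    """Layer 3, input validation: reject anything outside the expected schema."""
    try:
        query = json.loads(body).get("query")
    except (ValueError, AttributeError):   # not JSON, or not a JSON object
        return None
    if not isinstance(query, str) or not 1 <= len(query) <= 64:
        return None
    return {"query": query}

def filter_output(record):
    # Layer 4, output validation: only allow-listed fields leave the API.
    return {k: v for k, v in record.items() if k in RESPONSE_FIELDS}

def handle_request(headers, body, lookup, now):
    """Run the layers in order; every decision is logged (layer 5, logging)."""
    client = authenticate(headers)
    if client is None:
        log.warning("rejected: bad credentials")
        return 401, {"error": "unauthorized"}
    if not within_rate_limit(client, now):
        log.warning("rejected: rate limit client=%s", client)
        return 429, {"error": "too many requests"}
    data = validate_input(body)
    if data is None:
        log.warning("rejected: invalid input client=%s", client)
        return 400, {"error": "bad request"}
    log.info("accepted client=%s query=%s", client, data["query"])
    return 200, filter_output(lookup(data["query"]))
```

The rate-limit check deliberately runs before validation so that malformed requests still consume a client's budget, and the output filter drops any backend field not explicitly allow-listed.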
AI: Embrace the Opportunity, Respect the Risk
In his current role at Replicated, Andrew sees AI as a game-changer, especially for compliance. But it also raises urgent questions about data governance.
“Someone might ask, ‘Can I put support logs into an AI tool?’ And I’ll say, ‘Thanks for asking, let’s assess the risk together.’ These are teachable moments. We want people thinking like security folks.”
His advice? Don’t be a “no-AI-ever” company. But don’t let AI become shadow IT either. “Work with teams, help them understand risks, data flows, and how to think critically. That’s how you build trust.”
The CISO’s Future: Trust, Resilience, and AI Stewardship
In the next five years, Andrew expects the CISO to become a company’s “trust asset,” a visible leader who helps customers and partners feel secure.
That means evolving beyond defense. “It’s not just about stopping attacks. It’s about building resilient products and systems that keep the business running, no matter what.”
He also highlights the growing need for data ethics in an AI-driven corporate world. “AI relies on data. So, we need to treat data stewardship as a core security function.”
The Final Word
Andrew closes with a simple personal wish: a week-long fly-fishing holiday in Montana. But until then, he’s laser-focused on helping security teams – and businesses – thrive through empathy, opportunity, and trust.
“The most powerful thing a CISO can say? ‘I’m here to help you move faster, and safer.’ That’s how we win.”
Want to find out how Wallarm’s platform aligns with Andrew’s view of API security? Take a product tour today.
The post CISO Spotlight: Andrew Storms on Trust, AI, and Why CISOs Need to Be Optimists appeared first on Wallarm.