It’s an unusually cold winter morning in Houston, and Craig Riddell is settling into his new role as Wallarm’s Global Field CISO. It’s a position that suits him down to the ground, blending technical depth, empathy, business acumen, and what Craig believes is the most underrated skill in cybersecurity: curiosity.

Like so many of us, Craig got into cybersecurity by accident. He first learned Unix under the guidance of a mentor while transitioning out of the military. This soon evolved into a career defined by exploration, problem-solving, and an insistence on understanding how systems really work. 

In this edition of CISO Spotlight, Craig reflects on the moments that shaped his career, the challenge of translating security risk into business reality, and why API security has become the most critical – and least understood – layer of the modern security stack. 

From Engineer to Interpreter

Craig’s early career was rooted firmly in engineering. 

He came up through deeply technical roles, learning systems from the inside out and developing an instinct for how things break – and why. That foundation still matters to him. But one of the most difficult transitions in his career was learning how to step back from the engineer’s mindset and put on his business shoes. 

“It’s not that business and security are rowing in different directions,” Craig explains. “Most of the time, they’re trying to get to the same place. They’re just speaking completely different languages.” 

That realization has shaped how he approaches leadership. His technical credibility meant he could communicate with security teams – but the real challenge was turning abstract cyber risk into something business leaders could understand, prioritize, and act on. 

Craig’s experiences have shown him that good security leadership isn’t about having the best tool or the loudest voice. It’s about context. Understanding how the business operates, what it values, and where friction is tolerated – or not – makes security more effective and far more sustainable. 

What a Field CISO Really Does

The Global Field CISO position is unique compared to others we’ve covered in this series. 

Unlike a traditional CISO, Craig isn’t responsible for day-to-day operations, headcount planning, or owning every security control. Instead, he’s more of a strategic partner, working across teams, customers, and internal functions to help frame problems, identify patterns, and drive focused initiatives forward. 

“Really, I’m a consultant. I come in and talk to CISOs and business partners about their pain points,” he said. “I get to work across multiple business units internally without having to deal with all the noise.” 

This role suits Craig because it aligns with his broader philosophy: security works best when it’s decentralized and shared. The rise of concepts like Business Information Security Officers (BISOs) is proof that organizations are waking up to the fact that security can’t sit in a silo and expect to keep up with modern business. 

“We hear it all the time, but that doesn’t make it any less true,” said Craig, “security really is everyone’s job. Now more than ever.”

Ultimately, the Field CISO role allows him to focus on what he does best: breaking down silos, aligning incentives, and helping organizations finish strategic initiatives.

Cybersecurity is a Game You Can’t Win – Only Avoid Losing

On his very first day as a CISO, one of Craig’s friends offered advice that has stuck with him: “This is a game you can never win – you simply hope not to lose.” 

That mindset shapes how Craig thinks about incident readiness. Despite the industry’s obsession with tools, dashboards, and automation, he believes response still comes down to people. 

“One of the most effective things you can do is run tabletop exercises,” he said. “Get the right people in the room. Walk through realistic scenarios. Make it familiar.”

For Craig, technical perfection is a pipe dream. Composure is what’s really important. Teams that have practiced together respond more calmly, communicate more clearly, and make better decisions under pressure. Strong leadership during incidents matters. But that doesn’t mean micromanagement – it means ownership and clarity.

“When something goes wrong, people need to know who’s accountable and what happens next,” Craig explains. “If you’ve rehearsed it, execution becomes much easier.”

Speaking to the Board Without Fear 

Over the years, Craig has witnessed a change in how security leaders engage with executive teams. Years ago, security had veto power over tools or processes they deemed excessively risky. But today, security is often left chasing what the business has already deployed. 

“You can’t lead with fear,” Craig said. “You have to lead with outcomes.” For him, that means articulating risk without dramatizing it, and showing executives why early security involvement isn’t just safer, but smarter from both a financial and operational standpoint.

Craig sees AI as the worst offender when it comes to business adoption outpacing security understanding, much as in the early days of cloud and DevOps. “The value is just too high,” he said. “The business isn’t going to wait.”

For security teams, that creates serious tension. AI ecosystems are built on dense webs of integrations, agents, and APIs. The attack surface is expanding, sure, but the bigger problem is that it’s becoming harder to define. 

“The biggest challenge right now is visibility,” Craig explained. “You can’t protect what you don’t understand.”

While organizations have learned some lessons from cloud migration – adding guardrails earlier, being more intentional – the pace of AI adoption means security still has to adapt in real time.

Why API Security Has Become the New Imperative 

APIs sit at the center of cloud, AI, and all digital transformation. As Craig puts it, “Everything runs through APIs now. Data, money, identity, automation – it all flows through that layer.”

As organizations become more AI-driven, the traditional notion of a security perimeter breaks down. Authentication and authorization still matter, but they’re no longer sufficient. Why? Because attackers now exploit legitimate API behavior, abusing business logic at runtime rather than relying on vulnerabilities. 

That’s why Craig believes API security remains both critical and misunderstood. 

“Most organizations don’t have a clear picture of how their APIs are actually being used,” he explained. “Without that observability, you’re guessing.”

He sees the future of API security shifting away from constant manual tuning toward runtime, intent-aware protection: security that adapts as the business evolves instead of slowing it down. “Understanding how something actually behaves matters more than a static configuration review now,” he said. “And understanding the business’s objectives and goals can allow security leaders to show where they can add the most value and reduce friction.”
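As an added illustration of the runtime, behaviour-based view described above (example code written for this page, not Wallarm’s product or Craig’s own tooling), the script below builds a per-client usage profile from a constructed JSON-lines access log and flags two kinds of business-logic abuse that pass authentication and authorization cleanly: sequential enumeration of resource IDs through an endpoint the client is allowed to call, and a checkout confirm step executed without the start step the workflow expects. The log format, the endpoint paths, the REQUIRED_PREDECESSOR map, and the thresholds are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample JSON-lines access log (not real traffic). Every request
# succeeds with 200: each client is authenticated and authorized, so the abuse
# below is visible only in behaviour, not in any rejected call.
SAMPLE_LOG = "\n".join(
    [
        '{"ts": 1, "client": "alice", "method": "GET", "path": "/api/orders/1001", "status": 200}',
        '{"ts": 2, "client": "alice", "method": "GET", "path": "/api/orders/1002", "status": 200}',
        '{"ts": 3, "client": "alice", "method": "POST", "path": "/api/checkout/start", "status": 200}',
        '{"ts": 4, "client": "alice", "method": "POST", "path": "/api/checkout/confirm", "status": 200}',
        '{"ts": 5, "client": "bob", "method": "GET", "path": "/api/orders/2201", "status": 200}',
        '{"ts": 6, "client": "bob", "method": "POST", "path": "/api/checkout/confirm", "status": 200}',
    ]
    # One client walking order IDs 3000..3011 through the same, legitimate endpoint.
    + [
        f'{{"ts": {10 + i}, "client": "scanner", "method": "GET", '
        f'"path": "/api/orders/{3000 + i}", "status": 200}}'
        for i in range(12)
    ]
)

# Numeric path segment, used both to template endpoints and to extract the ID.
ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")

# Assumed workflow rule: a step that must be preceded by another step from the
# same client. Calling confirm without start is logic abuse, not a code vulnerability.
REQUIRED_PREDECESSOR = {"POST /api/checkout/confirm": "POST /api/checkout/start"}


def normalize(path):
    """Collapse numeric segments so /api/orders/1001 and /api/orders/1002 share a template."""
    return ID_SEGMENT.sub("/{id}", path)


def parse_log(text):
    """Parse JSON lines into events tagged with a 'METHOD /templated/path' endpoint key."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["endpoint"] = f'{event["method"]} {normalize(event["path"])}'
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def build_profiles(events):
    """Per-client profile: distinct IDs fetched per endpoint, plus the ordered call sequence."""
    profiles = defaultdict(lambda: {"ids": defaultdict(set), "sequence": []})
    for event in events:
        profile = profiles[event["client"]]
        match = ID_SEGMENT.search(event["path"])
        if match and event["status"] == 200:
            profile["ids"][event["endpoint"]].add(int(match.group(1)))
        profile["sequence"].append(event["endpoint"])
    return profiles


def is_mostly_sequential(ids, min_ratio=0.8):
    """True when most neighbouring IDs differ by exactly one, the signature of enumeration."""
    ordered = sorted(ids)
    if len(ordered) < 2:
        return False
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps / (len(ordered) - 1) >= min_ratio


def analyze(events, max_distinct_ids=10):
    """Flag enumeration and skipped workflow steps; thresholds are assumed, not tuned."""
    findings = []
    for client, profile in build_profiles(events).items():
        for endpoint, ids in profile["ids"].items():
            if len(ids) > max_distinct_ids and is_mostly_sequential(ids):
                findings.append({"client": client, "type": "enumeration",
                                 "endpoint": endpoint, "distinct_ids": len(ids)})
        seen = set()
        for endpoint in profile["sequence"]:
            required = REQUIRED_PREDECESSOR.get(endpoint)
            if required and required not in seen:
                findings.append({"client": client, "type": "workflow_skip",
                                 "endpoint": endpoint, "missing": required})
            seen.add(endpoint)
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script reports the scanner client for enumeration and bob for a skipped workflow step, while alice, who fetched two orders and walked the checkout in order, produces nothing. The point of the design is that neither finding depends on a status code or a signature: the profile is built from what the API was legitimately allowed to do, which is the observability gap the passage describes.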

Cybersecurity, Mythology, and Exploration

Craig’s personal life is also defined by curiosity. He’s a constant audiobook listener, typically running one fiction and one nonfiction title in parallel. 

On the fiction side, he’s been working through The Dresden Files – a modern fantasy series rooted in mythology and folklore, set against a contemporary backdrop. On the nonfiction side, his interests range widely, from leadership and cybersecurity to history and geopolitics.

That same curiosity shapes how he approaches security. He’s less interested in static answers and more interested in how systems behave over time, how behavior is shifting, and where assumptions break down. In an industry that often chases certainty, Craig has learned to lean into exploration, just as his hero, Ernest Shackleton, did. 

The post CISO Spotlight: Craig Riddell on Curiosity, Translation, and Why API Security is the New Business Imperative appeared first on Wallarm.
