Nestled in a log cabin high in the Rocky Mountains, Rick Bohm starts his day the same way he’s approached his career: intentionally, with a quiet commitment to learning and action. Boasting more than three decades of cybersecurity experience, Rick has watched tech evolve from dial-up ISPs to advanced AI-driven security architectures – and through it all, he’s focused on one enduring mission: protecting data, organizations, and people.
In this edition of CISO Spotlight, Rick reflects on the challenges and evolutions that have defined his career, shares lessons from decades of offensive and defensive cybersecurity efforts, and offers a candid perspective on the skills that will define the CISOs of tomorrow.
Career Path: From Network Tech to CISO
Rick’s journey started in the early 1990s, a time when he says security was more of an afterthought than a necessity. “I started as a network tech, then ran an ISP, built websites,” he says. “Security was always in the background. But when the company I worked for was acquired, cybersecurity moved front and center. That’s when I got hooked.”
What started as security quickly turned into a vocation. Offensive and defensive security became not just the tools of Rick’s trade but also the passions that would come to define his career. “It just became part of my DNA,” he says.
Bridging the Biz-Tech Divide
Much of Rick’s working life has been spent bridging the gap between technologists and business leaders – a challenge that most CISOs will be all too aware of.
“Translating between those two worlds is not easy,” he says. “You need to be able to explain to the board why something matters and then turn around and sell that vision to your technical team. It’s a two-way bridge.”
Rick argues that most CISOs fall into one of two camps: technology-based CISOs who have come up through the ranks and understand systems deeply, and executive-first CISOs who understand business but not necessarily the day-to-day of running a SOC. The most effective CISOs need to combine the best of both.
“It’s not enough to be technical or strategic,” Rick says. “You need to learn how people think, how they process information.” For Rick, sociology courses and structured management training proved invaluable in developing these skills.
“It’s about empathy and storytelling. You need to speak in a language that your audience understands, and that means stepping into their shoes.”
CISOs as Storytellers
However, the modern CISO needs more than just people skills; storytelling is also important. Rick believes that the best security leaders in the next five to ten years will be capable of telling a compelling story, humanizing risk, and making abstract threats tangible.
“People are resistant to change. They don’t want another hurdle,” he explains. “So, I make threats real for them, showing them the dark web sites and saying, ‘Look, this could be your data, your password. This is where it ends up when you click that phishing email.’ That gets their attention.”
That said, Rick is quick to note that storytelling isn’t about scaring people into submission. “You have to be a positive manipulator,” Rick adds. “You have people understand that you’re protecting them, not slowing them down.”
For more senior CISOs, Rick emphasizes that understanding generational shifts is crucial to reaching younger employees. “We’re now talking to a generation that never lived in a world without the internet. That changes how you educate, how you lead, and how you build trust.”
Incident Response: Practice Like You Play
When it comes to incident response, Rick has always employed a principle instilled in him during his time in the U.S Marine Corps: practice like you play.
“People panic during a breach. It’s like golf, under pressure, you revert to what’s comfortable. That’s why you need to build muscle memory. Incident response should be automatic, instinctual.”
His advice: capture everything. “If you skip documentation, if you don’t follow the process, you lose the artifacts you need to respond effectively. Postmortems are where you grow – but only if you’ve captured the full story.”
Ultimately, Rick advocated for a tight, collaborative, purple team approach and constant iteration. “Don’t chase more data,” he says. “Chase better data.”
Making Sense of AI: Think Rationally
AI is one of the most high-profile and controversial topics today. But Rick is clear-eyed about its promise and peril. “People hear ‘AI’ and think Skynet,” he jokes. “But we’re mostly dealing with large language models. They’re tools – powerful tools – but they’re not magic.”
On the defensive side, Risk uses AI for everything from generating reports to scripting commands. “I think of AI like an apprentice. It’s helpful, but it’s still learning. You can’t depend on it, but it can make you faster and more effective.”
On the offensive side, the stakes are higher. Rick has used AI to craft hyper-personalized phishing attacks, synthesizing social media data into realistic, high-conversion lures. “It’s scary how good it can be,” he admits. “We have to treat AI as both assistant and adversary.”
Ultimately, success with AI comes down to responsible usage, education, and awareness. “We can’t just say no to new tech. We have to guide the business through safe adoption – and that starts with showing the ‘why’.”
API Security: The Silent Weak Link
Finally, we got to API security. Rick brought up a point we at Wallarm understand deeply: as APIs proliferate, they’ve become one of the most overlooked areas of cybersecurity.
“Most companies I work for don’t even have a complete API inventory,” he says. ‘That’s the first problem.” With AI making it easier than ever to find and exploit APIs, the attack surface has expanded rapidly, and organizations have no excuse for not understanding their environment. “People often tell me they have three APIs. I find 300. But it’s not about negligence, it’s about visibility,” he said.
Rick outlines three key best practices:
- Build an accurate API inventory.
- Embed security in the SDLC, not as an afterthought.
- Treat APIs like any other customer-facing endpoint, because that’s what they are.
That said, Rick does foresee that executive awareness of API risk will grow in the coming years. “Unfortunately, it may take more incidents for the message to stick. But it’s coming. API security is about to have its moment.”
Looking Ahead
Rick’s vision for the future of cybersecurity is grounded in human connection, adaptability, and lifelong learning. Whether he’s practicing breach response like a drill sergeant, building clean AI models for clients, or showing a board member exactly how their credentials ended up for sale, Rick sees the CISO role as more than technical or managerial; it’s deeply human.
“You have to make people care,” he says. “You have to become the voice on their shoulder, helping them make better choices, not just enforcing rules.”
Want to find out how Wallarm’s platform aligns with Rick’s view of API security? Take a product tour today.
The post CISO Spotlight: Rick Bohm on Building Bridges, Taming AI, and the Future of API Security appeared first on Wallarm.