Jim Rutt is the CISO/CIO of The Dana Foundation, a private philanthropy group that explores the connections between neuroscience, society’s challenges, and society’s opportunities.

In this edited interview excerpt from the CISO’s Secrets podcast, CISO Jim Rutt shares secrets about how he got his start in cyber security. A distinguished professional with a storied 27-year career, he has acquired 15 cyber security certifications, been quoted in the Wall Street Journal, is the former president and chairman of the Technology Affinity Group (TAG) and is on the board of the New York Chapter of the Cloud Security Alliance.

Jim’s narrative is particularly relevant to individuals with non-traditional career paths, those seeking to understand where the field of cyber security is headed, and those who wish to inspire the next generation of cyber security leaders.

Tell us a little bit about the course of your career and how you’ve found yourself where you are?

The ironic thing is…I actually started in marketing in the early 1990s, when I got out of college. So, how do you transition from marketing to technology? It’s a very interesting jump!

I think a lot of it was very fortuitous, when you think about what happened in the mid-‘90s. Think about the rise of the internet, think about all of the then-emerging technologies. I saw that and said ‘you know what, this is a direction that I really think is going to be exciting.’

And boy, has it ever been so. I could never have anticipated the opportunities that have come my way in the last 25-26 years. It’s been very exciting.

That’s really interesting. So what kind of marketing did you start out in? Corporate marketing, product marketing, field marketing? Was there a particular area of marketing that you were focused on?

So, I worked for an import/export company in New Jersey. I was the guy who did all of the internal marketing and the trade shows.

Every time that I attend an RSA or a Black Hat, I remember when I was working the trade show booths, and things were a little bit different then.

Right. Well, so it was about ’98 when I happened to get into security, although it was ’83 when I got into computing. But I can certainly appreciate the massive transformation that took place when we went from everybody being in their own fishbowl – you were using Token Ring and I was using IPX.

And then, all of a sudden, those fishbowls went away and we were in the ocean, and that was the internet…it was really the birth of the ‘bubble’ and the firewall and VPN market went crazy…right?

Oh yes. To even consider some of the downstream impacts of network security, when we were trying to grapple with network standards…I mean, you elucidated it perfectly. It’s amazing to look back at all of the different architectures that we had to handle in the late ‘90s and to see it converge – very satisfying.

So, I have to ask, Jim. How exactly did you manage to navigate the transition from marketing to cyber security? How did you obtain the foundation, the knowledge, the technical aptitude that you need to have in order to be in your role?

It’s a great story. I was about 4-5 years into my marketing career, and I realized that it wasn’t really going to be a long-term career option for me.

I enjoyed some of the accomplishments, but it wasn’t my cup of tea, necessarily. I started looking around at the early internet, some of these other smaller networks, like AOL, Prodigy and CompuServe, and I thought to myself, ‘I wonder if I can make a career out of this.’

One day, I happened to open a Sunday paper, where one of the ads was for MCSE training, or Microsoft Certified Systems Engineer training. I said, ‘I wonder what that would be like.’ So, I contacted a small training facility in New Jersey, and inquired about prerequisites and costs…etc. At the time, for three months of training, it was about $5,000.

And $5,000 back in 1996 was a lot more than it is today, given all of the macroeconomic conditions that we have. So, I said, ‘okay, I’ll write the check’. And it was a big commitment for me – I had my regular job on weekdays, and then attended this training on the weekends.

After about six months of that, and after a series of about six certification exams, I got my MCSE. And I said ‘okay, let me see if I can go out and get a job.’

At the facility, where I’d taken my exams, I literally went up to the desk after taking my last exam and said ‘do you have any jobs that I might fit? You know, I don’t have any experience, but I have this certification.’

And I remember the receptionist saying, ‘Hold on a second.’ She went to the back, brought a recruiter out, and the recruiter said ‘We’ll find something for you, don’t worry.’

And that’s how I got started. I got my first job as a help desk analyst…

That’s fascinating!

About four years later, I got into other engineering jobs. Then, in 2001, heading towards the focus in cyber, I got my first management job, which was at Emblem Health, here in New York.

Around the same time, the HIPAA regulations started to come into effect. There was a lot of discussion around regulation, and a lot of discussion around cyber in general, and we really didn’t have a security department there. We didn’t have a CISO as we know it today.

We just happened to have someone who was focused on physical security, and they were kind of thrown into the cyber security role. At that point, I had a few years of technical experience (obviously), and so he asked me, ‘what do you know about cyber security?’

While he was learning how to take care of cyber security from the regulatory/government side, I helped him with the technical side. So, the cyber portion of my career really took off about 22 years ago at this point…

In every role since then, I’ve had some measure of cyber responsibilities. I became a little more focused on it around 10-11 years ago, at Dana. I started taking some certifications training, and began getting involved in the greater ecosystem. And the timing couldn’t have been more fortuitous…

Can you talk a little bit about the journey from CIO to CISO?

Sure. To do that, I’d probably have to…
