Justin Grudzien says that he sees burnout among his peers in the industry and a lot of it has to do with the pressure that security leaders place on themselves and receive from their organization. “As security people, we want to protect everything and, in general, there is no other industry that has a zero-loss expectancy. I don’t know any executive in the world that would be comfortable having the conversation of, ‘yes, we would expect to lose this amount of data or records this year,’” Grudzien says. “So, it’s a huge amount of pressure and we internalize that.”
But, he says, it comes down to emotional intelligence and the realization that in the information security profession and its continually evolving threat landscape, you cannot and will never be able to be perfect. “If that’s your mindset, you will fail. Instead, you should ask yourself, do I have the right controls in place to subvert medium and high-level sophisticated attacks? After that, this is where incident response becomes the number one thing. How do you respond to incidents?” he says. Of course, that’s easier said than done, Grudzien admits, but still a worthy goal for all security executives.
Grudzien takes this lesson and many others he has learned over the past couple of decades with him in his role as DoorDash’s Chief Information Security Officer (CISO). DoorDash Inc. is a global last-mile logistics company and on-demand food marketplace. As of January 2021, DoorDash had the largest food delivery market share in the United States.
Grudzien took over the CISO role at DoorDash in the fall of 2020, after having served four years at digital travel platform Journera as Chief Security Officer (CSO) and Data Protection Officer.
Justin Grudzien, CISO of DoorDash Inc. Photo courtesy of Grudzien
In the late ’90s, Grudzien made his first foray into technology by working for Chicago’s largest Internet Service Provider (ISP) at the time. In 2000, he moved into the security world at a small travel startup, now called Orbitz Worldwide, working on data security standards and compliance such as Sarbanes-Oxley and PCI data security. Ten years later, he took over the security program for the company as its CISO. After Orbitz, Grudzien spent time at ecommerce gift card platform Raise Marketplace as the Chief Security Officer (CSO) with responsibility over both cyber and physical security.
He has seen the overlap of physical security and cybersecurity, and he has experienced the evolving role of the security leader from a siloed position to an integrated, respected part of an enterprise’s leadership team with a seat in the C-suite. Indeed, over the course of his career Grudzien has experienced the shift of security within the enterprise firsthand. His advice for peers in the industry experiencing this shift? Speak up and share your vision.
Photos courtesy of Michael Allen / DoorDash
“Have a vision for how you want security integrated within a company and start selling it. Set up regular meetings with members of the C-suite,” he says. Grudzien says that while he has found many executives and CEOs very open and receptive to the idea of integrating security into senior leadership, he has had particular luck forging strong relationships with chief product officers, a role that is highly influential within an ecommerce organization.
Grudzien has also witnessed the threat landscape evolve, and never more so than with COVID-19. “The biggest thing COVID introduced is most workforces have now become remote and by having a remote workforce, some network security controls are no longer in effect because you are not on the network anymore. We’ve seen a massive increase in social engineering, phishing and malware attacks,” he says. “Attacking the end users has never been a higher priority because we are all at home sitting on our personal networks. That’s been the biggest change along with companies figuring out how to manage this completely distributed workforce.”
Aside from making headway within his career in terms of security buy-in and expanded roles and responsibilities within the organizations he has worked with, Grudzien considers implementing and building consumer privacy protections while at Journera one of his greatest accomplishments. “We created and built this platform where privacy was our number one goal, and I’m very proud of the technology and the great people we worked with to make it happen,” he reflects.
At DoorDash, data privacy and protection are also main focuses for Grudzien, who says he inherited an already robust information security program from his predecessor. “Security and privacy to me is not just my job, it’s what I am really passionate about. I want to continue to put an emphasis on securing data and enhancing the already great security program I came into. You never want a program to stagnate, so it’s important to always look at the next threats, continue to iterate, get a fresh set of eyes on things, and see what processes can be improved.”
While he is extremely passionate about security and data protection, another of Grudzien’s passions is reading books (science fiction and fantasy specifically) and writing in those genres as well…when he has the time, of course. Grudzien has always loved books, he says, spending many hours at the library when he was a child. As he grew older and began a career, the time to read and write has significantly decreased, but he has found ways to continue writing by joining online writing circles and finding inspiration from his peers. “With my career and four kids, there is not much time these days, but a friend told me to sit down and outline 20 minutes a day, and so that’s what I focus on. I write a little bit every day. It challenges me,” he says.