Interview with Dr. Cris Ewell

Faculty Recognition – Interview with Dr. Cris Ewell

Morgan:  Cris, congratulation on being recognized last week as one of the Top 100 CISOs by CISOs Connect. This is quite an honor and follows your move earlier this year to take the position as NRC Health’s Chief Security and Privacy Officer. You worked at UW for thirteen years and were working as Chief Information Security Officer of UW Medicine  when you joined CityU as Associate Faculty for STC. Thank you for agreeing to be interviewed for the STC Thursday Byte. Let’s start off by telling us about your career path that brought you to where you are today. 

Cris: Like most CISOs, it was not a straight path. I started out owning a restaurant (learned about customer service), joined a volunteer fire department and then went on to become a paramedic (learned how to make critical decisions with limited information), took over running the paramedic service (learned about managing highly trained professionals), switched over to technology full time and worked for several companies learning about networks, security, risks and threats (learned about controls and how to implement without negatively impacting the business), went back to school and did not stop until I had by PhD (learned about the research, theories and practical application of controls), and then kept honing my information security, management and leadership skills until I was eventually landed a CISO position. 

Morgan: What’s one thing you wish you had known when you began your career? 

Cris: That implemented security controls often have unintended consequences which can be worse than the original threat or vulnerability. 

Morgan:  How do you continue to learn in order to stay on top of things within your current role/area of expertise? 

Cris: I stay active in the information security community, participate in panel discussions, speak at conferences, attend seminars in and outside of my field, and constantly read about risks, threats, vulnerabilities, and our adversaries. 

 Morgan: What are some of the things you’re researching and/or learning right now? 

Cris: Risk management and how to better communicate the risk to board members and executive leaders continues to be a focus of my research. This includes internal, external and third-party risks.  

Morgan: We hear about success, but I think it is more powerful for our readers to hear you talk about your biggest failure (which I prefer to call biggest lesson); can you tell us about your ‘biggest lesson’, and what you learned from it? 

Cris: One or the biggest lessons I have learned is that you cannot be afraid of stopping a project or removing vendors or team members if they are not right for the project. I have let projects continue when it was clear that there should have been drastic changes made. In the short term, you will be slowed down if you make a change, but overall, you will be much better off and have a chance of success. 

Morgan: What advice would you give someone wanting to pursue a career similar to yours? 

Cris: Don’t be afraid to ask questions, seek out every opportunity for growth and find a good mentor. You need to constantly expand your knowledge if you want to stay relevant in the field of information security.  

Morgan:  Great advice! What are the best resources that have helped you along the way? 

Cris: This is a combination of academic sources, fellow information security professionals, researching incident and breach details (shows the common patterns of attacks), and ISACs or similar organizations. 

Morgan: What is the one common myth about your profession or field that you want to debunk? 

Cris: Don’t be tempted by the shiniest object being sold by the vendors. Technology alone will not solve our problems.  

Morgan: What have you read or listened to recently that inspired you?  

Cris: A Promised Land by Barak Obama. 

Morgan: Where can our students connect with you online? 

Cris: My Linked In profile ( or my CityU email address ( 

Morgan: Thank you for taking the time to be interviewed and thank you for your dedication to teaching at City University Seattle. Your desire to share your knowledge and train the next generation of future CISOs is commendable.