Heller College of Business Alumnus Dr. Fred Kwong Featured in Cybersecurity Career Profile by Authority Magazine
Press enter or click to view image in full size
Have a passion for cybersecurity. It can be a tough job. You need to be continuously learning, you may have to work long hours, and you can often be under constant pressure by threats. In addition, your wins are not always celebrated, and your misses can make front-page news. Without a passion and purpose, the burnout is real. When you have the two, cybersecurity can be a very rewarding career. I am constantly learning and it’s important to keep that passion alive. For me, the passion is around protecting student’s futures and helping achieve generational wealth by protecting the systems they rely on to learn and graduate. This keeps me grounded when work or stress builds up.
The era of malicious AI presents a unique set of challenges to organizations, including the escalating need to identify vulnerabilities and minimize security threats to their products. How do product security officers prioritize risk management and mitigation to safeguard their organizations in this new frontier? As a part of this series, I had the pleasure of interviewing Fred Kwong.
Dr. Fred Kwong has been in the information security and technology field for the past 20 years working in the education, financial, telecommunication, healthcare, and insurance sectors. He is an award-winning thought leader in security and currently works at DeVry University where he serves as the VP and Chief Information Security Officer. Before leading the security program at DeVry, he was the CISO at Delta Dental Plans Association. He is a member of several advisory boards and is a frequent speaker at national security forums on cyber security and information technology and is often asked to consult on matters of security and leadership.
Fred also serves as an adjunct faculty member at Roosevelt and Benedictine Universities. He received both his Bachelor of Arts, in psychology and professional communications, and Master of Business Administration, in management information systems, from Roosevelt University, and he holds his Doctorate, in organization development, from Benedictine University. Fred has earned several certifications including the CISSP, CISA, CISM, CDPE, PCIP, PMP and ITILv3f.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small rural town outside of Chicago, Illinois. As a child, I was drawn into computers — constantly experimenting with programs that loaded into memory from a disk. I didn’t have gaming consoles. So, my computer was the only way I got to interact with technology and play video games. I made it my mission to squeeze as much processing power out of my computer so I could optimize my gaming time.
What started as this passion for tinkering and modifying things, led me to embark on my journey in the information technology world where I eventually transitioned into cybersecurity.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
There isn’t just one thing that brought me to cybersecurity; it was a mixture — right place, right time. I think that’s a common theme for many of us in cybersecurity. When I talk to other leaders in the field, I often hear a wide range of origin stories. A lot of us didn’t take the traditional university route — cybersecurity wasn’t even a major when I was to school.
My first role as a dedicated cyber personnel member happened when I transitioned from network engineering to cybersecurity. I initially worked on firewalls, which was easy to understand coming from a network background. From there, I moved into working on Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) and grew my skillset.
Can you share the most interesting story that happened to you since you began this fascinating career?
Early in my career our team had to deal with a cyber threat called Nimda which was a malicious worm that infected machines at a very rapid rate. At the time, I was in my twenties working for a very large organization and we had to quickly get ahead of this before the worm could spread to other computers. In order to keep it from spreading, I made the call to start shutting off network access to infected floors of our building. Once network access was severed, I led a team to go PC to PC and install the updated anti-virus definitions that could remediate the threat. As a kid in my twenties this experience was exciting — not just because I was leading the effort, but I was also responsible for taking down entire floors of the company. It felt like one of those containment scenes right out of a movie, good versus evil right at my own company. Since then, the world of cyber has always fascinated me and today I continue to lead my team in this ever-evolving game of cat and mouse.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Empathy — In order for an organization to get behind the security team, it needs to know that you are behind the organization. Security is a team sport. As part of the team, you need to understand what each of your team members are doing, what is important to them and how you can help support their goals. By understanding this, you’ll be seen as a partner, rather than an enforcer. For example, my team and I were looking into stale accounts. We worked with the business leaders to first understand why so many accounts were left active, even when not in use. By acknowledging their needs, we were able to create a new path forward, reducing the overall risk without putting in large roadblocks to the business.
Curiosity — Cybersecurity is constantly evolving, especially in the age of AI. A workforce proficient in using AI tools can unlock immense potential, driving innovation and competitive advantage. Someone that is willing to understand new technologies and how they work will go far in security. It is also important to ask thoughtful questions and work to understand them like, “What would happen if X occurred?”
DeVry University’s research speaks to this — 75% of workers and employers think that everyone needs upskilling or reskilling to keep up with technology, including in AI, and those who do so, will get ahead in their careers. Yet 42% of employers say they are not confident that their organization understands how to effectively train workers on AI. This gap creates risk — not just for the organization, but for individuals whose skill sets are becoming outdated. By staying curious and asking the right questions, we not only help protect our organizations, but we also identify where our programs and people need to evolve.
Persuasiveness — As a CISO I need to be able to translate complex technical risks into a language the business understands. The ability to influence, persuade and build trust across the organization is critical in implementing a successful security program and creating a security conscious culture. To support this, I spend significant time engaging with executive leadership — explaining the risks in our environment, illustrating the potential impacts and working together to define what levels of risk are truly acceptable for the organization. These conversations help align business strategy with security priorities, ensuring we move forward together with clarity and purpose.
Are you working on any exciting new projects now? How do you think that will help people?
One project that has been exciting for me is the revamp of our cybersecurity awareness training at DeVry. It’s been proven time and again that people are the weakest link when it comes to an organization’s efforts to prevent cyberattacks that lead to costly data breaches. Cultivating and sustaining a strong cybersecurity culture is important to successfully foil attacks and achieve cyber resilience.
I’m especially excited to use some new AI technologies to help create custom, personalized cyber training for DeVry. Clear policies and training are essential to guide employees in using AI responsibly. But training goes beyond understanding algorithms and software. It’s about developing durable skills such as critical thinking, problem-solving and adaptability that empower employees to apply AI effectively within their day-to-day tasks.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyberattacks prevalent today?
While there are several attack types, the top three that are most concerning, in my opinion, are malware attacks, phishing and social engineering, and insider threats.
Malware is a broader term used to describe malicious software that is used to harm an organization. The most prevalent one you hear about is ransomware.
Phishing and social engineering refers to threat actors that trick employees into revealing sensitive information such as passwords or social security numbers by pretending to be a trusted individual. Attacks can be via e-mail, text or even voice based. A common type of attack might involve a threat actor posing as a CEO or other high-level executive, asking for sensitive work or information right away.
These scams work because attackers are highly skilled at creating a false sense of urgency and exploiting human trust.
Insider threats are from employees who intentionally or unintentionally compromise security within the organization. A recent example involved a Samsung employee who inputted sensitive information into a public AI model, exposing that information to the public. Remember, employees are the first and last line of defense when it comes to cybersecurity. It’s important to ensure, especially in the age of AI, that employees are trained on how to identify threats and protect data.
How do you ensure the ongoing monitoring and detection of potential security threats posed by AI systems? What tools, technologies, or processes do you use to stay vigilant and respond promptly to emerging threats?
The key to understanding security threats posed by AI systems, is to understand the underlying technology. The term “AI” covers a very large number of technologies. It’s important to understand how each one operates and how it can be used by the organization. Companies must then assess where skill gaps exist and proactively address them with structured upskilling programs. By understanding those business needs, we can then determine the risks behind the technology. Staying informed on the evolving threat landscape around AI is equally critical.
Currently, we are looking at data loss prevention technologies that are focused on AI prompt review. As we mature and implement our own AI models, we will shift focus to look at model tampering techniques. We are also keeping an eye out on privacy and new regulations focused around AI.
Furthermore, if an organization wants to ensure that security is embedded inside the organization’s processes and protocols, then everyone will need to practice good security hygiene. For instance, do employees at all levels know how to report phishing appropriately? How often do they do it? Using questions like these as metrics will help paint a picture of how top-of-mind security is for employees, let security leaders know how often training needs to be performed to mold best practices and bring clarity to the strengths and weaknesses of an organization’s security culture.
With the increasing use of AI in various industries, how do leaders strike a balance between maintaining security and enabling innovation? What approaches or methodologies do you follow to ensure security without stifling technological advancements?
The key to striking the right balance is to not be a voice of no. Instead, your goal is to make the organization aware of how to use AI in a safe manner, which include ethical guardrails. At DeVry, we are committed to designing and deploying AI in responsible ways. We have published guidelines on how to safely use AI and developed a student guide for responsible use of AI. We also established an AI governance committee that will help us focus on AI priorities and demonstrate where our energy should be focused.
With almost every company and vendor implementing some form of AI, it is important to understand where resources need to be spent. Part of our goal on the security side is to make sure when colleagues are exploring AI technologies, that they think through how the information being inputted will be used, who has access to it and what the consequences to the organization will be if that data were compromised.
Collaboration and information sharing among organizations are crucial in combating security threats from malicious AI. How do leaders foster collaboration within the industry, both in terms of sharing threat intelligence and developing common best practices to protect against evolving threats?
The best thing to do is to network — get involved in security groups. Those could be locally where you meet with cybersecurity peers, or national organizations like the Information Sharing and Analysis Centers (ISACs). For example, DeVry is a part of the Research Education Networking Information Sharing & Analysis Center, or Ren-ISAC. I’d also be remiss if I didn’t talk about InfraGard, which is the public liaison to the FBI. With local chapters across the country, it’s an excellent way to learn about evolving threats both in physical and cyber.
As an institution of higher education, we take our responsibility to prepare students for real-world challenges very seriously. For instance, last year we partnered with Cloud Range to launch cyber range, which offers learners realistic, immersive simulations that mimic real-world cyber threats. They can practice and master a wide range of cybersecurity techniques, from analytics and investigation to repulsion and remediation.
Moreover, our robust cyber programs are strengthened by strategic partnerships and are shaped by insights from our National Advisory Committee (NAC) members, faculty and industry partners. Together, we create practitioner-based, experiential cyber learning opportunities that educate, engage and energize our students, faculty and the community-at-large.
Can you share a real-world example where an organization effectively prevented or minimized a security threat from malicious AI? What measures did they take, and what lessons can other organizations learn from their experience?
AI is often used to gather personal information. Today, much of our data — some of it highly sensitive — is accessible online. Pair that with public information about work titles and, when combined, this information can be used to social engineer support desk colleagues. Gone are the days of badly misspelled e-mails, AI is being used to craft sophisticated scripts that threat actors can use to target employees. For example, using information found on the internet, a threat actor impersonates an individual of a company, pretends to be them and resets their password to get access to their account. Identity verification is now being used to prevent this type of attack, ensuring the person on the other end of the phone is who they say they are. This is being carried out over video calls and verified against government issued IDs. With the proliferation of deepfakes and AI used for messaging, it is important to work with the business so they are aware of these types of attacks and can be more vigilant when dealing with individuals over the phone.
Press enter or click to view image in full size
What are the “5 Things You Need To Create A Successful Career In Cybersecurity” and why?
- Have a passion for cybersecurity. It can be a tough job. You need to be continuously learning, you may have to work long hours, and you can often be under constant pressure by threats. In addition, your wins are not always celebrated, and your misses can make front-page news. Without a passion and purpose, the burnout is real. When you have the two, cybersecurity can be a very rewarding career. I am constantly learning and it’s important to keep that passion alive. For me, the passion is around protecting student’s futures and helping achieve generational wealth by protecting the systems they rely on to learn and graduate. This keeps me grounded when work or stress builds up.
- Find mentorship and community. I wouldn’t be where I am today without the community I’m part of, especially the cyber community in Chicago. I’m grateful for the mentors I’ve gained along the way, and over time, I have had the privilege to be a mentor to others. Surviving and thriving in the field of cyber requires networking and continuous learning. It’s also a great reminder that you are not alone in the struggle.
- Get hands-on experience. While there are some security leaders without IT experience, I’ve found that having hands-on experience gives you instant credibility when working with peers inside of IT. IT leaders seem to have their own language and technical jargon and expect you to know it. Not only does it allow you to establish yourself as an expert with the leader, but you might be able to share knowledge on the subject that helps find a solution.
- Develop emotional intelligence. Cybersecurity, while often technical in nature is really a people business. A good cyber program is about creating cultural change in your organization — ensuring the people are the first and last line of defense. Having empathy, patience and awareness of others is critical to understand how to change a culture within the organization.
- Have a love for life-long learning. Cybersecurity involves daily learning. Threat actors invent new attacks constantly, and what you knew yesterday, may not protect you tomorrow. If you aren’t willing to continue to learn and gain knowledge in this industry you will eventually be forced out.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Businesses should serve as change agents for the world benefit. They are one of the most powerful forces in the world today, and with that influence comes responsibility. One way organizations can lead positive change is by partnering with higher education institutions that have deep expertise in identifying skills gaps and helping to navigate technological change through upskilling and reskilling programs.
How can our readers further follow your work online?
To learn more, please visit DeVry’s Cybersecurity Center of Excellence. And for those looking to engage directly, contact me through my personal LinkedIn or you can find me in Dark Reading, where I serve as a member of their CISO advisory board.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Latest University News Releases
- Aviana Holst Selected as Prestigious Lincoln Laureate HonoreeThe Roosevelt University senior will receive a Medallion of Lincoln, a Certificate of Merit and a small stipend that can assist with tuition costs.
- Chicago College of Performing Arts Professor Dr. An Tran Featured in Career Profile for Vietnam.vn"'When listening to me play Vietnamese music, students are often very excited and curious. There are techniques and tones they have never been exposed to, so after the performance they often come to ask more questions to understand better. It is also an interesting way for me to share my culture and encourage them to find their own voice in music,' said the guitar doctor." Dr. An Tran is the Guitar Professor at Roosevelt University.
- Director of the Center for New Deal Studies Dr. Margaret Rung Cited in Article About Government Shutdown for The New York Times"Congress passed the Hatch Act in 1939 in response to fears at the time that an administration “would overstep boundaries and use government workers to support certain candidates during elections,” said Margaret Rung, a history professor at Roosevelt University in Chicago." Dr. Rung is a Professor of History and the Director of the Center for New Deal Studies at Roosevelt University.
- Professor of Political Science David Faris Discusses the Legacy of the Supreme Court in Op-Ed for Newsweek"Just over 20 years ago, John Roberts was sworn in as Chief Justice of the U.S. Supreme Court. In those two decades, Roberts has blithely overseen the near-total dismantling of American democracy and an unprecedented rollback of basic rights. At virtually every opportunity, the Roberts Court has aggrandized its own power and that of the Republican Party that it reliably serves while exacerbating our social, economic and political divisions." Faris is a Professor of Political Science at Roosevelt University.
- College of Humanities, Education and Social Sciences Student Jadale Mitchell Receives Youth Leader Award from the Ann & Robert H. Lurie Children’s Hospital of Chicago"Ann & Robert H. Lurie Children’s Hospital of Chicago is proud to announce the 2025 Hope & Courage Awards recipients, recognizing individuals who have gone above and beyond to improve the lives of children and families." Mitchell is receiving his Bachelor's degree in Secondary Education and Teaching from Roosevelt University. He also competes on the Division II Track and Field Team.
- Chicago College of Performing Arts Student Aviana Joy Holst Selected as 2025 Student Laureate by the Lincoln Academy of Illinois"The Lincoln Academy Student Laureate program, now in its 51st year, recognizes excellence by seniors in curricular and extracurricular activities from each of the four-year, degree-granting colleges and universities in Illinois. Each Student Laureate will receive the Abraham Lincoln Civic Engagement Award, a Lincoln medallion, a challenge coin and a $1,000 check from The Lincoln Academy." Holst is receiving their BMA in Cello Performance and their BA in English from Roosevelt University.