Q&A with Ralph Spencer Poore
After more than 10 years working at PCI Security Standards Council (PCI SSC), Ralph Poore, Director, Emerging Standards, retires at the end of the year. In this blog, we interview Ralph about his career in cryptography, security and the payments industry, the most rewarding aspects of his career, and how he plans to stay involved with the PCI SSC as well as his retirement plans.
Tell us about your educational and professional background. What factors influenced your decision to get involved in cryptography and to join this industry?
Ralph Poore: As the song goes, I grew up the son of a preacher man. My dad was a Methodist minister. Our family was not rich so when I attended Texas Christian University (TCU) I did so as a member of the Air Force ROTC and participated in work-study programs in order to pay my way through school. One of those work study programs was at the computer center where I fell in love with computers. I started as a keypunch operator, then a computer operator and later got involved in systems programming and network administration. I recognized early on that there were serious security issues in the old APL system. It was the foundation for a lifetime of learning and a career in security technology.
After college, my eyesight had changed so my dream of becoming an Air Force pilot was no longer an option. I decided to pursue my interest in computers and became a computer scientist. That career move afforded me the chance to pick my own base assignment in the Air Force and I chose Omaha, Nebraska, the site of the U.S. Strategic Air Command. At Strategic Air Command I was assigned to missile programming where I had to quickly learn JOVIAL and COBOL. As a 2nd lieutenant (the most junior officer) I was assigned the additional duty of security officer where I learned a great deal about physical and logical security. I also learned about cryptography in the Air Force which would launch my career into that field.
After serving in the Air Force, I was hired by another government agency that provided me with more training and experience in cryptography. From there, a company called Data Processing Security offered me a position back in Texas. I worked in computer security consulting and would later work in consulting powerhouses Ernst & Whinney (now Ernst & Young) and Coopers & Lybrand (now Price Waterhouse Coopers) focusing on security in the financial services sector. I later started my own company and became a Qualified Security Assessor (QSA). I began work on standards development at the PCI SSC in Sept 2011.
You are considered one of the top experts in applied cryptography. How has that space advanced over the years?
Ralph Poore: Cryptography has over 4,000 years of history but modern cryptography is considered by most to be from World War II until today. Modern commercial cryptography really began in the 1980’s. In my long career I have been deeply involved with both government/national security and commercial cryptography.
The advancements in the field of cryptography have been significant during my time working in this space. The main advancement early on was the recognition by financial institutions that they even needed logical security in the first place. That was soon followed with the recognition of the need to protect the transmission of financial data.
IBM’s Lucifer was proposed to become the first data encryption standard for commercial use in the financial services industry. Lucifer was the precursor to what would become the Data Encryption Standard. NIST would later create the Advanced Encryption Standard that we use today.
I recently did a joint presentation on advancements in cryptography with my good friend, Jeff Stapleton from the Accredited Standards Committee X9. This presentation talked about the history of cryptography and the many advancements that have led us to our present day. Anyone interested in this presentation can view it here.
Looking to the future, quantum computing will have a serious impact on cryptography. The lesson here is that we must be always evolving as we will always be under attack from more and more sophisticated criminal elements.
What has been the most rewarding aspect of your career at the PCI SSC?
Ralph Poore: The most rewarding thing about my time at the PCI SSC has been the wonderful people I have had the honor and privilege of working with. The professional women and men at the PCI SSC have been among the very best teams I have worked with in my long career. The caliber of people who have been assembled at the PCI SSC is truly outstanding.
Having spent a lot of time in the financial services sector over my career, I have relished the opportunity to influence improvements in that sector during my time at PCI SSC. I have also found the chance to mentor future generations of cybersecurity professionals to be very rewarding.
We must act collectively on security in order to counter organized crime and state sponsored actors. Being part of that mission has been enormously gratifying.
You hold several industry certifications including PCIP, CFE, CISA, CISSP and CHS-III certifications. Why has continuous professional development been so important to you?
Ralph Poore: Well, I am a continuous learner. My philosophy is that any day that you don’t learn something new is a wasted day. I’m somewhat of a renaissance man in that I’m interested in everything. I am someone who has always asked lots of questions and does independent research on my own. That is just my nature and my interests have always been very broad. On a professional level, the cybersecurity world is constantly changing and often at lightning speed. Continuous learning is the only way to stay a step ahead of the criminals.
Were you given any advice during your career that has stuck with you over the years? What advice would you give to other people about how to succeed in the payment industry or in a technology-based field in general?
Ralph Poore: One of the most useful pieces of advice I ever received was from an Air Force Colonel I greatly admired. He was a navigator on B-52 bombers. B-52’s often flew long missions with no restroom on board the plane. His advice: Never pass up a sandbox. He was a very wise man!
The other advice I received early in my career was to not take myself so seriously. That was a tough lesson for me to learn early in my life as I was a young man in a hurry who wanted to be a CEO as quickly as possible.
My advice to others would be to never pass up an opportunity to learn something new. You have to be a continuous learner throughout your life. That is true today more than ever.
You also need to understand your adversary. You need to understand how cyber-crimes are committed and what countermeasures work and don’t work.
While you are retiring, you are not entirely leaving us. What will your involvement with the PCI SSC be moving forward?
Ralph Poore: I will still be around. I will be a contract employee as a Principal Consultant. I will be working part time in a consulting role as a liaison for PCI SSC with external standards bodies. I will be working closely with the stakeholder engagement team to maintain strategic relationships with other standards bodies and will work on projects related to cryptography.
What are you looking forward to most in your retirement?
Ralph Poore: I am looking forward to spending time with my family. My wife and I have one grandchild and another on the way. I look forward to being in the grandfather business. I am also excited to have more time to pursue my many hobbies. I am a postal historian and chair an annual stamp expo that draws hundreds of attendees. I am involved with American Mensa and plan to become more active with them.
Finally, my wife and I are avid travelers. We especially love cruises, and we plan to explore parts of the world we have never visited before.
On behalf of everyone at PCI SSC, we want to thank Ralph for his incredibly significant contributions to the PCI SSC over the past 10 years; for his leadership, hard work and dedication to helping the PCI SSC grow into the globally recognized organization it is today; for his valued expertise and unwavering commitment; and for his friendship to so many PCI SSC staff and PCI colleagues. We wish you all the very best in your (semi-)retirement.