How Investigative Skills Inform One CISO’s Approach to Cybersecurity

Leadership Profile
Written by Kara Bobowski

Rick Orloff

VP, CISO

Pure Storage

August 2025

Chief Information Security Officer (CISO) Rick Orloff of Pure Storage says that his journey to becoming a C-suite security leader is “very different,” which may be an understatement. He began his career as a licensed private investigator, operating his own firm and working with high-tech companies in Silicon Valley, including Oracle. How did he progress from private investigator to CISO? 

“I came to the opinion that the future was going to be about data,” he shares. “At that time, the future was all about disparate system verticals. You had verticals and fiefdoms built around who owns the email system, who owns the active directory system – and all of these verticals didn't talk to each other very much.”

As an investigator, he viewed each system “as a data repository” from which he could pull nuggets of information to solve an investigation or identify risks. He continues, “It turns out as the years ticked by that the future really did become about data and all of those systems now are commoditized.”

With his belief in the future revolving around data, he landed his first high-tech job in the semiconductor business. From there, he was recruited to Apple as a “team of one” to build a security function and help prevent leaks as the company was releasing new products. Orloff was involved in solving the famous Apple case when an engineer left the iPhone 4 prototype at a bar, tracking the prototype down and returning it to the company.  

He went on from Apple to his first CISO role and has served as the CISO of several technology companies in the Bay Area. Orloff also worked with “our three-lettered agencies,” as he explains, on classified issues involving national security. Currently, he is CISO of Pure Storage, a leading provider of innovative and cloud-ready data storage.
 

Staying Focused on Security Strategy

Despite a volatile and uncertain environment, in which threats are rapidly evolving, Orloff thinks CISOs should remain focused on their core strategy. If security leaders have assessed their organization’s risks and created a holistic cybersecurity strategy, he says that “in theory, new threats should map to your existing strategy.”

If emerging threats are not addressed, Orloff says, “You have the wrong strategy – which is okay. You need to adjust it.” He shares that CISOs need to evaluate new factors and whether or not they are covered by the security roadmap at least quarterly.

In 2025, Orloff believes that he and most CISOs are likely focused on these top priorities:

  • Identity Access Management: Orloff says, “If you can control identity – including anything that gets you access to anything else, such as a username, password, token, certificate, API key, all of those things – then you're seizing the high ground.” 
  • Data Access and Governance: He thinks after managing identity, security leaders are trying to manage access to data. He notes, “If you can have a complete inventory of your data – understanding where it is and how it's protected – and access is based on roles, and not over-permissioned, then you're in a really good position.”
  • Cyber Resilience: Orloff explains that CISOs should be focused on resilience this year, evaluating how resilient their business is, what functions are necessary to recover, and in what sequence. “Resiliency is really important,” he says.

If a Fortune 500 company hired a new CISO tomorrow, two of the top areas they’re going to focus on are identity and data.


Generating Confidence with Leadership

Orloff shares that two keys to his success in cybersecurity are “delivering results and not being bureaucratic.” He goes on to say that some security leaders often focus on creating processes and policies that sometimes “don’t necessarily make you more secure.”

He explains that “if we focus on processes, frameworks, and controls that provide real world security, when something happens, you're in a much better position to be able to figure it out.” Orloff considers delivering results and strategic focus to the board and senior leadership an essential part of the security function. “If something bad happens in your organization and you can't explain what happened, and it remains unsolved, that does not instill confidence in a security program,” he continues.

In addition, Orloff believes CISOs have to focus on identifying risks or threats that are about to happen. Security leaders “need to identify it, contain it, and control it, so that you don’t end up with a major incident… Those are meaningful results that generate confidence with the leadership.”
 

Advice for New-to-Role CISOs

Orloff says that for new CISOs, it’s critical to “document your as-is condition.” CISOs who are new to the role should conduct an assessment, clearly document the known risks, and communicate the results to the executive team. “The honeymoon period is not long,” he shares. “In your first 90 days, you should present to the business what the risk posture is, the strengths, and the weaknesses.”

He cautions that new CISOs do not want to be in a situation where something happens that they inherited, but did not document. “You need all those risks mapped out. Then, you can mitigate them or prioritize them based on the blast radius. But if you don't know what your risks are, then you're looking for a landmine,” he says.

A good security program should contribute to top-line revenue.


In addition, Orloff believes that a strong security program can support the business and contribute to revenue growth. He thinks security teams can streamline operations and processes and reduce cycle time. 

One example of how his team has done that is with customers performing due diligence. They created an assurance packet that provides 90% of what a customer needs in one document, reducing the back-and-forth questions with the due diligence team. He says, “It makes the process smooth for our resellers and for our internal teams, and it speeds it up sometimes by two weeks.”

“Security can engage in a meaningful way so that you’re enabling the business and not slowing it down,” he shares.

Rick Orloff is the Vice President and CISO at Pure Storage and a Governing Body Member of the San Francisco CISO Community. To connect with your CISO peers and participate in discussions on mission critical priorities, join your local Gartner CISO Community. If you are already a member, sign in to register for your community’s upcoming gatherings.
 

Special thanks to Rick Orloff and Pure Storage.
