
Cresta's Head of IT on Engineering-First Security and Compliance: 'Button Clickers Are Not Getting You There'

Cresta News Desk
Published
November 4, 2025

Robert Kugler, Cresta's Head of Security, explains how an engineering-first approach turns security into a competitive advantage, building trust and accelerating business.

Credit: Outlever

Key Points

  • Traditional security models, often too slow for modern AI development, tend to act as roadblocks to innovation.

  • Robert Kugler, Cresta's Head of IT, Security, and Compliance, explains why security is an engineering problem that requires technical leaders who can build security directly into the product.

  • By giving customers the assurance to innovate safely, an engineering-first approach can turn regulation into a competitive advantage.

I really believe security leaders should get a lot more technical. A security leader who can't code is not in the right position. A business-first mindset is absolutely important, but it needs to be combined with technical knowledge. Otherwise, you don't survive in a tech company.

Robert Kugler, Head of Security, IT, and Compliance, Cresta

In the race to implement AI, some enterprises are colliding with a dangerous reality: traditional security models are failing. Built for a slower, more predictable era, legacy frameworks are often roadblocks to innovation, creating friction between security teams and developers. For many leaders, the tension is forcing a difficult choice: move fast and risk exposure, or stay secure and fall behind. But what if that choice was a false one?

For Robert Kugler, Head of Security, IT, and Compliance at Cresta, the answer isn't more process. It's better engineering, and treating regulation as a competitive advantage rather than a burden. With a 15-year career spent building, breaking, and investing in technology, Kugler has a unique vantage point on what works and what doesn't. For a business to move faster and build trust, he believes security must first operate as a technical, product-embedded function.

"Security is, at the core, an engineering problem. So, to fix security, you need to hire engineers. Button clickers are not getting you there," Kugler says. Instead, he champions an engineering-first approach to security. "I really believe security leaders should get a lot more technical. A security leader who can't code is not in the right position. A business-first mindset is fundamental. But it needs to be combined with technical knowledge. Otherwise, you don't survive in a tech company." A team of security generalists simply cannot keep pace with the speed of modern innovation, he says.

For Kugler, the key to success is a culture that sees security and engineering as two sides of the same coin. Here, the ideal security professional is a hybrid of design, product, and engineering.

  • The "Unicorn" skill set: Like mythical creatures, employees with the skill sets to build and break technology are rare. "You need to define security requirements for your feature, decide how to design it, what the user experience should look like, and then test it. Does it work for the customer? How would agents interact with that?" Then the security engineer must context-switch from builder to breaker. "Now we've built this whole thing. How can I actually break it? Is there a way? If so, we probably need to go back to the drawing board."

In a technical-first model, the goal is fewer hires for far greater impact, Kugler explains. Today, the need for engineering-ready talent often stems from the limitations of legacy risk management systems.

  • Beyond the questionnaire: Usually built on static questionnaires, old-school third-party risk management (TPRM) is just too slow and shallow for today’s tangled AI supply chains. "Basically, as an industry, we did third-party risk management by asking people to complete some questionnaires. Hopefully, the answer is truthful. But the process itself is so slow. Nobody can really keep up with that due diligence."

According to Kugler, this model lacks the technical depth to validate vendor claims. "You actually need to look at hard technical evidence," he advises. Drawing a clear line with vendors is essential, he continues, even if it means being the bad guy sometimes. Without rigor, more supply chain security breaches could unfold in the future. This is especially true as agentic AI emerges and low-code trends create reckless shortcuts.

  • The peril of "vibe coding": The key is to rigorously evaluate how much power an agent has and limit it to the absolute minimum access permissions, Kugler says. Here, he cautions against the allure of quick fixes: "Everybody believes now they can build agentic stuff completely on their own. Just sign up for Lovable, and it will be there in ten minutes. But it's not something that you can sell to an enterprise without getting into trouble." From a security standpoint, he says, the trend is reckless.
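The least-privilege point above is easier to see in code than in prose. The example below is an added illustration, not Cresta's code or anything the article describes in detail: an agent is granted exactly the permissions its task plan needs, every tool call is checked against that grant before it runs, the tool itself enforces tenant scoping rather than trusting the prompt, and every decision is logged. The tool names, permission strings, tenant names and ticket records are constructed for the example.

```python
"""Least-privilege tool dispatch for an LLM agent (added example, not Cresta's code).

Permission names, tool names and the ticket records below are constructed
for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed sample data: support tickets, keyed by tenant.
RECORDS: Dict[str, Dict[str, str]] = {
    "acme": {"ticket-1": "Acme billing dispute"},
    "globex": {"ticket-7": "Globex outage report"},
}


class PermissionDenied(Exception):
    """Raised when a tool call exceeds the agent's grant or its tenant scope."""


@dataclass(frozen=True)
class AgentContext:
    agent_id: str
    tenant: str                  # the only tenant this agent may touch
    granted: FrozenSet[str]      # permissions granted for this task


@dataclass(frozen=True)
class Tool:
    name: str
    required: FrozenSet[str]     # permissions the tool needs
    fn: Callable[..., object]


TOOLS: Dict[str, Tool] = {}
AUDIT: List[Tuple[str, str, str]] = []   # (agent_id, tool, decision)


def tool(name: str, *required: str):
    """Register a tool together with the permissions it requires."""
    def register(fn: Callable[..., object]) -> Callable[..., object]:
        TOOLS[name] = Tool(name, frozenset(required), fn)
        return fn
    return register


@tool("read_ticket", "tickets:read")
def read_ticket(ctx: AgentContext, ticket_id: str) -> str:
    # Tenant scoping is enforced inside the tool, not left to the prompt.
    tickets = RECORDS.get(ctx.tenant, {})
    if ticket_id not in tickets:
        raise PermissionDenied(f"{ticket_id} is not visible to tenant {ctx.tenant}")
    return tickets[ticket_id]


@tool("delete_ticket", "tickets:read", "tickets:delete")
def delete_ticket(ctx: AgentContext, ticket_id: str) -> str:
    read_ticket(ctx, ticket_id)          # same visibility rule before mutating
    return RECORDS[ctx.tenant].pop(ticket_id)


def minimal_grant(plan: List[str]) -> FrozenSet[str]:
    """Derive the smallest permission set that covers a task's tool plan."""
    grant: FrozenSet[str] = frozenset()
    for name in plan:
        grant |= TOOLS[name].required
    return grant


def dispatch(ctx: AgentContext, tool_name: str, **kwargs):
    """Check the call against the agent's grant, log the decision, then run it."""
    t = TOOLS.get(tool_name)
    if t is None:
        AUDIT.append((ctx.agent_id, tool_name, "denied:unknown-tool"))
        raise PermissionDenied(f"unknown tool {tool_name}")
    missing = t.required - ctx.granted
    if missing:
        AUDIT.append((ctx.agent_id, tool_name, "denied:" + ",".join(sorted(missing))))
        raise PermissionDenied(f"{tool_name} needs {sorted(missing)}")
    AUDIT.append((ctx.agent_id, tool_name, "allowed"))
    return t.fn(ctx, **kwargs)


def run_demo() -> Dict[str, str]:
    """A read-only triage agent for tenant acme, granted only what triage needs."""
    triage = AgentContext("triage-bot", "acme", minimal_grant(["read_ticket"]))
    out: Dict[str, str] = {}
    out["own_ticket"] = dispatch(triage, "read_ticket", ticket_id="ticket-1")
    for label, name, ticket in (
        ("delete", "delete_ticket", "ticket-1"),      # beyond the grant
        ("other_tenant", "read_ticket", "ticket-7"),  # beyond the tenant
    ):
        try:
            dispatch(triage, name, ticket_id=ticket)
            out[label] = "allowed"
        except PermissionDenied:
            out[label] = "denied"
    return out


if __name__ == "__main__":
    print(run_demo())
    for entry in AUDIT:
        print(*entry)
```

Two design choices matter here. The grant is derived from the task plan (`minimal_grant`) rather than handed out as a standing role, so an agent that only needs to read tickets never holds `tickets:delete` in the first place; and the tenant check lives inside the tool, so a prompt-injected request for another customer's ticket is refused by code, not by the model's judgement. The audit log records both outcomes, which is the "hard technical evidence" a reviewer can check later.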

Instead of resisting regulation and compliance, Kugler’s team welcomes them as market differentiators. "The industry needs to grow up and embrace regulation instead of fighting against it. Regulation is really what's going to make AI mainstream-ready," he adds. To measure the proactive stance, Kugler recommends tracking execution speed. "We became ISO 42001 compliant one day after Anthropic. That's the first international standard for AI. For a company that's not yet operating at the scale of Anthropic, it's a pretty cool statement," Kugler explains.

Now, being one of fewer than 100 companies to achieve this standard globally positions audit-readiness as a powerful sales and trust advantage for Fortune 500 customers. For Kugler, all these elements—from the engineering-focused team to the "build and break" talent to the rigorous risk-testing model—serve one ultimate purpose for the customer: "The ultimate benefit is giving the customer peace of mind that you won't make headlines due to a simple, stupid mistake, or from something your own security team couldn't spot."