A Conversation with Adrian Ludwig
Q&A with Adrian Ludwig, CISO of Tools for Humanity
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m trying something a little different this week. Instead of my usual deep dive into a single topic, I’m launching a new format where I sit down with a notable security professional to pick their brain on the future of our industry. To kick things off, I recently had the chance to sit down with Adrian Ludwig, the CISO at Tools for Humanity.
If you’ve followed his career, from the early days of the DoD to leading Android security at Google and serving as the Chief Trust Officer at Atlassian, you know he doesn’t exactly follow the traditional “compliance-first” CISO playbook.
A Note on our Conversation: The following insights are based on a recent Q&A session I held with Adrian. While they capture the core of his philosophy and our shared (and differing) opinions, these are my own paraphrased notes from our discussion rather than direct verbatim quotes.
The security chameleon: adapting across eras
One of the most impressive aspects of Adrian’s career is his ability to adapt to vastly different security contexts. He’s seen the industry through every major transition over the last 30 years. At Adobe, he was at the front lines when the primary goal was just keeping the internet from crashing due to web vulnerabilities. At Google, he led the security for Android at a time when mobile devices were just beginning to touch billions of lives. Then at Atlassian, he steered the ship as massive organizations finally embraced the cloud, a move many thought would be a security nightmare, but that Adrian correctly saw as an opportunity to build on more secure foundations.
His current role at Tools for Humanity (TFH) is perhaps his most unique challenge yet. TFH is the core contributor to World Network (formerly Worldcoin), which uses Orbs (advanced cameras) to provide a privacy-preserving proof of human. Adrian’s move from established giants to a high-velocity, identity-focused startup shows his deep understanding that security is not a one-size-fits-all function. Whether he’s securing the operating system on billions of phones or building a global, decentralized identity layer, his core philosophy remains: security must be an engineered primitive that enables, rather than restricts, the world.
Insights from our conversation about AI, Identity, and the evolution of the CISO
On career lessons and the shift in scale
Adrian reflected on how each of his major roles prepared him for the next by shifting the definition of scale. At Adobe, scale meant preventing a single buffer overflow from crashing the web. At Google, it shifted to securing an ecosystem for billions of Android users. At Atlassian, it became about proving that the cloud was actually a more secure primitive than on-prem. Now, at TFH, he’s tackling identity as a security problem, arguing that privacy and security are intrinsically linked because if you can’t verify a human without leaking their data, the system eventually becomes untrustworthy.
The win for platform-driven security
He sees a clear win in the industry’s move toward platform-driven security. He believes that the cloud is fundamentally more secure than legacy data centers and that AI will further accelerate this by making rule implementation easier. However, he remains concerned about the human gap. As fundamental protocols like FIDO passkeys begin to fix phishing, he believes attackers will simply pivot to refactoring how decisions are presented so that humans are manipulated into making bad choices regardless of the protocol.
The AI structural change: accelerant or transformation?
While we align on the move toward more engineering-forward security, I believe Adrian’s optimism regarding AI and platforms might be missing the structural magnitude of the coming shift. While he sees AI as an accelerant for rules and repeatability, I view it as a fundamental change to the threat landscape. We aren’t just solving old problems faster; we are dealing with systems that are non-deterministic, hallucinatory, and prone to behavioral drift. In my view, this is more than just more of the same — it is a second major test that the industry is already showing signs of failing.
The "Chief Electrician" and the future of the CISO
Adrian’s hottest take is that the role of the CISO is destined to go away. He compares the future of the role to that of a Chief Electrician. We will always rely on electricity, but it will eventually be provided so reliably by the platforms we use that we won’t need a dedicated executive just to keep the lights on.
I am less certain that platforms will actually become more secure over time. In the SaaS era, platform security has often made security more decentralized, pushing critical risk decisions onto the providers themselves. We are effectively trusting these vendors to take the right risks on our behalf, and it’s a gamble. While current AI platforms are taking security seriously today, the pressure to move fast may eventually cause secure coding practices to be deprioritized in favor of features.
Where Adrian and I do find common ground is on the organizational future of the CISO. We agree that the role will likely become a division of engineering or AI engineering. In this model, the CISO is no longer a separate gatekeeper but an integrated function where risk is concentrated and managed similarly to how Infrastructure or DevOps is handled today. This is the only way to move at the speed of the business while actually reducing risk rather than just auditing it.
Finally, Adrian believes the industry is far too hard on users. While many security pros see users as dumb, he argues that a compromise is usually a failure of design. If a user makes a mistake that leads to a breach, it’s a designer’s fault the first time and the security team’s fault the second time they allow that design flaw to exist.
Quick Hit Questions
Preferred coding language: Rust
Favorite security tool: Netcat
Least favorite security tool: Hash algorithms
AI stack: ChatGPT for chatbot, Cursor for coding
Coke or Pepsi: Coke
Tea or Coffee: Coffee
Closing Thoughts
Adrian Ludwig’s career is a testament to the fact that security is an engineering discipline first. His ability to adapt from the DoD to Google, Atlassian, and now the decentralized identity world shows that a successful leader must be as agile as the technology they protect.
Adrian is right that security should be invisible. But until we move away from the “tool babysitter” culture, most CISOs will stay stuck as “chief firefighters” rather than electricians. Tools for Humanity is showing what’s possible when you build with privacy and security as primitives, but for the rest of the industry, the “Efficiency Reckoning” is still just beginning.



