Jim Hillier is currently the director and principal advisor for security in the Office of the CTO at Rimini Street, but for years he served as Chief Information Security Officer (CISO) for a number of organizations. It’s a job that has changed over the years as the Internet of Things (IoT) developed, and today it looks entirely different than it did just a couple of decades ago.
“Today it’s tough to be a CISO because you have everything from your thermostats to your candy machines that all take credit cards and are tied to your network,” he says. “There are so many more potential ways to have your network unsecure than you had in the past.”
But it’s also a job that provides a lot of satisfaction—it’s defined by interesting problem-solving and working with a team of other professionals to meet the highest security standards. Plus, he says, there’s a lot of variety: “Every day is different.”
The three main jobs of a CISO
Hillier sees the CISO role as consisting of three major elements: protecting data, responding to incidents, and maintaining compliance.
The CISO is responsible for writing security standards and policies to guide the employees and operations, ensuring that appropriate training is incorporated throughout the enterprise. The job also requires evaluating risk and assessing partners and products related to the protection of data.
For example, a CISO might commission a penetration test (“pen test”) to find holes in the system that need a patch. The key is to address the most vulnerable elements of the system first and then work with the enterprise’s board to decide whether the risk that remains is acceptable. CISOs must assess the level of risk each vulnerability carries and what it would cost to remedy, so that the board can make informed decisions.
“You can’t fix everything all at once; it would be way too expensive,” Hillier says. “As CISO, you do a lot of analysis work that requires collaborating with vendors, third parties, and in-house experts. You work a little bit with everybody.”
A CISO is responsible for creating and evaluating incident response plans. This requires engaging everybody in the organization, not just the IT team. The CFO and CIO will play key roles, since a breach has both financial and data impacts. A risk officer who deals with insurance will also likely be included in planning. Other employees will deal with attorneys, state-level responses, and the human impact of a breach.
“You have to have a whole strategy for everybody, and you have to keep the board apprised and assess what their risk appetite is,” he says. “If you get hit with ransomware, it’s too late at that moment to figure out if you’re going to pay a ransom or not.”
The CISO is also responsible for ensuring compliance with governmental and other regulations and with contractual terms related to IT security. For example, the CISO is in charge of ensuring that the company meets the PCI Security Standards Council standards that apply to data protection in digital transactions. Noncompliance with this and other requirements can result in fines and legal ramifications, not to mention reputational harm. The CISO role is vital for protecting the company from the risks that come with noncompliance.
The importance of teamwork
Hillier got most of his technical computer training in the military. Serving in the Marine Corps as a general-purpose computer technician, he learned how to fix everything from mainframes to microchips. With that practical experience under his belt, he became a teacher, and after a while moved into the IT field, becoming a CTO, then a CIO, and finally a CISO. Along the way, he earned an associate degree in aeronautics, a bachelor’s degree in electronics, and a master’s degree in information systems with a concentration in electronics.
But as valuable as all these degrees and practical training have been, he has also gained a deep appreciation for the importance of teamwork in effective IT security response.
“Probably the biggest thing that I learned is you have to develop a team, and they really have to work as a team, and you have to keep your team educated,” says Hillier. “They have to communicate very effectively because time is essential” when a security incident occurs.
He remembers a good example of this principle: he was working at an educational institution several years ago when its system was hit with ransomware. Hillier’s team stopped its spread when only 26 of the institution’s 7,000 computers had been infected. By contrast, the same ransomware hit the local government’s system two months later and, with no comparable incident response team to stop it, spread unchecked. “They lost everything and it made national news,” Hillier remembers.
For his team, the success was all about working together on approaches they had practiced to perfection: “It was mostly due to them being a team, being able to communicate, and practicing. We honed those skills, and it paid off. They excelled.”