Secret CSO: Tim Callahan, Aflac

Cybersecurity is constantly changing – how do you keep learning? “The most valuable learning opportunities are the exchanges with peers…”


Name: Tim Callahan

Organisation: Aflac

Job title: SVP; Global CSO

Date started current role: January 2016

Location: Columbus, GA

Tim Callahan joined Aflac as the Chief Information Security Officer in April 2014. He oversees Aflac’s Global Security Program, as well as leading various security and risk committees and structures to help business partners accelerate in a safe and sound manner, while protecting Aflac clients. Prior to Aflac, Callahan was Senior Vice President, Business Continuity and Information Assurance at SunTrust Bank.

What was your first job? My first paying job was as a paperboy at age 14, but I began working for my father’s small business at an earlier age.

How did you get involved in cybersecurity? While in the Air Force, my core profession was explosive ordnance disposal (EOD). EOD units were self-contained, so EOD techs served in all the various roles it took to run a unit such as equipment maintenance, procurement, administration, training, etc. In most of my assignments, I served in additional duty roles such as unit information security officer, operations security officer, communication security officer and computer security officer. EOD was a function that held a vast amount of classified information, so these roles were significant. In 1986, the Air Force named me the Information Security Officer of the Year, which helped me land my first role in information security upon my military retirement and successfully transition to the civilian workforce.

What was your education? Do you hold any certifications? What are they? I earned my bachelor’s degree while in the military because there were no cybersecurity or information security degrees at the time. Early in my transition out of the military, I took multiple courses in information security at Georgia Tech and through training companies such as MISTI. I hold several certifications, including the CISSP, CISM and CRISC. 

Explain your career path. Did you take any detours? If so, discuss. Looking back, I experienced more of a series of disconnected trails than a clear path in my career. I left the military and found my way working for a bank in Atlanta where I led a construction and facilities management function. The bank decided to consolidate their many smaller banks into one large bank, which necessitated creating corporate functions. That led me to help form an early version of a centralised information security administration department. From there I moved into a CISO role at a smaller bank that was remaking itself as an acquiring bank. I built out the security function there. Eventually, I went back to the larger bank and was later recruited to my current role as SVP and global CSO at Aflac.  

Was there anyone who has inspired or mentored you in your career? Many people helped in my transition from the military to the civilian workplace, and I would not want to name specific individuals for fear of missing some. I have drawn tremendously from CISOs in the various associations and committees that I have been involved in. The person who I admire the most in my life is my dad, who taught me the value of hard work, dedication, honesty and integrity above all. 

What do you feel is the most important aspect of your job? Protecting customer information without sacrificing Aflac’s ability to achieve business objectives is the most important part of my work. But right next to it is to make sure that I equip, develop and support the team. If I take care of the team, they take care of the mission.

What metrics or KPIs do you use to measure security effectiveness? We have a robust metrics program, and I tend to use metrics in specific disciplines to gauge overall effectiveness – too many to mention here. However, among what we capture and report are numbers from our data loss prevention tools, phishing test pass rates, risk assessments target/complete, exceptions/remediation on target, vulnerabilities/remediation on target and security incidents/follow-ups.  

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, I think we are experiencing the same challenges with finding the right talent that most larger organisations are experiencing. COVID-19 has made it a bit more difficult. Risk assessment analysts, security engineers and security solutions architects tend to be the roles that are most challenging to recruit.

Cybersecurity is constantly changing – how do you keep learning? The most valuable learning opportunities are the exchanges with peers in forums such as the FS-ISAC CISO Congress, CSO 50 and Global CISO Executive Summit. After more than a decade in the industry, it would be easy to assume I know everything I need for the job. But there is always a wealth of new information and ideas to be found among my talented peers.

What conferences are on your must-attend list? The FS-ISAC, CSO 50, Global CISO Exec Summit and RSA ESAF are at the top of my list.

What is the best current trend in cybersecurity? The worst? There are many overrated security technologies, but some incredibly good ones, too. I have become impressed with deception technology. When done well, it leads the bad guys to assets that have no legitimate purpose so you are alerted and know there is something wrong.

What's the best career advice you ever received? Always tell the truth, even when it is uncomfortable. Aflac Inc. Chairman and CEO Dan Amos is very wise and communicates in ways that stick with you. One of his truths is that bad news does not improve with time. 

What advice would you give to aspiring security leaders? In most cases, the business is not about information security. To be successful, you need to know the critical factors for the business and constantly tune your program. We must implement a security program that supports the business and company culture, while also ensuring we protect all aspects of our customers, company and shareholders.  

What has been your greatest career achievement? While not exactly my achievement, I have to say that Aflac has the best security leadership team ever assembled. They amaze me. They get the right things done in the right way. In fact, our entire team is the best.

Looking back with 20:20 hindsight, what would you have done differently? I may have been a bit wiser about investments – Microsoft in the late ’70s? Who knew? However, in all seriousness, my journey has made me who I am. I can’t really think of anything that I would do differently.

What is your favourite quote? “People don't care how much you know until they know how much you care.” - John Maxwell

What are you reading now? The Great Influenza: The Story of the Deadliest Pandemic in History by John M. Barry

In my spare time, I like to… enjoy being outside and trying my hand at creativity. You can find me working in the yard and building things in my free time.

Most people don't know that I… enjoy using tractors, backhoes and various heavy equipment to work around the house.

Ask me to do anything but… back up my camper without a spotter. I recently had an “incident” that could have been much worse. I learned my lesson and will use a spotter from now on.