Secret CSO: Roger Hale, BigID

What is the best current trend in cybersecurity? “It’s hard for me to bet the best, but immutable infrastructure is a great trend. Immutable infrastructure sets up DevOps and InfoSec for success.”


Name: Roger Hale

Organisation: BigID

Job title: CSO

Date started current role: February 2021

Location: Texas

Roger Hale is the CSO of BigID, a company reimagining data management, and is responsible for leading initiatives related to security and risk management, compliance and product innovation. Hale’s 35 years of extensive infosec experience spans VC, cloud services, data management and regulatory compliance with former positions including CISO in Residence at YL Ventures, VP and CISO at big data company Informatica, as well as senior leadership positions at Symantec and Lending Club.

What was your first job? My first ‘career’ job was as a mainframe developer. But growing up in rural Idaho, my actual first job was as a farmhand on a dairy farm. Still today I can diagram the correct process for milking a cow by hand.

How did you get involved in cybersecurity? There was no information security career path when I started 35 years ago, but one of my strengths was building operational and repeatable processes. When HIPAA and Sarbanes Oxley both started to have an impact on technology, companies were looking for how to “attest” and provide security compliance. That’s really about implementing operational processes that fail closed (or protected) rather than fail open (or unprotected). So I got into security because of a legal and internal audit asking us to meet regulatory compliance. Meeting compliance regulations became an expanded scope of responsibility in my roles, whether appdev or IT infrastructure, and it continued to grow in priority and criticality, until the industry carved out the security responsibilities as a separate role.

What was your education? Do you hold any certifications? What are they? I attended both Utah State University and DeVry Institute focused on Computer Information Systems. My part-time college job became my full-time developer career when my employer had a new initiative building an electronic catalog and just-in-time fulfillment system in the retail automotive industry. Today I hold the ISC2 CISSP and CISSP-ISSMP as well as the ITSM certifications.

Explain your career path. Did you take any detours? If so, discuss. There was no career path in information security back in the late 80s. My career evolved from being a mainframe developer, into client server technologies even back in the 10baseT days before fast ethernet (I remember when Windows for Workgroups was announced). As technology became more portable, my career pivoted with technology to support IT infrastructure and corporate systems technology. And as perimeters, or rather barriers, to technology were overcome, my career continued to pivot to the greater challenges and leading-edge technology. Today, those challenges are in data protection, whether it is information security, data privacy, or data governance.

Was there anyone who has inspired or mentored you in your career? I don’t like this question because it asks me to select one yet my career has been influenced by so many people both inside the tech industry and beyond. I strive to find and learn from every interaction I have, whether personal or professional; however, my goal is to balance my quality of life and not focus solely on any specific aspect of my career or my personal life.

What do you feel is the most important aspect of your job? Relationships are most important. A CSO’s role isn’t solely to protect the company. A CSO in any organisation is a business enabler and to facilitate this, the CSO needs a voice at the table when business decisions are being made. To do that, he or she must be a trusted partner to the rest of the executive team.

What metrics or KPIs do you use to measure security effectiveness? The answer is not straightforward because it depends on the industry as well as an organisation’s operations. The metrics of the efficacy of a security program have foundational components across all industries, but the devil is in the context of specific industry and operational practices.

I measure my program by its maturity across the domains of data protection that are relevant to my organisation’s business model. In the case of BigID, we provide an on-prem and cloud service. Our customers' data protection requirements, and the ability to provide that assurance to customers, are paramount to BigID’s service offerings. Our security program and the effectiveness of our controls provide that assurance to our customers.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There has always been a skills shortage in information security. That’s why I believe we need to think outside the box. We need to stop putting artificial barriers in place that limit who is considered “qualified” for an information security role... For example, quite often I see requirements like “must have a college degree,” or “must have seven years of information security experience”. In our hiring practices, we can learn from the amazing story of the past 30 years of technology advancement: thinking outside the box and taking chances. One of the best security operations directors I know is someone I transitioned from IT operations. I’ve watched a technical customer success manager grow her career into the senior director of security engineering. I would encourage others to stop looking for that “perfect” candidate and instead evaluate a candidate’s qualifications the same way we evaluate new tech. Let’s find the candidate who meets at least 70% of our needs but who demonstrates the ability to grow into the other 30% - look for the critical soft skills and then invest in the training to bring those people up to speed on the more technical job skills.

It’s most difficult to find people with the soft skills. For instance, people who understand that they don’t have to be right every time. These are collaborative thinkers who realise it is more important to listen and learn about why business requirements are important rather than focus on the technical “win”. You can have the best technical solution, but if people don’t want to use it, or they don’t respect you enough to listen to you, it is of no value. I’m looking for the people who don’t live in a black and white world, but who instead understand that context is everything. I can train for the technical skill set. What I am searching for are strong values, willingness to learn and adapt, and solid leadership skills.

Cybersecurity is constantly changing – how do you keep learning? In every conversation, in every news feed, I am active in the industry. This includes everything from our disparate conferences, to sharing information with my peers, and advising new tech startups either from introduction by their investors or directly. I believe that if you work in high tech, your job is to stay ahead of the technology and the industry pivots. If you don’t extend yourself to be open to interactions with your peers across the industry, you’re not only hurting yourself, you’re also hurting your organisation. We are hired to be THAT subject matter expert. I don’t know everything, but through my network, I bet I can find someone who knows THAT.

What conferences are on your must-attend list? I’m finding that the more localised regional conferences have really been providing value during the transition to virtual, and I sit on the advisory board for the SF Evanta CISO org. The larger conferences are always a must-attend not just for the knowledge but for the peer network. My list always includes RSA, BlackHat / DefCon, IAPP, and because I am in the technology space, Gartner’s conferences.

What is the best current trend in cybersecurity? It’s hard for me to bet the best, but immutable infrastructure is a great trend. Immutable infrastructure sets up DevOps and InfoSec for success. The other I love is orchestration and SOAR beyond the scope of the SOC. With all of the privacy regulations and the added questions about data usage, the automated validation of business process orchestration is very helpful. The worst? Calling it CyberSecurity. Especially in the information security field, “cybersecurity” is buzzword bingo. Our services have been transitioning from the historical datacenter to distributed cloud services (I’m not fond of the word “cloud” either by the way). By calling it cyber, you now have a redundancy of controls because the controls for the “cyber” go beyond just the internet access component. Today, data protection is cybersecurity, but cybersecurity may not include all of data protection. A better phrase is “information security”. We protect the information where it resides, how it travels, and how it is acted upon.

What's the best career advice you ever received? You should be more afraid of inaction than of taking the wrong action. I’ve made many decisions, both personal and professional, that, in hindsight, were not the ‘best’ decision, but in retrospect, not making a decision would have been worse. 

What advice would you give to aspiring security leaders? Build your network and go out of your way to help others, including your peers. Be courageous and take the risk. Don’t be afraid to be vulnerable and to ask for help.

What has been your greatest career achievement? If you look at my profile, you can see that I am a “builder” CSO. The roles I have taken have a common theme of “transforming”, “greenfield”, or “pivoting” organisations. That means building and mentoring teams. I’m humbled by the fact that many of my teams have been willing to follow me across multiple organisations. My greatest career achievement is most certainly my ability to build teams and mentor them.

Looking back with 20:20 hindsight, what would you have done differently? I would have gotten my own ego out of my way earlier (joking - but there is always some truth to the jokes we tell). I have always been a private person, so I didn’t believe in the relationship building and vulnerability components of leadership early in my career. I felt that work was work and personal was everything outside of work. In hindsight, I wish I would have learned that’s not the case before social media conflated the two.

What is your favourite quote? Donald Rumsfeld stated: “Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.” I have distilled this into: “We know what we know, we know what we don’t know, but we don’t know what we don’t know.” Cybersecurity.

What are you reading now? I’m reading Noise by Daniel Kahneman - a discussion of the impact of irregular bias on consistency of decision making and its impact on the risk-based process.

In my spare time, I like to… Oh so many hobbies. I can’t sit still and I’m a very outdoorsy type of person. Because I spend my work hours in front of a computer, my escape is to work with my hands, or to get out into the Texas countryside.

Most people don't know that I… … am a grandfather with two amazing granddaughters who are smarter than I am.

Ask me to do anything but… Don’t put me in a box. The fun comes from not doing something the “way it has always been done”. Give me the freedom to be creative and the opportunity to consider doing it better.