Secret CSO: Heather Hinton, RingCentral

What advice would you give to aspiring security leaders? “Make your experience as broad as you possibly can and work really hard not to silo yourself.”


Name: Heather Hinton

Organisation: RingCentral

Job title: Chief Information Security Officer (CISO)

Date started current role: January 2021

Location: Texas

As Chief Information Security Officer (CISO), Heather Hinton is responsible for RingCentral’s security posture and innovation across RingCentral including RingCentral’s UCaaS and CCaaS portfolio. Dr. Hinton brings more than 30 years of experience in IT and cyber security expertise to RingCentral. Prior to RingCentral, Hinton was Vice President and IBM distinguished engineer, and CISO for the company’s Cloud and Cognitive Software business unit. Hinton was instrumental in bringing Privacy by Design thinking into IBM’s Security and Privacy by Design discipline in response to emerging privacy requirements. As an IBM Master Inventor, Hinton holds over 100 patents covering federated identity management, cloud security, and policy management. She was inducted into the Women in Technology Hall of Fame in 2019.

What was your first job? I had my first job when I was about 12 years old - it involved teaching young children how to ride ponies in Canada. My first job in cybersecurity though was as a Professor at the University of Toronto.

How did you get involved in cybersecurity? Two things led to my initial interest in cybersecurity when I started university; Canadian winters and the Morris Worm. When I started university, the majority of cybersecurity issues were telecomms fraud. I was studying in Canada, where it’s notoriously cold and dark in the winter - making physically travelling into the computer labs unappealing. That cued my interest in navigating the system to get online from home, overcoming various cybersecurity issues along the way and avoiding the snow! Shortly after that I experienced the Morris Worm (the first computer worm to be distributed via the internet). I found it fascinating, and yet also terrifying to watch the consequences play out both online and to those people impacted. That’s how my journey truly began.

What was your education? Do you hold any certifications? What are they? I studied at the University of Toronto where I completed my PhD in Computer Security. I also hold the title of IBM Master Inventor and was inducted into the Women in Tech Hall of Fame in 2019 for my technical accomplishments. Last but not least, I am a member of the IEEE.

Explain your career path. Did you take any detours? If so, discuss. A random walk is what I call my career path. I am predominantly driven by my love of solving problems, meaning my career has gone in different directions as I’ve searched for the next interesting problem to solve. Over the years, I’ve led product design and architecture, development and sales and support for several organisations. I’ve also overseen security operations and data centre security, risk management, and incident response activities for Fortune 500 customers. My roles haven’t always been security focussed, but there has always been an element of security to the problems that I have been trying to solve.

Was there anyone who has inspired or mentored you in your career? There are so many people who have inspired and mentored me over my career. I’ve been incredibly lucky to always work in stimulating and nurturing environments. I’ll admit that at some points in my career, I wasn’t always aware of the inspiration and advice that I was getting. I was absorbing it unconsciously and it is only with hindsight that I can see it. I would definitely call out my PhD supervisor E. Stewart Lee because he always encouraged me to explore and do. He never hesitated to say “Yes. Great idea” and I wouldn’t have had the experiences I have without him instilling that in me. All my IBM managers were equally as supportive, always pushing me to do more than I thought I could do.

What do you feel is the most important aspect of your job? Communication. And, I’m not saying that because I now work for a communications company! What I actually mean is that as a CISO I have to be able to speak to the tech team and the business team and they are two very different teams to communicate with. For example, with the technology team I have to be able to show my technical chops and go “toe to toe” with them in the language they understand or they won’t be on board with the security programme. Meanwhile, with the business team it is all about communicating the business risk – this has become easier as business leaders become ever more attuned to security risks.

What metrics or KPIs do you use to measure security effectiveness? There is one that is always top of mind for everyone which is the number of incidents. Naturally, zero is desirable! Aside from that, I use improvement metrics such as reduction in issues, speed of response time, increase in automations. All of these help us to ensure that we’re continuously improving.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There is no denying the skills shortage - every company knows they need to hire. I am lucky that at RingCentral I never have a shortage of applicants. However, what’s missing from the pack and talent pool for me is the renaissance expert. As a way to boost numbers, currently students of cybersecurity are pushed to specialise in one thing e.g. forensics or incident response. What’s missing are the people who know the whole cybersecurity stack from end-to-end. The real shortage is the people that have (or want) a broad but sufficiently deep knowledge across the industry.

Cybersecurity is constantly changing – how do you keep learning? Conferences and reading are good ways to keep learning. But, what I find most valuable to keep me evolving with the industry are the challenges from my technical team and leaning on the relationships I have built over the years. Talking to my network and learning from them is the best way I stay on top of the industry.

What conferences are on your must-attend list? Black Hat and DefCon are a must for me. However, if you can’t make it to those, I love what I’ve heard about B-Side events. They are local, run all over and can be easier to get to.

What is the best current trend in cybersecurity? The worst? The best trend at the moment is ‘Zero Trust’. It is focussed on the user, and the user is always the weakest link. The worst trend is the belief that automation and AI tools will solve all the problems. That is simply not the case. For me, smart people fixing the problems before they occur is what will make it better. Automation and AI tools have their uses, but they paper over the problems where they are observed. I want to solve them where they occur, and you need smart people to do that.

What’s the best career advice you ever received? It’s not specific to the industry, but I think it’s great career advice; always keep an up to date copy of your CV in your top drawer. It serves two purposes; firstly you can look at it when you need to become a fan of yourself again. Secondly, always having it there, ready, keeps you in a position of strength with your job. You’re there because you want to be, not because leaving is too difficult or you don’t think you can go out and get anything else. I think knowing that is really important.

What advice would you give to aspiring security leaders? Make your experience as broad as you possibly can and work really hard not to silo yourself.

What has been your greatest career achievement? I am incredibly proud of the early work that I did on SAML and SSO. It was such a unique experience to be with a group of people coming together to collectively brainstorm, think and argue to solve a problem, which we did! The work set the stage for how people use the internet today. Making a real impact like that doesn’t happen often.

Looking back with 20:20 hindsight, what would you have done differently? I wouldn’t have changed how I got here. I’m here because of both the great and not so great decisions. I’ve made peace with them all and absolutely love where I am today. Looking back I would want to express my gratitude more and be more appreciative of people at the time, but that’s hindsight.

What is your favourite quote? I’m not sure it is a quote, but my favourite saying is “suck it up buttercup.” I find it works well for children and adults alike.

What are you reading now? A book I highly recommend called The Poppy War, written by Rebecca F. Kuang.

In my spare time, I like to… Go trail running with my dogs. I don’t like it, I love it.

Most people don't know that I… When I was a professor, there was a group of us that would build cedar and canvas canoes and raffle them off. I’ve built over 30 of them and still have one in Canada and one in Texas. Sadly, there is nowhere to really paddle in Texas though.

Ask me to do anything but… Jump out of a working aeroplane. The appeal just isn’t there.