Secret CSO: Jim Tiller, Nash Squared

What do you feel is the most important aspect of your job? “It’s my job to translate a complex and diverse set of information into balanced business and cyber terms.”

Name: Jim Tiller

Organisation: Nash Squared

Job title: Chief Information Security Officer

Date started current role: January 2022

Location: Raleigh, NC, USA

With nearly three decades of information security experience, Jim Tiller is an internationally recognised cybersecurity authority on cyber risk management, security technology and industry leadership, and has been recognised with multiple patents for innovation in security solutions. Prior to joining Nash Squared, Tiller was the COO of Kivu Consulting, the VP of Security Services and Operations at Optiv, and the Director of Security Consulting Services for the Americas at Hewlett-Packard. Tiller also worked for several years at British Telecom (BT), where he was the VP of Global Security Consulting and VP of Security Services for the US & Canada.

What was your first job? Washing dishes in a seafood restaurant at 12 years old. I looked much older than I was, so I got the job. That was the beginning of working in restaurants in almost every role until I graduated high school. You learn a lot about hard work, teamwork, and leadership in that environment. 

How did you get involved in cybersecurity? I was working as a mechanical designer when I discovered someone had obtained a copy of one of the designs. There was no negative impact to the organisation, but the question of how the data was acquired lingered. I started investigating how to get into computers, and that was the beginning of my career as a penetration tester.

What was your education? Do you hold any certifications? What are they? I jumped right into technology after high school, when the Apple IIe was the hottest thing, and before I knew it, I was the “IT guy” at every job. That led me to focus on certifications in the early 90s, when at one point I had every Microsoft certification they offered. I received my CISSP in 1999, quickly followed by CISA, CISM, NSA IEM/IAM, and multiple others. I attended university late in life and obtained a degree in Information Security Management.

Explain your career path. Did you take any detours? If so, discuss. I started my security career working as part of IT in a few companies, and it didn’t take long to realise I wanted to move into consulting. I made the transition to a security consultant in 1994 and then joined a premier consulting company, International Network Services (INS), in 1997, where I worked with and learned from some of the best in the business.

The only slight detour from the security consulting industry was a period of a few years when I worked on security development at Bell Labs where the mission was to develop security solutions that directly tied to key transformative business applications for customers.

Other than the time at Bell Labs, I stayed in security consulting and services leadership in various roles across a number of global companies working with some of the largest organisations in the world.

Was there anyone who has inspired or mentored you in your career? In the broadest use of the term, inspiration came from my parents. Although I had very little time with him, my father encouraged critical thinking and that nothing is impossible. My mother instilled a strong work ethic and being a professional learner, which remains with me to this day. However, it is my wife of nearly three decades that keeps me inspired. Her support and encouragement carried me through every challenge. From a security perspective, the list of people who have inspired me and guided me is simply too long to list. I’ve been truly lucky in my career to have had the opportunity to work with amazing people.

What do you feel is the most important aspect of your job? Ultimately, the most important aspect is being an effective source of meaningful cyber information for decision makers across the business. It’s my job to translate a complex and diverse set of information into balanced business and cyber terms. It’s important to not solely see cybersecurity as the centre of the universe, but rather the business as the centre. From this perspective I can be far more effective and valuable to the executive community, investors, and customers because everything is orientated to managing risk within the context of enabling the business.

What metrics or KPIs do you use to measure security effectiveness? I believe there is real value in applying the basics of security. Ensuring good security hygiene, especially in today’s environment, can contribute enormously to maintaining a sound security posture. Therefore, straightforward tracking of vulnerabilities, patching, access controls, identity and authentication, phishing and malware control effectiveness, endpoint protection, security monitoring, and application security are at the top of the admittedly long list.

Additionally, how well an organisation performs security practices is critical. Capability maturity is the focal point and the defining factor for any security program. I’ve been deeply involved with the SSE-CMM since 1997 and use the fundamentals of that model to evaluate the level of how well security is being applied across the environment against established security frameworks. It’s essential for maintaining security as well as driving improvements.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Finding the right mixture of skills and experience in cybersecurity is a challenge. Contributing to the effort is the increase in cybersecurity specialisation. Perhaps a decade ago you could find someone with a wide range of skills, yet today each aspect of security has become a specialist area. We first saw it with penetration testing and forensics years ago, and now we have people with established careers in threat hunting, reverse malware engineering, threat intelligence, and the like. As organisations, we must start approaching the gap with greater understanding of these specialisations, so we’re focused on developing roles that at least offer positions across a defined spectrum of responsibilities that take advantage of overlapping areas within these specialties. Looking for a candidate with 10 years’ experience in identity and access management, cloud security, firewall management, threat analysis, SOC operations, data protection, and compliance is not realistic.

Cybersecurity is constantly changing – how do you keep learning? Reading is my primary method. I consume vast amounts of information from books and papers to presentations and articles. I also read laws and regulations, standards, and other guidance that is published by governments and NGOs around security. I believe that staying close to the source is essential. If I read an article about a new discovery made by a university, I read the research paper. I prefer to hear it from the horse’s mouth as opposed to a digest version. I’m also extremely lucky to have a large network of truly amazing friends and colleagues in the cybersecurity industry. Incredibly smart people who do amazing things every day, and I want to hear about it, learn from it, and be inspired. Not a day goes by where I’m not genuinely amazed by the fantastic things people are capable of.

What conferences are on your must-attend list? Black Hat and DEF CON are at the top of my list. You can get so much from that short week, far more than from some of the other mainstream events. Infosecurity and BSides are very good. Beyond that, I prefer attending regional events and various “cons” as they materialise around the world. It’s a great way to stay connected with what’s happening in the trenches.

What is the best current trend in cybersecurity? The worst? The best trend is the utilisation of ML and AI in security solutions and platforms that are showing signs of really solving big problems. These are especially materialising in the endpoint and cloud spaces. Moreover, this is driving better forms of behaviour analysis, automation, rapid intelligence, and information enrichment – all essential and valuable capabilities in a security program.

The worst trend is the use of ML and AI by threat actors. What started as enhanced scripting, module-based malware, and deepfakes is rapidly becoming highly automated and intelligent. Moreover, with ML and AI relentlessly scavenging vast stolen data stores and open-source intelligence, we’re facing an inflection point in threat capabilities.

Of course, in a few years cybersecurity is going to be turned upside down with quantum computing.

What's the best career advice you ever received? I think it’s the combination of four rules I’ve picked up throughout my career: You have a 100% chance of failure if you never try; quitting is not an option; inspect what you expect, but expect what you measure; and be a servant leader.

What advice would you give to aspiring security leaders? I’ve been lucky to have had the opportunity to give advice on occasion, and I always start with the same thing: You have to love security to be a security professional. It’s not an easy job, no matter where you are in the spectrum of the industry or your professional journey. I affectionately call it the ‘crazy train’: it’s always moving and changing. You have to be a professional learner, a natural collaborator, and look at the world just a little off kilter. Always ask for help, always share what you’ve learned, and always say something. Ultimately, create a vision of yourself, commit to it, and own it.

What has been your greatest career achievement? It’s a bit cliché, but the day I opened the shipment of my first published book in 2000. It represented an unprecedented amount of work and something I’m proud of to this day. I went on to author three more books and contribute to more than twenty, but this was the first one that made me feel good about how far I had come and how far I can go.

Looking back with 20:20 hindsight, what would you have done differently? I would have started my own company.

What is your favourite quote? When it comes to cybersecurity, the quote that stands out is from Sun Tzu, The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

What are you reading now? As usual, I’m reading two at the moment. I just started The Lazarus Heist by Geoff White and am finishing Sandworm by Andy Greenberg, an excellent book.

In my spare time, I like to… I try to make the most of the outdoors and have a lot of weekend activities, like woodworking, welding, running, or walking the dog. However, earlier this year I decided to start a project to completely rebuild an old muscle car from the ground up with my son. It’s going amazingly well.

Most people don't know that I… I’m an avid horseman. I try to ride as often as possible.

Ask me to do anything but… Painting walls. I desperately hate painting.