Secret CSO: Steve Sims, 11:11 Systems

What is the best current trend in cybersecurity? “Focus on prioritising vulnerabilities. Focusing on what matters – especially when a business has a small team – is super important.”

Name: Steve Sims

Organisation: 11:11 Systems

Job title: VP of Security and CISO

Date started current role: December 2021

Location: Washington and Idaho, United States

With nearly two decades of experience in IT and security operations, Steve Sims serves as the VP of Security and CISO at 11:11 Systems. As a U.S. Air Force veteran, he began his career securing systems across the globe. Since making his transition to civilian life, Sims has been involved in roles at every level of security operations, including Information Security Officer and Principal Security Consultant for major healthcare organisations. Sims is a Certified Information Systems Security Professional (CISSP) who is dedicated to furthering education and awareness of security through his participation as a CompTIA SME Technical Advisory Committee member. Sims co-founded Cascade Defense, a managed security services provider that was acquired by Green Cloud Defense in March 2021, which was then acquired by 11:11 Systems in December 2021.

What was your first job? My first real job was as a grocery store attendant for a lake resort and RV park. After a couple summers of that, I was able to move over to become a summer groundskeeper for Dry Falls State Park in central Washington. In this role, I managed a team of prison inmates on a work release program who helped me maintain the park. It was an incredible learning experience working with the inmates and gave me first-hand exposure into what can happen if someone does the wrong thing.

How did you get involved in cybersecurity? In 2003, I joined the Air Force with the intention of becoming an air traffic controller. After discovering that being colourblind disqualified me from the role, I stumbled into the cybersecurity field. At the time it was called “Communications and Computer Systems” which eventually morphed into cybersecurity.

What was your education? Do you hold any certifications? What are they? I’m a firm believer that knowledge-based certifications and on-the-job, real-world experience are the most important training tools in the cybersecurity field. While higher education can be valuable, there is nothing that can replace the skills gained by learning through doing. My education was primarily through the Air Force, with miscellaneous college courses here and there. I also completed military courses through various government agencies as well as CompTIA Security+ and ISC2 Certified Information Systems Security Professional certifications.

Explain your career path. Did you take any detours? If so, discuss. My cybersecurity work began in the Air Force, starting with the help desk at the HQ for Air Intelligence Agency at Lackland AFB. I performed various cybersecurity functions for unclassified and classified networks and gained experience on-the-job. From there, my role expanded as I was stationed at Hickam AFB and took on greater responsibilities supporting cybersecurity efforts for all of the Pacific Air Force. A lot of my work focused on preparing organisations for DoD cybersecurity audits, and I ran the vulnerability management shop with a 250,000-device footprint to manage across 3 networks. After leaving the military in 2014, I moved into a security sales engineer role for a data center and cloud provider. I eventually left to become an information security officer for a regional healthcare system overseeing two major hospitals and 73 clinics. Shortly after, I got the entrepreneurial bug and started Cascade Defense in 2017, focusing on managed security services. A few years later, we were acquired by Green Cloud Defense and eventually acquired by 11:11 Systems.

Was there anyone who has inspired or mentored you in your career? One of my government civilian leaders and retired Chief Master Sergeant in the Air Force taught me the ropes of compliance, audits, and the true meaning of due diligence. His guidance helped to form the ideas that helped to set the stage for starting our company and make it successful. In my career I have found that a lot of people like to talk about due diligence, but don’t actually follow through. If a business has all of its ducks in a row ahead of the need – whether it be an audit or an incident, for example – it makes it easier to respond appropriately.

What do you feel is the most important aspect of your job? The most important aspect is ensuring that the entire team – from entry level employees all the way up the organisation to the executive level – as a whole understands the concepts surrounding cybersecurity. Establishing a culture of why cybersecurity is important to ourselves and our customers has always been a key focus in my role as a security leader.

What metrics or KPIs do you use to measure security effectiveness? First and foremost, customer satisfaction provides a window into the security effectiveness of our services. What we hear (and don’t hear) from customers tells us a lot about how well equipped they are to handle security incidents. From an internal perspective, I have specific KPIs for the SOC team such as mean time to detect and respond that help me measure how we’re doing as a whole.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Absolutely. Just about every position that we hire for regularly receives a quality pool of candidates but finding skillsets that appropriately match is difficult. As leaders in security, we are challenged with finding ways to bring new people into the field who can provide a fresh perspective. We no longer have the luxury of posting entry level roles that require 5+ years of experience in IT. Instead, we must look at different skillsets and consider how they benefit the team as a whole in new ways.

Cybersecurity is constantly changing – how do you keep learning? One of my favourite ways to learn is to consume content, whether it’s through podcasts or books. I particularly like the CISO Vendor Relationship Podcast, SANS Internet Storm Center and CyberWire Daily for some quick listens on the road to the office. I also enjoy reading books that provide a perspective outside of the technical pieces of the puzzle, such as military strategy and entrepreneurial-focused books.

What conferences are on your must-attend list? Blue Team Con is the top conference I aim to attend each year, and one that I find many security leaders overlook since it’s on the smaller side.

What is the best current trend in cybersecurity? The worst? Currently, I’d say the best trend is the push to focus on prioritising vulnerabilities. Focusing on what matters – especially when a business has a small team – is super important. Appropriately identifying vulnerabilities that truly matter to the security posture of your specific organisation is a critical component of managing resources. One of the worst trends is the increasing and seemingly never-ending amount of marketing acronyms. It can sometimes seem like companies are not accomplishing the true goals of security and instead getting lost in creating new products for the sake of it.

What's the best career advice you ever received? The best career advice was from a brutally honest Senior Enlisted leader that I had in the Air Force. Early in my career I had a habit of speaking seemingly just to get my point out, whether it was needed or not. He told me to just sit back and listen. I still struggle with doing that sometimes but do make a conscious effort to be a better listener. When I’m successful, I find my way to better and more informed decisions and give my team the opportunity to run with their own great ideas.

What advice would you give to aspiring security leaders? It’s really easy when you’re passionate about security to take decisions of the business or the customer personally. Don’t fall into this trap. It’s terrible for your mental health. We all have a job to do and at the end of the day, everyone has a different perspective on how it should be done. As you’re starting your career, don’t feel like you have to be an expert in everything. It’s a broad space which can be intimidating especially as you’re trying to forge your path. Take chances and try new things often.

What has been your greatest career achievement? I am proudest of building Cascade Defense and taking it to acquisition with the help of my co-founder and support of my family.

Looking back with 20:20 hindsight, what would you have done differently? I feel fortunate to have had a range of experiences and at this point in my career, I’d do it all over again without changing a thing.

What is your favourite quote? I don’t have a favourite quote really. I have favourite chapters of books and favourite segments of speeches depending on the topic, but there is no single quote that I choose to live by or personify. One that I tend to use often is “A lack of planning on your part does not constitute an emergency on my part.”

What are you reading now? Three books are currently on rotation right now, including “Risk, A User’s Guide,” “CISO Desk Reference Guide Vol 1,” and “The Mom Test.”

In my spare time, I like to… You can most often find me outside in the woods, tinkering with landscaping and property maintenance for my 22-acre property. My family and I also love to enjoy all that the Pacific Northwest has to offer with regular camping trips and kayaking. I also enjoy riding my motorcycle when I get the opportunity.

Most people don't know that I… am colour blind and can’t read much of what shows up on multi-coloured slide presentations or documents. I just nod my head and pretend sometimes.

Ask me to do anything but… I will not sit with my back to the door of any bar, restaurant, or other room that I am in. I hate not having the situational awareness of seeing who comes in and who leaves.