Secret CSO: Rob Hughes, RSA

What metrics or KPIs do you use to measure security effectiveness? “There’s no one metric that’s going to tell the full security story.”


Name: Rob Hughes

Organisation: RSA

Job title: Chief Information Security Officer

Date started current role: November 2022

Location: Massachusetts

As the Chief Information Security Officer (CISO), Robert Hughes leads the Security and Risk Office and is responsible for ensuring the security of RSA products and solutions and the RSA corporate environment, leading the organisation’s cybersecurity, Information Security Governance, Risk and Compliance (GRC), corporate physical security, privacy, product and IT application security functions. Hughes has more than 25 years of experience leading security and infrastructure teams, including life-critical operations and business-critical PCI-DSS Level 1 transaction processing environments. Previously, he worked in the Philips Home Monitoring division, leading the Security and Systems Design team, and co-founded the original website, where he served as Chief Technologist.

What was your first job? My first job was working the tech support lines for a software company that sold a CD-ROM product; it was so long ago that we had to take a lot of calls about how certain CD-ROM drives couldn’t read CDs that were almost full of data – but still within spec. I moved from that support role to managing their IT infrastructure services, which included a dash of security for good measure.

How did you get involved in cybersecurity? I got involved in cybersecurity through that same tech support job when I moved to managing the IT infrastructure of the company. Back then we were using dial-up internet, managing a firewall, and making sure our Windows systems were patched. Some very interesting utilities came out that made a basic security posture a requirement and let an attacker do just about anything they wanted on a Windows system. There’s a myth about an old curse – ‘May you live in interesting times’ – and those were interesting times for cybersecurity: we’d see very simplistic attacks – sometimes accidentally – take down networks or even much of the Internet.

What was your education? Do you hold any certifications? What are they? I double-majored in computer science and mathematics at Brandeis University.

Explain your career path. Did you take any detours? If so, discuss. I took a partial detour. Shortly after leaving that first job, I co-founded In my role I focused a lot on business development and content, so there was a lot of writing and editing on the front-end even while I was also managing the back-end of a 24/7 consumer-facing internet property that in the end was getting something on the order of 1 million unique viewers per month. I was still doing security, just in a different context for a smaller company, getting my hands into Linux and server hardening. My cybersecurity work at looped back around.

Was there anyone who has inspired or mentored you in your career? My boss for about 10 years at Philips was a mentor for me. He showed me the patience and understanding needed to deal with difficult technical, personnel, and political issues. That’s where I got my start in corporate management – moving from an individual contributor to a manager leading a team and then a manager of managers.

What do you feel is the most important aspect of your job? Communication is the most important aspect of my job. I need to be accessible to my colleagues about the issues that affect RSA’s security posture and accessible to our customers about the business. I never want to use cybersecurity as an excuse to block a business from moving ahead with its goals. To do that, I frequently need to communicate what the risks are, what needs to be protected, and how to balance security and usability.

What metrics or KPIs do you use to measure security effectiveness? My philosophy is that there are millions of KPIs and there’s no one metric that’s going to tell the full security story. What I like to do is use a maturity matrix to understand how advanced a given security control or compliance program is today and work to improve them tomorrow. You can use some metrics to get a sense of that maturity, but there’s no KPI silver bullet that will tell you the full story. I suggest using your maturity of controls as a metric and measuring with KPIs to make sure you are improving the maturity over time.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Hiring for cybersecurity is always challenging. That’s in part because it’s not enough to just know security: most people in the security field have some other experience in a related technical or compliance field. I think it’s always challenging to find the right mix of ‘security plus’ people who bring the right mix of core cybersecurity competencies and some other background that meets your needs. Beyond those technical skills, I think it’s hard finding the right leadership and communication skills and drive all in one package like in the DevSecOps model. The hiring time for a lot of roles across the industry can be more than 6 months.

Cybersecurity is constantly changing – how do you keep learning? I feel like I learn something new every day. There’s such a wide range of material out there – reading articles, listening to podcasts, and reading outside of tech to round yourself out. One of the ways I keep learning is finding a topic that I’m not confident in and just really digging into it. Start with a Google search or go to the r/cybersecurity subreddit and you’re bound to at least learn the basics – and maybe even find the next expert you should listen to.

What conferences are on your must-attend list? It’s going to sound like an advertisement, but certainly RSA Conference is a must-attend event for me. I also respect AWS re:Invent, Black Hat, and DEF CON.

What is the best current trend in cybersecurity? The worst? I don’t know if it’s the best or worst trend, but I think the one trend with the greatest overall impact is the ubiquitous move to multi-factor authentication and zero trust. Don’t get me wrong: these are core cybersecurity principles that everyone needs to adopt. But the implementation can really vary. I’ve even had some trouble getting my MFA working between my Amazon account, my utilities, and streaming services. It’s not always a fun journey. We need to continue to make these security measures accessible and usable if we’re going to ask everyone to use them.

What’s the best career advice you ever received? If you don’t know what you want to do, figure out what you don’t want to do, and do something else. That may sound odd, but it leaves you open to a lot of new challenges and opportunities if you don’t shoehorn yourself into a specific role. There is a strength in that in the security realm, as while some of the fundamentals are engraved in stone, the application of those fundamentals is ever-changing.

What advice would you give to aspiring security leaders? Tools and budget won’t solve all your problems. Spend your time exposing the business issues you have and risks you are dealing with and attack the root of those by shedding some light on them with your management and leadership. This goes back to communication.

What has been your greatest career achievement? Last year I became CISO of RSA, a worldwide brand, a brand with a rich security history, and a business I’ve worked to protect over the last 8 years.

Looking back with 20:20 hindsight, what would you have done differently? I would have mined Bitcoin back in 2009. But seriously, related to my career and experiences, I don’t have a lot of regrets. I have worked securing and protecting life-critical infrastructures and financial data, as well as being the sole system owner of a tech stack to run a dot-com boom website. I think all of those different experiences gathered together brought me to where I am today.

What is your favourite quote? It is lengthy – The Person in the Arena – from Theodore Roosevelt. I always remember it was printed on Dan Joyce’s desk from my days at Philips: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”

What are you reading now? I’m often in the middle of multiple books, for better or worse. The current ones are Threat Modeling: Designing for Security by Adam Shostack and Catch-22, the classic.

In my spare time, I like to… Hike, eat, drink, read, do carpentry, repair household appliances and mechanical things, play a horribly complex game called Grim Dawn to clear my mind, and generally spend time with my family and pets doing all of those things.

Most people don't know that I… Have a 1979 Chevy Malibu that is constantly under repair and I kind of like it that way.

Ask me to do anything but… Run a security program without leadership support.