The Secret CSO: Roger Hale, Informatica

Name: Roger Hale

Organisation: Informatica

Job title: VP & CISO

Date started current role: January 2017

Location: Austin, TX

Roger Hale is Vice President and Chief Information Security Officer at Informatica. In this role, Roger and his team are responsible for the enterprise information security of an enterprise cloud data management service provider. Roger has more than 25 years of experience working in the high-tech industry and brings specialisation in marrying risk, information security, customer advocacy, and service delivery with the agility of cloud services. He has a proven track record of delivering effective strategies that align information lifecycle management with business objectives, information assurance, and risk management.

What was your first job? I was a mainframe database developer… but I think we all were in the ‘80s.

How did you get involved in cybersecurity? It began when I was working in Silicon Valley during the DotCom boom and my customers were concerned about protecting their data to keep their competitive advantage. I was a Managed Service Provider in the Bay Area when there was a confluence of virus attacks (e.g., ILOVEYOU, Code Red, Melissa), data breaches (e.g., Eli Lilly), and federal regulations (e.g., Sarbanes-Oxley, HIPAA). For me, it started by challenging myself and my team on how to maintain the integrity of and access to our customers' data. We had to not just be technologists, but also understand our customers' business requirements and consider what could impact the availability and integrity of the data. Ultimately, a combination of customers and the industry paved my path to Information Security, where confidentiality, integrity and availability became the three standards of security.

What was your education? Do you hold any certifications? What are they? I started my career as a developer, before continuing into database development once client server technologies started to take off. I then moved into infrastructure. Having experienced both backgrounds and witnessed the impact of Information Security as it became a global challenge in the early 2000s, it was a logical step for me to transition into InfoSec. However, I strongly believe that regardless of your educational background, it can be relevant to Information Security. Regarding certifications, I hold the ISC2 CISSP and CISSP-ISSMP certifications.

Explain your career path. Did you take any detours? If so, discuss. Building off the above responses, there weren't any realistic Information Security career paths in the ‘80s for me to pursue. My career went from developer, to infrastructure, to Information Security. However, this career path has provided me with a breadth of incomparable first-hand experiences dealing with the challenges and risks across the technology sector.

Was there anyone who has inspired or mentored you in your career? The obvious answer is Steve Katz! It was 25 years ago that he was hired by Citibank as their CISO, and I had the honor of sitting on a panel Steve moderated back in 2009. He was asking questions back then that are still relevant today. I've had many mentors in my career and some are deliberately from outside of the IT security community. I'm not saying there aren't any inspiring leaders in InfoSec; however, early on I realised that understanding the business was as important as good tech. Today, I network with leaders in High Tech, FinTech, Retail, and Data Protection, and this makes me a better CISO by helping me look at my responsibilities from all perspectives.

What do you feel is the most important aspect of your job? Relationships. At the CISO level, it's not about the tech but rather contextualised risk management. The relationships established across the organisation and amongst my peers provide me with the visibility and organisational goals that best align to a data protection programme that:

    1. Protects the Company
    2. Protects our Customers
    3. Be the Customer (use our own products)

What metrics or KPIs do you use to measure security effectiveness? This is another one of those questions that is really industry-specific. For example, my KPIs would be different than, say, a CISO in the manufacturing industry. But I hope some hold true across industries:

    1. Cybersecurity Monitoring - We retain a cyber monitoring service that scores our internet footprint in addition to other areas. We review these scores over time, adjusting for growth of internet services and/or M&A activity, and compile a report on our cyber maturity and our time to respond to cyber events.
    2. Internal Vulnerability Monitoring - Patch management, manual vs automated, and configuration management help monitor the maturity of the base security programs to protect an organisation.
    3. Security Incident Response - Orchestration, automation and business process risks that can be mitigated or remediated.
    4. Business Continuity - Disaster Recovery is your last resort in Business Continuity. Are systems designed to be fault tolerant, and are systems built with High Availability included? Are your programs designed to follow the sun or do you need to consider regional events affecting your critical services (whether internal or customer facing)?
    5. People - Is the department resourced with the right personnel who have the right skillsets to meet the company's roadmap?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, and all of them! Seriously, I haven't had one role across all three areas of my security team that I could immediately find qualified candidates to fill. Security engineers are in crazy demand and GRC analysts have become even more difficult to find with the EU's GDPR (and good luck trying to find a security strategist)! Finding people with the business acumen, program management, and depth of understanding across risk, compliance and technology can take over a year if you don't have a deep network to pull from.

Cybersecurity is constantly changing - how do you keep learning? First off, I believe that CISOs have a responsibility to give back to the technology community as well as to the InfoSec community. I try to keep up-to-date by sharing information with my peers from organisations (e.g., I am a member of the TX CISO Council as well as the Bay Area CSO Council) and attending more casual "meetup" type events. Professional organisations like Wisegate and the IT-ISAC are also important in helping me stay informed on what's relevant. Additionally, there are countless great online resources available. However, to get any real value out of the information sharing environment, you need to be willing to contribute to it.

What conferences are on your must-attend list? My list won't be the same as others'. As a CISO, conferences are as much about networking with my peers as they are about exploring emerging tech. From that perspective, RSA, Black Hat and DEF CON are relevant. With the growing importance of privacy, the IAPP Summit is also now on my list.

What is the best current trend in cybersecurity? The worst? I love the ongoing trend in third-party risks and cybersecurity monitoring. I can't wait to see how these applications end up integrated within CASB and EPP. On the other hand, it remains frustrating to hear businesses still talking about cybersecurity as something special or different from Information Security. Every Information Security Programme is a Cybersecurity Programme!

What's the best career advice you ever received? Looking back, the best advice I was ever given was to not be afraid of being wrong. This is different than 'Learn Fast' or 'Fail Fast'. To me, it is about being able to take the information you have and make the best decision you can with it.

What advice would you give to aspiring security leaders? Your security programme doesn't need to look just like mine or anyone else's. Your job as a security leader is to enable your company's success within the accepted risk posture of your board and your executives.

What has been your greatest career achievement? Not being fired for a security breach (kidding, of course). Seriously, I feel my greatest career achievement is that my team includes multiple people that have worked with me in more than one previous company.

Looking back with 20:20 hindsight, what would you have done differently? I can't answer that. Good or bad, the career decisions I have made are mine. If I was to change something in the past, I don't know where I would be today.

What is your favourite quote? "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. ... But there are also unknown unknowns—the ones we don't know we don't know." - Donald Rumsfeld

What are you reading now? RSS Feeds. Is that bad?

In my spare time, I like to… Stay occupied with my hobbies, which are split in two categories: mechanical and civil engineering. In general, they are things that require working with my hands and tools. It helps keep my work vs home separate.

Most people don't know that I… Grew up an Idaho country boy. I first developed my attention to detail and work ethic from working dairy farms and fly fishing.

Ask me to do anything but… Accept the status quo. My passion is in building and improving. The hardest thing for me is to be in a position that doesn't encourage growth and provide value.

IDG Connect