On the lighter side of things, we ‘go phishing’ with Matt Hillary, CISO, Drata, who tells us about life inside and outside the office.

What would you describe as your most memorable achievement in the cybersecurity industry?
I’ve been honoured that a number of organisations have taken a chance on me, my skills, my talents and my abilities to be their security leader. For many of these organisations, I was the first security leader who built the foundations of the security program, expanding the program to include incredibly talented security, GRC, privacy and IT professionals.
Notably, being asked to be Drata’s CISO has been one of the highlights of my career. Being a CISO at a security company demands more from a security person than any of the prior CISO roles I’ve had, including heavy involvement in product, marketing, sales, customer success, strategy, and – scariest of all for me – being up on stage presenting in front of large audiences!
Aside from professional achievements, a personal accomplishment of mine is being able to share what I do with my family. When we take family road trips with our kiddos, they all look forward to catching up on the latest Darknet Diaries podcast episode together!
What first made you think of a career in cybersecurity?
I was born in the GRC space, starting my career at Ernst & Young’s Seattle office helping a number of Seattle-area technology companies start, accelerate and assess their GRC programs. From there, I moved over to AWS to be part of the founding AWS Compliance team with incredible people, defining how GRC practices apply to the newly available ‘cloud’. Early in this journey, I realised how foundational a well-operating GRC program is to a well-rounded and robust security program.
After helping six products go through the FedRAMP authorisation process at Adobe, I realised I wanted to set out to become a security leader. I joined a fintech company where that journey included a deep dive into the technical security engineering and operations aspects that not many GRC team members have the opportunity to do.
This is what really fuelled the passion I had inside of me for hardcore security – all still while not neglecting all of the GRC and customer-facing, trust-building abilities I had accrued during the first part of my career. Unsurprisingly, my mechanical-engineering-wired brain is wired to dissect how everything works around me.
This ability, applied to technology, organisations and processes, seemed to make a pairing that has been inseparable to the point of loving the security space with like-minded people who use this same ability to protect and defend our organisations.
What style of management philosophy do you employ in your current position?
My style of management philosophy has been an on-going journey of discovery, but is rooted in being collaborative, inclusive, transparent, authentic, and vulnerable. I shamelessly admit that I’m a recovering a**hole, but I’ve actually come to realise that I was, more times than not, grappling with dysregulation and ADHD (and I still battle every day with how my mind is built).
I share this context because my style of management has been a journey built on the discovery of how critically important connections are with others as a leader – especially as a CISO. CISOs are key influencers. I’ve learned the hard way how some of the negative behaviours and reactions I have had in the past significantly impede the ability to influence.
Ultimately, my management philosophy is what my late friend Brandon Dewitt shared with me years ago: “Being the smartest person in the room is cheap. When we meet others where they are at, instead of expecting them to meet us where we’re at – that’s where leadership is born.”
What do you think is the current hot cybersecurity talking point?
AI, of course! We’re in the midst of seeing how an incredible technology is accelerating every aspect of our lives. Security and GRC are industries where we’re seeing AI augment efforts at almost every level. From using it to find security weaknesses in our applications to answering hundreds of security, compliance and privacy questions within minutes, to writing the first draft of a slide deck, to writing and understanding code, and to fuelling limitless numbers of tasks with viable results, AI is here to help us go faster and be more capable than ever before in our security and GRC efforts.
How do you deal with stress and unwind outside the office?
A number of things! First – meditation. I use Sam Harris’ Waking Up App nearly daily to help calm my mind, become present and ultimately, remove the barrier between intentional, formal practice and (hopefully always) being mindful of what I’m doing throughout the day. Many of us are lost in thought, not realising that there’s a greater awareness to be had as we go about our days.
Second – social connection. I have a close group of friends and family members that are always a safe place for me to create and experience fun memories together.
Third – Electronic Dance Music (EDM) shows. I regularly go to shows where my brain is appeased by the lasers, fire, lights, visuals, and, of course, the deafening music and deep bass to the point of overriding the dissonance of stress that always rings in a CISO’s ear.
If you could go back and change one career decision, what would it be?
Creating more boundaries, earlier on in my career, between work and personal time. I can’t get the time back that was spent on doing work-related things that took away from time spent being present with family and friends. After joining and leaving so many organisations, I realise how expendable and replaceable we all are in our roles, to the point of realising that the time spent being present with loved ones is worth guarding from the endless demands our workplaces continue to have waiting for us.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Using AI to augment our day-to-day security operations, security engineering, application security, GRC, and other efforts in this space. Automating these same areas with capable tooling.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
While the technical underpinnings of security threats (e.g., malware, phishing, ransomware, etc.) may be pretty universal, I’ve seen some regional nuances and challenges, especially in legal, cultural and other technological contexts that may vary significantly throughout the world. Some that come to mind are regulatory and legal frameworks – some countries have national-level security and privacy strategies, whereas others may be more localised – such as the states in the US having their own distinct privacy laws or industry-specific standards. Certain regions may be more mature than others on their respective privacy, security, and regulatory journeys and cultural awareness of known good standards and practices.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
The scope of the CISO role continues to expand to include many other areas of the business – some now including oversight of an organisation’s IT, enterprise applications, privacy, and other teams beyond the traditional scope of the CISO focusing on security engineering, security operations, application security and corporate security.
I’m seeing the skillset of the CISO up-leveling to include the ability to eloquently present the state of risks to their board of directors, executive team member peers, and others who have a stake in the success of their organisation.
Lastly, I see and feel the personal risk associated with being a CISO. We are having to learn how to live with and effectively communicate to our leadership teams the reality that we are in an unwinnable scenario of a role: we can literally do everything right and still be subjected to a security breach. Navigating this successfully continues to be a direct contributor to a CISO’s tenure.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Connections and relationships with others are the most important part of the journey. We’re an industry of amazingly smart, quirky and out-of-this-world fun people. Build and foster meaningful relationships with others – because the memories and experiences made together pay out more dividends than any monetary compensation package will.
Build a solid technical foundation and stay technical. To me, technical acumen is a key differentiating factor between CISOs. Balance this technical acumen with an equally capable business acumen and ability to communicate. Your ability to connect with, persuade and influence others is now table stakes to this high-demand role.
Lastly, stay humble and never stop learning. Even at the top, this role is likely the most humbling of C-level positions. Learn to live with the dissonance that security is a journey and is never perfect. That reality will either drive you to insanity or fuel your drive to take your security program to the next level.