Bil Harmer, Operating Partner, Security and Chief Information Security Officer for Craft Ventures, would love to see the CISO role go away.

“That means you’ve reached a point where you’re all doing the right things,” said Harmer, whose career has taken him to industries as varied as startups, a financial institution and even porn sites.

“We walk around telling people, don’t walk down that alley, don’t talk to that sketchy person. But most people know not to go down the alley at 2 o’clock in the morning. Today, 25 years and two generations of workforce into the commercialization of the internet, younger people are much more aware. They know what not to do. So I would like to see the CISO role transform into a risk role, where you’re helping the company set the risk.”

Boards don’t want to hear CISOs talk about the number of attacks they averted, or the patches they put out or the servers they cover, he said.

“They want to know, what’s the risk to the business,” he said.

“If you understand how the business makes money, then you will understand what to secure. It’s about looking at the areas of risk and how they total up to company risk – and to be able to articulate and implement programs that reduce risk to acceptable levels.”

Harmer doesn’t even like the term “CISO,” because it implies a separation between the physical world and the data.

“If you don’t control your physical world, you don’t control your data,” he said. “Ask any good hacker and they will tell you, give me physical access to something and I will own you sooner or later.”

Harmer disagrees that users are the weakest link in a security program.

“That is not true. They’re the easiest target, and they’re the easiest target because they’re not trained,” he said. “So we need to remove those decisions from them.

“We need to be able to ingrain in them the basics so they make safe, unrisky decisions. And then we put the other pieces around. Just like cars, right? We put three-point seat belts in cars. We put airbags in cars. The safety stuff comes by default. The same with security. The other pieces become less risky because you’ve taken away some of the bigger, greater risks and you’ve limited the impact that they can do.”

In the mid-1990s, Harmer – then working at Sony of Canada – proposed the company build an internal website to collect information amassed each day for a major project, instead of printing out workbooks nightly.

“I’ll never forget these words, and I thank my manager for saying them to me. ‘Why do you want to screw around with that internet stuff? The internet’s a fad, and it’ll be gone next year,’” he recalled. “So I quit.”

Harmer took the experience he had accumulated building networks and websites and doing a little bit of security to the porn industry.

“I joined a friend at a company whose primary funding was adult content,” Harmer said. “We built the second-largest porn site in the world called Smutland. In 1997, I pushed more traffic to the internet than all of Bell Canada’s home internet users. So we were at the forefront.”

Because the porn industry is attacked so regularly, he started building firewalls and intrusion detection and incident response systems.

“I’m at a point in my career where truthfully, that job is a badge of honor,” he said with a laugh. “I built some of the biggest websites, one of them still in operation today. We were doing G3 live video broadcasts because we had access to all of this technology back then. I have plans to write a book someday, and the title of one chapter or maybe the whole book will be ‘Diary of a Smut Peddler’ because I just love that title.”

As a university student, Harmer wandered into computer work to pay the bills so he could pursue a career in special effects. A summer job at data centers changed his trajectory, but he channeled his love of special effects into a lifelong hobby of building things.

For Halloween this year, Harmer built a Freddy Krueger knifehand – a companion piece to one he built when he was 18 and still has. It was a memorable day four years ago when he met Nightmare on Elm Street star Robert Englund at a convention and had him sign the original.

“You need a secondary thing that is not what you do every day,” he said. “So this became my hobby. I started building masks, props, costumes, replica guns from video games.

“I built a 49 international pickup truck, and a 23 Ford Rat Rod. I also built custom motorcycles. My last bike was in the Austin Handbuilt Show in 2022. I like to play ice hockey as well. I’m just dumb enough to be a goaltender. So I’m out on the ice two, three times a week with people ripping 80 mile-an-hour pucks at my head.”

Harmer’s security career has taken him to startups like DocSpace, SuccessFactors, Zscaler and SecureAuth; financial institutions like Manulife Financial; and now Craft.

DocSpace was acquired by Critical Path, which later became embroiled in a securities fraud scandal. But it was there that he was first exposed to the business side of companies as Critical Path set out to rebuild.

“It showed me that side of the business, how decisions get made, how you have to make decisions very quickly in some cases if you want to survive,” he said.

While at SuccessFactors, later acquired by SAP, Harmer pioneered the use of the SAS70 coupled with ISO to create a trusted security audit methodology used by the SaaS industry until the introduction of SOC2.

Act of survival

A presentation he created at Zscaler, called “Change is simply an act of survival,” articulated from a security standpoint why companies needed to change their architecture to be able to work from anywhere.

“I had no idea what I was talking about would end up being the pandemic,” he said.

At Craft, Harmer provides vCISO services to portfolio companies, and also functions as Craft’s CISO.

His highly varied career history has influenced his execution of the CISO role.

“That’s given me an empathy and an understanding that you have to look at things from everybody else’s perspective,” he said. “It’s taught me that change is an act of survival. You need to adapt to the situation you’re in.”

A lot of security people tend to focus on their expertise, he said. “Get out of your comfort zone and start learning things,” he advised.

Future of internet

For Harmer, the missing piece in security is identity, because there’s no way to verify who typed the password.

“To me, identity is still the future of the internet, especially with AI and its ability to impersonate video and voice,” he said.

“We need a much more global, holistic approach to digital identity that bridges both personal and business. That’s going to be a while, but we’re starting to see inroads there.”

Harmer also expects big changes to emanate from the convergence of more real-time monitoring and execution with advanced, hyper-fast AI decision making.

“When those two collide, I think we’ll have some amazing things come out,” he said.
