David Hahn describes himself as a security evangelist.
“I think security should be very democratized,” said Hahn, the inaugural CISO in residence at Ballistic Ventures. “Part of a CISO’s job is to evangelize and to really get people – from board members all the way down – to understand what security is and what they need to do to protect the company.”
A CISO’s staff is not only their team, but the entire company, he said.
“Everybody in my company is a security person,” he said. “They have a role to play and can always learn more. We want them to feel both engaged and empowered to protect the company. That’s the only way that we can scale across, and we need everybody to get to be a security person.”
Before joining Ballistic, Hahn worked for CDK, a leading retail automotive technology developer; Silicon Valley Bank, a specialized lender focusing on startups; the Hearst Corp.; and Intuit, a Silicon Valley financial software company. His longest career stint – 23 years – was at Wells Fargo Bank, where he started as manager of employee benefits and investment plans, and wrapped up as senior vice president and information security officer for the internet services group.
“When I started working out of college, the internet was just getting started. I certainly didn’t know what I wanted to do back then,” he said. “But everything I have done I have taken into subsequent roles: business acumen, solving problems, working with difficult people and complex situations, dealing with large-scale size.”
Today, the CISO’s role has evolved to take much more of a risk-based approach. CISOs have to learn what’s most important to their company and how to put in controls that protect data, its integrity and its availability, while enabling the business to grow, he said.
“You’re going to have a hard time being one unless you have the business acumen and understand that you cannot just rely on your technical background or competence,” he said.
“You can be successful by solving complex problems, by working on bringing people together,” he said. “As CISO, you get involved in all aspects of what your company is doing, and get to speak to just about everybody, because everybody has some kind of security issue. You have to have that ability to work across different levels of management and positions, trying to get people to understand what the risks are for each of them.”
During his 15 years in the infosec trenches, Hahn spent a lot of time with startups and people in the venture capital world, and the idea of crossing over to that segment of the security industry intrigued him. So when Ballistic Ventures offered him the opportunity to become its inaugural CISO in residence, the time seemed ripe to make a move.
“I wanted to get more involved in the investment world and see what that was like, see the other side of the glass, so to say,” he said. “If you have been a CISO for, let’s say, 15 years, which I have, you start to see that just about every company’s got the same kind of problems, no matter what the industry. So you’re looking for something different. And the stress and pressure that you’re under as a CISO is wearing.
“You can certainly take your passion and extend it without having to be a so-called operator all the time,” he added. “For me, this was a great chance to divert a little bit. You need to get a fresh perspective, and I think I’m getting that now.”
For years, Hahn was a marathon runner, and he can see analogies between running endurance races and working as a CISO.
“It’s not a sprint, it’s a marathon,” he said. “You have to be patient as well as endure. You have to live through lots of pain. You have to be relaxed. There are a lot of pieces you can draw together. You create wear and tear. It’s also a little bit crazy, and something you have to commit to. So there’s a lot of little things you can correlate.”
While he’s scaled back distances, Hahn is still running, heading out several times a week.
“It’s mental relief. I’ve been doing it my whole life. Blank out, zone out, listen to things. I used to listen to music, now I listen to books. It’s a good way to destress yourself from the day, and then I go home and take a shower and have a glass of wine. You need a routine, but also an outlet to separate yourself from work. You can’t do it 24 hours a day.”
The biggest challenge in a CISO’s job is the many competing priorities that a business has to face, he said.
“For a CISO to be successful, you have to be part of the conversation of where the business priorities are, and not somebody who says don’t do anything. You’re never going to enable the business that way,” he said.
“You have to explain what the risks are, but you also have to be able to help the business accept certain risks. You can never be at a point where there will be zero risk. If you approach things that way, you’ll probably be overspending and not doing enough to move the business forward. A good CISO can help a business make good decisions on taking risks.”
Hahn makes it a point to look at business trends, not just specific trends in cyber.
“It’s all about how companies are changing the way they work,” he said. “Security people have to be at every one of these things to be able to figure out how to protect data, its availability, and its integrity.”
His advice to people just entering the field: Don’t worry so much about the end position or the title.
“Instead, make sure you have a curious mindset and that you want to learn. And if you do that, things open up,” he said. “Always be curious about understanding how things work, and be good at what you do. If you’re good at it, you will actually enjoy it. Get involved and ask questions so you can learn from there. Learning is so important.”