Go Phish: Chris Evans, CISO and Chief Hacking Officer, HackerOne

Go Phish: Chris Evans, CISO and Chief Hacking Officer, HackerOne

On the lighter side of things, we Go Phishing with Chris Evans, CISO and Chief Hacking Officer, HackerOne, about what makes him tick. 

Chris Evans, CISO and Chief Hacking Officer, HackerOne

What would you describe as your most memorable achievement in the cybersecurity industry?

My most memorable achievement is the work I did to pioneer the modern Bug Bounty Program. This was around 2010 at Google. We started with a bounty program for Google Chrome and quickly moved on to grander things, launching the first broad program targeting web and server assets. It was a progressive experiment, and some people thought we were crazy. But it worked – we built relationships, encountered huge security surprises and achieved a significant increase in quality and reduction of risk.

Now, bug bounty is an industry, and the crazy people are those who haven’t yet launched a bug bounty program. We’re at the stage where failure to have one is a meaningful deficiency in security. These programs are now ubiquitous in the Fortune 100 and beyond, particularly in the very conservative verticals of financial services. If banks can do it, then you can certainly do it.

Looking at the overall outcomes of this work, the most satisfying aspect is bringing new economic opportunities to hackers. For some hackers, this has been directly life-changing. For others, bug bounty has enabled them to demonstrate real-world and practical security skills and, as a result, gain access to additional jobs and opportunities.

What first made you think of a career in cybersecurity?

I started out studying chemistry at Oxford, but halfway through my course realised that my passion was computers, not chemicals. More specifically, I became increasingly interested in engineering and security.

At this time, it was still very early days of cybersecurity, and there were very few jobs to be a hacker or even a security engineer. So, I started my cybersecurity journey in open-source. This area was something where, if you have the talent and the drive, you can dive in and start hacking things and improving them. My first-day job was as a software engineer, but I was moonlighting as an open-source hacker and enjoying it.

After a few years, the cybersecurity landscape started to develop, and a few more progressive tech companies started hiring hackers and security engineers. One of these companies was Google, and I jumped at the opportunity to be able to align my private passion with my day job.

What style of management philosophy do you employ with your current position?

There are different ways to run a security program. Some are hyper-focused on compliance checklists. We do our fair share of them, including some tough ones like FedRAMP. However, our north star is to be hyper-focused on risks. We have an objective risk analysis process that runs quarterly and gives us ranked risks. It’s important to be focused on those and re-evaluate them regularly because we are in a changing cybersecurity landscape. We are always learning new things about our internal posture and systems, as well as new things about the external threat environment. Thanks to our processes, whenever we are working on a given project, everyone knows exactly why.

What do you think is the current hot cybersecurity talking point?

It’s AI, of course. Every decade or so, a new powerful technology or shift comes along, and it takes the cybersecurity industry a little while to get a handle on things. With AI, we’re still sorting through how it will make defenders’ lives as well as attackers’ lives easier. We’re working out how to integrate it into products, how to make it work and how to make it go wrong.

Who is on top of AI security and leading the charge? It’s hackers. It’s always hackers. Hackers have the creativity and tenacity to get hands-on with any new technology and tell us all how it can fail. Hackers have already done this with AI and continue to do so. We now have broad categories defined for the different types of failure that AI systems and AI integrations can exhibit. These categories can be used to better operate Bug Bounty Programs, Pentests and AI Red Team exercises. They are built based on real security vulnerabilities and other errors that hackers have found in early AI systems. As with any change in the world of computing, hackers are leading the charge to understand the implications, and I am grateful to them.

We’ve already had hackers report valid AI bugs and deficiencies to our Bug Bounty Program. Every company participating in the rush to AI needs a hacker by their side to protect them. Every company should have a Bug Bounty Program, and AI bugs and deficiencies should be fully included.

How do you deal with stress and unwind outside the office?

I coach my young son’s soccer team. It is about as opposite from the CISO job as possible – I don’t know if that’s an accident or a subconscious decision. It’s outside, physical and there are a lot more pizza parties. It’s also satisfying in a different way from the CISO job because it’s very transactional. You show up to a game, and you win, lose or draw. Then, you can switch off until the next practice or game. By contrast, the CISO job has an endless stream of things to track on an on-going basis.

If you could go back and change one career decision what would it be?

I would not change anything. I have always directed my career based on what seems interesting, or ideally, both interesting and needed. This has served me well! I’ve had a lot of fun, learned many different things and met many different people. I’ve had the fortune to have had plenty of impact, so I now get more satisfaction from helping others have impact.

What do you currently identify as the major areas of investment in the cybersecurity industry?

We’re at an interesting point in time where there is pressure on corporate budgets, including cybersecurity. So, companies are keen to invest in cybersecurity solutions that are capital-efficient. I’m fortunate to work in the bug bounty space, which is at what I call the ‘sharp end’ of security. This is to say that the results we and hackers provide are not theoretical or abstract.

We offer a stream of real, serious risk information that can be acted on urgently to prevent a criminal from showing up and causing a breach. I think we’re going to see more scrutiny on whether – really – a given cybersecurity product meaningfully changes your risk profile. If not, out goes the solution. I’m privileged to work with many household-name financial institutions that know a thing or two about calculating return on investment.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

Different regions have different regulations. For example, in Europe, there’s the GDPR. Here in my home of California, we have the CCPA law. One approach that simplifies things is to take some of the commonalities of these laws and treat them as a baseline of excellence that you apply to all your user base. For example, if a user has a question about their account, is it simpler to ask them where they’re based and then decline their request if you can? Or is it simpler to just help them regardless of where they are based?

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

There have certainly been some shockwaves resonating through the CISO community over the past year or two. We’re seeing more accountability for CISOs and in some organisations this has led to changes. In my role, I already report directly to the CEO and meet with the board twice a year, so I feel I have the support and the direct connections I need to prioritise anything with a cross-organisational component.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Optimise your career around learning and gaining experience. If you have a C-level position, no two days are going to look the same. To be effective, you’re going to need a lot of experience in many different situations. To get this experience, make sure you choose an organisation you can learn from. Make sure you work for an organisation and a leader you can learn from. A good leader will take the craziness and complexity of running a security program and make it digestible to you. They will explain the rationale and decisions and ask for your input, and they will show you how they balance business needs with risk analysis.

Push your comfort level. Perhaps you have large company experience? Working for a smaller company or even a start-up will often let you get ‘closer to the action’. This will accelerate your learning of how a security program is run and how to make difficult trade-offs. Or perhaps you have small company experience? Working for a larger company with a mature and competent security posture will show you ‘what good looks like’ so you can chart a journey if you hold a more senior position at a smaller company.

But before you embark on this journey to the C-suite, take a pause and make sure you know yourself. Why are you aiming for a C-level position? You need a good answer to this. Perhaps more importantly, you need to have confidence you’d be happy in such a position. There are different joys and frustrations to every job, so make sure you are going in eyes wide open.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive