What's the best career advice you ever received? "'Onward!' from a friend after a particularly painful failure."
Name: Tim Heger
Job title: CSO/CISO
Date started current role: August 2017
Location: Grand Rapids, MI
Tim Heger is the CSO/CISO at HealthBridge, a first-of-its-kind employee financial security solution that provides a financial resource to help bridge the gap between the high cost of healthcare and an employee’s financial wellbeing. Heger has spent the last 20 years focused on emerging technologies and helping global companies scale to meet the demands of a consumer-centric digital ecosystem.
What was your first job? I was the French fry cook at our local A&W for $1.10 per hour. Coney dogs, fries and root beer would be my diet for several summers.
How did you get involved in cybersecurity? I’ve been involved with the internet/eCom/security for a long time. Prior to joining HealthBridge I spent many years in the eCom world, where security and privacy have some of their roots. The move to the cloud greatly accelerated my focus on security, since as we all know, the “cloud” just means someone else’s data centre that you don’t have any visibility into.
What was your education? Do you hold any certifications? What are they? I have a BS in Management from Central Michigan University. I am a certified Scrum Master and was PMP certified. I’m preparing for my CISSP and HCISPP certifications.
Explain your career path. Did you take any detours? If so, discuss. Detours is the theme of my career path! I started out my post-college career selling checks for Deluxe Check Printers. Having a strong entrepreneurial spirit, I left my corporate job after 5 years and my wife and I opened up a clone PC business where I learned the painful difference between cash-flow and profitability. While we had our computer store, this new thing called the “internet” came into existence. I was fascinated by it and spent a good amount of my time teaching myself everything I could learn.
After we closed our computer store, I re-joined Deluxe as the Director of eCommerce Technology, where I led a project to bring them into the internet age. During that process we selected an eCom platform from Blue Martini Software. It was such an amazing technology and company that I left Deluxe and spent the next 4 years working with the customers implementing Blue Martini. There I had the amazing good fortune to work with companies like Kohls, Harley Davidson, Wilson Sporting Goods, Sprint and many others.
When the internet bubble burst in 2004 I started my own consulting company focusing on strategic management guidance, program management and implementing and delivering difficult eCom projects. During those years I got to work with great companies and brands like Ugg, Teva, Payless ShoeSource, ASICS and others. In 2017, after 13 years of being on the road Monday through Thursday, I had the opportunity to be employee #3 at HealthBridge. All my years of working “at scale” with major retailers really helped me prepare for the incredible challenges I would be addressing to bring our co-founders’ vision to a technical reality – all with an eye to performance, scale and most importantly, security.
Was there anyone who has inspired or mentored you in your career? Monte Zweben, the founder of Blue Martini, has always been an inspiration due to his incredible vision and very positive attitude.
What do you feel is the most important aspect of your job? Being able to carefully listen to the clear vision our co-founders Amy Chambers and Greg VandenBosch have for HealthBridge and turn that into a secure and scalable architecture without so much process/tech burden that we cannot quickly follow the market and ever-changing demands of our clients and partners.
What metrics or KPIs do you use to measure security effectiveness? I would have to say I’m a numbers nut – if you don’t measure it how do you know how well you’re doing? We track a very large number of KPIs/metrics that I review each week with my teams. Starting with our code, we’re always reviewing 3rd party risk with the open-source packages we use. Automated tools looking for bugs, defects and poor programming practices also help us stay ahead of the game. In our environments we track, manage and review our teams’ access and use of our environments. Just because someone can do something doesn’t mean they should be doing it when they did it. Context, timing and agreed upon processes are key indicators of intent. We conduct internal penetration tests each month leveraging all the tools and techniques the “bad guys” use.
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We’ve addressed skill shortage by partnering with a few key partners who provide “Security Operations as a Service,” which allows me to keep my team small but provide the 24/7/365 vigilance required. It’s a tough balancing act but the reality of trying to hire top-notch security skills is daunting. I’m very happy with the team I have and the partners I’ve chosen.
Cybersecurity is constantly changing – how do you keep learning? I subscribe to a number of daily email digests, podcasts and articles, and talk with fellow CSOs. It’s a daily focus of mine to end the day and be able to point to 2-3 things I learned that day that will have an impact on how and why I do things going forward.
What conferences are on your must-attend list? Global CISO Executive Summit, Cybersecurity & Fraud Summit, Black Hat and a few others.
What is the best current trend in cybersecurity? The worst? Best is the quick maturation of cloud security. It still has a long way to go but over the past 24 months I’ve seen some amazing progress. Worst is having to put more and more energy into combatting ransomware, malware, etc. These men and women are obviously incredibly smart, I just wish they would use their superpowers for good and not evil.
What's the best career advice you ever received? “Onward!” from a friend after a particularly painful failure.
What advice would you give to aspiring security leaders? Do not be driven by fear of what might happen – focus on being one-step ahead, be willing to share bad news quickly and dispassionately and always keep learning and researching. Security is not for the faint of heart and you have to be “all-in” on continual learning and rapid change.
What has been your greatest career achievement? Continued, relentless growth in my skill sets. I’m 100% self-taught and have an immense hunger for continual learning.
Looking back with 20:20 hindsight, what would you have done differently? I would do nothing differently. I believe that even the worst decisions I’ve made have played a critical role in who I am today. I focus on what is ahead and try to never look back.
What is your favourite quote? “Fail early, fail often but always fall forward.” The fear of failure keeps so many people from attempting to achieve their dreams. Sometimes the best answer to our prayers is “no”.
What are you reading now? Upstream by Dan Heath, Unleashed by Frances Frei and Anne Morris, Summa Theologica by St. Thomas Aquinas and a large number of articles from Harvard Business Review, Wired, CIO & CSO.
In my spare time, I like to… Build things out of pallets. For my daughter’s wedding my wife and I built 2 very large bars, 4 couches, 2 tables, and several hundred flower planters.
Most people don't know that I… Built a 3-story log cabin with my wife, and our marriage survived it!
Ask me to do anything but… Sit still and do nothing.