In this week’s episode of The Future of Security Operations podcast, I'm joined by Mark Hillick, CISO at Brex. Mark’s experience in the security industry spans more than two decades. He started out as a security engineer at Allied Irish Banks before advancing through companies like MongoDB to become Director and Head of Security at Riot Games. His book, The Security Path, features over 70 interviews with security professionals on their career journeys.
Mark and I discuss:
What’s kept him excited about security for over two decades
How he gives and receives feedback as a security leader
Turning vendor relationships into meaningful partnerships
Lessons from major incidents and building team resilience
Creating space for innovation without overextending the team
Fostering a culture where all voices feel safe to speak up
Resources mentioned:
The Security Path - free copy available for podcast listeners (first come, first served)
Digital Safety for Parents - free copy available for podcast listeners (first come, first served)

In this episode:
[02:06] His early career journey - from a mathematics background to building early online banking systems
[03:32] What’s kept Mark excited about security for over two decades
[04:40] The compound benefits of growing within a company over time
[07:20] Mark’s leadership style - defined by transparency, directness, and genuine care for his teammates
[12:45] Communicating the business trade-off between risk and return
[16:45] Reflecting on the team’s response to major incidents at Riot Games
[21:00] The unique challenges of securing gaming platforms
[26:30] How Mark approaches strategy and planning in the fintech space
[28:08] The case for building strong, partnership-driven vendor relationships
[31:13] Creating space for creativity - without spreading the team too thin
[34:35] Empowering his team to speak openly - even if it means calling him out
[36:35] The inspiration behind Mark’s books Digital Safety for Parents and The Security Path
[40:20] Connect with Mark
TL;DL? Read Mark’s take on:
The most rewarding part of working in security
“It’s a combination of things. There’s always something new to learn, something unexpected. As well, I would say 99% of people in the industry are absolutely amazing - super collaborative, always willing to teach, learn, listen.”
There’s also the reward afterward - the endorphin rush of incidents, or when a project goes really well.
His leadership approach
“I like to build strong relationships with people. I have regular one-on-ones with all my directs. I’ve got office hours, which no one takes me up on, and I find that kind of hilarious. Every 6 weeks, I have roundtables with individual contributors in security, DRC, and IT. When you don't know someone, you don't really ask questions. But as you build those relationships, by the second or third roundtable, the questions come out.”
I want people to be able to make mistakes, learn from them, and move on. I'm there to support them, but I'm not there to micromanage. They know that I'm going to ask a lot of questions, but I want to understand what's going on.
On giving and receiving feedback
“When someone’s giving me feedback or sharing a concern, I very much operate in ‘listening’ mode. One of the mistakes I made in my first few years of leading was diving into the solution immediately. I really wanted to get their feedback, and then I started asking, ‘How can I help?’”
When someone gives you feedback, they put themselves in a really vulnerable position. As much as you want to solve it right there and then, they don’t want to. They’re like, ‘I just want to tell you, and then I want you to figure it out so we can move on.’
Security’s role within the business
“There’s still this inherent misunderstanding that the business serves security. But it's not like that - security serves the business. If you can't log in, you can't play the game. If you can't play the game, you can't spend. If you can't spend, the company doesn't make money.”
Without the business, there would be no need for a security team or security program. Many people forget that.
Responding to a major security incident
“In 2013, my third month at Riot, we lost a password database. We lost game content. JAR files were taken from an artifactory server and leaked onto the Internet via the co-CEO’s and co-founder’s Twitter account. I specifically remember standing in the kitchen in my house in Dublin, just watching it on the Internet and going, ‘Oh, boy!’”
It's constantly like, we build the bigger wall, they build the bigger ladder.
Creating solid vendor partnerships
“There has to be mutual skin in the game. You want to make money, but I don't want to pay a lot. But I also want like a better security posture and a more mature security program. I can't have too cheap of a price; you can't have too expensive a price. We both equally have to be a little bit uncomfortable.”
I want tooling and solutions from companies that are partners. I don't want to just hear from you now and then not hear from you again for three years. This is a partnership.