William (Bil) Harmer
CISSP, CISM, CIPP
Operating Partner and CISO
@ Craft Ventures
Bil oversees Security, Privacy, IT and CloudOps for Craft and its portfolio companies.
“If you understand how the business makes money, then you will understand what to secure. It’s about looking at the areas of risk and how they total up to company risk – and to be able to articulate and implement programs that reduce risk to acceptable levels.”
Harmer doesn’t even like the term “CISO,” because it implies a separation between the physical world and the data. “If you don’t control your physical world, you don’t control your data,” he said. “Ask any good hacker and they will tell you, give me physical access to something and I will own you sooner or later.”
https://securitycurrent.com/ciso-spotlight-bil-harmer-craft-ventures-ciso/
February 21, 2024
In this episode of the SecurityANGLE, host Shelly Kramer is joined by fellow analyst and member of theCUBE Collective community Jo Peterson for a conversation about the rise of AI-enhanced phishing, smishing, and vishing, and how to combat it, with Bil Harmer, the operating partner and CISO at Craft Ventures. Prior to joining Craft Ventures, Bil was the head of security and the global privacy officer for SuccessFactors pre-IPO, and through that public offering into the acquisition by SAP. From there, he went to Zscaler pre-IPO for about five years, then to SecureAuth for a stint, and then joined Craft Ventures in 2022.
The conference mobilizes leaders from across Canada as speakers and attendees for power-packed sessions and round tables, followed by an executive reception. The conference will conclude with an awards ceremony celebrating cybersecurity leaders. Registration is open to director-level and above information security practitioners.
February 12-13, 2024
Sheraton Parkway Toronto North Hotel and Suites (in person)
siberxchange.ca (virtual attendees)
Register at siberx.org
It used to be a CISO had to know programming, network architecture, and how to read a vendor contract.
Now understanding the goals of senior executives is the key skill, IT managers have been told.
“If CISOs can learn one thing, it’s empathy,” Bil Harmer, chief evangelist and CISO at SecureAuth said during a panel Monday, on the first day of the CISO Forum Canada 2021 conference.
“Learn what the startup is thinking, what the CIO is thinking, what the finance guy is thinking, what the CEO is thinking. You want to know what they’re thinking and why they are thinking,” he said. “And then you can put their wants in your world.”
Harmer was a member of a panel asking whether the CISO today is a technical leader or compliance expert.
Panelists agreed the days of the CISO as strictly a technical leader are gone.
“It’s a business role,” agreed Harmer. But he added, don’t discount the importance of the ability to translate the technical to the business side. “That’s probably one of our key aspects — how do we talk to the business about what we’re doing.”
For some infosec leaders years ago, “security was purity. It was a higher level, almost religious experience: ‘We’re going to have perfect security.’ And we became very closed. Now we have to open up and understand the business.”
“We have to compromise in what we deliver,” he admitted. “If it [security] is too expensive, it’s not good for the business. If it’s not usable people go around it.”
Risk and enabling business will always be at odds with each other, he added. “You’re always pushing the business. No one wants to spend more money building a product than they have to. Look at startups. Startups aren’t going to put money into security [in their products], simply because there is no product yet to deliver, no customer, no product stream. So why are they going to put it in? So how do you balance the risk? By building the hooks [in the product for security] on the premise that you will be successful.
“I tell startups if you’re not at least building the hooks and the fundamental basis for a good solid security program in your product, you’re telling investors you do not expect to succeed. That turns it around.”
The fight between minimizing security risk, meeting compliance obligations and helping the business is never-ending, said Pinsky. “My job is a facilitator.” The business wants to push a product or service out, but IT’s job is to remind others there are PCI, ISO or NIST requirements to be met. “Then it’s our job to pull in the right stakeholders from around the organization and ensure we maintain that — but at the same time allow the business to push itself forward … It’s a lot of educating different areas of the organization, helping them understand the business must keep moving forward but the other pieces are balanced.”
As for who the CISO should report to, there was no disagreement: Only to the CEO.
“When you report to a CIO there’s a massive conflict of interest,” Harmer argued, because the CISO reports on the gaps in the infrastructure — which the CIO designs. That criticism (or honesty) “will always affect you come compensation or bonus time. Even in your career path,” he said.
One last observation: Harmer noted that for some CIOs, designing an organization’s infrastructure has become easier as more applications move into the cloud. As a result, they’re changing careers.
They’re becoming CISOs.
https://www.itworldcanada.com/article/empathy-is-now-a-key-skill-of-a-ciso-conference-told/464447
"There was so much chaos during the first few months of the lockdown that every CISO will need to go back and review all of the access and changes that happened," said Bil Harmer, who is the chief information security officer (CISO) and chief evangelist at computer identity security software maker SecureAuth.
"When there is chaos and change, the threat actors will be there looking for ways in."
He predicted that companies "will begin putting more and more focus on digital identities and a continuous authentication methodology that will allow them to adjust access on the fly as the landscape or the user behavior changes."
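Going back over every access change made during a chaotic period, as Harmer describes, is mostly a matter of reconciling grants against revocations and ranking what is left. The block below is an added example, not code from the article or from SecureAuth: it replays constructed access-change records in a hypothetical CSV layout (timestamp, action, actor, principal, role, change ticket) and lists the grants made inside a review window that were never revoked, with the reasons each one deserves a reviewer's attention. The window dates, the set of privileged roles and the `svc-` prefix for service accounts are assumptions.

```python
"""Reconcile access grants against revocations and flag what needs review.
Added example with constructed data; the record format, role names and
service-account prefix are assumptions, not any real audit-log schema."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: roles whose grant always warrants a second look.
PRIVILEGED_ROLES = {"admin", "owner", "domain-admin"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    action: str            # "grant" or "revoke"
    actor: str             # who made the change
    principal: str         # who received (or lost) the role
    role: str
    ticket: Optional[str]  # change-ticket reference, None if none was recorded


# Constructed sample records: timestamp,action,actor,principal,role,ticket
SAMPLE_LOG = """\
2020-03-02T09:12:00Z,grant,alice,bob,reader,CHG-1001
2020-03-17T22:41:00Z,grant,alice,contractor1,admin,
2020-03-18T08:05:00Z,grant,carol,dave,vpn-user,CHG-1042
2020-04-02T11:00:00Z,grant,alice,erin,owner,CHG-1050
2020-04-20T13:30:00Z,revoke,alice,erin,owner,CHG-1050
2020-05-11T03:14:00Z,grant,svc-automation,frank,domain-admin,
2020-07-15T10:00:00Z,grant,alice,gina,reader,CHG-1200
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[AccessEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, actor, principal, role, ticket = line.split(",")
        events.append(AccessEvent(parse_ts(ts), action, actor, principal, role, ticket or None))
    return sorted(events, key=lambda e: e.ts)


def grants_needing_review(events: List[AccessEvent], start: datetime, end: datetime) -> List[dict]:
    """Replay the log, keep only grants still in force, and report those made
    inside [start, end] together with the reasons they need a reviewer."""
    active: Dict[Tuple[str, str], AccessEvent] = {}
    for e in events:
        key = (e.principal, e.role)
        if e.action == "grant":
            active[key] = e
        elif e.action == "revoke":
            active.pop(key, None)  # a revoke closes the matching grant
    findings = []
    for (principal, role), g in active.items():
        if not (start <= g.ts <= end):
            continue
        reasons = ["granted in review window and never revoked"]
        if g.ticket is None:
            reasons.append("no change ticket")
        if role in PRIVILEGED_ROLES:
            reasons.append("privileged role")
        if g.actor.startswith("svc-"):  # assumption: service accounts use this prefix
            reasons.append("granted by a service account")
        findings.append({"principal": principal, "role": role, "granted_at": g.ts.isoformat(),
                         "by": g.actor, "reasons": reasons})
    # Most triggers first, then oldest first, so the worst outstanding grants surface at the top.
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["granted_at"]))


def review(log_text: str, start_iso: str, end_iso: str) -> List[dict]:
    return grants_needing_review(parse_events(log_text), parse_ts(start_iso), parse_ts(end_iso))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, "2020-03-15T00:00:00Z", "2020-06-30T23:59:59Z"):
        print(f"{f['principal']:12} {f['role']:12} {f['granted_at']}  by {f['by']:15} "
              f"{'; '.join(f['reasons'])}")
```

On the constructed data the grant to `frank` (domain-admin, no ticket, made by a service account at 03:14) tops the list, `contractor1`'s ticketless admin grant follows, and `dave`'s ticketed VPN access appears only because it was never revoked; grants before or after the window, and the one that was properly revoked, are not reported.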
Bil Harmer, chief information security officer/chief evangelist, SecureAuth in Irvine.
"The hybrid model will not go away, there is far too much upside for companies in it. From 48 extra minutes per day per employee in productivity to reduced footprints in the office (desks, power, coffee, etc), this is a model that will continue.
"Companies will begin moving to Secure Identity as the first line of defense. They will begin putting more and more focus on digital identities and a continuous authentication methodology that will allow them to adjust access on the fly as the landscape or the user behavior changes.
"This will allow the user to move around the physical world and have their authentication and authorization adjust as they do to keep them within the acceptable risk profile."
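Adjusting authentication and authorization on the fly, as the quote above describes, means re-scoring a session on every request rather than deciding once at login. The block below is an added example, not SecureAuth's product logic or code from the article: a hypothetical per-session risk engine with made-up weights and thresholds that accumulates signals (unknown device, impossible travel, a sensitive action without a recent step-up), downgrades the session to a step-up challenge as risk rises, and terminates it when risk crosses the deny threshold. The coordinates, device names and the constructed request sequence are assumptions.

```python
"""Continuous, risk-adaptive session policy. Added example with made-up
weights, thresholds and coordinates; not any vendor's scoring model."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Assumed policy constants.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than this between two requests is "impossible travel"
STEP_UP_AT, DENY_AT = 30.0, 70.0
REVERIFY_SECS = 900          # sensitive actions need an MFA proof fresher than 15 minutes
DECAY = 0.5                  # share of the previous risk carried into the next request
SENSITIVE = {"export", "change-password", "add-admin"}


@dataclass(frozen=True)
class Request:
    t: float                 # seconds since session start
    lat: float
    lon: float
    device_id: str
    action: str
    mfa_passed: bool = False  # True when this request carries a fresh step-up proof


@dataclass
class Decision:
    action: str              # "allow", "step_up" or "deny"
    risk: float
    reasons: List[str]


@dataclass
class Session:
    user: str
    known_devices: Set[str]
    last: Optional[Request] = None   # last request that was accepted
    risk: float = 0.0
    verified_at: Optional[float] = None
    active: bool = True


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score(session: Session, req: Request) -> Tuple[float, List[str]]:
    """Risk contributed by this request alone, with the signals that fired."""
    delta, reasons = 0.0, []
    if req.device_id not in session.known_devices:
        delta, reasons = delta + 30, reasons + ["unknown device"]
    if session.last is not None:
        km = haversine_km(session.last.lat, session.last.lon, req.lat, req.lon)
        hours = (req.t - session.last.t) / 3600.0
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            delta, reasons = delta + 50, reasons + ["impossible travel"]
        elif km > 500:
            delta, reasons = delta + 15, reasons + ["location change"]
    stale = session.verified_at is None or req.t - session.verified_at > REVERIFY_SECS
    if req.action in SENSITIVE and stale:
        delta, reasons = delta + 35, reasons + ["sensitive action without recent verification"]
    return delta, reasons


def decide(session: Session, req: Request) -> Decision:
    if not session.active:
        return Decision("deny", session.risk, ["session terminated"])
    if req.mfa_passed:
        # A fresh proof of possession resets accumulated risk and trusts the
        # current device and location from here on.
        session.risk, session.verified_at, session.last = 0.0, req.t, req
        session.known_devices.add(req.device_id)
        return Decision("allow", 0.0, ["step-up verified"])
    delta, reasons = score(session, req)
    session.risk = session.risk * DECAY + delta  # smoothed so bursts of signals accumulate
    if session.risk >= DENY_AT:
        session.active = False
        return Decision("deny", session.risk, reasons)
    if session.risk >= STEP_UP_AT:
        return Decision("step_up", session.risk, reasons)
    session.last = req
    return Decision("allow", session.risk, reasons)


def run_scenario() -> List[Decision]:
    """Constructed session: a legitimate user in San Francisco, then a request
    from London minutes later on an unknown device, which is what a stolen
    session cookie looks like."""
    s = Session("bil", {"laptop-1"})
    sf, london = (37.7749, -122.4194), (51.5074, -0.1278)
    reqs = [
        Request(0, *sf, "laptop-1", "read"),
        Request(1800, *sf, "laptop-1", "export"),                  # sensitive: needs MFA
        Request(1860, *sf, "laptop-1", "export", mfa_passed=True),
        Request(3600, *london, "laptop-1", "read"),                # ~8,600 km in 29 minutes
        Request(3700, *london, "phone-9", "export"),               # unknown device on top
    ]
    return [decide(s, r) for r in reqs]


if __name__ == "__main__":
    for d in run_scenario():
        print(f"{d.action:8} risk={d.risk:6.1f}  {', '.join(d.reasons)}")
```

The constructed sequence resolves to allow, step_up, allow, step_up, deny: the first export is challenged because there is no recent proof, the MFA pass clears the slate, the jump to London trips impossible travel and is challenged again, and the unknown device on top of that pushes the smoothed risk past the deny threshold and closes the session. The point of the smoothing is that a single weak signal can be absorbed while several in a row cannot.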
In the gunslingin' world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.
Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO's standout series Westworld.
Bil Harmer participated in a podcast on October 24, 2019 hosted by Wendy Austin, discussing where security fits into the Big Data industry.
Article published on Tuesday October 22, 2019 in Belfast Telegraph, UK.
Tech supremo Bil Harmer keeps a treasured photograph of an east Belfast terrace. It shows four generations of his family, each standing in front of the same wall of the house at Moorfield Street where his father was born.
This week he'll be paying his regular visit to his dad William's old home when he returns to Belfast as one of the keynote speakers at Big Data Belfast.
IRVINE, Calif., Jan. 23, 2020 (GLOBE NEWSWIRE) -- SecureAuth, the secure identity company, has announced the appointment of Bil Harmer as chief information security officer and chief evangelist. Harmer joins the executive team to “bring trust back to a zero-trust world” and support the rapid growth of the company.
Chief evangelist | CISO | Trusted Advisor| Strategist | Leader in Cloud Cyber Security
Bil has been in Information Technology for 30+ years. He has been at the forefront of the Internet since 1995 and his work in security began in 1998. He has led security for startups, government and well-established financial institutions. In 2007 he pioneered the use of the SAS 70 coupled with ISO to create a trusted security audit methodology used by the SaaS industry until the introduction of the SOC 2. He has presented on security and privacy in Canada, Europe and the US at conferences such as RSA, ISSA, GrrCon and the Cloud Security Alliance. He has been interviewed by and has written for publications such as Dark Reading, Data Informed, SecureWorld and Security Intelligence. His vision and technical abilities have been used on advisory boards for Adallom, Trust Science, ShieldX, Resolve and Integris. He has served as Chief Security Officer for GoodData and VP Security & Global Privacy Officer for the Cloud Division of SAP, and now serves as a Strategist for Zscaler, where he runs the Office of the CISO for the Americas.
His personal passion for all things security is what drives his desire to make the web a safer place.
CSO ONLINE - Equifax Proves The CISOs Right
https://www.csoonline.com/article/3230521/equifax-proves-the-cisos-right.html
https://www.csoonline.com/author/Bil-Harmer/
CSO ONLINE - Equifax Data Breach
https://www.csoonline.com/article/3229508/in-equifax-data-breach-three-hard-lessons-in-risk.html
LINKEDIN - Where security industry is going
https://www.linkedin.com/pulse/where-security-industry-going-harmer-iii-cissp-cism-cipp-c
LINKEDIN - Did Hackers Just Win US Election?
https://www.linkedin.com/pulse/did-hackers-just-win-us-election-harmer-iii-cissp-cism-cipp-c
LINKEDIN - Looking At 2015 In Rearview Mirror
https://www.linkedin.com/pulse/looking-2015-rearview-mirror-harmer-iii-cissp-cism-cipp-c
LINKEDIN - Who's Responsible
https://www.linkedin.com/pulse/whos-responsible-security-board-harmer-iii-cissp-cism-cipp-c
LINKEDIN - Better To Sink The Ship Than Dock Safe Harbor
https://www.linkedin.com/pulse/better-sink-ship-than-dock-safe-harbor-william-bil-
Resolve Systems Appoints New Security Product Advisory Board Member, Bil Harmer
ShieldX Networks, San Jose, CA
GoodData Corporation, San Francisco, CA
Adallom, Palo Alto, CA
Acquired by Microsoft for $320m. Congrats to the team at Adallom. Looking forward to future endeavors.
How much security risk can an organization accept before it’s on very thin ice?
From exploring the tropics to getting inside the Shark Tank at The Mandalay, Las Vegas, it's a rush every time.
Riding for a cause at the Distinguished Gentlemen's Ride to raise awareness for Men's Health
Learning Kendo from a Master and descendant of one of the last Samurai. Kyoto, Japan.
Learning to forge a knife with a Master Swordsmith. Kyoto, Japan
With over 30 years specializing in Information Technology and more than 20 years focused on security, William's goal is to help educate the business world in making their products and services safer and in valuing the ever-growing need for Security in the Cloud.