Heather Hinton. Image: PagerDuty
Heather Hinton of PagerDuty discusses her role as CISO and the company’s “slow down then accelerate” approach to IT automation.
Heather Hinton is the chief information security officer (CISO) at PagerDuty, a cloud computing company specialising in a SaaS incident response platform for IT departments. With more than three decades of experience in IT and cybersecurity, Hinton now leads PagerDuty’s security-first approach to operations and development designed to deepen the resiliency of PagerDuty’s operations cloud.
Previously, Hinton held multiple roles at IBM, including CISO of IBM Cloud and Cognitive Software, IBM distinguished engineer and CTO for the company’s security and compliance specialty service area, where she addressed security and compliance concerns for internal adopters and external clients. She was also chief architect for the Worldwide Technical Sales and Solutions group where she was responsible for driving the adoption of IBM cloud solutions with key strategic clients.
As an IBM master inventor, Heather holds more than 100 patents covering federated identity management, cloud security and policy management. She was inducted into the Women in Technology Hall of Fame in 2019. She has a PhD in electrical and computer engineering from the University of Toronto and has taught computer security at the University of Toronto, the Nortel Institute and the Harvard University Extension School.
“My role is to embed security in all aspects of our business in support of our business goals and our customer’s operations.”
‘It is not uncommon to see digital transformation activities that are solving problems where they are observed, instead of where they are actually occurring’
What are some of the biggest challenges you’re facing in the current IT landscape?
One of the biggest challenges is the move to automation – not just the amount of work that is going on to automate tasks, but the impact on the people who are building the automation and are going to benefit from it. It’s a bit of an ever-accelerating process: we have more IT, and we can’t manage it with staff on hand, so we add more automation, but as we add automation (which is IT), we need more people to manage, and so we need more automation – and so on. At some point, if we have not handled this well, we will have built a brittle, non-resilient tech stack that we can’t secure, manage or maintain.
Within PagerDuty, we are addressing this by making sure that we balance our robust secure design discipline and change management discipline with a future-looking and present-informed business impact analysis. We start with a solid understanding of our existing work effort, understanding where it might be brittle or introduce friction, and then add automation to support the reduction of friction. Where we can, we use our own products (we are “customer zero”) to automate work and build flexible workflows. Where we need to bring in third-party products and tools, we make sure that they support our work, not the third party’s definition of a (related) problem.
Put another way, instead of embracing a “move fast and break things” mentality, we are adopting a “slow down then accelerate” approach: we explicitly slow down before the corner, accelerate through it, and come out going faster in the intended direction.
What are your thoughts on digital transformation?
It is not uncommon to see digital transformation activities that are solving problems where they are observed, instead of where they are actually occurring. I think that we see this where automation and sustainability collide: we are so focused on minimising our footprint that we focus on what is right in front of us (the observation of the problem) and not the origin of the problem.
By being mindful with a “slow down then accelerate” approach to IT automation, we are helping to ensure that we are solving the right problem, with the appropriate technologies in a way that supports our people and our business goals.
What are your thoughts on how sustainability can be addressed from an IT perspective?
In 1987, the United Nations Brundtland Commission defined sustainability as “meeting the needs of the present without compromising the ability of future generations to meet their own needs.” The Harvard Business Review provides this definition: In business, sustainability refers to doing business without negatively impacting the environment, community, or society as a whole.
While this absolutely includes big issues like climate change, renewable energy, clean water, education and healthcare, for me, this must be mindful of the impact on people as individuals (instead of members of a community).
Are we ensuring that IT (and automation) helps us employ, develop and challenge our current and future employees? From a security point of view, this means that the IT and automation that we are embracing needs to be easy to use and maintain, and security must be part of the process as early as the design phases.
What big tech trends do you believe are changing the world?
Zero trust is a strong trend that improves an organisation’s security posture for all of us. But in my industry specifically, assisting developers ‘shift left’ and add in security all at once via DevSecOps is critical.
For PagerDuty and our customers alike, security teams are engaging with developers earlier and making a tighter feedback cycle as part of the development cycle. This solves the ‘security as an afterthought’ issue that has plagued parts of the technology ecosystem for decades. The results should include increased speed and agility, happier customers, a shared responsibility for security – seen as an enabler of quality.
As we move to a more aggressive CI/CD model, this will become even more important as the speed of operations will require robust design, secure operations, and always on, intelligent alerting for anything suspicious.
Where the CISO gets particularly involved is in the journey of bringing security closer to the speed of DevOps flow and the introduction of new technologies which will bind people and processes together.
How we can address the security challenges currently facing your industry?
My teams face the same security challenges as other organisations. Monitoring and securing all the cloud workloads and those in the development pipeline, plus the physical networks and endpoints too.
Monitoring for security awareness is starting to become its own operational discipline: monitoring is made more complicated as we add more things to monitor, each with its own tool to monitor and interpret the results. Within PagerDuty, we are working as “customer zero” to make sure that we are monitoring and responding to the right things in a timely manner.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.
