Why cybersecurity specialists should focus on minimizing damage caused by hackers rather than stopping all of their attacks


Mike Hamilton understands that being a CISO, or chief information security officer, is a Sisyphean task.

For more than 30 years, the former CISO of Seattle and current field CISO at Lumifi Cybersecurity, a company that manages cybersecurity for organizations, has helped organizations ranging from small non-profits to the world’s largest companies defend against malicious hackers.

Hamilton spent years as a cybersecurity consultant for VeriSign Global Security, where he worked with Fortune 500 companies. His life, like that of many consultants, consisted of commuting through airports, hotels, rental cars, and restaurants. Then, his daughter was born and “dad’s not going to work on an airplane anymore,” he said. So, in 2006, Hamilton took a pay cut and became involved in protecting critical infrastructure as Seattle’s CISO.

“When I got there, everything changed,” Hamilton said. “I’m now working for an organization that keeps people alive. You knock over a waste treatment plant and, three days later, you have a public health emergency.”

Before getting into security consulting, Hamilton worked at some of the first companies that sold remote network security monitoring. With that background, his realization that few in state and local government kept a close eye on their networks set off an alarm.

Giving students experience

Helped by a mentor who knew federal government grants well, Hamilton was able to start a project that provided free network monitoring to state, local, tribal, and territorial governments.

The program, the Public Infrastructure Security Cyber Education System, uses trained students to monitor the networks of smaller communities that otherwise couldn’t afford to protect their technology, and report vulnerabilities or attacks on them. The program, known as PISCES, focused on critical infrastructure, or systems that keep the power, water, and other vital services operating. 

The students in the program get much-needed operational experience that is often missing in the typical cybersecurity curriculum. PISCES was a big success and continues to train the next generation of cybersecurity workers at 20 states colleges and universities.

Hamilton is set on getting the next generation up to speed because they need to be ready for the increasing tempo of operational impacts from attacks. After a long career in cybersecurity, he also believes that a college education simply isn’t enough.

After Seattle, Hamilton continued his focus on the protection of vital systems and co-founded the cybersecurity firm Critical Insight in 2015. The company manages cybersecurity services like network monitoring and response if an incident occurs, complying with the litany of federal and state regulations, and testing networks for vulnerabilities. Hamilton spent nearly a decade as the CISO of Critical Insight before it was acquired last year by Lumifi Cybersecurity for an undisclosed amount.

Lumifi Cybersecurity serves some of the most vulnerable industries like water and wastewater, counties and small governments, education facilities, manufacturing, and rural hospitals.

Although Hamilton may have changed the direction of his career, his time as Seattle’s CISO is “not a job I ever want again.” It’s not just because of the burnout, which is already an expected part of the job, or the psychological trauma, or the fear of getting sued. CISOs are fighting battles without a way to end the war.

“You’re not going to ‘win’ this thing. All you can do is minimize impact,” Hamilton said. 

The industry is undergoing a much-needed switch (one not nearly fast enough, Hamilton argues) from focusing on trying to prevent all unauthorized access to company networks to minimizing impact when a breach does occur, because some breaches, at least, are nearly impossible to stop.

Ultimately, the dizzying number of cybersecurity products is failing to stop a growing number of successful cyberattacks hitting organizations each year. The lack of success can be seen in major events. Just last year, there was the Change Healthcare breach that resulted in the exposure of 190 million Americans’ sensitive health care data, while ransomware attacks are frequently evading detection tools.

Reducing impact requires more than prevention, Hamilton said. Cybersecurity defenders should instead think of solutions rather than just Band-Aids. Removing network access completely where it is not needed instead of bolting on a cybersecurity product and hoping it will detect malicious code is one example of re-thinking policies around cybersecurity, Hamilton said.

Research firm Cybersecurity Ventures predicts cybercrime will cost more than $10 trillion in 2025. The estimate includes stolen money, extortions like ransomware attacks, intellectual property theft, fraud, and recovery efforts, but not the cost of defense. New hacker organizations are operating less like small-time criminals and more like small empires with huge revenue streams that rival the economies of small countries.

“That’s the GDP of a country,” Hamilton said. “That’s who you are up against.”
