A day in the life of a CISO: Chris Hughes of Aquia

One of the most challenging positions within an organization is that of a chief information security officer (CISO). A little while back, I had an opportunity to sit down with Chris Hughes, CISO and co-founder of Aquia, to discuss his experience in the role. Acquia is an open source digital experience company that empowers the world’s most ambitious brands to embrace innovation.

Hughs has experience with a lot in his professional career, including DevSecOps, Kubernetes, containers (and hardened containers), deployment pipelines, secure software factory reference architecture, security tooling, software bills of materials (SBOMs), and more. In the session, he discussed some of those topics, as well as what a day in the life of a CISO and co-founder is like.

Journey to becoming a CISO

Chris’s journey to becoming a cybersecurity CISO has been interesting. His career began with service in the US Air Force, where his interest in technology and cyber security began in earnest. Despite an initial lack of software development experience, he enjoyed working with computers and being a part of a thriving industry. Over the years, he realized that technology and software touched everything around us in one form or another — and that it all needed to be secured. After finishing his tenure with the United States Air Force, he worked in various industry roles and ultimately chose to focus on cybersecurity.

After meeting his two other co-founders, Aquia Inc was born. In addition to shepherding the fledgling company, Hughes also became very active in communities like the Cloud Security Alliance (CSA), Cloud Native Computing Foundation (CNCF), and many more. His journey from military member to co-founder and CISO has been remarkable.

Current concerns

Our discussion spanned many topics, but we focused on the developments around software supply chain security and SBOMs. We also discussed recent executive orders that have shown that the US government is increasingly interested in cybersecurity and ensuring things are streamlined according to supply chain security.

Hughes then talked about working with the publishing company Wiley to co-author a book on software supply chain transparency and security. Which led us to talk about how malicious actors that compromise a single aspect of the software supply chain, like with Log4Shell, can have a massive impact on organizations downstream — which is why it’s caught the attention of the federal government. In addition to the federal advisory around software supply chain security, the National Institute of Standards and Technology (NIST) has come out with guidelines for a secure software development framework, which will be mandatory for US vendors selling software to the federal government.

While SBOM’s, DevSecOps, and supply chain security, have dominated headlines, Hughes touched on another concerning challenge the industry is facing — which is its workforce.

Everyone out there is working on tools, licensing, and vendors, and not on the workforce and that's why many organizations are struggling with cybersecurity.

This raised questions about how to make sure that the workforce is ingrained with security, and how we talk about security champions programs. Hughes then acknowledged that we have to empower people to do the right thing and implement guardrails over gates. Everyone can't be everywhere all the time, and security is often exponentially outnumbered by developers within an organization. This is why providing cybersecurity training is imperative.

Working with development teams to help them understand security requirements and make sense of the data is vital to any organization’s security posture. Thankfully, organizations like the Linux Foundation and OWASP have started to provide secure development training, and many others are following in their footsteps.

Managing and mitigating risk

We also discussed compliance frameworks, risk management, and risk profiling for applications. Hughes, who has worked with the Department of Defense and other federal organizations,  knows the importance of a good risk management framework better than most. The NIST provides a lot of popular risk management frameworks, including  NIST 853, NIST 800, and NIST 171 — which Hughes has worked with first hand. These compliance frameworks serve as a guide to the federal defense industrial base for companies working with the government. Hughes has also worked with FedRAMP compliance and risk profiling of applications — which caught my attention in particular, since our current work on application security maturity assessment uses models like SAMM (software assurance maturity model) and BSAMM (building security and maturity model).

Learn more

Our conversation wrapped up with some great recommendations and references for continued learning. Hughes shared six of his favorite books on cloud native security, DevSecOps, and Kubernetes — many of them come from Wiley and great authors like Liz Rice and others. It’s so important that we prioritize communication and share our knowledge struggles with each other — that's what inspires us and keeps us going.

Head over to the Snyk YouTube channel for the full Snyk live discussion with Chris, as well as the other episodes in our Security Leadership Series.