• United States



Mary K. Pratt
Contributing writer

GitHub’s Mike Hanley: Today’s CISOs have to be out talking to customers

Nov 08, 20215 mins
CSO and CISOIT LeadershipSecurity

As the CISO role expands beyond conventional expectations, what it takes to be successful in the role is also changing, with customer focus and having a deep understanding of business context at the center, says GitHub CSO Mike Hanley.

mike hanley github cso
Credit: GitHub

Security is part of the sales pitch for GitHub.

The company promises to “protect and defend” its platform, so the developers who use it can trust its safety. Its website declares it to be “safe and secure by design,” assuring users that “Security is at the core of everything we do.”

The person who must deliver on those guarantees is GitHub’s chief security officer, Mike Hanley.

As he explains his role, “It’s security in the most royal definition possible: internal IT and corporate security, product security and platform health, GRC [governance, risk and compliance, the GitHub Security Lab, and partnering with teams to build the security products we have.”

GitHub’s security needs reflect its business model, which is different from most organizations. GitHub is a code-hosting platform for developers to manage, maintain, and collaborate on open-source programming projects, and it offers a collection of features that enable those developers, their work, and their online collaborative communities.

Given all that, it’s not surprising that Hanley’s responsibilities are broader than those traditionally assigned to enterprise security chiefs. He acknowledges that the expanse of work he has as GitHub’s CSO is particular to the company, its industry, and its product. At the same time, though, Hanley says he believes more and more CISOs are seeing their roles expand beyond conventional expectations and will continue to do so moving forward.

“For security leaders who are coming into their roles today, it’s really important for them to recognize that their primary responsibility is to protect the business and their customers, and increasingly the mode by which they do that is having an excellent understanding of not just security but the business,” he says. “So you have to be out talking to your customers, your peers leading the business, and you have to be a leader of the business to make the best decisions possible. That customer centricity and that business context and business acumen have become extremely critical. You have to take that approach and tack to be a successful security leader today.”

Setting the strategy

For Hanley, one of the biggest challenges coming in as a new CSO at GitHub is “there are so many neat things going on here” that it can become a distraction. “You have to have discipline as a leader to not get distracted and keep focused on the business-level priorities.”

Hanley’s strategy for GitHub security rests on a meticulous application of fundamental security best practices. “We have to be excellent at the basics, and that’s hard, but we have to be brilliant at those and have a firm foundation before we move up,” he says.

The GitHub strategy relies equally on innovations, aiming to enable the business to easily operate in a secure manner. “Everything we do on my team should be in service of designing great experiences and interactions with security features and processes and controls,” Hanley explains. “The goal is not to slow people down but to apply the right amount of friction in a well-designed way so we can make sure that bad things don’t happen and we have guardrails to pave the way for what we want to happen. The goal is for the teams to actually go faster and take better-informed risks because they have strong security guardrails in place from the security team.”

At the same time, the unique security issues facing GitHub generate challenges for Hanley and his team.

“GitHub is operating at a unique scale. There’s no way to just say, ‘This is what we did last time [to counter a threat].’ And that comes with a unique set of challenges we need to think about on how to operate securely. I find it great, it’s super interesting, it’s a good challenge to have,” Hanley says.

Growing the team

To help tackle such challenges, Hanley is expanding GitHub’s security team. He says the company “already had a great set of capabilities, talent, and maturity in place” but he sees the need for more. “We want to lean forward into that and continue to lead in that space.”

He doubled the security staff size in the first eight months of his tenure and plans to hire several dozen more workers over the next eight months.

Hanley wouldn’t disclose exact size of GitHub’s security department, but said it has a high developers-to-security engineers ratio.

Additionally, GitHub is hiring for positions throughout the security department. Those positions include roles typically found in most enterprise security organizations—such as work in incident response and security research. But his open positions also include more uncommon roles. For example, GitHub security has a team devoted to addressing vulnerabilities identified through the company’s long-running bug bounty program and it has a platform health team enforcing its anti-spam and anti-abuse stance—both security functions with roles not common in most other enterprise security departments.

Hanley credits GitHub’s remote-first workplace—a policy that predates the Covid pandemic—for helping him attract workers even in today’s competitive talent market.

“It allows us to focus on getting the best overall talent on the team because it doesn’t restrict where we look,” he says. He’s based in Michigan, overseeing workers stretching from Australia to Spain. “It’s great because we get a diverse set of backgrounds, skills and experiences. That makes us a much stronger team. It’s been a real enabler for us.”

Hanley also has an expansive approach to partners, explaining that building a great security organization today requires CISOs to work with the broader cybersecurity community. “You can’t build great security products being solely in house,” he says. “And that’s the fun part of the role: to share and have open discussions.”

That, though, is also a challenge – but one he welcomes as he seeks to leave his mark on the company’s security roadmap.