“If everything is a priority, nothing is a priority.”
Signal to Noise: An Interview with Mark Hillick, CISO at Brex
In this edition of Signal to Noise, I sat down with Mark Hillick, Chief Information Security Officer at Brex. Mark has one of the most unusual vantage points of any modern security leader I have spoken to. He is not only responsible for the traditional CISO remit. In addition to Security and GRC, he also leads a significant portion of engineering, including platform, infrastructure, IT, and product security. The result is a perspective that blends the pragmatism of an operator with the instincts of a builder. Our conversation traced his journey in tech, from traditional banking in Ireland to high-scale, low-latency gaming at Riot to the fast-moving world of fintech at Brex. It also surfaced a leadership philosophy rooted in enablement, clarity, and ruthless prioritization.
From Ireland to Brex: A Career Built on Change
Mark started his career in Ireland around the time the internet was beginning its transformation of traditional industries. He joined a bank at a moment when digital services were moving from novelty to necessity. Firewalls were still an emerging idea. Applications were becoming online products for the first time. It was an environment defined by rapid change and uncertainty, and those early experiences shaped the way he understood both technology and risk.
After a period of travel and volunteer work, he returned to the bank before eventually moving into roles that pushed him far outside his comfort zone. He joined Citrix as a dedicated network security engineer supporting customers like Amazon at a time when AWS had only a handful of services. In supporting gambling companies and AWS, he learned what high-performance networking looked like when milliseconds mattered. He then joined MongoDB during its early years, despite not coming from a database background. It was a stretch role that set up the next defining chapter of his career.
Riot Games recruited him to build its security team in Europe. This was at the height of escalating threats: large-scale DDoS attacks, UDP reflection attacks, and nation-state-level disruption of online games. He helped build Riot Direct, led anti-cheat, scaled global operations, and eventually owned security for the company at large. Once security had become part of the company’s fabric and Riot shifted to a multi-game studio, Mark felt the pull back toward earlier-stage challenges. A brief period at a startup followed, and then he joined Brex, where he has spent the last four and a half years leading both security and a large portion of engineering.
Security as an Enabler, Not a Gate
Throughout his career, Mark has held a consistent belief. Security becomes a blocker the moment you behave like one. Once people begin working around security, trust is lost and the environment becomes weaker. The goal is not to be permissive, but to be a partner who helps the company move faster without taking on unnecessary risk.
That philosophy is one of the reasons he now leads far more than security. At Brex, he is responsible for platform engineering, infrastructure, IT, GRC, and critical services like authentication and authorization. These are foundational systems that every product team depends on. In Mark’s view, if these platforms cannot provide a secure and reliable foundation, nothing above them can function well. It is a unique model for a CISO, but one that reflects his belief that security is most effective when it is integrated directly into how products are built and operated.
Building a Culture of Clear Thinking
When I asked Mark how he encourages teams to adopt this mindset, he returned to something simple: transparency.
Security cannot be the group that says no without explanation. It cannot behave as if certain rules apply to everyone except the people who work in security. It cannot hide behind the idea that clarity itself is sensitive. He made the point that trust is fragile. The moment you lose your audience, you lose your influence. And without influence, security becomes an isolated function that teams avoid rather than collaborate with.
Mark’s teams aim to be clear, supportive, and predictable. They publish the principles they care most about. They teach people how to think about risk. They create a secure product lifecycle that offers guidance instead of mysterious requirements. Over time, engineers begin to develop their own intuition about risk, their own version of what he jokingly calls ‘spidey senses.’
Signal to Noise: Experience Creates Clarity
Mark’s definition of signal to noise is grounded in experience rather than abstraction. Experienced leaders recognize patterns. They have seen decisions that went well and decisions that went poorly. They understand stories that rhyme. They can anticipate problems that feel invisible to others.
He translates that intuition into a framework that teams can apply consistently. The biggest drivers he looks for are clear:
Does the change introduce new access to customer data?
Does it involve employee data?
Does it create or expose a new externally reachable service?
Does it modify authentication or authorization paths?
Does it introduce any class of injection risk that would meaningfully disrupt customers?
These questions form the backbone of a shared mental model. They help teams reason independently so security is not a bottleneck. They also help distinguish signal from noise in an environment where everything can appear urgent.
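One way to turn those five questions into something teams can run on their own changes. This is an added illustration, not Brex tooling or Mark’s own process: the path patterns, the PR-template flag, and the three review tiers are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical path patterns (constructed for this example) that map areas of a
# codebase onto the five risk drivers from the interview. A real team would
# tune these to its own repository layout.
DRIVER_PATTERNS = {
    "customer_data": [r"/customer", r"/cards?/", r"/transactions?/"],
    "employee_data": [r"/hr/", r"/payroll", r"/people/"],
    "external_surface": [r"/api/public", r"ingress", r"routes?\.(py|ya?ml)$"],
    "authn_authz": [r"/auth", r"/iam/", r"permission", r"policy"],
    "injection": [r"\.sql$", r"/templates?/", r"shell", r"subprocess"],
}

# Assumed review tiers: the point is to let most changes self-serve and
# reserve security's time for the few that touch the drivers.
SELF_SERVICE, CONSULT, REVIEW = "self-service", "security-consult", "security-review"


@dataclass
class ChangeSummary:
    paths: list
    drivers: set = field(default_factory=set)
    tier: str = SELF_SERVICE


def triage(paths, adds_public_endpoint=False):
    """Classify a change by which risk drivers it touches.

    `adds_public_endpoint` stands in for an author-declared PR-template
    checkbox (assumed); it covers the 'new externally reachable service'
    question even when no path pattern catches it.
    """
    summary = ChangeSummary(paths=list(paths))
    for driver, patterns in DRIVER_PATTERNS.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns for path in paths):
            summary.drivers.add(driver)
    if adds_public_endpoint:
        summary.drivers.add("external_surface")

    # Escalation rule (assumed): any auth change, or two or more drivers,
    # goes to a full review; a single driver gets a lightweight consult.
    if "authn_authz" in summary.drivers or len(summary.drivers) >= 2:
        summary.tier = REVIEW
    elif summary.drivers:
        summary.tier = CONSULT
    return summary
```

The output is a shared vocabulary rather than a verdict: the drivers list tells the author which question to answer in the PR, and the tier tells the security team whether they need to be in the room.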
Navigating AI: Pressure, Risk, and Imperfect Tools
Perhaps the most candid part of our conversation surfaced when we talked about AI. Mark was clear: the pressure to adopt AI is intense. Boards expect companies to be seen as innovators. Leadership feels that same pressure. Every modern team is wrestling with the tension between enabling AI and protecting data that older controls cannot fully safeguard.
AI tooling often lacks core security capabilities, like SSO. Many of the security controls companies rely on simply do not work for this new class of applications. Protocols like MCP are still young and not designed with robust security in mind, yet the business value is real.
So the approach is pragmatic.
Partner with teams early.
Integrate security where it is possible, and monitor where it is not.
Educate people about what they should and should not do, while acknowledging that the tools are evolving.
Create a procurement path that moves quickly without creating disproportionate risk.
…and accept that this is a continuous journey rather than a one time solution.
Vendor Noise and the Art of Ruthless Prioritization
When I asked Mark how he separates vendor signal from noise in a market full of young, unproven AI-native companies, his answer was refreshingly simple. He delegates when it makes sense, but he protects his team’s time. He has roughly twenty-five meaningful problems he wants to solve, but realistically he can only fund three. He might have another five he is thinking about for the year ahead. If a vendor’s solution does not fit into those eight opportunities, he simply cannot engage.
It is not cynicism, but the reality of competing priorities. If everything is a priority, nothing is a priority. He zero-bases his thinking regularly. Whenever his role changes or his scope expands, he takes a step back and reevaluates everything. It is a discipline that keeps him focused on what matters rather than what is loud.
Finding Signal
My conversation with Mark was a reminder that security leadership is not about resisting change. It is about partnering and guiding it responsibly while keeping the company moving. He has built his career by seeking out discomfort, by embracing emerging technologies, and by building relationships that make security a partner rather than a hurdle. His philosophy is clear: empower people, articulate principles, narrow the field to the few priorities that truly matter, and continually revisit those priorities as the world shifts.
Experience sharpens intuition, and intuition applied consistently becomes culture. For Mark, that is where signal lives; everything else is noise.
Stay secure, and stay curious, my friends.
Damien