Devin Shirley – Arkansas Blue Cross and Blue Shield
- Written by: Neil Cote
- Produced by: Matthew Warner
- Estimated reading time: 4 mins
When it comes to data security, the buck’s got to stop somewhere. At Arkansas Blue Cross and Blue Shield, it stops with Devin Shirley.
“As technologies change, so do the bad guys,” explains Shirley, since 2016 the chief information security officer for Arkansas’ biggest insurer. “You can never depend on the system you have today. They, the bad guys, will always try to find a way around it tomorrow.”

Devin Shirley | Chief Information Security Officer | Arkansas Blue Cross and Blue Shield
While Shirley—like so many others at the forefront of data privacy—chooses not to discuss in detail what systems he’s implemented, he does say that since his responsibilities were upgraded to CISO three years ago, next-generation redundancies and enhanced general procedures are part of a refreshing new philosophy.
“Before this, there hadn’t been a single point of control,” he tells Toggle in midsummer while working remotely. “Oversight for security had been parceled out to different areas. They made another team in order to have someone in leadership who is responsible for leading security efforts and developing the security strategy.”
IT takes teamwork
With a diverse bunch under Shirley’s wing, he welcomes input from his team of 25, which varies by age and experience level.
“This isn’t your average 8-to-5 job,” Shirley says, reminding of the responsibility Arkansas Blue Cross and Blue Shield assumes when it gathers data on behalf of its members. “We have an impressive list of clients, and of course privacy is always at the forefront of everything we do.”
To serve their members, a digital transformation is well underway, with the company weighing the needs of longstanding customers against the phone- and app-driven expectations of the younger set.
Among Shirley’s goals is to have his team achieve by year’s end what’s known as HITRUST certification from the Dallas area company of the same name. An acronym for Health Information Trust Alliance, the certification provides independent verification of a service provider’s security controls, with a third party assessing on-site testing.
“It’s a good way to measure yourself every two years,” Shirley says, clarifying that certificates do become outdated.
Meanwhile, there are more basic lessons for the CISO team to teach.
Better mind the basics
Even in today’s heightened awareness of hacking risks, many people unwittingly render themselves vulnerable. Sometimes it’s with such basic errors as taping a password to a screen or opening phishing emails.
“We’re constantly sending out emails and posting internet stories and showing what phishing looks like,” he says. “We share headlines about what recently happened in which industry—health care, banking, the public sector—as a reminder to be extra cautious.”
And if ever there were a time to be extra cautious, Shirley says it’s now, as COVID-19 still has much of the Arkansas BCBS working remotely. The staffers by now well-aware of security risks, it’s been mostly business as usual, though Shirley remarks how familiar everyone’s getting with one another’s families and pets during virtual meetings.
With military precision
As to how Shirley pursued infotech as a career—it wasn’t all by design. A 1996 West Point mechanical engineering graduate, IT became an acquired interest when he was stationed as a signal officer in Fort Sill, Oklahoma, and the more Shirley got into it, the more appealing it became.
The need for info-security and encryption also growing exponentially, he stuck with it, earning a master’s in telecommunications management from Oklahoma State University in 2000. More recently, he’s been able to decorate his walls with an alphabet soup of such IT certifications as CCSK, CRISC, CCSFP, GISP, CISSP and, of course, CISO. Ever practicing what he preaches about this not being an 8-to-5 job, he’s a graduate of the FBI CISO Academy and a member of the IBM Security Services board of advisors.
And when not engaged in some type of cyber defense, Shirley still won’t let his guard down.
For he’s also a third-degree black belt in Krav Maga, the self-defense practice adopted by the Israeli Defense Forces. Offense might seem a better characterization for this fighting style that borrows from karate, wrestling and jiu jitsu. Though the student is advised to avoid a confrontation, it’s all aggression should there seem no other option.
An active and spry 46-year-old married father of four, Shirley is the chief instructor at Arkansas Self-Defense in Little Rock. He’s also writing a book on this martial art that he learned from his 19 years of training in Krav Maga and other forms of combat while in the Army.
Years well spent, he’s quick to remind.
“The Army made me who I am today,” he adds. “It instilled confidence and pushed me into leadership roles. It gave me the discipline and mindset to form a goal and execute the strategy necessary to get it done.”
Current goals, of course, include his team achieving that prestigious HITRUST certification in a matter of months.
“This mission never ends,” Shirley reminds.
Showcase your feature on your website with a custom “As Featured in Toggle” badge that links directly to your article!
Copy and paste this script into your page coding (ideally right before the closing