Devin Shirley – Arkansas BlueCross and BlueShield

True Blue for cybersecurity

Equally accomplished in martial arts and technology, Devin Shirley emphasizes the need to first address the immediate danger.

So someone’s choking you? Your first move had better be about regaining breath and then responding accordingly.

So your software’s been hacked? Stop the attack before pondering how to prevent its recurrence.

Devin Shirley | Chief Information Security Officer |Arkansas BlueCross

Devin Shirley | Chief Information Security Officer | Arkansas BlueCross

“If you don’t address that immediate danger, you distract yourself by taking actions that might not have very much impact,” Shirley tells Toggle in June. “If you’re not breathing, you’re not very effective.”

For training in physical self-defense, one can enroll in a Krav Maga class. As for fending off cyber attacks, one can borrow from the techniques he applies as chief information security officer at Arkansas BlueCross and BlueShield.

Cyber defense can’t rest

The wired world being what it is, Shirley warns that a cyber villain can harm far more people than one who mugs in the physical sense. Thus, it’s important to be fortified to begin with, which is why he led the organization through HITRUST certification from a Dallas-based independent company of the same name.

The go-to independent auditor for healthcare payments as well as colleges, travel agencies, insurance firms and other large-scale data holders, HITRUST puts its clientele through a months-long process that assesses numerous reporting domains including privacy, info and physical security, sanctity of core systems and regulatory compliance.

Having met numerous criteria, Arkansas Blue Cross will go through the process every two years to meet HITRUST’s evolving standards. HITRUST also encompasses the benchmarks for federal compliance set forth in the 1996 federal Health Insurance Portability and Accounting Act.

Devin Shirley | Chief Information Security Officer |Arkansas BlueCross

“HITRUST enhances what you do for security by providing a common approach that integrates numerous regulatory requirements like HIPAA and security frameworks such as NIST [National Institute of Standards and Technology] and ISO [International Organization for Standardization],” Shirley says. “It looks across many more security requirements and it’s something you refine year after year and eventually it becomes sustainable.”

Shirley’s also fronting initiatives that include cloud migration and looking at Zero Trust, which is becoming the favorite model of many industries and government agencies. It’s an ongoing process that includes the authentication of every device, network flow and connection.

“Many organizations are looking to move here, as we are,” he says. “It’s a model that can be adapted to a company’s needs. The bad actors won’t stop trying to adapt to new technologies and that’s why we’re always looking at new methods and changing trends to stay ahead of the game.”

Back to basics

While Shirley focuses on the big picture at Arkansas Blue Cross, he never stops encouraging his coworkers to not forget the basics of cybersecurity. One must still protect passwords and not click on suspicious emails and links, he emphasizes. He also continues to work to counter threats with next-generation redundancies and enhanced general procedures.

It’s all part of being the same good soldier at Arkansas Blue Cross that he was for the Army. A 1996 U.S. Military Academy at West Point graduate with a degree in mechanical engineering, Shirley logged five years as a signal officer. Post-service he enhanced his creds with a master’s in telecommunications management from Oklahoma State University.

Shirley has plied his IT skills for multiple companies since leaving the military in 2001. He served over three years as an IT manager for a semiconductor company, then became a convergence analyst at a hospital from 2004 to 2005. Next came a couple stints in telecommunications.

Devin Shirley | Chief Information Security Officer |Arkansas BlueCross

A member of the Arkansas Blue Cross IT team since 2016, Shirley celebrates his fifth anniversary as CISO in September. A 48-year-old father of four, he keeps physically fit by practicing Krav Maga, a self-defense practice adopted by Israeli soldiers and spies after World War II. Shirley got his introduction to it while in uniform, earning a third-degree black belt.

“While it’s high-intensity training, it provides a realistic and practical form of self-defense—and a great workout,” he says.

And, as he reminds, parallels exist between physical and virtual safety. All the best if you avoid at-risk situations and from an IT perspective, that means staying ahead of the hackers through network upgrades, cloud migration and educating your colleagues about what to be wary of each time they log into the system.

“Just as Krav Maga adapts to changes, so must our cybersecurity,” Shirley says. “Stop the immediate threat whether it’s physical or virtual.”

View this feature in the Summer II 2022 Edition here.

Published on: July 13, 2022



Showcase your feature on your website with a custom “As Featured in Toggle” badge that links directly to your article!

Copy and paste this script into your page coding (ideally right before the closing tag) where you want to display our review banner.


Alliant is very pleased with our experience working with the TrueLine Publishing team. We were not only impressed with the caliber of the whitepaper that was produced, but with the level of attention from the team we partnered with. They were very detailed oriented and I appreciated their follow up. They even offered to refresh the article and invited Alliant to participate in some of the design features. It is without reservation that I highly recommend other businesses partnering with this publication and I look forward to an opportunity to work with them again in the future.
— Katie Patterson, Director of Marketing, Alliant Technologies


Spring I 2024



  • * We’ll never share your email or info with anyone.
  • This field is for validation purposes and should be left unchanged.