[00:00:03] Voiceover: Gather round, my little hackers and defenders. You must have heard of big scary terms like SOC save our careers.
[00:00:11] Chaahat: Not quite. It’s actually SOC Security Operations Center.
[00:00:14] Voiceover: I wasn’t entirely wrong.
Speaking of careers, this lady who’s completely confused about which cyberpath to take is Chahat Bagla.
[00:00:25] Chaahat: Hey, it’s not that bad. I’m just curious.
[00:00:28] Voiceover: And so she is giving herself 12 episodes to explore 12 cyberpaths by asking professionals the right questions. Just curiosity leading the way. And if you’re in your figuring it out era, come along for the ride. This season we’re talking red teams, blue teams, AIGRC and all the juicy stuff. So plug in, scroll less and learn more. This is Destination Cyber Season 2. Powered by KBI Media Press Play. Your cyber origin story starts now.
[00:01:14] Chaahat: Hey there, my cyber explorers. Today we’ve got a powerhouse guest joining us, Jason Menar. Before stepping into the corporate world, Jason, Jason spent 16 years with the FBI, leading cybercrime operations and tackling some of the most complex threats out there.
Now he brings that experience into his role as a CISO at Kaseo, where he leads cybersecurity strategy across cloud SaaS and enterprise systems, making sure that security is built from the ground up. Jason combines real world investigative experience with modern security leadership and he’s passionate about building strong, high performing teams. This is going to be a great one. Let’s dive in.
Thank you so much, Jason, for joining us today.
So my very first question is, before the titles like CISO or FBI agent, it seems like there was a first moment where you realized that you were standing between harm and other people. So can you take us back to the earliest moment in your career where that responsibility became real, like straight out of university? Did you imagine yourself being an FBI agent or did you have a completely different career trajectory in your mind?
[00:02:24] Jason: Yeah, I had a completely different trajectory career in mind where I just wanted to help people. It started out helping people with special needs. I had just a passion for underprivileged and underservice areas and children.
And I wound up spending a semester teaching underprivileged kids.
And at that time, that was all I wanted to do was I wanted to find a way to connect to those that hadn’t been connected to in a way that was meaningful, where they understood how to learn. As I started that process, I was very blessed to run into some key leaders, key leaders in law enforcement, key leaders in cybersecurity that led me down a path to helping others in a very meaningful way through law enforcement and Then, just as I started helping those that were underprivileged, what I found is I grew up in a time where people didn’t understand technology very much. And technology was ever evolving as it is today. It’s very much ever evolving.
But we literally went from hardwired payphones, phones, pagers, to the Internet. It’s hard to believe I’m part of a generation that grew up without the Internet. You know, a great deal of the technology that we now have. And as that technology started to evolve, and I evolved with it, I saw where I could help others that were in harm’s way. I saw when I went into law enforcement before school shootings that there was this poor girl in a high school that was going through a terroristic incident where she was being threatened and no one was taking it seriously because it was happening on a computer. And no one understood how to investigate at that time and how to go to the ISPs and work with the ISPs and really start tracking down where the true person and adversary behind the keyboard was. It was one of the first cyber cases that I did where someone was stealing some services, threatening a girl that was in high school.
And then we were able to put the pieces of the case together and actually bring that person to justice.
And in that moment, everyone can relate to the harm that has befallen people with mass casualty events. And it becomes very real and it becomes very tactile. Just like with WannaCry. I was up at cyber headquarters and I remember dealing with hospitals that were having to make life and death decisions based upon their technology and their infrastructure being impacted by that ransomware event.
[00:05:12] Chaahat: So after years of seeing these breaches, investigations and human failure modes, how has your definition of trust evolved in both systems and people?
[00:05:22] Jason: Yeah, I always say trust but verify.
So when we start talking about the idea of trust versus people, I think there’s two different components there.
And when I start thinking about that, I really go to systems and process for technology and having a repeatable trusted that’s verified and versus the behavioral aspect and the inherent trust that we start talking about when you deal with people.
And so I think you’ve seen this kind of bore out in the zero trust and us moving things towards the perimeter.
But at the end of the day, what I see is I see us having to make sure that we, through frameworks and through our own human interaction, make sure that we are gaining and building trust with others. And trust is a two way street, right? It’s trusting your security professionals to provide the right guidance. It’s looking to make sure that security professionals aren’t just the island of no or a place where they are perceived as blockers, but enablers for the business.
And so when we start talking about the idea of trust, I very much think about a mutual, beneficial, symbiotic relationship between the business and between security that ultimately leads to a fundamental alignment and hardening of the security posture for that entity and for that business.
[00:07:08] Chaahat: I think that’s a very well said point, that there has to be a sort of symbiotic relationship between business and the security.
So driving from your experience in law enforcement, I believe that authority is explicit through a badge and a clear mandate. And in corporate cybersecurity I imagine things to be a lot different.
The influence replaces the authority. So what was the first moment when you realized that power worked differently and how did you adapt?
[00:07:38] Jason: Well, I would argue while there are some explicit authorities that someone has, just as there are in, in business, you don’t have overreaching authority, right? You have certain authorities that are governed by law, just as you have certain authorities that are governed by policy.
But any good law enforcement officer and any good cyber practitioner is going to build common ground and going to seek first to really ensure understanding. Now that doesn’t mean that there’s not going to be one offs within a corporation where you have to isolate machines immediately. You have to take direct and decisive action just as you would in law enforcement. But the majority of interactions, whether it be law enforcement or whether it be on the corporation side, it is really a communication and education process.
Think, if you will, of the many times somebody is getting pulled over.
You know, while there are one off incidents where there will be escalations and things that have to be called out in authority, usually that’s a, that that’s a communication that takes place on the side of the road or wherever that law enforcement interaction works. And there is a communication between understanding of what happened, a transaction of ensuring that someone understands the violation of the law.
Just like in corporate America, an understanding of where there may be violation of policy.
Now the biggest thing that I’ll say is at the end of the day, whether it’s in law enforcement, especially at the executive level or, or at the executive level in corporate America or corporate corporations worldwide, is there is the huge influence piece and without the influence and understanding of others, you are not going to get anywhere solely based on your authority. Security is a team sport.
Security only can truly exist the way that it is meant to protect the institution with the buy in of not only leadership, but everyone in the organization.
It is everyone’s responsibility at the end of the day to uphold the security principles of an organization.
Just like at the end of the day when we are all one nation, we have a duty to that nation to make sure that we are abiding within their laws and regulations.
[00:10:27] Chaahat: Yeah, you spoke a great deal about influence as well, and how it impacts people more than the authority does. How do you go on about building that influence? What’s your sort of strategy to interacting with people and making them understand that, you know, how some people believe that it’s not going to be attackers are not going to target me. I’m just a part of a piece, but I’m not the main person.
So how do you make them understand that every single piece is as important?
[00:10:54] Jason: Yeah, so even some of the terminology that you just used, I try to back away from and try not to get to absolutes where it’s making someone understand.
Because at the end of the day, what we want to do is we want to find out what matters most to that person, what do they care about, not only within the organization, but what drives that person, what drives them and their teams, and what are they trying to ultimately accomplish within the organization.
And then from a security perspective, we want to provide a way that’s not only secure, but reduces the friction that they would otherwise have without these security principles. And it is really a partnership to get them in a better position where they can be more autonomous and they can be more efficient with, with the things that they are currently doing.
Oftentimes that will help in many, many areas. Especially when you talk about dev lab environments and different environments where if set up correctly, your developers can actually have more control over the things that they are developing and the ways in which they can develop if you have them in the right environment.
And so you’re reducing the friction that they would otherwise have in a very restricted environment. And it meets the needs and meets the organization where they’re at to fulfill the organizational goal, to rapidly get them to accelerate towards their objectives, their timelines and at the end of the day, their proficiency in outcomes. It’s all about ensuring outcomes, safe and effective outcomes for the team and the company.
[00:12:45] Chaahat: That’s a very valid point.
So what is a survival instinct from your law enforcement days that once protected you, but then later when you came to corporate cyber security became sort of a liability, sort of slowing down? Was there ever a case like that or no?
[00:13:01] Jason: There are several things that can potentially be stumbling blocks Right. Hypervigilance. You want your security team to be very hyper vigilant, but not at the expense of the company. I think most CISOs out there would love the security footprint if they were able to detach everything from any outward facing network. However, I don’t think it would benefit the company very much. Right. It may be a very, very secure environment, but at the end of the day, it’s not going to fulfill the business needs and outcomes.
So understanding that at the end of the day that the company has a risk profile and a risk acceptance profile set up by the board and the CEO and other executive stakeholders, that at the end of the day, it’s our job to make sure that they are aware of the risk and the potential harm, impact and blast radius and then for them to either remediate against that or in some rare cases accept the risk on the organization’s behalf. And so I think that’s one of the areas that people could get tripped up. The other thing is there is information within security and this is a very delicate balance that must remain confidential and must remain compartmentalized. But there’s a tug and pull on that constantly because you have to be as transparent as possible to ensure that developers and stakeholders. Right. Are constantly aware of what those risks are, how those risks have been developed and how to remediate those. And so one of the things, if you’re not careful, is to open over compartmentalize certain aspects or pieces of security, whether you’re in law enforcement or whether you’re coming from a different part of corporate America. That’s something that you always have to be careful of.
[00:15:08] Chaahat: So when you accept the risk, what does it feel like after the meeting ends, after you have explained to people that either we can accept it or we can remediate it, and if they choose accepting it. So when it’s just you and the consequences, how do you sit with that?
[00:15:25] Jason: So it’s not going to be just you and the consequences, because if it’s just you and the consequences, you are making a unilateral decision and that’s where people get into trouble. So when you sit with the board, when you sit with the CEO, when you sit with whoever the CISO is directly reporting into, it is making sure that you are documenting the risk and that you are thoroughly explaining the risk, and then that is the point where a lot of times it will feel actually better, because now you know that it is very clearly stated, documented and articulated what the risk are to the institution if we continue down a certain path. Where things are not remediated. And then that’s a business decision.
Now, we need to make sure at the end of the day, which is why most of the time organizations have a risk committee that makes up. And so it’s not just a single person, where it’s a CEO or a single board member, but this risk committee has thoroughly explained all the risk within the organization based on a priority basis. And then that in turn report will go up to your audit committee, your board, your CEO, et cetera, et cetera. But usually after that conversation, you feel much better because everyone understands the risk that the organization is facing. Now, whether you agree or disagree on the approach that is being taken, everyone understands. And as I always say, at the end of the day, as long as it’s not illegal or unlawful, immoral, unethical, we are going to make sure that we get behind the decision that the companies make, right, Whatever that company makes.
And sometimes I’ve seen corporations, especially in my FBI career, where they have been explained in horrifying detail risks that would bring companies to their knees only within the next three to four months to a company being brought to its knees, and then them wishing that they would have done something else. Right.
And unfortunately, I have story after story after story where it has cost companies millions and millions of dollars because they didn’t incorporate the proper remediations needed for oftentimes a lot of historical debt and a lot of very bad practices.
[00:17:57] Chaahat: So would you say, being in your position as a ciso, there is a transparency between either you, yourself and your team or between yourself and the board, so that there’s no information that’s just to yourself, but it’s always transparent communication between either to the team and certain confidential things to the board.
[00:18:17] Jason: Yes. So you have, oftentimes you’ll have a risk registry. That risk registry you will go through with several different team members and executives to explain within their business and within their organization the span of risk within that registry. Right. You’re going to have some type of risk committee that is typically made up of executive stakeholders where all these things are being briefed, you know, at least on a quarterly basis, typically made up of the ciso, the cto, the cfo, and then other various, you know, leaders within the organization where you are going into a lot of detail on, on the various risk that are out there in the company, how they are being addressed, how they’re being mitigated, and what’s going on at any given time. And then you’re having, at least twice a year, you Know, a close session, board meeting, where you are going over, you know, the top risks, the top programs, what you’re seeing as far as the threat landscape. And you are educating the board on what the company is currently doing about cybersecurity, what the roadmap looks like and where we are headed.
[00:19:31] Chaahat: And then you also mentioned something that during your FBI years you have seen companies that have the risk, but they’re not able to solve them or remediate them and then it has brought them to their knees. So is there a particular incident where you think that human behavior during a crisis has surprised you the most?
[00:19:51] Jason: I can give you several examples of where human behavior has surprised me. One case that I remember is there was a web based company that was worth hundreds of millions of dollars and did millions of dollars in revenue each week out of that had been attacked and they were undergoing a ransomware attack. And we were called the FBI was called the day of the ransomware. We had already, I had already briefed that company’s board and explained the amount of legacy debt within that organization and some of the items that needed to be changed. We would later find out had they done even half of the items that were suggested, they would have likely not encountered the disruption that they went through.
Unfortunately they didn’t have outside cyber legal counsel in place. They didn’t have third party entity remediation IR team ready to go. It took them over a week to just sign the documentation to get the IR company in the door, which was a week of downtime and then another four days before they were able to get even parts of their site back up and running. And the total cost wound up being around $20 million.
And on top of that, I don’t believe that they even had cyber insurance. So there were several different things that wound up costing that company dearly. Now the good news is that company’s still in business, but for almost two years that company was reeling from that particular disaster.
The other company that I remember was a critical infrastructure company that had come up from a three person company.
And when I was talking to the board and I started asking them about the size of their team, what they had done for some legacy systems that were nearing end of life and a lot of historical debt that they were encountering and a lot of challenges they were encountering, they literally just looked over and said, well Bob’s our guy. Bob’s been here since it started.
And I’m like, does Bob have any help? Does Bob have a team?
There was no team. There was no thought in how the security organization was going to scale or was even going to keep the lights on. And there hadn’t even been conversations around the infrastructure of the organization and the upkeep of the infrastructure aside from security. And so I think those are some human behaviors that I kind of found very fascinating because they were not the norm, they were outside of the norm.
Usually you would go in and usually companies would have some type of security personnel and security team in place. They would oftentimes be underfunded. They would oftentimes not get time in front of the board, they would oftentimes not have proper structural alignment.
And we would come in and we’d be able to make some suggestions.
And so I was very blessed in the FBI that while I was an agent and while I was in a leadership position within the FBI, because I got to work so closely with boards, because I got to work so closely with CISOs from across the world, I was really, in some sense, you know, more like a contractor or the Deloitte’s of the world, where we were able to provide some guidance and really specialized insight into what proper cybersecurity look like, as well as the current threat landscape because of the information that was at our fingertips within the FBI.
[00:23:45] Chaahat: Sounds like a very high stake job. Also that you now that we’re talking about ransomware and the attacks, it sounds like in the situations when company is facing the attack, again, the stakes are high and the deadlines are just beating around the corner that you have to make a decision really quickly. So how do you decide? Was there ever a case where there was no right answer, only the consequences?
And how do you decide whether you have to pay off the attackers or you don’t pay off the attackers and then you face the consequences and that goes on costing the company even more than paying off the attackers?
[00:24:19] Jason: There’s no better example than this. And there’s been numerous cases, and I don’t know that I can speak to anyone specifically where the government has had knowledge of illicit activity and may even have had the ability to see said activity. But communicating it broadly to potentially future victims, or more widely to the public would cause them to lose that visibility.
And so what you were faced with is, do we continue to learn more about the adversary and go as deep as you can to get the entirety of the network or for the good of society as a whole? Do we make sure that everyone knows about this immediately? And when I say everyone, obviously the victims would be notified and we could work with the victims, but oftentimes you had a decent idea of who would be future victims based upon the profiles of the victims that they had gone gone with before and getting that information out in a timely fashion. There’s many different ways that the FBI tries to communicate that and other entities try to communicate that, but there really seems like there’s no right answer. Right. If you’re a victim or if you’re somebody that has been ransomware and you lose thousands or hundreds of thousands or millions of dollars, you’re going to say, no, the right thing to do is protect me immediately. Yet if, you know, if you let that information out prematurely, that all that’s going to happen is you’re going to make a slight disruption, and in two weeks, this ransomware adversary is going to be back up and running and then affect another 150 million.
Well, you weigh what those consequences are, and sometimes you decide that you need to go deeper and you need to try to find as many of the adversarial actors as you possibly can. And sometimes you say, hey, the harm is too risk to the global community, and we’re going to go ahead and we’re going to make sure that they know immediately the risk that is out there.
So when you’re dealing with something like that, there’s no right answer. There’s only consequences.
Consequences that the adversary will get away and continue to harm a greater number of the civilian population, or that what are we doing?
We’re not stopping the adversary immediately, and someone is going to lose their life savings that we can’t otherwise replace.
And now you’ve earned, you know, a family’s life. And those are some of the toughest consequences and toughest decisions that I think anyone ever has to make.
And I would just say that they are not made by a single entity. This goes all the way up sometimes to the National Security Administration and in very high levels of government, you know, to help make these decisions, because they truly are decisions that have consequences no matter what choice you make.
[00:27:25] Chaahat: I feel like when you deal with such kind of consequences, then you go into thinking, even like after work like you have, you go down the rabbit hole whether you. You’re doing the right thing and you have to sort of sit with the decision. And not oftentimes it is that you can raise your voice and it’s being heard. Sometimes you have to do, like you said, for the good of the society. So what does this career take from you over the time if you don’t actively protect yourself?
[00:27:52] Jason: I’ve seen it take everything from people I’ve seen It destroy marriages.
I’ve seen people battle with, you know, personal mental health. It is one of the most stressful jobs that anyone will ever have to be in cybersecurity. It is second only, I think, to law enforcement and other very actively dangerous jobs where you are risking physical harm.
Because at the end of the day, we understand that people’s livelihoods are on the line, whether it’s your company, whether it’s a downstream company, whether you’re investigating and you’re doing, you’re part of an insider threat team and you’re literally investigating people and shaping the outcome of their professional careers. You know, it is very hard to compartmentalize even when people make wrong mistakes within organizations. When you’re having to do the investigation, you have to think especially like insider threat teams, they see the worst day in and day out, right? They see the ugly side of what is this human experiment that we have in society. And so by seeing that if you’re not careful and you don’t have the right outlets and you’re not talking to people, you don’t take mental health seriously.
You can be jaded. And even when you do, it takes a very unique person to continually be subjected to this level of stress, to be subjected to this environment.
So what I, what I’ll say is the thing that has helped me most is I was literally in life and death situations. I remember kicking down doors and facing people with weapons on the other side, whether and convicted murderers and looking down the barrel of firearms in real life. And that is the one thing that helps with the perspective of even with everything that we’re dealing with, this is truly not a life or death situation. Yes, it is very impactful for people. Yes, it impacts their financial livelihood and it affects their personal life.
But at the end of the day, we will get to go home.
I can’t say that for everyone in law enforcement, in the military, I can’t say that for everyone in different areas of job where they are actively going up against potential physical harm. But the mental stress of what our teams deal with, as well as operational tone and operational cadence.
There is such a strong operational cadence on cert, on SOC teams that are just the only thing that I can really relate to them is, you know, on call surgeons, law enforcement.
The hours that these CERT and SOC and security operators keep is absolutely unbelievable.
And with that, you get a certain type of person that usually likes this, right? People that are thrill seekers, people that, you know, like to live on the edge, but at the same time, you know, burnout is a real possibility and you have to watch that in your teams. It’s one of the things that we talk about all the time about making sure that you take time for yourself, making sure that you surround yourself with people that care, making sure that you reflect on the impact that you’ve had within the organization and without, and making sure that you do something that fills you back up. Giving back to the community is a great way to do that. We have several team building exercises internally that we are constantly doing and we provide various different outlets. But it is a important part of understanding, you know, the long term potential effects of what high stress environments, you know, can do to people.
And we are truly in one of the higher stress environments, you know, in cybersecurity in the world, I feel like
[00:32:09] Chaahat: from the outside, as a civilian, we don’t really know what’s happening. As a student, it seems cyber security is the most exciting. And we see in the movies as robots and hackers. What we didn’t realize is when people like yourself are in those shoes, there are consequences as well. And it’s very important to, yes, move forward in the field, but at the same time step back and then realize what you’re doing is important. And the ways to sort of sit with the decisions and think about it really. And then you mentioned about giving back to community and I think that’s very important because it does make you feel happier, more happier inside.
[00:32:50] Jason: Oh, absolutely. Appreciation to others and making sure that you are finding ways be productive not only at work, but in the community.
It really is fuel for yourself.
[00:33:05] Chaahat: Yeah. So if tomorrow you stepped away from cyber security entirely, I don’t see that happening. But let’s imagine what parts of this work would still shape who you are. And for the students who and early career professionals who are trying to choose a path in cyber security, what internal questions matter more than certification or job titles?
[00:33:28] Jason: If I stepped away tomorrow, I think the biggest thing that has shaped me, it is trusting, but verifying what I talked about before.
Right. At the end of the day, we have seen so many things that are supposed to be a certain way and you have to verify that they are what they say they are. And I think that goes as very applicable as we step away.
The other thing is being the calm in the storm.
In cybersecurity, when something happens, being able to pause, take a breath, be the one that brings calm to a very high tension situation or a high pressure situation, I think is applicable anywhere that you go in the world. And so you’re able to Bring calm, I think, faster than the normal person.
You’re able to treat things as you would like an incident response plan, being able to determine what’s truly essential and what’s noise, where your choke points are and, you know, where you can get different things restored.
And so I think you take that away, that’s really muscle memory that is applicable outside of cybersecurity. Right.
And then the other thing that I would take away is my love for continuing to work with and pass on knowledge. I got a call just today from someone who is new to a VP role, who unfortunately is. Is going through their own incident right now.
And I was able to talk to them for about 30 minutes and really walk them through various steps. And to me it was all normal. And they were just like, oh my gosh, you know, I don’t think I would have ever thought about all this or done this or, you know, this is just amazing. And so I took a step back and I said, okay, how did I. How was I able to add value?
And yes, I’ve done this for 25 years. Yes, I’ve been around.
But ultimately it is because I put myself in situations outside of whatever I was doing at the time, if I was doing something that was just investigative or some kind of different crime. When I saw that I like cybersecurity, I took my own time after hours, embedded myself with those investigators, asked them questions about how I could help them add value to them totally outside my current roles and responsibilities.
When I got into leadership, I literally started asking my supervisor, what are the things that you hate to do the most? And as they started mentioning them, I said, great, can I help you with them? And I started learning portions of the role. And so stepping outside your comfort zone, learning what others do, really expanding your repertoire outside of just your specialty, I think is huge.
And I think those are the things that help you be in a position to use all that knowledge in the future, whether you’re in the cybersecurity industry or not.
[00:36:49] Chaahat: Very well said. You know, asking someone what they hate to do the most and offering your service, like at that point, there is no denying either, because they would be like, yes, go take this away from me. That’s a very good point. Point and a very good question. I’m going to be using that question in my years to come.
So what does cyber security needs less of right now and more of? I know there’s a lot of AI, and in every business these days, people are using AI to automate a lot of processes. So is Cyber security industry in Cassera, for example, are you guys using AI to automate any part of cyber security?
And what do you think it needs more?
[00:37:27] Jason: Yeah. So, yes. I mean, AI is, is the wave of the future, right? And when we say the wave of the future, we mean. And what I also am taking into consideration is a large part of our automation, because AI can help automate things that up till now have been very complex things to potentially automate. It also provides clarity. It also helps and communication. So I think if you’re not utilizing AI, you’re not utilizing, you know, AI agents and bots and learning how to. How for those to be applicable to you in any given moment, you’re going to fall behind.
But let’s step back and say, hey, what are the things that matter most? I think, and this is at the heart of your question, what matters most right now for people early in their careers?
What matters most right now for people that are coming up? So it is understanding the technical nuances of how AI and technology fits into the various roles that you see yourself in over your lifetime of work. Right. And whatever vertical that may be, and getting very deep into explaining how that’s going to help shape not only the role, but the decision and differentiating yourself around the use of AI and how it moves the needle for the impact that you have to the organization and to your work.
And I think that is very, very key to communicate right now to people, and that’s what people are looking for. The other thing is that I think we all, myself included, we have to work on our communication skills. And I think AI is just. It is such a phenomenal tool to do that. We can literally go back and forth with AI, set it up as whatever we’re trying to work through, think through for various interviews, for various problem solving.
It’s going to help take us out of the box in the various things that we think about, how we come across different problems, how we solve different problems. It is not just a tool that we should think of that we’re using to go and explicitly get an answer. It should help us challenge our own thought processes and go much deeper and wider.
That is going to help the algorithm, it’s going to help the LLM, it’s going to help you and really diving down, because even through the course of this podcast, I can guarantee, I feel like I have communicated certain things.
But there will be people in the podcast that may hear something different. And so really, truly understanding the weight of your words, the impact that they have, and being able to effectively communicate is what is going to differentiate you.
And when you connect that to that technology piece and the understanding of AI that I talked about earlier, I feel
[00:40:57] Chaahat: we can do anything today with AI only if we know how to do it. There’s certain ways that are right to talk with the air and then, you know, it’s just like a door. If you know, if you have the right key, you’re going to open the door with like prizes. If you don’t have the right key, you’re only going to get how much information you provide.
So I also want, I don’t know if you remember, but from our chat, the once before, you talked about how you went back to university for your masters and then you realized there are certain gaps in how the cybersecurity is being taught in the university versus what the real world cybersecurity looks like. Can you tell me more about that? How did you help shape the new curriculum or what gaps did you see?
[00:41:41] Jason: Yeah, so in certain situations I see where they’re, they’re teaching, I hesitate to say, but much older and not cutting edge principles, sometimes they’re not using the latest technology.
The other thing is that we really tweaked a lot of the material when it came to practical application, really pushed the university to refresh that practical application. We also looked more at how we could get a true sense of an individual in a team environment. Because what I found when I was interviewing so many new graduates is I would say at least 60% that I talked to had trouble explaining how they worked in teams, had trouble truly explaining the team concept, and had trouble talking through a process in which or a system that allowed them to set up a process and then how they or someone else took true leadership of teams.
So there was some of the curriculum was actually okay, making sure that we gave the proper framework for somebody to understand various roles that would be needed within the team, how those should be executed on, and then having peer review of how people did in those roles and not just based on the total technical content.
Because when you’re hiring someone, while the technical content is very important, almost equally important is how they are going to fit in as a member of the team. And if they can’t fit in as a member of the team and contribute to the overall team, it’s going to be very hard to hire somebody. And so that’s one of the things that we focused on. We saw immediate results when those that had gone through that graduated.
We also saw immediate results of feedback when there was direct ownership of certain projects and you were able to give them certain freedoms within the projects to explore newer technologies.
You saw newer, inventive, more inventive ideas instead of strictly giving an if then statement and leaving it more open ended. And so having frameworks and guardrails, having things a little more open ended where you had the freedom to actually utilize and explore new technologies while really diving in and explaining team concepts and introducing that early on in the life cycle of the CIS program made a large different difference. And then we looked at the various curriculums and elements and I don’t think we have enough time to go through every single element in every single curriculum piece, but just really updating that and utilize some of that same thought process of how can we make sure that we develop this in such a way that it scales and it is not a snapshot in time to where we’re just utilizing current things today on 129, you know, 26.
And this is going to scale for 129. 29. Right. And so you. There will still be a plan to tweak some of the content, but the scalability and the tool sets interchangeable to whatever that of the time is a necessity.
[00:45:33] Chaahat: I feel like this is very important because when I was in university I absolutely hated doing the teamwork because some of the it depends on what team you get. Sometimes you get a really good team, but sometimes you get a team of people where they are overly reliant on you. And then you get all the responsibility. And then people managing is very hard. You have to make them understand that it’s their role and it’s something in their capacity that you have to do. And I would have loved to learn all that within like university and not just being thrown into a team, but actually understanding what it is like to be what are your responsibilities versus what are the other team members responsibility and not having to take up the work of somebody else or them not having to report to you.
[00:46:15] Jason: That is my point because that was the initial feedback when we were going through this process. And I said how is what you just explained any different than what we experience in real life? Because you will be thrown into teams in real life where there will be a high performer, there will be somebody that is performing at expectations and there will typically be a low performer. Unfortunately, you know, while there are some very good teams, almost universally at some point in your career, you will have to deal with that. And how we deal with that is going to be very impactful on your initial performance. Because the one thing that we know is that as security practitioners, very few times is it our hands on keyboards that does the remediation changes. It is our recommendations and our ability to work with other teams and get their buy in to ensure that the remediation is done correctly. And then we get to validate that.
And so we will not always get, you know, team members that are necessarily always willing to, you know, work with us. And then how we work with others and how we get them on board is equally important. As important as, like I said, that logical knowledge. Right.
So anyway, yeah, I think making sure that you are given those types of tools is what is going to help you in the future. And that’s what we tried to set up at university.
[00:47:53] Chaahat: I feel like it will come with time. If nothing else. Time is the best teacher.
[00:47:57] Jason: Yes, it is.
[00:47:59] Chaahat: And I also read somewhere that you led to the creation of Microsoft Cybersecurity Center. Can you tell me more about it? What does the center do?
[00:48:07] Jason: Yeah, so I was very fortunate in working very closely with them when I was at the FBI, that center. I have to be careful what I say, what’s public and what what’s not. But what I’ll say is there are many technical organizations around the world that seek to get the latest information on adversarial news or adversarial information as they can. And while many of the top organizations, whether it’s Microsoft, Google, Amazon may have those, various governments around the world will have those.
And having a center collectively where people can come together and communicate in real time what those threats are has a meaningful impact to customers around the world. And that’s what Microsoft came up with. And I was very happy to have a part in the creation of that and working with some tremendous folks and individuals who went on and have continued that.
But it’s an amazing place where information and knowledge is shared, all for the good of not only Microsoft customers. But quite frankly, much of that information is shared openly in a way that everyone is able to gain access to it. So some great men and women that have done some amazing things there and I was just happy to be a small part of that.
[00:49:36] Chaahat: Well, it all sounds fascinating. Thank you so much for your time. But in the end I like to do like a rapid fire questions.
[00:49:43] Jason: Okay.
[00:49:44] Chaahat: Okay. So what drains you faster? Chaos or complacency?
[00:49:49] Jason: Complacency.
[00:49:50] Chaahat: One leadership habit that you had to consciously unlearn.
[00:49:55] Jason: Wow. Immediately I just want to say I said yes to too many projects and too many things trying to be helpful, which led to me not being as Focused as I could be. So learning how to say no as a leader and learning that unfortunately I have to say no to things because There are only 24 hours in a day.
[00:50:18] Chaahat: Yep, a belief about cybersecurity that you no longer hold.
[00:50:22] Jason: Gosh, I remember very. Oh gosh, very early days.
Oh God, this is a little embarrassing to say.
Very early days.
Back when cloud just came out.
I have to admit when it very first came out, I was somewhat skeptical of cloud environments. The right cloud environment. I am no longer. I am not skeptical of cloud environments anymore. It is just like any other environment.
If it is set up correctly, if it is cared for, if it is taken care of, they can be very safe. But in the very, very early days I was skeptical of cloud environments.
[00:51:02] Chaahat: A question that you still ask yourself before high stake decisions.
[00:51:06] Jason: Have I truly listened to everyone?
And when I say everyone, it is not getting, quote unquote, everyone’s opinion, but it’s a quick check.
Am I really listening or am I. Am I being an active listener or a passive listener, I guess is the way I should frame that? Am I actively listening? Am I actively understanding what is being conveyed? And if not, am I asking the right questions?
[00:51:34] Chaahat: A very thoughtful question. A moment when you, when slowing down, saved you more than sweet, more than speed.
[00:51:41] Jason: Oh my gosh, that is. I always say slow is smooth and smooth is fast.
So slow to me is synonymous with methodical and it is taking the information that you have at hand and making the best decision you can. There are times that you have to make decisions very quickly, but you take the information you have and you make sure that you have been very thoughtful with whatever decision you’re making and make sure that just like anyone that’s getting a phishing email right?
When I think of people that ask me about speed of response, I think about phishing emails because there’s always a sense of urgency with a phishing email. Do you really have to be that urgent? Do you really need to take that action at this time?
The majority of times you don’t need to take it as quickly as you think you do. Now that doesn’t mean analysis through paralysis.
That means being thoughtful, truly understanding the problem and then the potential solution with the potential outcomes and consequences.
Once you have those things, you can make a decision.
[00:52:57] Chaahat: I think that’s very well said. I’ve recently been a victim of phishing email. I joined a recent. I started a new job and I got a message on a public holiday saying to go to the nearest schools or woolies to get an apple gift card. And the urgency that you mentioned, it is very urgent. It’s like, oh, I can’t take calls, I’m in a meeting, but I need to do this task as quickly as possible. And they pretend to be your boss, but then there are certain hints that you can see, you can see the email is not right. And I cross checked with my boss because I was like, there’s no way he’s going to call me on a public holiday. And I just started there. I’m not handling any tasks like that.
Well, thank you so much for your time, Jason. I feel like this is the best podcast ever. I’ve learned so much and I hope my audience take as much as possible as well.
[00:53:43] Jason: Well, thank you so much for taking the time to chat with me and I really appreciate you doing this and very much appreciate you bringing podcasts like this to the forefront so that we all can learn from each other. So thanks again. Really appreciate it.
[00:54:00] Chaahat: Thank you for tuning into this episode of Destination Saba Season 2.
[00:54:04] Jason: Knowledge is a gift, but its true value is in how you you use it.
[00:54:09] Chaahat: Whoa. Where did you come from?
[00:54:11] Voiceover: Just dropping by to remind everyone. Learning is great, but doing is even better.
[00:54:16] Chaahat: Timely advice. If today’s episode left you with questions or sparked new ideas, feel free to connect with me on LinkedIn. And don’t forget to follow the podcast so you’re always ready for the next stop on our cyber journey. This is Shahid signing off. Until we re encrypt another conversation on Destination Cyber Season 2.
