Secret CSO: Jason Lee, Zoom Video Communications

What do you feel is the most important aspect of your job? “The most important aspect of my job is thinking about the bigger picture. In security, you always need to be thinking ahead about what might come down the pipeline.”


Name: Jason Lee

Organisation: Zoom Video Communications, Inc.

Job title: Chief Information Security Officer

Date started current role: June 2020

Location: Seattle, USA

Jason Lee has over 20 years of experience working in technology. Prior to his current role, he held positions as SVP of Security Operations at Salesforce, and Principal Director of Security Engineering for the Windows and Devices division at Microsoft, where he developed his specialisation in information security and operating mission-critical services. Lee joined Zoom in June 2020, as the company was experiencing rapid growth amid the pandemic and the mass shift to remote working. 

What was your first job? My first security role was at Microsoft, where I was responsible for testing the security controls in an audit type of function. It became apparent quickly I should be moved to the security team so it lasted only a few months! From this experience, I grew and developed into other positions at Microsoft, and I worked there for fifteen years.

How did you get involved in cybersecurity? In college, I started out pursuing a degree in finance, but I was also a bit of a hacking hobbyist. After taking several computer science courses in college, I ended up a double major in finance and computer science, combining my passions for both areas of study.

What was your education? Do you hold any certifications? What are they? I received my bachelor’s degree in Management and Information Systems from Washington State University. I also hold professional certifications in CIPP and CISSP, and I am an NCipher Certified System Engineer.

Explain your career path. Did you take any detours? If so, discuss. Looking back at my career, I consider the path I took to be fairly “traditional.” I have 20 years of experience in technology, and specialise in information security and operating mission-critical services. I started my career at Microsoft, and that’s where my interest and passion for security ignited. I stayed there for fifteen years and throughout my time at the company, I progressed to Principal Director of Security Engineering for the Windows Devices Group. In this role, I managed a global team of developers, engineers, PMs, and analysts who were responsible for driving threat and vulnerability management, and delivering tools for intrusion detection, incident response, security assurance, and compliance.

My next role was at Salesforce where I was SVP of Security. I headed up a team of more than 300 security professionals who delivered critical end-to-end security operations to customers and employees. These solutions included company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection and identity and access management.

Then in June of 2020 I joined Zoom as Chief Information Security Officer. Zoom was experiencing rapid growth at the time, and the majority of my new colleagues were working remotely. As a result, my primary focus has been to protect critical information, including customer data, employee data, and source code. I’m also responsible for educating and arming employees with security best practices to ensure they’re prepared for and protected against security threats.

While I maintained a relatively traditional career path, there was a point when I thought about becoming a winemaker. I ended up on the retailer side rather than a winemaker, and I actually still own a wine business to this day called “Washington Wine Society.”

Was there anyone who has inspired or mentored you in your career? I’ve had several notable mentors over the course of my career. One of them, Karen Worstell, the first CISO at Microsoft, remains a mentor of mine to this day. She had such a great career path, going from CISO to chaplain and then back into security. She eventually started her own company and remains a security advisor for VMware. She’s someone in the industry I greatly admire.

A prior manager of mine, Jim Alkove, the Chief Trust Officer at Salesforce, also had a great impact on me professionally. He taught me the importance of “seeing the forest for the trees” and how critical it is to take that perspective when developing programs and managing the security of an organisation.

Last and certainly not least, Mario Pipkin was influential in shaping my leadership style. He shared with me this philosophy of viewing mentorship through the notion of being a multiplier. One of the most valuable abilities that you or those you manage should have is being able to use your own skills and intelligence to amplify and bring out the smarts and capabilities of those around you.

What do you feel is the most important aspect of your job? The most important aspect of my job is thinking about the bigger picture. In security, you always need to be thinking ahead about what might come down the pipeline. This includes looking at third parties related to the business and assessing how to best manage any risks. CISOs need to make sure that vendors are also secure. At Zoom, it’s not just our security that’s crucial, but the entire ecosystem's security.

Companies can’t rest on their laurels when it comes to security. Regular training sessions and refreshers have to be put in place so that all employees recognise their responsibility for keeping the business secure. 

What metrics or KPIs do you use to measure security effectiveness? We follow the recommended security controls established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

In measuring security effectiveness, we first focus on nailing the basics, like threat and vulnerability management, patch management, and ensuring processes and all components are up to date. For example, from an identity perspective, we use KPIs such as percentage of multi-factor authentication usage. And with phishing, we focus on who reported the phishing incident first and whether or not it could have been mitigated -- not just how many people clicked on a phishing link test.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? While the security skills shortage isn’t necessarily new, it is something that has been exacerbated by the pandemic. With more people working from home than ever before, business security operations have been called into question. For example, how do you protect your IP if the majority of employees are accessing it outside the office? This caused increased pressure to hire and retain security talent that could ensure that critical business data stays protected.

The industry is also growing faster than the number of people who have the skills and capabilities to fill the vacancies. There are several ways to combat this. Providing opportunities to grow within the company means that talent is retained. Hiring people with a passion to learn and develop themselves allows their expertise to grow with the company. Bringing in diverse talent is very important, as problems in security are diverse and require people from different backgrounds to solve these complex issues.

I look to recruit team members who have a learner mindset and are genuinely interested and excited. I’ve found it’s critical to have strong collaborators and communicators because security is across all parts of the organisation and being able to communicate and collaborate well with counterparts in engineering, IT, and so on, is so important.

At Zoom, our significant growth throughout the pandemic has meant we have been looking to recruit more individuals across all areas of the business, including security.

Cybersecurity is constantly changing – how do you keep learning? To keep abreast of the changing security landscape and learn from those around me, I take part in a security forum with CISOs at other Fortune 500 companies. During these sessions, we are able to share other experiences, learn from each other, and discuss current trends. I am also on an executive advisory board for VMware, which offers fresh perspectives and new insights on the industry.

On my own teams, I also enjoy implementing gamification into our training. By creating a fun environment where development teams compete against each other to find the most vulnerabilities, for example, we all learn from each other and practice new strategies.

What conferences are on your must-attend list? There are so many incredible conferences, and they’re becoming even more accessible with organisers embracing virtual and hybrid events.

My must-attend event is BSides, which is a smaller series of local cybersecurity conferences. There’s also the “Day of Shecurity,” which is open to all women, but is invite-only for men. Its mission is to help build diversity in the security community, which is something I’m incredibly passionate about.

A few others that I’m looking forward to are RSA Conference, the CSO50 Conference, Black Hat, DEF CON and of course Zoom’s own annual conference, Zoomtopia.

What is the best current trend in cybersecurity? The worst? The zero-trust model is one that has gained increased attention and adoption. I’m a firm believer in this model, which Zoom has implemented. Additionally, multi-factor authentication is critical for supporting employees on both their personal devices and corporate-owned devices. These approaches are fundamental for securing the hybrid workforce, empowering employees to work from wherever while still safeguarding a company’s assets.

In terms of worst trends, I’d look at phishing and ransomware. That’s a crucial part of my role in security. Verizon’s 2021 Data Breach Investigations Report showed that 36% of all breaches involved phishing, which is 11% more than last year. We have added monthly phishing simulations and anti-phishing training for our employees, to better withstand these attacks.

What's the best career advice you ever received? Early on in my career, I had an exceptional manager who impacted how I work today by teaching me an important lesson about taking feedback. They helped teach me to view feedback as a gift that helps push you to make improvements and grow. You may not like the feedback, but you should be constructive and take it. This manager also taught me the importance of making sure you’re receiving and continually asking for feedback from those around you. These are lessons I still apply each and every day.

What advice would you give to aspiring security leaders? In addition to graciously accepting and providing feedback, another piece of advice I’d give, especially to any up and coming CISOs out there, is to always look for opportunities to be a multiplier.

Don’t specialise in one area of security – you want to be able to do many different things. You should also have business acumen and the soft skills necessary to communicate with a board of directors and your executive team.

What has been your greatest career achievement? One that’s up there for me is joining Zoom during a period of such rapid growth and navigating the challenges of a tremendous shift to remote and hybrid work. Now that I’m just past the one-year mark since joining the company, it’s incredible to look back at all we have accomplished since then and all of the innovations on the horizon.

Looking back with 20:20 hindsight, what would you have done differently? One of the most impactful things we did this year was start a cybersecurity committee on our board. It’s a team that’s part of Zoom’s board of directors and dedicated to cybersecurity issues. It’s still relatively new, but it’s been incredibly beneficial, and I wish we had started it even sooner.

What is your favourite quote? I have two favourites: “Train people well enough so they can leave, treat them well enough, so they don't want to.” - Richard Branson. And “Perpetual optimism is a force multiplier.” - Colin Powell.

What are you reading now? Adventures in Business by John Brooks.

In my spare time, I like to… Volunteer with Habitat for Humanity. I worked in construction when I was younger, so to this day, I enjoy physically working and building houses while helping others in need.

Most people don't know that I… Grew up as a self-proclaimed “barn brat,” with my mother having competed as a professional horse jumper and in dressage.

Ask me to do anything but… Swim in open water (sharks!)