Secret CSO: Jason Manar, Kaseya

What advice would you give to aspiring security leaders? “You must be able to explain fundamental concepts in a way a layperson can understand. The more you’re able to simplify the complex and explain in simplistic terms as you educate, the more successful you will be.”


Name: Jason Manar

Organisation: Kaseya

Job title: Chief Information Security Officer (CISO)

Date started current role: October 2021

Location: Miami

Jason Manar brings extensive experience with the Federal Bureau of Investigation (FBI) to Kaseya as chief information security officer (CISO), where he plays a pivotal role in further solidifying the company’s security stance. He oversees information security and compliance, leading the cybersecurity division to identify the industry’s latest threats and vulnerabilities and intercept them. As CISO, Manar also ensures compliance with security requirements associated with government regulations, which vary by global region.

What was your first job? My first job, related to my field, was as a state trooper for the Kentucky State Police. I had a case where high school students were bullying a fellow student and were eventually charged with “terroristic threatening” for making explicit threats of violence. By utilising innovative techniques at the time, I was able to locate the individual who had unlawfully intruded upon someone’s personal home network to conceal their identity and send the threatening emails. It was the first time in my department’s history that we used this technique. That sparked an interest in utilising novel cyber techniques that at the time people didn’t really understand to locate the adversary.

How did you get involved in cybersecurity? This Kentucky State Police experience sparked an interest in me, and then a Special Agent in Charge saw my potential years later and I pulled the trigger.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science. I have various certifications from the SANS Institute, including GIAC Information Security Fundamentals (GISF), GIAC Information Security Professional (GISP), GIAC Security Leadership Certification (GSLC) and GIAC Strategic Planning, Policy and Leadership (GSTRT). There is no certificate for the experience of being involved and working up to 1,000 intrusions, from Advanced Persistent Threats (APTs), Zero-Days and Nation State Actors to those committed by high-level, financially motivated cyber criminals. I also have experience working with all U.S. government agencies. My work in building relationships in the private sector has allowed me to gain unparalleled knowledge from CISOs around the world and learn best practices.

Explain your career path. Did you take any detours? If so, discuss. My career path has always been around protecting others, which is at the heart of being a CISO - to protect the company, its clients, its people, and their livelihood. I was a watchdog for the past 22 years, as a public servant, and I look forward to continuing to protect others in my new role. For me, the detour was cybersecurity. I always thought I would have a career as a public servant, and as I became more and more involved in understanding the risk associated with the new digital landscape, I found more enjoyment educating people and providing risk-based analysis that helped people make difficult decisions as it relates to their security posture. There is always something new and exciting as the digital landscape is ever-changing. In the early 2000s, I was looking to find ways to use data analytics to expose risk to the country and now that’s exactly what I do for the private sector as a CISO – prioritise risk and deploy resources to negate those risks to our company and our customers.

Was there anyone who has inspired or mentored you in your career? There have been numerous people who inspired and mentored me along the way, including the top CISOs in the country who I have great relationships with that helped me, over the last decade, to understand the mutual challenges in the government and the private sector.

What do you feel is the most important aspect of your job? The most important aspect of my job is effectively leading and inspiring our team and gaining cybersecurity buy-in from employees, in addition to evaluating and mitigating risk. One of the aspects I love the most is educating people on the overall aspects of cybersecurity and best practices.

What metrics or KPIs do you use to measure security effectiveness? The mean time to detect, contain and resolve. You also have to ensure that you follow through and retest your policies and procedures. You cannot set it and forget it - you have to test and retest solutions. Validity testing ensures the prescribed methods you’ve instituted are having the desired impact.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, the job market is extremely competitive with security engineers, coders and people who have extensive experience with engineering backgrounds being some of the most difficult to find.

Cybersecurity is constantly changing – how do you keep learning? Fortunately, I have a very robust network that I continuously utilise to keep up with the latest threats. Not only am I connected to the majority of CISOs here in Miami, but also around the world. We’re constantly sharing information about the latest threats and new reports that affect different industries as a whole, knowing it’s not a matter of if, but when your sector will get hit. Additionally, I still receive regular briefings from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). I’m also constantly learning from our teams. As our team members train and pursue their advanced education, they bring back that training and share it with the rest of us and add value to the organisation. I particularly pick individuals in deputy roles that have strengths that I don’t; it shows a level of vulnerability and willingness to learn.

What conferences are on your must-attend list? Connect IT and RSA Conference. Both conferences are a must-attend. DEF CON, the largest notable hacker convention, is another one, but leave your devices at home.  

What is the best current trend in cybersecurity? The worst? The best is that we’re talking about cybersecurity more than ever before. We’ve taken cybersecurity seriously by creating dedicated positions such as the CISO to centralise efforts. Companies are starting to have board members who have cybersecurity experience, which is helpful in the education process and understanding what is necessary for cybersecurity within their environments. The worst is still the mentality of ‘we haven’t been hit so we must be doing everything right; it hasn’t happened to us yet, so we’ll worry about it when/if it does.’

What's the best career advice you ever received? A Special Agent in Charge telling me to go into cybersecurity even when I thought I didn’t have that aptitude because he saw something in me that I didn’t yet see.

What advice would you give to aspiring security leaders? It’s not all about the ones and the zeros (binary code)! A lot of technical people have trouble communicating to C-Suite executives. A large part of your career will be obtaining buy-in and educating others. You must be able to explain fundamental concepts in a way a layperson can understand. The more you’re able to simplify the complex and explain in simplistic terms as you educate, the more successful you will be.

What has been your greatest career achievement? When I think about my greatest career achievement, I think about the direct impact I had on people. It’s working cases that involve crimes against children. I had a 12-year-old girl that gave me a hug and said, ‘you saved me; you were my guardian angel.’ It was the drug-infested house that was forfeited to the government and turned into a playground. It’s the entities that never thought about cybersecurity and I was able to get the message out and they listened and heeded our advice, taking corrective actions that prevented them from becoming the next victim.

Looking back with 20:20 hindsight, what would you have done differently? If I would have had to go back, I don’t think I would have done anything differently professionally. I wouldn’t have figured out cybersecurity was my true love any other way. I took the non-traditional path, but I think it’s the one I had to take to get where I’m at today. I wish I was aware that for every moment in time, I was the person I needed to be in that moment. Insecurities make us think we’re never enough. We have to be lifelong learners - constantly learning and applying new things. I want to be a better CISO tomorrow than I was today.

What is your favourite quote? I can do all things through Christ who strengthens me. Philippians 4:13.

What are you reading now? I love Sheryl Sandberg’s Lean In. I just got through the Five Dysfunctions of a Team and am currently reading How to Measure Anything in Cybersecurity.

In my spare time, I like to… spend time with my family. Whatever my kids are into at the time, sporting activities, and supporting them.

Most people don't know that I… work on my own cars. About three years ago, my wife came home while I was working on our car with most of the engine completely taken apart and spread all over the ground. Did I mention, I had never worked on cars before and had only ever changed the brakes with a friend the previous week? My wife said, "WHAT ARE YOU DOING!!!!!!" and then I said, "Don't worry, I watched YouTube four days straight." I've been servicing our cars ever since.

Ask me to do anything but… Do the dishes, clean the bathroom and dance.