Secret CSO: Jason Loomis, Freshworks

What do you feel is the most important aspect of your job? “How my teams make decisions is more important than the decisions themselves... I don’t make decisions in a bubble.”


Name: Jason Loomis

Organisation: Freshworks

Job title: Chief Information Security Officer

Date started current role: September 2022

Location: San Mateo, CA

Jason Loomis is the Chief Information Security Officer for Freshworks. Freshworks (FRSH) is a global provider of SaaS customer engagement solutions for IT, customer service, sales, marketers and HR. Loomis has a BS in MIS from the University of San Francisco and an MBA from the University of Oregon. Loomis is CISSP, CISM, CISA, multiple GIAC, and SCUBA certified. No, really, he does SCUBA – it's the most exciting and relatable of his certifications for sure. While cybersecurity may be his chosen career path, his passion, drive, and intellectual curiosity are in leadership, organisational decision making, and giving to those who have less through national and international disaster relief. In his spare time, Loomis is co-host of a podcast called F-Sides (fsides.com) about the human side of cybersecurity and is an avid snowboarder; he is into beach volleyball and fitness and just picked up surfing in May of 2022.

What was your first job? I worked at a pet store when I was 14.

How did you get involved in cybersecurity? I got lucky. I had been in technology for close to a decade when three events occurred: I went to grad school, I got a unique security-focused job (HIPAA), I met two mentors (Paul Love and Gene Kim) in cyber that planted the desire to keep going in security through grad school. 

What was your education? Do you hold any certifications? What are they? Lots of junior college. I was on an 8-year plan for a 2-year program ha! I got my BS in MIS from the University of San Francisco and my MBA from the University of Oregon. Besides SCUBA? I have the usual CISSP, CISM, CISA, and a few GIAC.

Explain your career path. Did you take any detours? If so, discuss. If you count bartending and waiting tables, then yeah. I had a long 10-year detour. I got into tech when I was 28. What did it? Local area network (LAN) parties. I was playing Doom and Duke Nukem and building home networks with coax and BNC’s! 10-Base-T was years away…

Was there anyone who has inspired or mentored you in your career? My podcast co-host, Paul Love – we met in grad school. My old CTO and CEO, Tim Collins and Adam Goldenberg over at Fabletics – I got lucky to have empathetic and moral executive senior leadership. I won’t settle for anything less, and it is one of the things that brought me here to Freshworks.

What do you feel is the most important aspect of your job? How my teams make decisions is more important than the decisions themselves. I LIVE by this. I don’t make decisions in a bubble. There are so many cognitive biases in decision making to battle – you can only do it as a team.

What metrics or KPIs do you use to measure security effectiveness? This is a good question and hard to answer in a short time. I’ll give three tips and one metric I like: #1 use ratios (think EPS versus stock price), #2 use trendlines (are we improving, just running laps, or falling behind?), #3 the metric needs to tell a story and you need to have that story ready every time you present that metric. Favorite metric: the “Jimmy Griffin Snow Index.”

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? No, they are not affecting our organisation. While the allocation of budget to keep up with increased demand for talent within an extremely limited supply can be challenging, Freshworks is doing a great job navigating this. I find that communication, critical thinking and organisational management are often the most difficult to find. Tech is actually easy – being human and working with people can be tough!

Cybersecurity is constantly changing – how do you keep learning? I’m surrounded by talent here at Freshworks so I constantly learn from them. Probably 95% of a CISO’s job is head up. Meaning, I’m meeting with people, not reading a computer screen or a book. When I do have time, my team teaches me A LOT. Blueprint podcast by SANS is a must, and anything Krebs writes… oh, and I hear there’s a pretty cool podcast called fsides.com that you should check out.

What conferences are on your must-attend list? My top two are Black Hat and Innovate Cybersecurity.

What is the best current trend in cybersecurity? The worst? The new tech they are building is amazing – I consider that trending. From CNAPP (that’s you WIZ!) to CAASM (Axonius!). I can’t wait to see what tech can solve next. Worst trend: marketing terms like “Shift Left.”

What's the best career advice you ever received? “Hire someone you can see yourself working for.” - Dane Pescaia.

What advice would you give to aspiring security leaders? Focus on the soft skills and how you lead your teams. Tech is easy. Leadership is harder.

What has been your greatest career achievement? Every time someone who works for me leaves to go on to bigger and better things, I encourage it. I do everything I can to train, educate and coach my team, and if we can’t accommodate the growth they seek, I’ll write their recommendation letter.

Looking back with 20:20 hindsight, what would you have done differently? I would have gotten my MBA a little sooner (maybe five years after some corporate experience). There was so much value I could have used earlier.

What is your favourite quote? “If you think technology can solve your security problems, then you don't understand the problems, and you don't understand the technology.” - Bruce Schneier

What are you reading now? Giving the Devil His Due: Reflections of a Scientific Humanist by Michael Shermer.

In my spare time, I like to… stay fit. The human body is amazing. Man-made machines wear down and weaken the more you use them. Our bodies are the opposite. The more you strain and push them, the stronger they get and the longer they last. I push mine by snowboarding, running, lifting, and cycling.

Most people don't know that I… am the proud son of a World War II Naval veteran (my dad had me late in life).

Ask me to do anything but… even LOOK at a spider. No way. I’m out.