
This post is based on an interview with Jason Zann. It is part of our series of interviews of OODA Network members. Our objective with these interviews is to provide actionable information of interest to the community, including insights that can help with your own career progression. We also really like highlighting some of the great people that make our continued research and reporting possible.

Career Progression: Most of the successful superstars I get to interview started their professional careers on a spoon-fed diet:  either through Military Training or through a traditional College Education. Jason is an exception.  He carved out his education by patching together a BS in Telecommunications and a Master’s in Project Management from an on-line University – in just five years.

His first job working for Q-Networks, an ISP, gave him a peek at “network security” issues.  He discovered that no matter how much he sold, smart college kids were hacking into their network to get free dial-up time.  Unless they could secure their network, they would never be able to provide the capability paying customers demanded.  In self-defense, he learned the art of firewalls and access control.

He saw a different problem set when he transitioned to Information Security for a large Bank that handled most of the financial Mutual Fund transactions (think: your retirement funds!).  At the time, there was a “static understanding of Security” Jason says.  “We created a Castle – Moat – Bridge type solution to protect critical data.  I was soon bombarded with concerns. How could an outside provider be trusted to protect the data? How do you define the lines of authority between us?”  These questions seemed to be generic to all companies working with security solutions, especially as the discipline of network security became more dynamic.

Jason expanded his reach across all market segments while working at iSIGHT Partners.   He learned the importance of intelligence driven security.  A cyber threat can spread rapidly, fueled by the very existence of the network.  If you had good cyber intelligence, you could dynamically reconfigure your stacks and reassign your people to address the threat.

“Cyber experts today spend their time responding to unwanted events.” Jason says.  “The idea that you can make a great cyber plan, and stick to it, is not reasonable!  Cyber security is a GAME – and not a board-game where you have a path you can follow and clear-cut options.  It’s more like a card-game.  After you learn the numbers and the suits, you can learn how to play many games, and they can constantly evolve.  For the game of cyber security, we need lots of talented players.  That’s why I believe good cyber intelligence should be available to everyone.  If we can expose where the bad infrastructures are, we can all be better game players.”

At RiskIQ, Jason is dedicated to providing total transparency of where the threats are. “The bad guys are constantly evolving.  The more money you spend on this problem, the more you discover problems. It’s impossible to adequately train cyber experts and deploy 100% cyber security solutions. Did anyone teach you how to use Google?  We need to create the same type of environment for cyber security.  I envision a world where the Junior analysts can easily do sophisticated correlation, allowing the Senior analysts to consistently acquire data and focus on analyzing data instead of collecting it.”

Surprises:  Jason is surprised how many companies and organizations fall into the obvious cyber traps.  “All successful hacks have three things in common” Jason says.  “There is either a problem with their 1. Patching, 2. Configuration management, or 3. Their Identity Management. These three things have been the root of a secure network for over 40 years!  I’m always surprised when these fundamentals are not adequately prepared for.”

Advice for Decision Makers: “When approaching a security problem, Corporate leaders should answer this very important question: ‘Are you a target of choice?  Or are you a target of chance?’” Jason advises.   “If you are killed by a bullet, whether it was by a sniper or a drive-by shooting isn’t important after the fact.  But it IS important if you are preparing for the attack!  You need to know the difference between the two.”

Jason worries that the elected officials aren’t taking the long-view.  “Politicians are asking companies the wrong questions and making decisions based solely on party lines.  Every effort needs to be made to bring us all together to solve these problems.  Everyone has to be in the game!”

Security Improvements:  In the last five years, we have finally seen security become a Board Level conversation; and this is essential to making progress.   “Unfortunately, when the leaders feel the pain, they are more motivated to fix it.  Now we have people making decisions that have to live with them!  That’s a good thing.” Jason says.

Risks in The Near Future: “Market confusion! Cyber is hot. There are 3200 organizations with a cyber security shingle hanging on their door. Less than 2% of these companies are doing more than $20M a year in revenue. There are a lot of ZOMBIES out there!!” Jason notes that there hasn’t yet been a compression in this crowded market space. “As long as the Venture Capital money keeps flowing, we will continue to support a lot of companies that can’t actually solve problems. Complexity is always a problem in cyber security, and until we have a market push-back, it will continue to be a confused place.”

Technology of Interest: Jason is watching web-based supply chains, and how they operate. A standard web-site can load as many as 140 discrete things on each page (Java, weather, chat, point of sale, etc.). Today you don’t need to attack an entire organization: just find their weakest link! “CIOs are supposed to own all the assets, but they don’t really have a good grasp on their digital services. This is an asset class that is growing exponentially!” Jason muses. “If you can’t see it, you can’t possibly win the game!”

Views on Thought Leaders: Jason seeks out practitioners and executives who are working in the cyber security space: not just “rearranging the deck chairs on the Titanic”!  He also follows Ross Anderson, to see where the Economic impacts of these market shifts are headed.


Chris Ward

About the Author


Chris Ward (Commander, U.S. Navy (Retired)) has over 30 years of experience helping the Department of Defense (DoD) solve difficult technology requirements. She has a proven track record of building, maintaining, securing and certifying technology solutions for use within DoD. She works with Industry to identify key opportunities and provides strategic guidance and support. She is a strategic analyst and cybersecurity professional who has deep expertise in improving enterprise cybersecurity.