WE'RE IN!

Jason Loomis on finding the humanity in cybersecurity

Episode Summary

Jason Loomis, Chief Information Security Officer at Freshworks, emphasizes the human side of cybersecurity and the importance of effective leadership. New CISOs should make an effort to understand not just existing security controls, but also the team dynamics at any new organization they’re helping to protect. The human element all too often goes unnoticed, according to Jason.

Episode Notes


In this WE’RE IN! episode, Jason discusses the need for strong communication skills and the ability to engage every employee in cybersecurity practices. 

Listen to hear more about:

Episode Transcription

[00:00:00] Blake: So thanks again for joining us, Jason. It's great to have you on We're in.

[00:00:03] Jason Loomis: Great to be here.

[00:00:04] Blake: Now you've been a chief information security officer in a range of industries, including retail and now technology. I'd be curious to hear, what are some of the differences? Do industries have similar cybersecurity struggles or is there an easier one for a CISO?

[00:00:20] Jason Loomis: Uh, whichever one comes with the most funding.

It's probably the easiest. No, you know, I get this, I get that question a lot, you know, during interview processes, especially, you know, and when they're looking for candidates, well, we got to find someone with finance and tech or find someone, you know, in FinTech or somebody in SaaS or somebody in retail and not in my opinion, man, it's security is security is security.

You know, there's these basic controls that are just consistent across all organizations. It's the same way the security frameworks can apply. You don't say there is NIST for SaaS and then there's NIST for retail.

[00:00:50] Blake: I can't imagine if there was, that would be a whole headache.

[00:00:53] Jason Loomis: Right. It's just, you know, and every company is going to have their unique way of developing whatever their product is, whether it's shoes or it's software, you know, and then protecting how we develop that product and making sure our secrets are safe and our customers information is safe.

[00:01:08] Blake: That makes sense. A lot of the same goals ultimately across a range of industries there. Now, did want to flip back to your first 100 days at Freshworks. And, uh, you once described that in an interview as a quote, drinking from the fire hose. Well, of course, crediting the, uh, the talent of the team that you started working with there.

What advice would you give to CISOs who are just ramping up into a new position?

[00:01:29] Jason Loomis: Yeah. Wow. Um, one, you need 200 days. A hundred is not enough, but there's some magic number with it. You know, to be honest, it's, shut up, that's my advice. Just sit down, be quiet, listen, if you can, and it's, I know this isn't fair because some CISOs are there.

Okay. Brought in, you got to fix everything immediately. And there's these high expectations that you're supposed to do something. And I have to act to show my value in my first 90 days to my senior leadership and the, and the board. And you know, that I found the opposite to be true that, or the most effective is just sit down, listen.

I made the effort to promise. I probably made about 95 percent of this goal with my team was I wasn't going to make any decisions in the first a hundred days. As much as I can help it. I, you know, it's a budget, something you need to sign off on. And then when I do make a decision, it ain't me making the decision, it's me working with my team to come together to say, Okay, what do you think we should do here?

What should be the decision? But as much as I can, try not to make decisions in the first hundred days. Listen, learn, trust your team. You got a room full of security experts, hopefully, if you're coming in as a new CISO that they've been around for longer than you have at that organization. They understand the socio political environment that you're working within, why things are the way they are.

Don't just immediately come in and think you have a better way of doing something until you understand context.

[00:02:48] Blake: And I imagine that's part of the challenge. I mean, if you're not, unless you're spinning up a startup from square one and get to kind of build everything yourself, if you're inheriting a stack of, you know, legacy systems or politics in an organization, I mean, how are you suddenly expected to protect that right away?

[00:03:02] Jason Loomis: Exactly. Yeah. And you know, nine times out of 10, when, when you go, you'll come into a place and be like, why did they do it that way? You know, why was this done? Why did someone put on a, if you're working on a car, a left handed bolt on a right handed, you know, you're like, why, there is a reason.

I guarantee you just don't know what it is. So find out that reason why things were done that way and then help the team improve.

[00:03:22] Blake: Well, it sounds like you've had quite a bit of luck and success with that approach at Freshworks. Now switching gears here for a second, for a little cross podcast promotion, I see that you're the host of F sides, the cyber humanity podcast. And, you know, that's a really interesting concept that I feel like it doesn't really get its due in the cybersecurity space, which is this human psychology of cyber.

I'd be curious just to hear some of the things you've learned as host and picked up on.

[00:03:48] Jason Loomis: You know, I've learned that the human side of cyber doesn't get much airplay. Most of the podcasts I listened to in cyber are going to be, here's the latest threat report, look out, the sky is falling and here's the latest, or it's, it's so full of technical jargon. Or the opposite of that are, you know, and I'll be careful what I say, cause I don't want people that run these podcasts to come bashing me cause I've been on some of them and they're great,

[00:04:10] Blake: You can bash this podcast. You can bash and we can take it.

[00:04:12] Jason Loomis: They can end up being ego grooming, just like, Oh, what was your background?

And you spend, you know, an hour talking about your favorite books and oh, and when I was five, I, you know, and I'm passionate about how important your team and the individuals contributing to cybersecurity are in the, you know, we say it's people, process, or technology.

One of those, those three things make up the foundation of any IT program or any cybersecurity program. And for me, the most important aspect of that is people. And I don't think there's enough attention paid to it. You know, you go get a cybersecurity degree, you understand pen testing, you understand IR, all these technical stuff, but have you ever led a team?

You know, during an incident, you understand what it takes to make a good team work well together and to be a good leader. And that's the stuff that I really wanted to focus on in my podcast.

[00:04:56] Blake: No, that's a really good point. And on the flip side of that, I feel like when we do focus on people and speaking, we in industry writ large here, obviously not speaking for me or you individually, but there's this tendency to also blame the people behind cybersecurity incidents or whatnot. I, I'm reminded of this comic of, uh, you know, the, the wrestling ring or whatever.

And you have like in one corner, all of these state of the art cyber defenses. And then in the other corner, Steve, you know, like who, yeah, Bob, exactly. Like who, who will win. Right. And, uh, that tendency to just blame the person instead of viewing them as potentially part of the solution.

I, how do you reach a more human centered approach to your cybersecurity program?

[00:05:36] Jason Loomis: Okay, so I feel there's two aspects to that because sometimes the guy Bob is not the security team, but the, you know, the customer service rep at the keyboard. I think that's what that's meant to be is like, you know, you make a simple mistake. So to me, there's, there's two pieces of that. For one, from the internal team perspective of how I focus on people, I'd say it's kind of, I should get a tattoo.

I think my wife has outlawed tattoos for me, but

[00:05:56] Blake: I do have tattoos. I was going to say, is this, that's a dangerous question.

[00:06:01] Jason Loomis: I do I have one tattoo. Maybe we can get to that later. I have one tattoo of mother's maiden name on my arm, and I was sober when I got it in Croatia, because I'm half Croatian.

Alright, how my teams make decisions are more important than the decisions themselves. That's how I lead my team. Organizational decision making and team decision making is critical for me and for me to function as a team. So that's literally the approach. I start there. Yeah, there's a lot more to it. It's not as simple as that, but that's really sort of my core framework when I approach my team.

There's, CISOs don't work in a silo. You should not be working in a silo. And if you're the only one making the decision, that's bad. And I'll tell you another thing, if no one else is disagreeing with you, that's bad. It's a great quote from the CEO of Avis. I think Rand, ex-CEO of Avis. He said, if you have a yes man working for you, one of you is redundant. Another concept of the idea of conflict and debate and coming to good technical decision making. So that's the part that I work with my team. For working for end users, man, you just, that's where communication is key and it's another overlooked piece of what cybersecurity is important for and especially as a CISO.

Can you tell a good story? Not only can you tell a good story to your board to get them to get that budget that we talked about, I mentioned earlier for a great team to get what you need and the resources you need to do your job. Can you convince them that it's important and that it's a critical business strategy for cybersecurity, but can you also get employees to engage? Can you get employees interested? And the everyman, the Bob that's sitting in the ring in front of the keyboard, you know, can you get those guys on board? And for me, that's an absolute critical aspect. So I make cybersecurity fun. I make it open.

You know, I use humor a lot in a lot of our training videos or awareness videos. We try to make it fun and engaging. We're not a hospital. People aren't going to die on our watch if somebody does make a mistake. So we try to, I take that approach and just make it fun and engaging for my employees.

[00:07:46] Blake: I wanted to zero in on your mention of conversations with the board, and it sounds like that's a, uh, situation that you're used to navigating in your career. How have you witnessed the evolution of board level perceptions of cybersecurity? Are those conversations getting easier with the steady drumbeat of breaches that happen in the news?

Or is it still the same language that you need to speak, you know, to the board to get these points across and secure that budget? Uh

[00:08:12] Jason Loomis: You know, that's a really good question that I can't empirically answer, you know, to be honest, I only have my anecdotal situation and it's, for me, it's always been very specific to the board. I'm blessed at Freshworks that we have a board with some cybers, people that worked in cybersecurity, you know, I think one of ours, CrowdStrike, one or two of them, so they understand cyber, so, like, they came in speaking my language.

So at Freshworks, I don't have that problem, we understand, from a board level, how important cybersecurity is. Now I've worked at other organizations, like retail. What is security? I got to make sure my, you know, I get a key card to get into the building and that's it. Do I have an antivirus? Yeah, check.

Those are much more challenging because the experience just isn't there with technology. It's, you know, it's fast fashion. So it really, for me, it really depends on the board, but I'll tell you the, the recent changes that we've seen with the Securities and Exchange Commission and the requirements for that board level reporting for public companies, absolutely is changing the industry to focus more and it's becoming, I mean, they have to. And when you tell somebody they have to do it and you have a regulation for the SEC, it's going to happen. So it is changing.

[00:09:14] Blake: No, the Securities and Exchange Commission, funnily enough, actually right down the street from me in DC here. They've been pretty busy on the cyber front lately, for sure, keeping people on their toes. Now, spoken about the need to shift left in security, which is all fine and good, but I feel like that has to fall under the category of easier said than done for a large and complex environment like Freshworks and its 50,000 plus customers.

How do you approach the challenge of baking in some of those good security practices and hygiene from, from the very beginning of a product development?

[00:09:46] Jason Loomis: It can be challenging, especially how fast growing we are. You know, we're now at 66,000 customers. And that was just, I think since I joined, maybe we're at 50,000, it's been only a year, so we're growing fast. How do you get, by the way, one of the most overused marketing terms in security, shift left.

[00:10:00] Blake: Shift left. Hey, I love it.

[00:10:02] Jason Loomis: Took over the new cloud. You know, this goes back to the people part of that. It's all about relationship building with your developers because the developers are the ones that you're trying to get so that they're not writing bad code because it costs the company and higher risk, the further that code is in production, like meaning that I wrote, Hey, I wrote this really cool piece of code for this new function, makes it all the way to production.

It's going to cost us 10 X, 20 X to remediate that it's higher risk because it's sitting in production. So it's just exponentially more expensive and worse for us if we've. Move it, that's called moving it, shifting left, right? And right is in production all the way at the end. If you go to the beginning, when he first started, that developer, he or she first started writing it and do the work there, that shift left.

And it just saves time and money for the company and makes their life easier. Cause it's like, you know, Blake, if you were like creating, building a, let's say you're a chef and you just cooked a pie and you had to wait until the end to see if the pie is going to come out

[00:10:57] Blake: Oh God. I can't cook pies for the life of me. 

[00:11:00] Jason Loomis: Okay, pie is a bad analogy, bad analogy.

[00:11:03] Blake: Maybe, maybe, maybe a scramble or, uh, or, you know, I don't know something. I guess I can do some baked goods. I can, I can do some like, uh, some good baked lasagnas sometimes. Let's say lasagna.

[00:11:13] Jason Loomis: Yeah. Okay. So a good lasagna, you know, either your experience and you know, but if you don't know, you want to check as you go. Am I measuring correctly? Am I doing this right? Is the oven set to correct? And you have these steps and you want to catch anything before it goes in the oven and it turns out bad, you know, like, oh, I, I don't know.

I put in the wrong amount of pepper and now it tastes like, pepper popper kosh.

[00:11:31] Blake: Beautiful, beautiful. No, that's a really good point. And I think couching it in that language of, Hey, this is going to save. This is going to save money and effort in the long haul here, has to resonate on some level. And, you know, speaking of money and effort, compliance, how do you navigate that tug of war between, uh, effective compliance and effective security?

I, I feel like, you know, speaking of buzzwords of, uh, shift left, it's almost become a cliche in the cybersecurity industry that quote, you know, just because you're compliant doesn't mean that you're secure. Is there more nuance to it than that? How do you navigate that?

[00:12:03] Jason Loomis: No, that statement hits the nail on the head. You, just because you're compliant does absolutely not mean you're secure. But any good security practitioner or CISO like myself is going to use compliant, you use compliance to your benefit. It's one of the many tools that you can do to use to get where you need to be in security.

Sometimes you can be, you know, the statement would be, we are compliant and we're secure. Absolutely. But maybe you're compliant, not secure. You can use that compliance as sort of, you know, to get things moving along. Because when you have to do something, because it's either a regulatory or compulsory compliance requirement, the company's going to do it. So use that to then get in your regular security things. Like, Hey, by the way, we're doing this PCI, which is the credit card security controls, you're doing this thing for PCI. You can use that and say, wouldn't it be much easier just to do this everywhere instead of having to do it here and here and all this tech to figure out where let's just set this password requirement across the organization.

So good CISOs will use compliance to expand their security controls elsewhere.

[00:13:06] Blake: That makes sense. That makes sense. Against that backdrop though, what's something troubling or a cyber threat or attack trend that you've picked up on in the last couple of years, say?

[00:13:16] Jason Loomis: Oh, it's the last six months and I'm sure you're reading about it and you're going to hear a lot more about it. And it's the other overly used term. Surprise, we haven't talked about AI already because that's

[00:13:25] Blake: I was gonna say it's been, it's been a little while and we're into the podcast and we

[00:13:29] Jason Loomis: about an hour, about an hour ago I was talking about it.

Yeah, so it is really, and it's, it's really the threat actors' use of AI that is going to change, going to bet, I'm making a wager, a little premonition to the future that you're going to see major social engineering breaches occur, meaning the cause of social engineering, and there's going to be a huge breach from that social engineering using AI.

Like, imagine if, you know, Blake, I could be talking to an AI bot right now. You could be all AI and I wouldn't know any better. It's going to get that good. It's going to sound like, it's going to look like you could have the CFO zooming you. You're a support engineer working and all of a sudden the CFO pops up on his zoom.

Hey man, can you reset my password real quick? Got to get in. Looks like him. Sounds like him. That's the crazy stuff that I think is coming down the pipe.

[00:14:15] Blake: Well, I appreciate you even joining me on the podcast here for the reasons that maybe bad actors could scrape both of our voices here and use them to package some sort of convincing AI deepfake. It's interesting, though, you know, that you say that and I will just, if not push back on that, just, you know, a follow up question, which is why haven't we seen more breaches tied to this yet?

Is there just a lag time? Because I feel like the power of some of these ChatGPTs and large language models to, for instance, assist somebody who maybe English isn't their first language. I were in their shoes to kind of put myself in the adversarial perspective, I'd be all over this stuff, trying to make like the really convincing phishing emails and, maybe I'm missing out on the threat, you know, intelligence feeds or something, but I feel like we, we haven't quite seen that yet.

[00:15:00] Jason Loomis: Here's my belief. Can't prove this, but my idea of why that's so. I believe we already have, and I believe there's multiple reasons for that. I think one, the reporting, we get this much of what is actually going out there for breaches. Companies do not proactively say, Hey, we got breached.

Yay. If they can keep it quiet, they'll keep it quiet. And then the attack methods the attackers are using, especially for recon or getting that first social engineering, we don't have insight into that unless, you know, we're breaking down their door and finding out how did they write that cool phishing email?

We're not really going to know if AI generated, not yet or not yet. So those, to me, I think they are being used and I think the attacks are getting better. If anything, I would say maybe we'll see an uptick in the amount of successful phishing emails. And that would be one of the things that might point to causation.

Like we'll see a correlation. Wow. Phishing just ticked up. Successful phishing ticked up from 10 percent to 30%. And then we can maybe attribute that to, oh, it must be because they're using AI to make better phishing emails.

[00:15:57] Blake: That's a good point. And I guess it can be still quite tricky to reverse engineer. Oh, this was crafted by AI, right? And, you know, the success rates of phishing are still so convincing that I almost wonder if you even do bad actors even need the AI assist at this point? Really? I mean,

[00:16:13] Jason Loomis: Not yet. They're doing a good job without it.

[00:16:14] Blake: I was going to say, it doesn't seem like we've, uh, we've solved cybersecurity before AI came along.

[00:16:19] Jason Loomis: job with it.

[00:16:20] Blake: Right, right. No, it's very dangerous. And, you know, this is something that I do like to ask our guests, given that it is on the tip of everyone's tongues and, you shared some of your perspective as to how it could assist attackers. But do you think that in the long run AI will benefit attack or defense more?

[00:16:37] Jason Loomis: I'm kind of on the paranoid piece where I, I actually think AI is bad for humanity, but we don't need to go down that path. So, you know, for me, it's not a great, I don't think it's the right direction, man. I, you know, and I grew up with Terminator, WarGames, WOPR, man. I mean,

[00:16:54] Blake: Aged very well, actually, the Terminator movies, I have to say,

[00:16:58] Jason Loomis: Hello. It's that's, you know, that kind of stuff. Skynet 

[00:17:02] Blake: a bit, a bit, scarily well. Yeah, scarily 

[00:17:04] Jason Loomis: Yeah. 

[00:17:04] Blake: would say.

[00:17:05] Jason Loomis: Honestly, it kind of freaks me out, so, it needs to be regulated. Hope that regulation is enough. Often it's not. Can you control it like you can nuclear, you know, plutonium, nuclear grade plutonium, and make sure we control who has access to it and what countries do or don't.

Man, that's tough. But as much as we can, we need to regulate the crap out of it, in my opinion, because that's the only way we're gonna put controls around it.

[00:17:25] Blake: Well, speaking of Terminator, what first drew you to the field of cybersecurity? Was it, I guess Terminator isn't really a cyber movie so much as an AI movie, but,

[00:17:33] Jason Loomis: You know, I was always into tech, into technology, and I started in tech working just in technology. So I was, uh, like, network administration was my big thing for like 10 years. You know, how I pivoted to cyber, it was a confluence of events.

One of them was, um, when I went to Haiti, actually, and I was doing some disaster response work after this huge tsunami. And imagine, like, you know, this four foot wave just comes in and brings the earth along with it, you know, uh, tens of twenties and thirties of miles inshore. And these people's houses who really, they didn't have much in their life.

These people, two bedroom houses were just filled with four feet of mud. So our job was to dig mud out of these houses. And I remember digging this one house out and the family, a family of four had maybe 50 things in their entire life. Like, that's what we're covering now. Pots, pans, clothes, including everything.

50 material possessions in their life. Like, they just don't have much. But, I remember everyone having a cell phone. And I was like, and this is 2009, dating myself. So I'm like, what? How can you barely afford food and clothing for your kids? But you have a luxury item like a cell phone. This is my very Western mindset at the time.

And I just, I got set straight by a buddy of mine, we're having beers, one of the local volunteers who was working with us, he said, you know, when I asked him about, why you got a cell phone when, you know, nobody can afford anything around here? He's like, dude, this is, this is my lifeline of communication.

This is the most important thing in the world to me. It's how I talk to my father over in Jacmel, which is across the island, which you can't just hop on a bus. It's really hard to travel. It's the way that he shares photos with his mother, who also lives in a different city, and it's the only way for them to communicate with their family.

Like it's such an important communication tool. So it was that experience that I was like, holy crap, like how important technology is just to our day to day existence and how we connect as humans is like went off the charts for how important it was. So it was that experience around the importance of technology to our being human, coupled with, I got lucky and I met some really good mentors in my, uh, Oregon MBA program, which University of Oregon for my MBA. And it was, that's when I did the Haiti volunteer. And then I met Gene Kim through another mentor, who's my co size on F size, Paul Love, who are both in cybersecurity, became my mentors, that coupled with that drive to do it.

And then I got lucky and found a job that I could do both IT and security.

[00:19:43] Blake: I'm glad you mentioned your work, assisting with disaster recovery. It's funny. Oh, well, not funny. I actually hail from a barrier island that got absolutely hammered by a hurricane in 2022, which is a Sanibel Island in Southwest Florida. And I noticed that you, uh, in the past have done some volunteer work, uh, responding to Hurricane Harvey in Texas, which was one of the costliest storms in US history, as well as other disasters.

I'd be curious to hear a bit more as to what drove you to that kind of volunteer work?

[00:20:11] Jason Loomis: It was, uh, Hurricane Katrina was my first real volunteer work was Katrina in Biloxi, Mississippi. I wanted to give back in some way and I didn't want to do it in front of my desk because I'm literally here on Zoom with your, hi Blake. You know, I'm here like all the time I was a very hands on kid growing up.

I rebuilt cars with my dad. I had a 68 Mustang was my first car. I did woodworking. We'd build furniture, carpentry. I was very hands on. I was a bartender for years. And so now that I have this desk jockey job, I wanted something that I could go, just get my hands dirty. So I, you know, lucky again, a buddy of mine went through his company, introduced me to an organization called Hands On Disaster Response at the time.

You know, it's all about boots on the ground. And getting your hands dirty immediately after a disaster for doing things as simple as cleaning out houses or, you know, in Haiti we also built schools for some of the children.

[00:21:02] Blake: Oh, that's really important work. And to pivot back to cyber for a second, I just, sorry, I have to, are there any parallels to cyber incident response? I, I've seen, for instance, a lot of ink spilled on this concept of, uh, like a cyber hurricane or cybersecurity disaster that taxes the insurance industry based on its severity. What do you make of, uh, any parallels you see between real world disasters that obviously can cause a lot of physical harm that perhaps a cyber incident doesn't reflect and a damaging cyber incident that nevertheless could cost a similar dollar figure when it's all said and done.

[00:21:37] Jason Loomis: Wow. is great. At first, I was like, I didn't see it in my mind. And now I suddenly thought to know like, so there's a new movie out about this with Julia Roberts, where the how the world ends or something. And it's exactly about a cyber attack that has more of a natural disaster phenomenon to it, where they use cyber for some things.

So with that context, if it's public utilities, or some of the, you know, programs that, either electricity, sewer, water, gas, nuclear, crazy, military, uh, social infrastructure attacks. Absolutely, there's complete parallels to responding to something like that, to responding to a disaster. So I see a lot of parallels.

For private industry, I don't see parallels between the, personally, between the what I was doing for disaster response for people versus, you know, a company has an incident

[00:22:26] Blake: That makes sense. 

[00:22:27] Jason Loomis: Just because, you know, what to me, the motivation and the drivers and, and, and the, the scope of it, you know, is much smaller.

It's one company that may have faced a problem to give a disclaimer to that. That doesn't count hospitals. I would count hospital breaches and hospital cyber attacks is something that there's probably some parallels there.

[00:22:41] Blake: Yeah, which we've seen a lot of lately, that seems to be, uh, the ransomware actors have the gloves off and are just not really, uh, withholding anything when it comes to going after critical infrastructure. I'm also always a little reticent to draw too many of those comparisons, you know, in my past life as a journalist, with Politico and this publication E&E News covered a lot of the kind of worst case scenarios, this, you know, cyber enabled blackouts, what happens if your water systems go offline and, you know, we've seen inklings in that direction.

But yet to be the big left of boom disaster that I think some of the movies like to dramatize sometimes. So, uh, not to say that necessarily we should rest on our laurels, but, you know, compared to clearing out the mud in Haiti, like you were describing, not the same. So I, I hear you there.

[00:23:24] Jason Loomis: Can I give a shout out for the use of left of boom and right of boom, by the way? Thank you very much for, that's a concept that I use all the time and when I'm explaining things, it's awesome.

[00:23:32] Blake: Absolutely. Absolutely. No, that's, uh, I'm sure you've, uh, had to use that in some more high stakes context perhaps than I have, uh, hopefully not too high stakes though. No, you're on the, uh, the board of the University of Oregon Executive MBA, uh, Alumni Group, and you mentioned some of your connections there before.

Go Ducks! Uh, I guess, uh, uh, Go Ducks!

[00:23:52] Jason Loomis: a bridesmaid, never a bride, man. And I'm kind of, you know, to be honest, keep it on the west coast. I'm bummed Washington lost, you

[00:23:59] Blake: Oh, fair. Yes. That's, that's, that's fair. I didn't really have a horse in that race, even though I guess technically went to school at Northwestern, a Big Ten conference, but not really, you know, not exactly a big sports school, to be fair. So, would be curious to hear how you communicate, you know, what it is you do as a CISO to other business leaders who might not speak the technical language of cybersecurity.

We touched on this a little bit earlier, but in the context of that MBA group, I would want to hear your thoughts.

[00:24:28] Jason Loomis: For me, it's all about analogy. You know, that's the storytelling. Like we did it a little bit back and forth. We're talking about what are, you, you're pulling similarities between a natural disaster and cybersecurity. I was using, working on cars compared to, you know, so analogy is absolutely your powerhouse of storytelling when you're trying to explain complex technical concepts to people that don't understand the tech.

So you break it down to, some people get mad I use this term, you should explain it to a fifth grader. If a fifth grader can understand it, great. And they're like, wait, don't tell the, you're telling the audience you're a fifth grader.

No, I'm not. I'm just making it the lowest common denominator of a concept. Because you really understand something if you can explain it to a fifth grader.

[00:25:06] Blake: I really like that approach. Actually, it's funny, you know, as a communicator myself, I like to say, if you're using, you know, super simple language to describe something. You're not going to make anybody mad. You're not going to, if you're speaking even to another CISO and you're explaining something in really simple terms, they're not going to get upset with you for spelling out the acronyms and saying, you know, you know, what PCI compliance means and whatnot, it's just an added benefit for anybody who might have trouble following along.

So I really appreciate that perspective and yeah. Explain it to me like I'm in kindergarten. I don't care. I might learn something new in the process, you know, taking that humility and, in the comms is, is just a, a really effective approach.

[00:25:45] Jason Loomis: So for example, I like studying some science stuff that's off my base and I, I recently took a course in, uh, Einstein's special relativity and theory of general relativity. Zero math. Because I haven't taken calc since high school, pre-calc since high school. But all through that analogy, you can explain very complex topics like quantum mechanics and general relativity and special relativity.

And I guarantee you can learn it because he does, you know, this great professor does it all through analogy. And cybersecurity, same thing.

[00:26:14] Blake: Bending light around suns and weighing gravity, tearing through space time continuum. More power to you for diving into that stuff.

[00:26:24] Jason Loomis: Okay, on another podcast maybe.

[00:26:26] Blake: On another podcast, we'll get to the space podcast next. Actually, uh, that's not a bad idea. No, we digress. Finally, really appreciate your time here. And this is something that we ask of all of our guests on the We're In podcast here.

What's something that we wouldn't know about you just by looking at your LinkedIn profile? And I must say, Jason, you have one of the more interesting LinkedIn profiles of our guests, including the fact that you are SCUBA certified. So I guess, even though that's pretty darn interesting, you can't use that as your, as your fun fact here.

[00:26:55] Jason Loomis: And I should point out, thank you for that, for the compliment or something like that. The scuba is a little self-deprecating move of all the certifications that we CISOs tend to have, and they list them like it's something to be proud of.

I'm like, look dude, everybody has these, I've even got scuba. You know, I would say something I'm, this isn't really an accomplishment, so I kind of actually like pointing this out because everything else is talking about me, me, me, me, me, but I am the child of a World War II veteran. I think that's awesome. At my age, and he had me really late, my dad, um, you know, served in World War II, and you just don't find that anymore that people have a story.

And I just had, so I also, another thing I'll share, I just had my first child, and he's one month old, and now I think about him, and he's got, he's one generation away from the greatest generation. Like how can a kid nowadays say, my granddad, you know, most people's grandfathers, great grandfathers were in Vietnam War.

My kid's going to be able to say my grandfather served in World War II. So I think that's kind of cool.

[00:27:47] Blake: That's really cool. And congratulations, by the way, as the, uh, as a, as a new parent, myself of a three and a half month old, uh, I know just how special

[00:27:54] Jason Loomis: Oh, wow. I'm, I'm right behind 

[00:27:56] Blake: Yeah. Yeah.

[00:27:57] Jason Loomis: Any, got any tips?

[00:27:59] Blake: I wish I did. You know, it's funny because got a lot of unsolicited advice with, uh, with the on,

[00:28:04] Jason Loomis: Oh

[00:28:05] Blake: with the addition of a, of a new family member and just enjoy it.

I mean, that's my tip. You know, it's, it's, I can see why everybody talks about this being such a special time and congratulations. And thanks for taking some time out against that backdrop to join me on the podcast. That makes it doubly, doubly appreciated because I know how much you probably have your hands full over there.

[00:28:23] Jason Loomis: Uh, congrats. Well, I have a wife that's, that's taken six months and we haven't, we have help. We have a lot of family help. So big support, you know, the supporting structure, it makes it a lot easier. Congrats on the three and a half month, man. That's awesome.

[00:28:33] Blake: Thank you. Thank you.

No, I really appreciate your time. Is there anything that we didn't get a chance to cover that you wanted to be sure to mention?

[00:28:40] Jason Loomis: I mean, no, I, I, I'd be remiss of saying, you know, again, I want to, I want to hit on Freshworks, you know, how great of a company it is that I work for. Honestly, I've been, I've been in multiple companies. This is the first, first one that I have just such support from the executive level on down. And they just, they make a mad product, you know, I mean, we're serving the Fortune 5 million instead of the Fortune 50 or Fortune 500.

It's just stupid, easy to use software that, so that really aligns with kind of what I've been talking about, about how I want to make cybersecurity easy and approachable for the everyman. Freshworks kind of has that same mission. So, man, I'm just really happy where I work and I'm happy with my team. And you know, I got lucky.

[00:29:15] Blake: Well, yeah, it's great to hear some of your takeaways from that. I think, I think our listeners will get a lot out of it. And, and also, yeah, I'll have to tune in to, uh, to more Fsides episodes. Uh, so when's the next, when's the next,

[00:29:27] Jason Loomis: Coming soon. My cohost and I are actually meeting tomorrow to kind of map out season three and we got some exciting stuff to talk about. So

[00:29:34] Blake: Excellent. Well, I'll stay tuned and, uh, and thanks again.

[00:29:36] Jason Loomis: Thanks.