August 23rd, 2022
Cybersecurity Expert Interview: Jonathan Haas
Christopher Luft
Introduce yourself and tell us what you and your company do.
My name's Jonathan Haas. I'm the CEO and co-founder of ThreatKey. ThreatKey is a security posture management platform. Essentially, what that means is we help businesses secure themselves and identify which things they should be prioritizing amongst their various business tools.
Things like AWS, GCP, or SaaS products like Google Workspace, Microsoft 365, etc.
You've had quite the cybersecurity career. You've done security at Lockheed Martin, Apple, Snap of Snapchat fame, DoorDash and Carta. Without giving away any secret sauce, what changes have you seen in the cybersecurity landscape at these larger companies?
Over the years, obviously, security has become more important as the threat scape has grown. How has that translated operationally?
I think we're seeing much more of a turn to automation for various security teams. The sort of thing where security teams have to protect companies doing business around the clock and around the globe.
It's every business now. You have to be global. You have to have a presence. You have to be online. And that means that a nine-to-five security presence is not going to cut it. A security presence that's not on when you go to sleep is not going to cut it.
Quicker resolution and quicker detection. Things are going from attacks happening over a matter of days to attackers now scripting things to happen in a matter of seconds. So you need to be able to get in, respond very quickly, and immediately take the actions you need to take. Be that getting them out of the system, or changing some configuration of the system to lock it down.
Across the board though, we're seeing a change to automation, especially for these teams that are very rapidly growing or maybe the security team hasn't scaled at the same pace of the business.
What needs to change in cybersecurity? Where are we still stuck? What's preventing us from getting there?
I think we need to shift to enabling the business. Maybe this is just the vendor in me, but I think a lot of security teams lose sight of making the business move faster safely. That should be the goal.
How do we help them sell more? How do we help them do more? How do we help the rest of the business be more secure in doing what they want to do, not this idea of being secure and then slapping on the business later. I think until we make that shift, we're gonna be stuck looking at how do we secure all the things, which is a great task and really important, but it has to be enabling the business at the same time.
If something's a concrete block, is it secure? Maybe. Can you actually do anything with it though? There is a difference.
Exactly. Without the business, there's no need for security because nobody can pay for anything.
I think we're seeing more and more vendors get the idea. How do we enable security to adapt to the business?
A no-code flow, I think, is a really good example of where you are really given that flexibility of connecting to existing business tools or processes. So I think that's a direction that we're going to see the space shift. I think, frankly, that's a direction we have to see the space shift if we're looking for security to really continue to grow as much as it has.
Do you think that need is related to the talent shortage? Are we moving towards these low or no-code tools and automations to help combat the lack of qualified security professionals? When anybody asks me about the talent shortage, I often just respond that I think it's a skill shortage.
I think there are a couple of explanations for what's gone wrong. We need to provide the right resources and training to folks. We just simply don't.
Training as a budget tends to get slashed, especially when we're going into more sort of recessionary periods.
That's where, frankly, we need the most training. We're just not getting adequate tooling and guidance, right? Dropping a new security engineer into an environment where they have no visibility into what's going on and they have no idea of how to secure it. That's just not the right way to start off these folks' careers.
So I think it really boils down to skills. We need to have platforms like Tines. We need to have platforms like ThreatKey and LimaCharlie to be able to enable folks to go in quickly and surface security risk, but do so in a way where they don't necessarily need to know every detail of how the primitive works in order to achieve that.
That is a really interesting take.
What do you think of cybersecurity marketing and how it relates to the tooling and stuff that you're speaking to?
I think marketing, especially in the cybersecurity space, is a tricky thing. What we've seen is there is just a plethora of buzzwords, and that's a good thing and a bad thing. On one end, we're explaining complex, really meaty topics and breaking them down into the smallest components that are bite-size and consumable for various audiences.
So you do have to be generic with what you're talking about. At the same time, this marketing sometimes goes into a realm where it's maybe no longer as applicable. For instance, everyone right now going and saying we're doing something with a software bill of materials, because that's the new hotness.
When we start seeing stuff like that, I think marketing maybe crosses the boundary, and that's why people sometimes have a negative or less positive reaction to cybersecurity marketing.
Yeah, I think that's a pretty good analysis of it. I always think of Zero Trust and XDR and some of these terms, they pop out of nowhere, and then they're everywhere. After a while, they hit a saturation point where people stop talking about them because it becomes meaningless in all of the noise.
And the thing with those terms as well is it's not that they don't actually have meaning. Zero Trust is an important thing. It is just that when it is a field of buzzwords, I don't actually know what the product does.
Do you have any hobbies outside of tech?
Yeah, we're an early-stage startup so I spend most of my days working on the startup, but a lot of what I've been doing outside recently has been kayaking and going outside to spend time in nature.
I actually think we can find a lot of really interesting parallels between looking at nature and how security forms. Even just looking at a tree formation, you can see some interesting trends pop up. And that's what we've been looking at. Just seeing where in nature we can see little bits and pieces we can take advantage of, and learn how we can improve our approach.
So you're saying that you're looking to biomimicry to inform information security?
There's a lot of it. I look at how we approach security in general. I think a lot of people went and immediately said, defense in depth is something that just makes a lot of sense. Defense in depth is something that animals as species have been doing for millennia.
It's interesting just to see those parallels and crossovers. I think a lot of times at the end of the day, the things that we're looking for from a security tooling perspective, it's visibility, it's the ability to respond very quickly. That's no different than a snake or a bird or any other animal that just needs to be able to figure out if there's a predator and then be able to act quickly.
Is there anything that keeps you up at night?
I'm not getting paged at 3:00 AM anymore.
But there's definitely a lot that keeps me up at night, especially because we're focusing on SaaS security. A lot of what we look at is: are there flaws with SaaS infrastructure, are there things that we are encountering and adding to our repertoire of alerts that we can detect, to be able to help the various people who use our product.
So there are things that keep me up at night. Yeah. But it's just the same as anything else: we're looking to build out this product, and we're looking to deliver value to people. That means a 24/7 process. That means being able to quickly ship out that new research and be able to respond to those new threats.
Do you have any advice for people early in their careers or people that are considering going into cybersecurity?
I'd say really learn the primitives. I think LimaCharlie does a really good job at this because you can actually play around with the primitives of the various building blocks of information security, but at the same time really learn those and learn why they're important. I think this is so critical.
I think oftentimes people jump a bit too early into a vendor solution to solve a problem without really understanding how that vendor is solving that problem. And I think that's led to some of the skills gaps we're seeing. People feel a bit more comfortable connecting a tool and kind of just letting it do its thing, as opposed to really understanding what it's doing and how it's helping them.
Back to first principles. That was my trick for mathematics in university. Starting at the beginning and building on top of it. It's the same idea.
There are just so many common threads. Defense in depth is another one you can go back to, regardless of whether you're looking at application security or infrastructure security. It doesn't really matter.
The same concepts do largely apply across security domains.
Any predictions for the future?
I personally think we're going to see more of a focus on cybersecurity at a board level. I think that will be something that continues to be more common as businesses are going more and more online, as we talked about at the beginning. You are just going to see more people care.
The reality right now is that conducting business means you are interlacing with various companies and various technologies. That's just how business works now. It's not some distant future, it's here today. That's how it works. So I think we're gonna see more people care about information security.
We're already seeing this at a public level, but I think private companies are doing this as well. We're gonna see more of a focus, probably more of a regulatory restriction pushing companies to really focus on security: hey, these are your assets. You're collecting this information from consumers. You're collecting this information from businesses. You have a responsibility to secure it, and it is your responsibility to be able to steward their data.
The future is now.