3월 15, 2023
EP 23 – From Delivering Mail to Delivering Zero Trust: A CSO’s Cyber Journey
Today’s guest is Den Jones, who’s Chief Security Officer (CSO) at Banyan Security, a startup Zero Trust network access solution (and a CyberArk technology partner). Jones spent almost 19 years at Adobe, followed by a stop at Cisco, before landing at Banyan in 2021. As his Twitter bio tells it, he’s a “Large Scale Zero Trust Deliverer,” which is part of his multifaceted CSO charge.
In this episode, host David Puner talks with Jones about his singular cybersecurity career path – beginning with a formative stint as a Royal Mail postman in Scotland – and how he worked his way up the ladder to become a Zero Trust-delivering CSO. Jones explains how his role at Banyan encompasses all aspects of security, including product (putting the security around the security, as it were), enterprise and physical security. He also discusses the challenges he faces in his current role, including evangelizing the company’s security strategy.
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.
[00:00:23.760] – David Puner
Hello and welcome to another episode of Trust Issues. Today’s guest is Den Jones, who’s the CSO, Chief Security Officer, at Banyan Security. As his Twitter bio tells it, among other things, he’s a large scale Zero Trust deliverer, which is part of his multifaceted charge at Banyan, a startup Zero Trust network access solution, and a CyberArk technology partner.
[00:00:49.760] – David Puner
Den’s journey isn’t what you call traditional. In addition to a stint as a postman in Scotland, which he’ll dive into in just a bit, Den used to work in restaurants, and this work lit him up in a good way. In fact, once he showed up to a dishwasher job interview as a teenager wearing a suit. He was that guy.
[00:01:08.790] – David Puner
As he progressed to a variety of roles on the kitchen staff over time, he learned things that would eventually inform his CSO leadership approach from how to put a menu together to the core of restaurant work, which is problem solving.
[00:01:23.420] – David Puner
Although there’s plenty of preparation involved, it often comes down to reacting in real time to infinite twists and turns, putting out fires, real ones, being prepared for the unexpected, life lessons that, as you’ll hear, have served him well in a career that’s included a remarkable almost two decades stop at Adobe, followed by a couple of years at Cisco before landing in his current CSO role with Banyan Security.
[00:01:49.200] – David Puner
It’s this background that frames my conversation with Den and his perch on the cyber front lines, because as you may have heard somewhere, if you can’t stand the heat, get out of the kitchen.
[00:02:03.760] – David Puner
Den Jones, Chief Security Officer at Banyan Security. Thank you very much for joining us here on Trust Issues. Appreciate it.
[00:02:11.760] – Den Jones
Hey, David. Thanks for having me. Pleasure to be here.
[00:02:14.990] – David Puner
Absolutely. To get right into it, you’ve been in your chief security officer CSO role since November 2021. Give us a snapshot of how you’ve gotten to where you are today. We’d love to hear it.
[00:02:29.660] – Den Jones
Look, I was this little kid in Scotland that grew up with not a lot of finances behind me. I had a job as a postman walking around the streets of Scotland. My buddy, he had lots of great music gear in his house. I was around there visiting him and I asked him, “How can you afford all this stuff?” He said, “Hey, I’m an IT guy. I’m at Sun Microsystems. Go to college and get these qualifications and then you’re set.”
[00:02:59.720] – Den Jones
I instantly applied for college. Done some years there. I left, got a job, and then just really worked my way up. Eventually, I found myself contracting with Adobe. Then they moved me out to the US in 2001. I stayed with Adobe for about 19 years. I was doing all sorts of jobs, infrastructure operations and then security. Then eventually, I ran enterprise security for maybe my last six years at Adobe.
[00:03:28.960] – Den Jones
Then in 2020, went to Cisco, ran enterprise security there, reported to the CIO. Late 2021, I bumped into the Banyan guys. I had done some Zero Trust implementations both at Adobe and Cisco, and they asked if I wanted to join.
[00:03:47.120] – Den Jones
My time is really spent… About 30% of my time is on the internal IT and security in our customer Zero program, and then the rest of it is evangelism. I do stuff like this, talking to other CISOs and executives and stuff about their strategy. It’s a really fun gig and the Banyan team is really cool. I’ve dealt with so many really stressful situations when I ran Adobe’s server team once. We had thousands of servers and every day one goes down, so you’re in these emergency outreach response calls almost every day. I didn’t have a life for probably two years. There’s times like that. Now I’m hoping I’m reaping the rewards a little bit. I can chill for a minute.
[00:04:40.040] – David Puner
Before we go back to present day, you mentioned that you were a postman at one point prior to all this. Did that prepare you for anything in your world now?
[00:04:51.160] – Den Jones
A postman in Scotland, you’re four o’clock in the morning and it rains almost every day. For four months of the year, it’s freezing cold and the snow or the rains hitting you in the face. What it did do is it really prepared me for… You know when you’ve got something good when you’ve had something bad. I think we’re all blessed in the tech industry because there are people that do jobs that are really gnarly and nasty, and our hardship is really how do we communicate and get along well and collaborate with others.
[00:05:25.190] – David Puner
You’re a CSO, chief security officer. For those who aren’t super familiar with your world or our world, and maybe for some who are, what’s the difference between a CSO and a CISO?
[00:05:39.480] – Den Jones
Yeah, a great one. I wanted to be a CISO, a C-I-S-O because in my career path, growing up through the IT and identity and all that, that’s the path you think you’re on. When I was at Adobe, my old boss, Brad Arkin, he was CSO, chief security officer. In his role, he’s responsible for the product security as well as the enterprise security, as well as the governance risk and compliance. There’s a whole host of other things.
[00:06:11.100] – Den Jones
When you’re a CISO, traditionally you report to the CIO and you’re really focused on IT security. When I was at Adobe and Cisco, I was responsible for enterprise security, which is really IT security. I didn’t have the CISO title. I was really chasing the title, but I was also chasing my desire to run the whole thing myself. I want to be in charge of the security program at the company.
[00:06:42.080] – Den Jones
When I joined Banyan, the agreement with the co-founders was I’ll be CSO, so anything security related, product security, enterprise security, physical security, I have that as well, so all the security stuff. I think that is the bigger difference. One is really focused on IT security or enterprise security, and the other one is focused on that plus product and services and everything else.
[00:07:13.120] – David Puner
In your time with Banyan now, what have your biggest challenges been and what are your biggest challenges that you’re looking at in 2023?
[00:07:21.300] – Den Jones
I think the biggest challenge has really been scraping budget together in a really small company that has a huge market, but we’re not very well known in the market. From a sales perspective, it’s a really hard fight. I don’t want to be spending money on programs and things that I don’t think really reduce the risk.
[00:07:47.680] – Den Jones
A company like Adobe or Cisco, you would go through all these frameworks and go, “Right, what are we doing in vulnerability management? What are we doing here? What are we doing there?” And you’d almost create these big behemoth programs to fight these areas.
[00:08:05.420] – Den Jones
Well, a small company like Banyan, I’ve got a really small team. I’ve got a small audience. The company employee size is less than 100. It’s not a stressful or big challenge. I think the biggest thing is just money. Most CISOs I know, or most executives, are always under pressure to reduce spend. The pressure I’m under here is still way less than the pressure I was under at Cisco and Adobe. For me, none of it’s a stress, really.
[00:08:43.280] – Den Jones
I worked for two companies where nation states were on our backs all the time. You’re always having them trying to attack you. We’re a really small company. We’re not really that much of a target, but our customers are a target. I’ve got to make sure, my team has to make sure, that we don’t get used to attack our customers. From my perspective, that’s the biggest thing.
[00:09:17.900] – Den Jones
But it’s a heck of a lot easier to educate 50-100 people directly and work with them and look at their posture and be really squeaky on that stuff. I’ve got less people to worry about. Adobe 40,000 plus, Cisco 110,000 plus, Banyan 75. It’s easier.
[00:09:41.330] – Den Jones
I’ve been trained over the years and I’ve had the experience over the years that I can step into this company and it’s not a hardship. There’s nothing that anybody’s been doing in Banyan that I haven’t seen or experienced or dealt with before.
[00:10:00.020] – David Puner
When you’re looking at internal threats, the difference between 100 people and 40,000 people, how does that change the way that you go about that internal security?
[00:10:11.740] – Den Jones
We just launched DNS neural filtering. If it’s not a site that’s on our threat feed list, then obviously you might still end up at that site and you might end up downloading some malware. A lot of people in our company are really aware of things like phishing attacks, and we jump on Slack and we’ll tell people and we’ll share with people as things like that come in. Check the box compliance. That’s the stuff that I always think traditionally no one gives a crap and nobody listens to.
[00:10:43.440] – Den Jones
My belief, and I learned this at DEF CON a number of years ago, at the Social Engineering Village. They said, “Train people on your personal stuff, how to protect yourself and your family and your kids, and those principles you will bring back to work.” If I talk about data, I’m actually saying, “Hey, would you like to protect your money in your bank account? Would you like to protect your credit score?” The reality is you can translate these things. It’s always the basics. 80% of the attacks are focused on users and devices predominantly phishing and social engineering or credential theft.
[00:11:23.620] – David Puner
You had mentioned identity a bit earlier, and you’d also written a blog post for the Banyan Security blog where you mentioned that the vast majority of breaches tie back to identity and that it makes sense to double down on the basics of identity and device hygiene. Why is Identity Security so important right now?
[00:11:45.370] – Den Jones
I’ll break it down into a couple of areas. There’s human identity and then there’s other accounts like service accounts and genetics. There’s device identity like our endpoints, but then also servers. There’s apps and identity related to apps. There’s APIs, there’s IoT. When I say identity, I’m like all of that stuff. When you really look at all these breaches, the 80% of it is tied to social users clicking stuff. The biggest problem for the industry is the device and the user and all those identities.
[00:12:24.630] – Den Jones
Traditionally, enterprises would apply controls at the network level, firewalls, VPNs, stuff like that. Well, the problem is if more people are remote and more people are accessing cloud services than they are on-prem services, every application service we were bringing in, it was almost like cloud first, cloud first, cloud first.
[00:12:47.460] – Den Jones
Our Zero Trust enterprise network project in Adobe 2017 was on the principle that rather than giving you VPN access, we’re just going to give you app layer access, no network level access, and only access the application you need based on your directory group membership. You’re just doing the directory stuff, which you had to do anyway.
[00:13:09.840] – David Puner
That all ties back to Identity Security where a dissolved perimeter mandates a modern Zero Trust approach. How do you personally deliver large scale Zero Trust?
[00:13:21.600] – Den Jones
There’s a lot of great people out there that are doing a lot of great work on this Zero Trust thing. There’s a lot of people quantificating and writing a lot of documents and not necessarily actually deployed or done a Zero Trust deployment. I wanted a cloud-based architecture that I could deliver Zero Trust against and you’re only coming into the network if you’re accessing apps and services inside our network.
[00:13:46.920] – Den Jones
What we had done before in our first run was you had to, as part of the off workflow, come in and go via some on-premise infrastructure even just before you go to a cloud app. Then the next run was a little bit more expensive, but it was all cloud architecture, all scalable.
[00:14:06.220] – Den Jones
Then when I got to Cisco, we deployed Duo in their technology, and that was 110,000 people. The scale and the speed of the deployment is literally your tolerance for pushing something out to people like an agent in minutes or days, if you want, versus I want to go a little slower and just get feedback and take my time. You can do either or. I’m a little bit of a high risk taker sometimes, calculated risk, but I don’t have patience for something that takes very long.
[00:14:47.540] – David Puner
How have you found the pros outweigh the cons when it comes to having a tolerance for risk?
[00:14:53.480] – Den Jones
Adobe, as you can imagine, these guys are all about user experience. Adobe’s HR team and employee experience team had got together and they’d done a survey of all the employees and then determined that happy employees actually improve profit. What do we need to do to make our employees happy or happier?
[00:15:16.040] – Den Jones
In the top 10 of things that they did not like, logging in experience was one and VPNing was the other. We already were hatching our Zen plan that will take care of those two things. The speed of doing it, if you can improve the employee experience and do that fast, and improve security, and reduce friction, and you’re not asking users to change their workflow, their behavior, or whatever they’re doing, and you’re not asking application teams to make changes to their apps.
[00:15:55.720] – Den Jones
We done a pilot on our first run where we enabled anybody in the company, provided their device had the authentication certificate that we pushed our Zen certificate, and they were IT managed devices, and they had their antivirus software, blah, blah, blah.
[00:16:16.480] – Den Jones
If they met our posture check, then they would automatically be routed and use our path and not require VPN to get to a lot of the internal apps, and they wouldn’t see a username and password prompt. I think we enabled it for the 40,000 people within the first four months. That was a really plus moment for the team. This whole Zero Trust principle, if done right, you can really accelerate your business.
[00:16:45.920] – David Puner
That’s really interesting. You’ve mentioned how big the team was at Adobe, and you’re in a different situation now, smaller company, scrappy startup. We’ve talked quite a bit about the cyber talent gap here on this podcast. What’s your perspective on the cyber talent gap? Do you have any advice for people considering entering the field? How do you handle building teams and what are you looking for in candidates?
[00:17:14.020] – Den Jones
Brilliant. There definitely is a gap. I think with all the layoffs recently, then that gap is probably not going to be felt as big this year. But there definitely has been a gap. I’ve being asked to build a lot of teams, consolidate teams, reorganize. First thing I always look for is someone who has initiative, willing to work, willing to learn, and hungry. That’s it.
[00:17:45.290] – Den Jones
Technically, I’m looking for someone that has some technical chops. But if you don’t have the technical chops that I’m looking for, and let’s say you’re a junior in your career and you want to learn, I’ll take that every day. When I think of the skills gap and the skills shortage, I’m a huge fan of finding interns. Give me some hungry interns. For me, the early in career people, hungry. I expect technical savvy with everybody that gets in the team anyway, but if you don’t have the hunger, if you don’t have the desire to learn and grow, then you’re pretty much useless.
[00:18:24.440] – David Puner
It almost ties back to what we were talking about at the beginning of the conversation about your time in kitchens and as a postman. Just all those life experiences, whether they’re directly applicable or not, it is in the end of the day about the candidate themselves and maybe not the actual skills or credentials in that moment.
[00:18:43.980] – Den Jones
When I left college, I was only one out of 30 people in my class that got a job in IT. That was scary because that was in the early ’90s when this whole thing was just taking off. My old boss and mentor, when he gave me the job, he basically said, “I have 100 people that applied for the job.” It came down to two candidates, and it was me and this other person. The other person was more qualified than I was. He basically said to me, he was like, “But you were just hungrier. You came across as just hungry, willing to do whatever it takes to make this job work.”
[00:19:27.300] – David Puner
It says it all.
[00:19:28.170] – Den Jones
In our skills gap today, talent, people that are trying to get jobs and stuff, best foot forward and show how hungry and passionate you are about the opportunity that you’re chasing.
[00:19:41.320] – David Puner
What’s the most important advice you’ve gotten in your career?
[00:19:44.240] – Den Jones
My old boss, [inaudible 00:19:45], he said to me for years and years and years, he was like, humility. I was not humble, I was arrogant, I was demanding and pretty aggressive. Because in my early years, that served me really well. I was like, “Hey, I know what I want. I know what I’m chasing.” When I became a parent, then you learn very quickly that life doesn’t revolve around you.
[00:20:11.540] – Den Jones
Humility, I think, is one really important piece. Empathy, again, I didn’t have much of that, if any. I learned, especially in my leadership career, how important those things are. Then ultimately, we are in a collaborative world where in order to get something done, it’s not usually you work on your own and get something done.
[00:20:34.910] – Den Jones
Generally, you need to partner with other people, so communication for me is really huge. I know I’m not the most technical in the world because my EQ and my communication and that side of my game is really good. Well, the most technical people I know, they’re not usually very good at that side. But for me, I’m a pretty balanced technical and the EQ and all that stuff.
[00:21:03.260] – Den Jones
If I was someone who was highly technical, I would understand where my gaps are and try and partner with people that can fill my gaps. Like any team, it’s not the I in team. For me, I know where my deficiencies are. I would always surround myself with people that had really great attention to detail because I don’t. It’s not my jam. If I have to, I can get detailed, but that’s not the thing that drives me. That thing for me has been really important over the years, finding other people that can be complementary to my deficiencies.
[00:21:47.100] – David Puner
Two more questions for you. We were talking in the pre-interview and we hit a nerve with the term sophisticated attack. What do you love or hate about that particular term?
[00:21:57.740] – Den Jones
At the end of the day as a practitioner, we are paid to solve problems. The problems generally is reduce the cyber risk or reduce the risk for the company. Now, sophisticated cyber attacks. I don’t know about you, but when it starts off with, John clicked a link because John got a phishing email, that’s not sophisticated.
[00:22:19.350] – David Puner
Ransomware is an outcome of an attack. The attack itself is usually a social engineering event to which I end up with malware on my box. It’s not sophisticated if you send me a link and I click the link. The problem for me is so many companies, and again, this just goes back to their marketing thing, you want to tell people in the press it was sophisticated. It wasn’t.
[00:22:45.380] – David Puner
If you’re going to rely on training your employees to prevent that, then you’ve lost the plot because that’s never going to always save you because it’s not that they’re sophisticated. They’re just more realistic than your human ability to decipher that it’s an attack.
[00:23:06.320] – David Puner
For me, as you can tell, I get a little animated on this one because… I’m animated because our company have made products and services for over four years that directly attack and prevent some of these attacks. My team in Adobe in 2017, we deployed stuff that would directly go after some of these attacks.
[00:23:29.360] – David Puner
The reality is, you can say it’s sophisticated all you want. I could contact 20 companies tomorrow that got breached because of these type of attacks and tell them, “Hey, we could have stopped that.”
[00:23:45.180] – Den Jones
You don’t really know who we are. Granted, you got to know who we are first. But if you did know who we were and you wanted to spend some money, you would not have went through that breach because our stuff would have saved it.
[00:24:00.330] – Den Jones
I’ve written blogs. I actually done a blog a couple of weeks ago. I try and avoid talking about the Banyan Kool-Aid stuff, but I decided… Again, going back to the whole notion of what’s sophisticated, I decided, well, I want to write a blog about just how and where do we protect you? Get away from the buzzword bingo and stuff. Just let’s talk about how and where would we protect? What attacks? Then obviously, which ones do we not protect?
[00:24:30.820] – Den Jones
I think some of that stuff is important for vendors to move away from buzzword bingo, stop worrying about what the analysts say because half the analysts are paid anyway. It’s a pay-to-play. A lot of these analysts think there’s criteria before you’ll even appear in a magic quadrant. How many employees? What’s your revenue? It’s nonsense. I look at the problems we’re solving, not the buzzword bingo.
[00:25:02.580] – David Puner
Den, you have a lot to say, and you also are the podcast host of the Banyan Security podcast called Get IT Started, Get IT Done. That podcast is available wherever you get your podcasts. What’s the significance of the name and how’s the podcast going?
[00:25:20.080] – Den Jones
I’ve got a reputation in the valley of getting shit done. For me, that’s a really important trait as a practitioner. Getting IT started, get IT done means you have to come up with strategies on how to get started and how to sell the vision, and then you actually have to make progress and you have to deliver the thing. You have to deliver that in a context of business value.
[00:25:43.740] – Den Jones
But I’ve been blessed over the years to have met a lot of really great people. For me, it was like, get that roller decks out, start pulling some of my contacts of people I’ve met before that I think are cool people, they’re going to be interesting, they’ve got great stories, but then also some of our customers. It’s fun to talk to people, hear their stories, and just talk about the industry and stuff. Ideally, people take away some value from it. Every now and again, there may be a little nugget, a little gem.
[00:26:18.250] – David Puner
Absolutely. Those are the exciting moments. Thank you so much for all your time. You’ve been super generous with it. Really fun speaking with you and good luck with everything.
[00:26:29.720] – Den Jones
Awesome. Thanks, David.
[00:26:40.900] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you, or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.