Security sits down with Jason Lee, Chief Information Security Officer (CISO) at Zoom, to discuss his top four cybersecurity predictions for 2022.


Security: What is your background? What are your current roles and responsibilities?


Lee: I have 20 years of experience in technology and specialize in information security and operating mission-critical services. In college, I started out pursuing a degree in finance, but I also enjoyed hacking as a hobby. After taking several computer science courses in college, I double majored in finance and computer science, combining my passions for both areas of study. Looking back at my career, I consider the path I took to be fairly “traditional.”


I started my career at Microsoft, and that’s where my interest and passion for security ignited. My next role was at Salesforce, where I was SVP of Security, where I headed up a team of more than 300 security professionals who delivered critical end-to-end security operations to customers and employees. These solutions included company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection and identity and access management. 


Then in June of 2020, I joined Zoom as CISO. Zoom was experiencing rapid growth at the time, and most of my new colleagues were working remotely. As a result, my primary focus has been to protect critical information, including customer data, employee data, and source code. I’m also responsible for educating and arming employees with security best practices to ensure they’re prepared for and protected against security threats. 

 

Security: How has cybersecurity evolved during your career?


Lee: Since my first security role, I’ve realized that the most important aspect of cybersecurity, in general, is thinking about the bigger picture. In security, you always need to be thinking ahead about what might come down the pipeline. This includes looking at third parties related to the business, assessing how to best manage any risks and making sure vendors are also secure. 


In 2021, the world experienced new cyberattacks and lessons learned when it comes to cyber vulnerabilities. Remote work has made people and organizations more susceptible to attacks, which has exponentially increased the importance of thorough cybersecurity program assessments and business continuity and disaster recovery plans. Experts are continuously working to make educated guesses based on the market in order to help businesses be proactive, not reactive, when building their cybersecurity plans.


Cybersecurity used to be a nice-to-have, but now, companies recognize that it’s a must-have. They can’t rest on their laurels when it comes to security. Threats have become more advanced and attackers more experienced, so a proactive security strategy, not reactive, is necessary. 

 

Security: What are the most significant cybersecurity trends you expect to see in 2022? 


Lee: 1. To adapt to hybrid working environments, more companies will drive to adopt the Zero Trust security model. Conversations around protecting the hybrid workforce from risk will lead security professionals to adopt modern tools and technologies, like multi-factor authentication and the Zero Trust approach to security. I believe that companies need these tools to make sure their employees can get work done as safely as possible from wherever they are — commuting, traveling, or working from home — and that all of their endpoints are secured with continual checks in place.

 

2. Security leaders will step up their protections against third-party risks. In security, you always need to be thinking ahead about what might come down the pipeline. From SolarWinds in December 2020 to Colonial Pipeline and Kaseya in 2021, our industry saw a distinct increase in supply chain attacks. CISOs and CSOs will need to make sure their vendors are also secure. This includes looking at third parties related to the business and assessing how to best manage any risks.

 

3. More public technology companies will create dedicated cybersecurity committees on their boards of directors. One of the most impactful things we did at Zoom this past year was to institute a three-person committee on our board dedicated to cybersecurity matters. Having security industry experience at this level is incredibly valuable, allowing us to readily address concerns and issues in industry shorthand. While this approach is still relatively new, it has been incredibly beneficial, and I wish we had done it sooner. And I’ve heard peers express strong interest in recreating this approach at their own companies, which leads me to expect this will be a priority for organizations in the new year.


4. The security hiring boom will continue. We know that cybersecurity professionals are a hot commodity across industries due to more available jobs than trained applicants. In fact, the U.S. Bureau of Labor Statistics reported that employment for information security analysts is projected to grow 33% from 2020 to 2030. At Zoom, we expect to continue to hire highly-qualified security professionals throughout 2022. I believe we’ll see the cybersecurity talent pool grow as more professionals choose to enter the field due to increased demand and, in many cases, the ability to work from anywhere.

 

Security: How should organizations prepare for these trends/threats?


Lee: As the distributed workforce continues to be the norm, it is increasingly challenging for IT to keep up with every employee as they share information around the globe on both personal and company-issued devices. This is where an effective endpoint data protection strategy is critical. This begins with the deployment of comprehensive mobile device management (MDM) strategy, which allows IT to manage and secure all employee mobile devices. 


Also, with the increase in ransomware attacks, more organizations are putting an emphasis on both external initiatives such as third party risk management programs to help assess a vendor’s risk profile, and internal initiatives like multi-factor authentication and a zero-trust architecture with Just-in-Time (JIT) access to help minimize an organization’s attack surface.


Another critical element to an organization’s comprehensive security strategy is its employees. Investing in employee education is one of the most effective ways to increase an organization’s security by arming teams with up-to-date training and education on any phishing or ransomware attacks that are circulating. Regular training sessions and refreshers have to be put in place so that all employees recognize their responsibility for keeping the business secure. 


Lastly, organizations should automate where they can.