Leading a team takes a lot of skill. Imagine what it takes to lead a team of 12,000! Find out how first-time CISO and Vice President for Insight and Microsoft’s 2022 Security Changemaker of the Year, Jason Rader, powers through his day as he talks about the vital role his team plays in his or any organization. With more than 25 years of providing security solutions, he shares how he leverages his experience in ensuring that everyone is educated and made to understand how they can affect the overall cybersecurity system of the company. If you think IT is just another department in your organization, tune in to this insightful conversation and learn how you can contribute to mitigating intentional or unintentional InfoSec risks from your own desk.
Listen to the podcast here
Insight CISO Jason Rader: He Doesn’t Have 50 People On His Security Team… He Has 12,000
We are bringing you the top experts in the industry for a chat about everything interesting in keeping our world secure. Speaking of keeping the world secure, we are excited and very pleased to welcome Jason Rader to the show. He is the VP and CISO at Insight. He’s also the Microsoft Security Change Maker of the Year For 2022.
In his previous lives, he was the National Practice Director of Security Services at Datalink, Director of Cyber Threat Intelligence, and Head of RSA Research in a little company called RSA, where he was also the Chief Security Strategist. He’s been in cybersecurity for over 25 years. Not to be overlooked, he has been known to play a little guitar and fronts a pretty good band. This is something that we’re going to talk about, but I got to get it up front in the open. He doesn’t have 50 people on his security team. He has 12,000 and that is notable. Jason Rader, welcome to the show.
Thank you very much. I’m super stoked to be here. Thanks for that marvelous introduction. I’m humbled. As you can probably tell, I’m blushing.
It’s your life. All I’m doing is reading back what you’ve done back to you. The easiest part of the job is like, “We got this guy. Let’s go.” When we first started talking, you said something to me that blew my mind and I love this. I’m going to pass you the ball and clear it out. You said, “There is so much fronting from CISOs right now.” Maybe this is a high-pressure way to start the show, but what does that mean?
You’re trying to get me going right at the beginning here. No disrespect to my fellow CISOs in the universe, but I do feel almost by requirement that we can’t talk about the work that exists in every organization. That creates this false sense to other folks. We’re doing a disservice by not explaining that there’s this giant mess in most organizations. When I say most, I mean all, but I’ll be general here.
You’ve heard the term technical debt. There are a lot of technical aspects to the security role that has to be cleaned up. It’s not just technical. There are a lot of procedural and administrative things, and also financial, to be quite honest. Things that mean we can’t put this nice coat of paint on everything and expect the house to have firm foundations.
It’s a brutal role to be in. We’ve all heard, “The average lifespan is eighteen months.” As a CISO, you have to play a very political role, but there’s also an expectation of technicality of team leadership and all that kind of thing. How do you do it? How hard is it to be a CISO, especially at a place like Insight? Not only because it’s so big but because it is so woven into the tapestry of everything that is involved in our industry.
It’s marvelously hard if that’s a good answer because I’m super passionate about what I do. I don’t want to do the easy thing. I want to do the thing that nobody has ever done before. I literally think we’re doing that at Insight. We’re customer-facing, consultants, innovators, partner of the year award, or winners from everywhere. We’ve got to provide these innovative solutions to everyone. Guess what? We got to be the innovators as well at home. The cobbler’s kids can’t have the worst shoes in this particular case. It’s super exciting and demanding. Back to what I led with, there’s a lot of stuff to do at an organization that’s 30 years old.
When you’re in security, you have to be right every single time, a hundred percent of the time. The bad guys only have to be right once.
We’ve got to deal with a lot of aspects of compartmentalization between the business-facing side and the corp side. To be able to do that complete security program, it has got to involve everybody. There are not 50 people on my security team, there are 12,000. Every person at Insight got to play this game with me or we’re not going to win. We’re not going to be successful. I got to be right every single time 100% of the time. The bad guys only have to be right once to be able to make my day miserable, or maybe my month or quarter. It’s a big deal.
The eighteen months, the clock is ticking for sure. I’ve been in the role for almost a year. I want to be here for a long time. I think we got a multi-year project to be able to make this transformation. It’s bigger than a new CISO. We’ve got all great new leadership. Legacy folks are jazzed about the transformation as well. It’s going to take some time. Anything that is going to be a cultural change, which that’s the key, is going to take some time. You can’t drop a whole bunch of culture on somebody and then all of a sudden, expect them to love it and to make the real change.
It’s a challenging job. I live, eat and breathe this stuff so it’s an exciting change. The political aspect that you mentioned is hugely important. I consider myself the ambassador of security. I’ve got to promote and sell it in a positive way because security can either be the department of no, or it can be this thing where we enable the business. “How about security helping you do the thing that you want to do the way you want to go to market?” That’s the security that it needs to be.
Imagine not getting in the way and making your life easier instead of harder. I got twelve topics to unpack from that. Let’s go with this. As you have come into this position, you are a relatively new CISO, but you have used the word team. It has become the business cliché and it has been for a long time. Do you want to be on the court? Do you want to be the head coach? Do you want to be the offensive coordinator, defensive coordinator, point guard or quarterback? In your role as CISO for an organization, not just as big as Insight is, but as important as they are to the industry, where do you want to play?
I told our CEO that I’m trying to work myself out of a job. She tilted her head a little bit, “What are you getting at?” Back to that 12,000 people on my security team, I can’t do it all. We had a meeting and they’re like, “How come there isn’t security called out?” I’m like, “Because security is in it all. We don’t need a separate column for security. It’s built into all this. It’s not a bolt-on at the end. We’ve got to consider the security part of what we do. It’s in all of your budgets. It’s not a separate budget. It’s everybody’s thing.”
I love to be a player. I am a technical guy, but I can talk business and I’m a business person. I’ve owned a few companies. I get where we’re coming from. You also mentioned I’m a new CISO and I’m a first-time CISO so I could have no idea what I’m talking about. We’re already enjoying a lot of success. We’ve already got a lot of momentum so I’m going to ride this thing out. How about that? I want to be the guide on the side. I don’t need to be in the middle of all of this stuff. I get gratification from teaching this thing and letting it roll. That’s how it should be.
There’s probably some bad thing associated with somebody who was trying to instantiate and entrench themselves into everything to be everything to everybody. That’s maybe how consultants work, but I don’t want to do that for any company. Certainly, not for this one. I want to always be there to add that value and to go to the next level. This transformation is why I’m here. We’re doing something at an organization that is making a transformation itself. We’re transforming security as a part of that transformation and that’s cool.
I want to see what happens on the back end of that. I love the challenge. People said, “You’re doing something that has never been done.” I’m like, “Right on. Let’s do this.” I think we’re going to do it right. We’re going to learn some stuff and we’re going to screw up. Back to that original point, we’re going to do it wrong too, but once you get that culture change, it’s okay. We’re going to get it wrong a lot. We’re probably not going to admit it so much, but we’ll learn and keep going.
I’m changing up my metaphors from sports to music. You play the guitar for Theater of the Mind. You have multiple guitars in the background. This is not a fake background. These are actual guitars. You are also the frontman of a band. You have chosen to not play the guitar. As a CISO, as you have moved into this position, let’s think of it like that, how a band is built. There is a lead singer, rhythm guitar, lead guitar, bass and drums, but then there’s also a producer and record company. For a CISO, what is your role in your opinion to be the most effective when you have 12,000 members of your band? This is like Chicago in 1972 playing Saturday in the Park.
I love the way you framed that up. There’s a great point to the reason I don’t play guitar in the band. I’ve played the guitar for 30 years. I love to play the guitar. I’m good at guitar, but my guitar player is the best. He’s the guy who should be in that role. That’s the thing that you’ve got to figure out. As the progression of the band, metaphorically meaning my security team or the organization that I’m with, I don’t need to be the lead singer if somebody else is going to sound better or is appropriate for this song.
Eventually, I would like to evolve back to be that producer. You get a lot of people who are great individual musicians, but it is special to be able to get a group together and make that work. From a mixing perspective, getting the mix just right is a special thing. That’s the thing about security. Security is hard. If you had an unlimited budget and/or unlimited people, it’s still hard. There’s an organizational aspect. It’s the same from a music producer’s perspective. These guys have budgets where they could do anything. What makes some better than others? It’s their ear, their love and a certain amount of art to be able to accomplish this thing.
Security is exactly that. It’s the same vertical and technology, but different implementation across the board in companies that I’ve worked with from a consulting perspective. That’s what makes it hard. There is no playbook. You got to have a perimeter and those kinds of things. Nobody has ever gotten fired for buying this brand and those kinds of things, but it’s way more than that. That’s the transformational and cultural aspect. We can’t keep teams isolated.
Why we were sitting in a spot or we’re sitting in most organizations in general from a digital transformation perspective is IT got relegated to maybe over here. The infrastructure guys, “We don’t need them. We can swipe our credit cards and go straight to the cloud. We don’t need those guys.” Those guys know how your business works way more than the people who are swiping credit cards and instantiating a bunch of infrastructure in the cloud. They’re good at acquiring it. They’re not good at operationalizing or maintaining it or dealing with the continuity or resilience aspects of it.
We’ve built our business around this thing and it has become critical to business. We’re hoping that it stays by not engaging these folks who could have given us some good advice and maybe saved millions of dollars if we had done it the way that they would have advised us to. Engaging those folks within your organization is the hotness moving forward from a cultural perspective. Let’s get these guys all in the same room.
It’s serious. I’ve consulted with organizations. I’m sitting in the boardroom with members and heads of all these departments that we’re instantiating what we called their security governance board in a very regulated industry. At the end of the meeting or it might have been during the meeting, somebody said, “We’ve never been all in the same room together.” It was crushing that it took the consultant to get all of these guys together.
I literally am face-palming right now the fact that this is happening. This is what the world is like. We should all realize that this is a real thing, but it’s so horrible to hear someone say it out loud.
You can have a lot of people who are really great individuals, but it is special to be able to get a group together and make that work.
Why is that the case? Everybody gets incentivized in a certain way in a lot of cases. You do the job that you’re told to do. There’s no way for me to do the job that I was told to do because nobody knew what this job was when I took it. We’ve got to make this transformation. There is no playbook. At a minimum, I came in and talked to legal, audit, compliance, and infosec. I was like, “Why aren’t we all working together on this thing?” They were like, “That’s a good idea.” I’m not joking. It was literally like, “We should.” Good things have happened since then.
These are marvelous people doing what they thought was and is an important aspect of the business, but it’s even more important to the business that we do it together. Is it my superpower or the kumbaya experience? I don’t know, but that is key. What the CISOs need to think about now is how they can be that ambassador and bring teams together. Is it the security guy or girl that’s going to bring everybody together? Maybe. I think the opportunity exists. Somebody has got to do it.
Tell me if this is a terrible question. I may need to talk myself through this to get to the actual question. You came up through the ranks and earned your way into this position to become the CISO of a very large, very important and relevant company. You get to that spot and as we’ve talked about, “Do you want to be the coach? Do you want to be a player? Do you want to be the GM, lead singer, guitarist,” or whatever. Pick your metaphor. You look around and have a lot of talented people, but how do you communicate to people that while they may be doing their best, what they’re doing is not great?
I was asked a similar question. We talk about inspiring people. If we want people to get better, how do you get somebody to do that? I can’t motivate somebody beyond what they’re capable of, but I can inspire them. I’m this guy that’s got a book of these things that I like to throw out, cliches if you will.
That’s some positive energy. I feel like people are going to walk out of meetings with you feeling pretty good about what your ideas are.
You can empower these guys with training and those kinds of things, but I think you’ve got to inspire people. Somebody who was in a very regulated old type of industry was saying, “Jason, I liked the way you talk but you’re talking about transforming an organization that is transforming the leaderships on board. Everybody is making bets on you and they think it’s great. What do I do with the manufacturing organization? How do I inspire these guys? How do I inspire my people?”
That question hit me hard. I do think they got to know what the role that they’re doing is as part of the overall thing. Two people doing the exact same job are quarrying rock in a rock quarry. You go up to the first one and you say, “What are you doing?” “I’m quarrying rock. I’m cutting big pieces of rock out of the side of a mountain.” You go to the second person who’s doing the exact same job, “What are you doing?” “I’m building a church.” You got to know, what is that thing that you’re doing? That is so important.
The way that finance works in most organizations these days, nobody is not essential. Everybody has got a role to play. Back to the whole 12,000 people on the security team thing, how is what you’re doing important to what I’m trying to do? I’ve got to help them understand that. Every single person has the capability to affect security in a positive way.
We were talking about USB drives and I got this report that shook me because, for the last five weekends in a row, we’ve had people dealing with people putting thumb drives and now had malware on different people. It was one of those things where it never caused an issue. We got the right controls in place and those things, but the fact that the alerts went off was something that we had to deal with. I’m happy the controls are in place, but it’s one of those things that everybody is responsible for security. Everybody can have a positive effect on it but obviously, anybody can have a negative effect on it.
We got to help people understand and inspire them to do better with securities through easier conversation to have them do better at whatever their profession is. You learn from experiences. Am I going to put that under the rug and never talk about it? No, I might as well broadcast it to the world. It’s one of those things that we can talk about. It happens. It’s a tactic that adversaries use to get into an organization. Those things are going to happen and going to continue to happen. We got to make sure that we engage everybody and help them understand how it works. I do believe that’s key. You can’t just turn off USB drives and say, “How do you like that security?”
We bought 12,000 laptops and then we paid an extra $100 to shut off the USB functionality on all of them. Let me get into the Freudian aspect of “Tell me about your mother” therapy. In your position as a CISO and as you have grown into this role, you are less directly hands-on. When we talk about things like what happens when a single employee picks up a USB stick and puts it in their machine, you don’t necessarily have that direct impact on individual employees anymore. How do you evolve into this position in a way that influences the overall culture so people get this?
It’s part of my overall plan. A lot of my job is selling internally. The first order of business is to enlist a whole bunch of folks on my direct team to be part of this process as well. One of the big shifts that we did early on is I didn’t want my team or anybody that works in infosec in the organization to consider themselves these order takers or “We’ll wait for something to happen” kind of folks. We are now out there proactively engaging the business to help and be involved in their decisions and application platforms they want to go to and other things. It has been positively received because you could be like, “Why is this dude on this call?”
It’s one of those things where we wanted to show that, “Engaging with us makes things better. We can help you along,” because no matter what anybody’s doing in a corporation like mine, there’s a security implication to it. “We’re supposed to go do this.” Was it supposed to be secure? Yes. It’s harder to think about that after the fact. It’s way easier to think about it during or part of the process. That’s one of those things.
How I want to affect everybody is to be a part of the experience. What’s cool about this organization specifically for me is I’ve worked here for seven years. I did what a lot of these folks do so they can relate to that fact. I know what’s going to fly and what’s not going to fly from their perspective and I maintain that perspective. That’s key. Not all CISOs in the world are people who came up through the ranks. A lot of folks could have been great managers or great people and have risen to a leadership role. CISO is a role that a leader with an MBA can do just as good as a person who came up from a security engineer perspective.
It gives me an advantage in an organization full of a lot of smart people that I can at least talk to on their terms and do those kinds of things. “You can trust me. Let’s do some good stuff together.” It doesn’t hurt that I’ve also leveraged the inertia of the organization. Security changes by itself and the only thing that’s transforming, that’s another hard sell. Is everybody going to jump up and down? That’s great. If the organization’s like, “No, we want to cut costs and be super high speed, low drag,” that’s a harder sell.
To make this a part of the overall transformation, to have all of that momentum also helped me out. I’m leveraging every campaign marketing is doing. I’m doing all these things. What’s cool with that? Security. I’m making sure that lines up as well. Call it a guerrilla tactic or whatever you want to say, but I’ll do whatever it takes. That’s the other hackery side of me.
You can empower your team with training, but you also have to inspire people.
I came up as a pen tester and those kinds of things. I’m going to leverage this stuff for as much. You mentioned my title at RSA was Security Strategist. That’s what a strategy person will do. They’re going to figure out what’s the best way that I can genuinely help people do good stuff, but help them do it in a way that they don’t realize is me piggybacking on some other stuff that they were already doing. That’s the easiest way with the lowest resistance.
A great punk band in a van is always going to make a major record label better. You come up through the ranks as a security veteran, and now you have your seat at the C-suite table. You look around and you say that not everybody that is in the CISO position necessarily comes from that. We’re not casting aspersions. People are good at what they do. They get there for a reason. How much pressure is on you or your analogs across the industry if you’re the only one who came up in security when it’s time to have those conversations?
I’ve always been good. I’ve always wanted to teach people. It’s not like I need to keep this security smartness to myself and not share it. You also have to be careful. I taught a lot of courses in my life and I love teaching, but when somebody asks a question, you can either destroy them or empower them. You can either be like, “You should have known that.” You could be like, “That’s a great question. Let me help you there.” Maybe it’s fair or not, but a lot of people hear things like zero trust or buzzwordy things. They think because they watch that fifteen-minute webinar with a vendor or something along those lines that they’re in absolute command of this thing, and they can make good decisions based on that at this point. That is a fallacy, boys and girls, just to let you know.
Those are the kinds of things where people feel empowered to make choices based on a very limited amount. You’ve got to help them figure out what the right part is. Validate them and continue forward. What is good for CISOs right now is the new SEC requirements in the US, where the board has got to be more cognizant of security. The relationship between the CISO and the board needs to be more defined.
There are a lot of good opportunities for CISOs, the board, and the senior leadership to have conversations. It’s going to put more of a responsibility in that teacher role for CISOs to make sure that the board and them have a good back and forth. You can get a board member who thinks they know a lot about something and then pound an agenda and think that’s the solution, “Zero trust or nothing.” I’m not talking about my own board, by the way.
I’ve seen some interesting things in my career. I can’t knock any of them. These are all successful organizations that can pay my fees. It’s one of those things where I’m not going to knock it, but I do always want to suggest there could be a better way. That’s the solution. At the end of the day, the board and CEO get to make the choice. That’s another thing, “Is conflict okay?” Absolutely. “I’m going to say my part. You’re going to say your part,” and then at the end of the day, I’m going to do exactly what leadership tells me to. I’m going to try to do it in the best way that I can to accomplish what we both want to accomplish. That’s the other kind of trade-off.
It is a trade-off. It’s always a negotiation. If somebody tells you to do something and you think it’s wrong, you should say that, regardless of where they sit or the title. You don’t just go, “No, your baby is totally ugly.” You go, “You know what makes your baby cuter? Let’s put a big hat on them.” Anybody who is in leadership or at a board level is there because they know some stuff. Help them get smarter. You’re always going to have a way better day when you do that.
You mentioned teaching. Getting back to the role of the CISO, do you have the opportunity to teach? Is teaching different from leading? You need to lead a team, and especially with a company this size and impact at Insight, you have to lead. I’m the son of a teacher. For me, teaching feels a little more raw, where there can be dragons. Do you have that opportunity? Do you want that opportunity? Should CISOs be in a teaching position?
I seized that opportunity. It is my job, but leadership is on a timeline as well. When you talk about team development, it’s the early stages of that where you got to have more influence and set the strategy, and then the team starts to be able to perform well together, then I’m done. Not done, but I’m guiding them as opposed to teaching them.
In the teaching maturity model, there’s the awareness part, “I’m finally aware of something.” We joked during our call where I was like, “People who are incompetent don’t know they’re incompetent.” There’s this awareness aspect and there’s understanding. Once somebody does understand, then there’s a quest for more information. That’s not just me. That’s the world or the universe that’s helping them out at that point.
I am there to say that, “This is the way that we’ll march.” Let’s pick up a whole bunch of stuff and all doesn’t come from Jason, at that point. It comes from everywhere. That’s how innovation happens. That’s how good stuff happens. Everybody’s like, “You’re the thought leader?” I’m like, “No, we are the thought leaders,” because thought leadership is questioning stuff. It doesn’t mean you showed up with the answers. It means you’re going to take some stuff that everybody believes is right and test it. You then learn stuff. Everybody should consider themselves a thought leader. That doesn’t mean you’re the absolute expert on everything because that’s ridiculous. We have Google. Let’s question some stuff. It may work or it may not.
For the love of all that’s holy, consider yourself a thought leader but don’t ever call yourself a thought leader. You came into your current position at a transitional time for Insight. There was a new CEO, a new CIO, and a new president. What opportunities did that present? Depending on the context around it, it could be chaotic but it could also be utterly inspirational and a time for amazing creativity. What did you get to do rolling into that position at that time?
We’re still fresh. Some leadership is still new, but it was this spark of awesomeness that all happened at the same time. Our previous CEO is retiring and it was his vision that was the catalyst for this. He’d been here for a long time. Many senior leaders that weren’t at the C-level are still a part of this journey that are making it as well. You have a brand-new CEO who was under advisement from the previous CEO as the role transitioned. You have brand-new service leads, a new president, CIO, and CISO. We spoke together and it was cool that we got all these people. When they acquired all of these folks, they acquired a similar mindset. On purpose, they knew this transformation has to take place, the board and all those folks who did a smart thing.
The organization has been around for 30 years. How do you lead this transformation? It starts with a bunch of fresh ideas to leverage the legacy of what it is, and then move forward with it. We got here for a reason. We can’t discount that by any means if we’ve all got to make the turn. That means nothing is sacred at that point. You got to go forward and everybody gets to change and transform. I’ve been here for seven years. That doesn’t mean I’m right and never have to change. It means that we’re all going to have to change together.
Even years is a long time but it’s not that long.
I hope I’ll be here for seven more. I’m expecting to write my book and other people are as well. There’s a cool thing that’s going to happen here. We’re on the other side of it and it’s going to be cool. That’s a minimum requirement. “Can we do it cool?” Yes.
Every single person has the capability to affect security in a positive way.
On that particular point, hard segue, can we talk about guitars? You have been playing the guitar for over 30 years. You are the lead singer of a band of some repute in the Southeastern United States, but you also know a lot of people in this business. It feels like there are a lot of musicians involved in our thing. I do not play an instrument, but you do. I’m curious, from your experience, where’s the connection? I’ve had the good fortune to talk to a lot of people who play the guitar and piano. Those seem to be the ones more than anything else when it comes to hacking and security and that sort of thing. In your experience, do you find an intersection between being a musician and being a technically awesome person, and how the brain works?
I play a lot of different instruments. It was MIDI that got me into music, in general, because I was a computer nerd. This was before general MIDI was a thing. I was like, “I can make these things talk and I can do all this stuff myself because I’m a freak and keep weird hours.” I’m trying to get a bunch of people together to be in a band. I was able to hook all that stuff up before the windows could overlap.
I do find tons. Every time somebody finds out I do anything musical, we’re passing stuff along. It’s the greatest thing because now even in the pandemic or remote, we can totally collaborate on a legit level. Part of my job as a CISO is performance. Performance is a thing. For people who do a performing arts perspective, this is another performance. I’ve said it before. How you do one thing is how you do all things. As much of a freak as you are in one area of your life, you’re usually a freak in it.
I don’t typically get folks who dabble. They’re like, “I know how to play Smoke on the Water. I have this super intricate setup and I make my own guitars.” These guys go to the nth degree and that’s what’s brilliant. I always joke, “Tell me the thing you’re a freak about.” When new people come and see me, I was like, “What’s your freak?” A lot of the time, it’s some type of technology-meets-performance to a degree. I think that’s cool.
For the record, everybody out there looking to work on your LinkedIn thing, my man just said, “What’s your freak?” This is a place you want to go.
What’s cool about musicians is they usually have this comradery. That’s also a big thing in the security world. Security people love to talk to security people. The salespeople, if you can talk to their CISO, they want to talk to me. I guarantee you because CISOs like to talk to CISOs. If you need a way in, tell them that their CISO will talk to them. I will talk to them and we’ll have a good time. Whether you do anything after that is not my problem. That’s your deal.
Security people like to talk and there’s a big community. That’s probably the thing I miss the most about the good old glory startup days. Everybody’s in a pit, hanging out, and doing our thing. I miss that a lot because it’s a brilliant time full of half-life and craziness. We could do anything in the world and I still think we got that. It’s cool. We sit at these round tables on two separate occasions. We’re like, “He plays the drums. He plays bass. We could have a band.” I’m like, “Yes, let’s do that next year.”
Also, all these Fortune 1000 companies. It’ll be amazing.
It’s good stuff. It’s this jam. That’s the other thing about guitars. It’s like, “I got this link that I use to practice. Do you play that?” “I can play this thing.” That’s interlocking those things too. It’s a true collaborative thing. Security is one of those things where we don’t try to keep the special sauce to ourselves. We try to share it with everybody. That makes it the best part unless you’re a nation-state hacker. That’s a different story though.
Unless you’re a bunch of dudes who just sit there, doodle, and play 28 minutes long songs like fish.
It’s completely okay.
Says the guitarist to the guy who doesn’t play the guitar.
Music is one of those things that got me in the business. It drove me more into the computer side of the house doing the MIDI stuff. Breaking news, I had a recording contract back in the early days, right before I met my wife. It was a single act. I did all my own stuff because I did use MIDI, so everything was me. It never got released.
Did you have long hair and questionable facial hair?
No. I wish. I’m going to share the headshot at some point, but we won’t post it. I was pretty much a boy band-ish kind of thing. I did the music. I was a computer nerd my whole life. What can a computer nerd do to improve his chances of having any communication with anyone of the opposite sex? I was like, “I need to get a guitar,” and my mom approved that. She’s like, “You definitely need a guitar.” We did that. Having to record, computers helped me out and facilitated some of those things, and then I got into the MIDI controlling keyboards and stuff because I wanted to do the poppy stuff. That’s where the boy band kind of thing. I needed people chasing me through the mall.
Rick Astley became Rick Astley for a reason.
No matter what anybody in your company is doing, there’s a security implication to it.
That was literally it. I did all this stuff. When I finally got the record deal, I got lost. I was like, “I did all this stuff to meet girls.” My first track was approved and our rep says, “Let’s finish this thing out.” We’re recording the second and third tracks. I took a break, met my wife, asked her to marry me two weeks later, and then called my management. I was like, “I found the girl I was looking for,” and we’ll celebrate 30 years next month. Boys and girls, when you find what you want, you go for it.
Here is the route to happiness. Try to become a musician, get good at it, meet the woman of your dreams, and then become the CISO of one of the most important companies in the entire industry. We’ve already got the Netflix series booked. Ryan Gosling will be playing you. I will be played by Peter Dinklage or Idris Elba. We’ll see how that works out. We could go forever on this, but let’s move to the leadership corner. What do you do when you’re not doing this? We’ve talked about how you play the guitar, but what’s on your playlist? Are you reading anything? Do you cook? Do you garden? What operates the other three hours of your life that you were awake?
That wonderful woman that I talked about. She and I love to binge-watch stuff these days. We’re empty nesters. That’s also quite awesome. Have kids early.
It’s awesome that they’re grown-up adults. Not that you don’t have to deal with them anymore.
They didn’t write a book, by the way. There is not a how to raise adult kid books if anybody out there wants to do that. We’re super uber-nerds. Another funny thing, my wife and I went to rival high schools. We hadn’t met until after high school. She was the captain of the cheerleaders at the other high school and I was the nerd. Remember, I’m the computer guy that hooked the keyboards up and was trying to meet girls.
You play the guitar, come on.
Yes, that’s a game-changer. It was funny because I’ve totally turned her into a nerd. She loves all of my nerd stuff now and my boys are nerds. We got her to watch anime every now and then, and different things like that. We’re having a fun journey through some of the things that give us plenty of things to watch on Netflix. She is a willing participant and that is awesome.
I also do a lot of youth program stuff via my church and different organizations. It’s important to give back and mentor folks. One of the guys that I’m mentoring right now graduated high school and passed his first Microsoft security exam. That was super awesome. We got to share this stuff. What’s cool about the security community is all the sharing stuff that goes on. I love to speak on cybersecurity and do those kinds of things.
That’s the best possible segue into shameless plugs. Please tell us about what you’re doing with the volunteering. Call out your boy. Give him a shout-out. If people are looking for someone who apparently is pretty awesome, he might be a pretty interesting addition to your thing. Shameless plugs, plug it away.
I’m hiring this guy. You can’t have him. I’m not saying his name. He’s mine. That’s my pipeline.
Name the church. Tell them what you’re doing with these things unless you don’t want to.
Boy Scouts of America is where I do a huge amount of stuff. You can’t see this but I’m the widest possible Floridian that you could imagine. I didn’t want my boys to not go outside ever in their lives. Boy Scouts was one of those things. I was like, “We got to do the Boy Scout thing.” I became a leader in Boy Scouts and that was a cool journey because of the well-defined programs and those kinds of things. My boys are both Eagle Scouts. That’s super awesome.
“Both of my boys are Eagle Scouts,” let that sit for a minute so people can brew on that.
What I found out is that there was a cool leadership course in scouting and it was for the leaders, but I became a part of that. It’s called Wood Badge. You can Wikipedia that. It’s a pretty interesting thing. It’s a leadership course that I was part of in that program. I became a staff member and a director of that course. That’s quite an esteemed thing to be a Director of a Wood Badge course. There’s a plaque with my name on it somewhere.
When you’re not running security for Insight, you’re only doing that. No pressure on the rest of us. Thanks.
It’s like a cubby course or Carnegie. There are different types of things that are out there. I did a thing at West Point with a fair group a few weeks ago. That was super cool, and a lot of the same principles in it.
This is the first time I ever wished that we had a video of this. He’s like, “I did a thing at West Point,” My eyes are rolling out of my head because why did we not mention that in the intro for this thing? What I’m saying is you do some things. You’re a cool dude.
When somebody asks a question, you can either destroy them or empower them with your answer.
My motto back when I was younger was, “I’ll sleep when I’m dead.” Now, I found out that if I don’t want to be incredibly wrinkly, I’ve got to get a decent sleep. I got to plan all that stuff out. Back to that, how you do one thing is how you do all things, when something is on my calendar, whether it’s a church thing, scout thing or a family event, it’s as committed as anything else on my calendar. I’ve got to live that way. I’ve got to be the same person at work, at home, and at any other event that I go to. That also makes it easy for me.
That integrity play that I play, it’s got to be the same across the board. I don’t want to have to do something different at work that I do at home. I don’t want to have to watch my mouth or the things I talk about. That was an important thing for me as well. I made that commitment. That’s why I’m not an evil hacker. I’m a good guy. I want to be that thing across the board. That’s my overarching theme. We got to do good and make things good.
That’s another cool thing. In security, there’s no particular affiliation from a political perspective. It’s universal from a country’s perspective. Everybody respects it. Whenever I play video games or those kinds of things, I always want to be a good person or use the good path through it. That is the underlying thread of my life. Maybe, it’s hero syndrome or something.
I’m humbled just by hearing this. I have said shameless plugs and you still don’t want to plug anything. I am ordering you to tell people where to find cool stuff, whether it’s what you’re up to, whether it’s what’s happening with the Boy Scouts or your church, with Insight, or any of the things, Twitter, LinkedIn, websites, or any of those things. You have to let somebody know how cool what you are doing is.
Hit my LinkedIn Profile, it’s JRad3r. I proudly proclaim all of these things on my LinkedIn profile. You can hit me up there. I’m spending a load of time with programs. Shameless plug here, but not so shameless considering they gave me that award you mentioned earlier. Microsoft Security Program is an organization that not so very long ago was the butt of security jokes to have a platform the way that they’ve got it. Microsoft has always been fantastic at it from an educational perspective. They’ve got tons of programs. I’m turning on loads of folks who are in high school to get into these programs. The training and testing are free. That’s the pipeline that I want to build. That program is fantastic.
As I mentioned, I’m pointing folks there. Loads of people say, “How do I get to where you get?” I’m like, “You don’t want to go the way that I went.” It’s a lot easier to start off here and it’s free, and then figure out whether you want to go to work or go to school. I do believe that there’s maybe a smidge of reorg that higher education needs to do to address at least from a cybersecurity perspective.
Would you say it’s smidge or skosh?
A schmear. I’m a nice guy but if nothing is sacred in transformation, we need to transform the way that we do cybersecurity to a higher level.
Save that for the next episode because we addressed exactly 12% of the questions we were going to talk about because everything you said was too awesome. I had to keep asking follow-up questions for that. I’ve said this in previous episodes, “Forget about considering this your official invitation for the return. This is building the mini-series.” Ryan Gosling might play you. We may have already made that joke, but we’re going to get there. Dude, it’s so great. Thank you for coming on for sharing. This is great stuff and we have so much more to talk about. Will you come back?
I will. We could be roommates as far as I’m concerned. It’s awesome to have met you. When you find like-minded folks who want to do cool stuff, that’s always exciting. It was a pleasure being here and I’m happy to come back anytime.
We gotta get loud and rowdy. We have had a list of guests so far that are incredible. Here’s the weird thing, none of you know each other. That is the best part about what I get to do. At some point, whether it’s RSA or Black Hat or DevCon, you’re all going to be there. I am going to bring you all into a room and stand off to the side and say, “Go.” Until then, I got to tie this one up. Thank you for joining us.
For more information on all that is good in the world of cybersecurity, make sure you check us out at @hello_Elevate on Twitter, also on LinkedIn and Facebook, and ElevateSecurity.com. You can find me at @PackMatt73 across all of the socials. All we ask is you subscribe, rate and review. You’re not going to miss any of the cool things in this. You got to give us five stars. I’m still ripping off my guy, Bomani Jones. If you don’t give us five, I am inclined to think you are a hater. It just keeps getting better and better.
Not that the previous guests weren’t awesome, but I am so jazzed right now, Jason, from talking with you. Straight up, I’m going to go to the gym. I’m going to go throw plates around for three hours to listen to Slipknot because I’m in too good of a mood to not do something like that. Everybody else, we will see you next time.
- LinkedIn – Elevate Security
- @Hello_Elevate – Twitter
- Facebook – Elevate Security
- LinkedIn – Jason Rader
- @PackMatt73 – Matt Stephenson’s LinkedIn
About Jason Rader
Named 2022 Security Changemaker of the Year by Microsoft, Jason is a seasoned security thought leader with more than 25 years of experience helping businesses operationalize security solutions to drive measurable results. As VP and CISO for Insight, he leads the cybersecurity consulting team, helping clients build strategic solutions spanning people, process, and technology.