Ep. 42 Hero S2 Ep42 Jay Kaplan

Decoding Cybersecurity: Jay Kaplan on How to Protect Your Business from Cyberattacks

UNITING TECHNOLOGY AND HUMAN INTELLIGENCE TO FIGHT CYBERATTACKS

29 min

Ep. 42 Hero S2 Ep42 Jay Kaplan

29 min

Jay Kaplan is a renowned security expert and entrepreneur who has served in many high-profile cybersecurity roles—including at the Department of Defense and the National Security Agency. He was also selected as Forbes 30 Under 30 in Enterprise Technology. After seeing a gap in the cybersecurity space, in 2013, Jay co-founded Synack, a company that’s developed a premier security testing platform. Today the Synack platform protects federal agencies, DoD classified assets, and a growing list of Global 2000 customers. In today’s episode, Jay talks about the rise of ransomware and crime syndicates, and he offers simple yet effective security strategies organizations, and individuals can apply right now. What are some of his biggest tips? Focus on your people, sensitive data, and endpoints.

Read transcript

"My hope obviously is that most companies are waking up to the fact that they're not doing the basics and they're enabling these attackers to get a foothold inside of their networks... We are in a really solid place, which is why cybersecurity companies will continue to thrive."

Quick takes on...

How people started working in cybersecurity


"People that transitioned into the cybersecurity field generally were doing something else. They were handling infrastructure, they were system administrators, they were software developers, etc., and they just became fascinated in this subject."


The complicated nature of cybersecurity


"I think there really is no manual to have a comprehensive security strategy. It's not like you go read the Security for Dummies book and go through the pages and you're good. So it makes things very complicated.”

Meet your guest, Jay Kaplan

CEO and Co-Founder at Synack

Spotlight S2 Ep42 Jay Kaplan

Jay is a world-renowned cybersecurity expert who has held various technical security positions at the Department of Defense and the National Security Agency. In 2013, he co-founded his business Synack which is backed by top-tier venture capital firms including Microsoft, Google, Intel, and Kleiner Perkins. The company’s mission is to leverage a crowdsourced network of highly vetted security researchers coupled with advanced technology to help enterprises discover security vulnerabilities before they become exploited.

Listen to the next episode

Ep. 43 Home S2 Ep43 Tim Prendergast

Decoding Digital Security: Tim Prendergast on Cloud Security and Infrastructure Access

MASTERING CLOUD SECURITY AND THE POWER OF TEAMWORK

27 min

“No one ever gained a lot by risking next to nothing.” This is why Tim Prendergast has been so successful in everything he’s done, because without risk, there is no reward. Prior to his work at StrongDM, Tim was the principal architect for Adobe's Cloud Team and then became a seed investor in technologies that he truly believes in. Tim is an expert in all things cloud security, cloud infrastructure, building and scaling SaaS businesses, and legit barbeque. Today, Tim is CEO of StrongDM, a startup solving the problem of how to get people to access infrastructure in a safe and sane way. In today’s episode, Tim talks about how all great innovation starts with pushing the envelope of what’s possible, the transformation of the security industry over the past few years, and the power of teamwork within a tech startup.

Episode transcript

[00:00:00] Jay Kaplan: People that transitioned…

[00:00:00] Jay Kaplan: People that transitioned into the cybersecurity field generally were doing something else. They were handling infrastructure, they were system administrators, they were software developers, et cetera, and they just became fascinated in this subject. Anyone could get their hands on cybersecurity training programs and understand like, is this something that actually interests me and something that I would want to potentially pursue?

[00:00:31] Dan Saks: That was Jay Kaplan. Before Jay got his start at Synack, he served in many different cybersecurity capacities, including roles at the Department of Defense and the National Security Agency. Jay was also selected as Forbes 30 under 30 in Enterprise Technology. Today, Jay is the CEO of Synack, a premier security testing platform.

[00:00:55] In today's episode, Jay talks about the rise of ransomware and how to protect yourself and your company against it. He also discusses the evolution of cybersecurity over the last decade and how consumers can secure their accounts. This is Daniel Saks, president and co-founder of AppDirect, and it's time to decode cybersecurity and best practices when it comes to securing your information.

[00:01:23] Welcome to Decoding Digital, a podcast for innovators looking to thrive in the digital economy. I'm your host Daniel Saks, and I'll sit down with other founders, CEOs, and changemakers to decode the trends that are transforming the way we work. Let's decode.

[00:01:47] I'm Dan Saks, co-founder of AppDirect, and what we really wanted to do is kind of step back from the tactics of the security space and really look at an industry thought leader who can help position some of the more complex and real elements of security that really kind of penetrate the psyche of businesses and governments.

[00:02:06] And I was really grateful that my good friend Jake Kaplan, accepted to speak with us here, as he's one of the most foremost experts on security, and definitely from many that I've spoke to behind the scenes conversations that we've had really insightful and exciting tidbits. So by way of background, Jay who's joining us is the CEO and co-founder of Synack, a premier security testing platform.

[00:02:28] Just a note, while Synack is not currently available for reselling a catalog, I'm really grateful that Jay spoke to us as a thought leader and can give you some real insights on government and business. And I couldn't be more happy to welcome Jay to our State of the Union webinar. So welcome Jay.

[00:02:43] Jay Kaplan: Thanks, Dan.

[00:02:44] What an intro. I really appreciate it.

[00:02:45] Dan Saks: So let's jump right in. So what got you started in the security space in the first place, and how did you end up working at the NSA?

[00:02:54] Jay Kaplan: Yeah, so I guess my introduction to security started at a pretty young age. When I was a teenager, I started a shared web hosting company, and these are the days before Amazon AWF and Squarespace and Wix.

[00:03:05] And if you wanted to get your website online, you basically rented. Space from a company who co-located that server space. And then you would go, you know, upload some raw html documents like old school. And one of the most fascinating parts of that business to me was locking down our customer's websites.

[00:03:21] We actually had one customer's website get to and breached. And I think it was that moment that I'm like, how is that possible? And then I started going down a rabbit hole and getting more and more interested in the field. And one thing led to another and fast forward to college. The NSA DOD runs a program called Cyber Core, where basically they fund you through university and then you go work for the National Security Agency after kind of scholarship for service.

[00:03:46] And so it was really the most of the foundational knowledge that I have today is from my experience at the NSA. But I think the fascination started at a pretty young age. Well before that.

[00:03:56] Dan Saks: Got it. So most of us have watched 24, Homeland, and all these different shows that talk about the NSA and the CIA and the DOD.

[00:04:04] But other than kind of fantasy, it's really hard to see what manifests in real life. And you've kind of had that behind the scenes experience, but what was it like, you know, starting with your experience at the DOD and what perspective did it give you on the reality of security as a threat to businesses and government?

[00:04:20] Jay Kaplan: Yeah, so interestingly I had an opportunity to kind of work on both sides of the fence. So DOD, an agency called the Defense Information Systems Agency. It's a combat command agency, which helps stand up the backbone of the Department of Defense and all of the Navy, Air Force, Marines, et cetera, just to make sure they're online, they're secure, they're running.

[00:04:37] It was also an agency that's responsible for setting up the networks for the president when the president travels around the world so that he has secure communications and. He wants to speak to his advisors, et cetera. He has a very easy way to do that wherever he goes. So it was at that agency that I actually got more exposure to the defense side.

[00:04:56] So being an incident responder basically means that when something happens, you're the one that's going in and doing the forensic investigation, figuring out, okay, how do we make sure that this doesn't happen again? How did the person get in? What information was leaked? And then red teaming is more, kind of hacking for defense.

[00:05:13] So basically taking more of an adversarial view of a specific environment and figuring out if an adversary was going to try to break into this environment, how would they do it? So I kind of straddled both, but it was much more defensive oriented. And then as I transitioned to the NSA when I graduated college, That was on the complete opposite side.

[00:05:32] So that was basically on the attack side as a state-sponsored computer hacker, which arguably is the coolest job you can ever have in the federal government, in the cybersecurity space, in my opinion. But it gives you a very unique perspective, right? You take the best capabilities around the world, best people, and you have a very important mission.

[00:05:49] But I think it makes you realize pretty quickly that the incumbent solutions on the market that help these foreign networks and companies, et cetera, try to lock them down. They're not working. They haven't scaled with the times, and I think that was the aha moment for me, you know, five years into NSA when we decided my co-founder to leave and try to do something about it.

[00:06:08] Dan Saks: It seems like even as technology in the security space is. There's still people who are ahead and people who are behind. And you know, you gave the example of working in counter-terrorism and how you could probably outsmart many other terrorist networks and groups. But when we think about day-to-day vulnerabilities that could hit a business, what really defines the sophistication or sophisticated people versus people who are laggards?

[00:06:31] And how do people and the industry really stay on top of that evolution?

[00:06:35] Jay Kaplan: Yeah, I mean, it's a great question. You know, obviously the threat gets more and more sophisticated over time and it changes. You know, I think if you asked me five, 10 years ago, what is our greatest threat to businesses and government agencies? I'd probably tell you state-sponsored attacks.

[00:06:50] So you know, whether that's Russia, China, North Korea, et cetera. Most sophisticated attacks. They have a lot of resources and money dedicated to stealing intelligence, stealing sensitive information from any corporate network to help advance their strategy. And it really has shifted though. And I think if you look in the past just two to three years, I think our greatest threat right now is much more tied to crime syndicates.

[00:07:16] So people are recognizing that they can actually make money by hacking into foreign network. Ransomware is well on the rise. I'm sure you guys read about it all the time. Reality is this. If you put down a piece of ransomware inside of a network and you say like, the only way you're gonna unlock this machine or this network, or this data is by paying some sum of money.

[00:07:37] Honestly, most companies are just paying and it's the result of the insurers, cyber reliability insurers are just saying it's a lot easier for us to just pay this money rather than try to remediate and claw back from backups. And so what this has done, it's kind of created this new market where crime syndicates are probably the most prevalent attackers.

[00:07:57] Whereas before there was no real easy way to make money. And obviously with cryptocurrency, that has only made it more easy, where you can't track the actual funds that are being sent to these syndicates.

[00:08:07] Dan Saks: Yeah. Fascinating to see that evolution. I think with state sponsored issues, it's really hard to address, especially if you're in the US and across our network and community and my peers.

[00:08:15] I've seen a lot of incidents in tech companies. Where foreign state sponsored attacks come, and there's really no one to disclose it to. It's hard to cooperate, it's hard to track it down. So there's almost incentive to not talk about it because you really don't know who to go to for help. But on the crime syndicate side, I assume that the ransomware and the impact on businesses is more prevalent and there are kind of people out there.

[00:08:39] You do want to address some of these issues and you wanna safeguard your business. So maybe this is kind of leading into Synack a bit. Talk to me about how companies can help really protect against some of these modern threats, particularly ones that have such strong financial impact.

[00:08:54] Jay Kaplan: I mean, I'd say most of these attacks, quite frankly, they're not that sophisticated.

[00:08:58] Generally speaking, these attackers are successful because most companies are not doing the basics. They're not properly handling patch management. You know, they're servers that are not updated with exploits available. They're not doing a certain level of code review from a security perspective. And then in our business it's, we're in the pen testing space.

[00:09:17] So it's really about how do you kind of take best in class security researchers, point them at your environment and try to understand if someone was malicious trying to break in, how would they do it? Similar to my work on the red team at DOD, and this is all table stakes, right? This is all basic stuff that every company should be doing, and then it extends to the people as well.

[00:09:36] I mean, you probably hear that fishing attacks are probably the most successful type of attack right now. Just because people are the least common denominator. So having, you know, appropriate levels of education within your organization to make sure that people understand what does a malicious link look like and what is something that looks safe?

[00:09:54] You know, what should you look for? What does a suspicious email look for? How do you report it? You even see CFOs sending wire transfers out, based on emails coming from random sources, which blows my mind that it still happens, but it happens all the time. It's crazy. So there are tons of factors, but I think people really need to think as much as possible like the adversary.

[00:10:13] And that's kind of how we approach things.

[00:10:16] Dan Saks: So as you're selling to your business customers or as you're looking at businesses that are adopting security solutions, what are some of the key vectors in how to position to a business and to have them really both understand the urgency and the importance to safeguard themselves in the right way?

[00:10:31] Jay Kaplan: Yeah, I think one of the challenging elements of cybersecurity is that there's so many disparate solutions focused on different parts of the problem. So it sometimes becomes daunting to take a look at every company that's out there and try to sift through, okay, like, what do I actually need to do? Like, what should I focus on?

[00:10:48] And I think depending on the size of business, the type of data, the type of technology that will. But you know, I think there really is no like manual to have a comprehensive security strategy. It's not like you go read the Security for Dummies book and like, you know, go through the pages and you're good.

[00:11:05] So it makes things very complicated and there are more and more startups coming out of the incubators. It is insane how many companies there are in this space right now. Not to mention like Synack takes a very different approach to neural pen testing problems. So we have a worldwide network of freelance ethical hackers now in over 90 countries, and the goal for us is to create a much higher efficacy version of security assessments that most companies are engaged with.

[00:11:28] You know, previously usually you'd use a consulting firm like a PWC or Deloitte. For us, it's “Let's deploy a hundred of the top hackers in the world, obviously ethical hackers, to your environment so that we can understand what are they successful at penetrating and what data are they able to expose?”

[00:11:45] So it's a very different model, and that's just one example of the layer of the security stack that you can bite off, but there's a lot more you need to be doing.

[00:11:53] Dan Saks: Got it. Super fascinating. And for your customers in particular, when you're positioning your product alongside, like you said, the kind of diverse amounts of groups, is it typically someone who's had an incident that then says, okay, we need to bring you in cause we realize the gravity of the problem?

[00:12:07] Or are you often able to position effectively just kind of knowing that people are looking for extra protection?

[00:12:13] Jay Kaplan: Yeah, it's definitely a little of both, right? I mean, I think a lot of big enterprises are very proactive. They have security teams, Chief Security Officer that typically reports to the CIO, and then there's board level interest now, which we've never really seen before.

[00:12:26] That's really only started over the past several years where boards are asking what are we doing from a cybersecurity perspective? And CSOs are sitting at those meetings. So it's really interesting to kind of see the level of awareness happening at the highest levels of the largest enterprises in the world.

[00:12:40] So yeah, I. Whether you have a security team or not. Smaller companies obviously don't have the ability to hire talent. So what else can I turn to? And for us, obviously we can augment some of those resources, but it's all about layering on services on top of best in breed products and enabling those companies to kind of do the services for them, which is more their core competency than most of these companies.

[00:13:04] So we're in a very interesting time as it relates to cybersecurity talent. It's definitely one of the biggest challenges of our time, in my opinion.

[00:13:11] Dan Saks: Jay, I wanna dig deeper on this evolution from foreign sponsored threats to crime syndicates. But tell me about how you've seen the evolution of cybersecurity threats over the last decade, and where do you think things are going into the future

[00:13:23] Jay Kaplan: Historically, you know, if you asked me 10 years ago, probably when I was still back at NSA, What should we be most worried about? Certainly there are hackers on the internet that were not state sponsored or tied to any specific governments, but they weren't doing it for monetary reasons. They were kind of just doing it to kind of prove a point to, you know, to face a website that they didn't believe in or whatever.

[00:13:48] And so it was basically that. And then it was like Russia, China, North Korea, other parts of even Eastern Europe that were using the internet as a way to enhance their intelligence capabilities, recognizing that they knew they could never win a war on the battlefield. But when you have very advanced, sophisticated attackers that are online, it actually, you can probably win in the cyber sphere, which is kind of actually fascinating and I think a lot of people are really worried about it.

[00:14:21] I don't think we've ever seen an attack that's been so detrimental from a state-sponsored perspective, but it definitely is still an issue.

[00:14:30] Dan Saks: And from a state-sponsored perspective, do you think that they're just holding onto the data that they can use in the future as dirt or they're leveraging IP theft to get ahead on technology?

[00:14:38] Or are most of the actions kind of real-time where they are looking to gain real-time access to something to then expose an incident?

[00:14:47] Jay Kaplan: I think it's a little of everything. I mean, certainly a lot of state actors are doing this for intelligence. It's no secret that the US government does this, you know, hacks into foreign intelligence targets to better inform our decision makers than policy makers.

[00:15:02] I think beyond that though, what you're seeing are state-sponsored attackers now prepositioning themselves in critical infrastructure, and I give a talk about this several years ago. This is definitely on the rise. So OT environments, basically these are environments that shouldn't necessarily be online, but we're finding more and more they have been connected as foreign actors are prepositioning malware in these, you know, water, utilities, energy grid, et cetera, so that if they ever need to use that piece of malware, they're already there.

[00:15:36] And that's probably one of the scariest things for me, just knowing that they could, you know, wreak havoc to our financial sector, they can actually cause real harm and, and lost lives by affecting, you know, how water is being processed. And it's scary. I think we're just getting a handle on it now. I think the government is starting to invest a lot more solutions in trying to shore up these utilities.

[00:16:01] But the reality is they're so small, right? These are local utilities that have no resources for cybersecurity. They never even thought about that before. And so there's been this kind of dramatic shift where the federal government is starting to play a role in helping shore up the cybersecurity of local municipalities, which is a big change.

[00:16:19] Dan Saks: So where we've seen this shift that you highlighted from foreign state sponsored attacks, now crime syndicate attacks really for financial gain. Is there a future evolution of next gen category that could emerge? Or do you see that there's still gonna be a clarification of different crime syndicates for financial gain?

[00:16:36] Jay Kaplan: Yeah, today they're still very, very successful, so I don't think the crime syndicates are going away anytime soon. We'll see. My hope, obviously, is that most companies are waking up to the fact. They're not doing the basics and they're enabling these attackers to get a foothold inside of their networks, and they're enabling them to, to even put down the round somewhere in the first place.

[00:17:01] But I think we're a ways away, though. We are in a really, you know, solid place, which is why cybersecurity companies will continue to thrive and cybersecurity services to help, you know, smaller businesses understand what they should be doing from a strategy.

[00:17:16] Dan Saks: And you know, as you mentioned, there's just such a broad landscape of cybersecurity companies and it's hard to see through the noise.

[00:17:21] You know, big business that has dedicated resources for, with a chief security officer. Even for them, it's hard to navigate the proliferation of tools, but if you're a small business, it's that much harder. What do you think the average business or even consumer needs to use as kind of basics to protect themselves and how do they get the right information without, you know, overload to the point where they kind of give up?

[00:17:44] Jay Kaplan: I mean, if you think about the consumer, people always ask me, they go, Jay, you know, what should I be doing from a cybersecurity perspective? Like me personally? And the basics are two-factor authentication on everything. Use a password manager and don't reuse passwords on any of the websites that you use.

[00:17:59] So create randomized passwords, monitor all of your kind of credit reports, and make sure you're getting alerts. If anyone tries to open up something under your name and just keep updating your computer, updating your. Reality is that you know, no one's really targeting you. Like the government doesn't care about you unless you're doing something you really shouldn't be doing.

[00:18:22] Beyond that, you know, when you're a small business, I think you need to think about the people. I think you need to think about your most sensitive data, and I think you need to think about your endpoints. So endpoints can be the machines that your employees are using, and so people, you need to educate them on phishing attacks.

[00:18:37] They need to understand what a bad website or link looks like. Make sure that they're not giving up their password information to someone malicious. And if you're using, you know, Google for email. If you're using Microsoft 365 for email, they have a lot of things built in that will help identify a suspicious email from a not.

[00:18:58] So that obviously helps as well. Then you think about your endpoints, so any laptop that an employee is using, Any mobile device, you gotta keep them updated. There's a reason why updates come out all the time. It's because they have security vulnerabilities associated with old versions of software. And so by keeping that stuff shored up and updated on a regular basis, that actually really, really helps.

[00:19:18] And then I think finally you have to think about the most sensitive data and where that data is housed. So whether that's inside your own networks, inside your own applications that you're building home. Or third party, you know, cloud software solutions. You wanna make sure those solutions are locked down.

[00:19:33] So you should be doing constant, you know, vulnerability assessments on those environments. And you should make sure that you practice kind of least privileged access. So you wanna make sure that people don't have access to the databases and the data unless they absolutely need to. So you should have, you know, multiple layers of authentication, et cetera, built into these environments.

[00:19:56] But yeah, there's a lot more, you can be doing more sophisticated solutions, but hopefully that covers some of the basics.

[00:20:03] Dan Saks: Yeah. One of the things that I've found is that like once you have an incident or once you catch something, that's when you really stop and say, okay, what are all the ways we can protect ourselves?

[00:20:11] But it takes a while for companies to kind of get to the point where they're gonna have those threats of attacks. And one of the things that I've found, and I think you alluded to this earlier, is. The cost of an investigation can be very costly. It can impact your customers, and oftentimes you don't really know what's happening at the beginning.

[00:20:29] So you know there's an incident. Is it actually a hacker or is it an issue with your database, or what is the issue? And then really to get the right people in to do that investigation is costly, timely, and sometimes it can send mixed signals where you think you're being hacked, but you're actually not.

[00:20:44] So yeah. How do you feel? Is there a best practice that companies should take when something happens on how to understand how deep they go in terms of an investigation, but at the same time be transparent to their customers or their stakeholders or groups when necessary?

[00:20:58] Jay Kaplan: Yeah, it's a great question. You know, I think most companies don't have any sort of incident response plan.

[00:21:04] So when they get breached, it's kind of like a hair on fire events. Like, okay, what do we do now? But that shouldn't be the case. Every single company in the world should. Basically an SOP that says, you know, should we ever get compromised or breached, or even if we don't know, but you know, we're trying to figure that out.

[00:21:21] They have a plan. They know what company they're gonna go to to call for an incident response. They have a communication plan drafted. They have an easy way to reach out to customers at least, you know, keep them in the know what's going on. I think transparency is absolutely one of the most important things you can do.

[00:21:36] The government even forces now notification to certain federal agencies depending on the type of data that's exposed. So you should be aware of what those regulations are and what those reporting paths look like. And then beyond that, you know, I think, you know, there should be people in the organization that are just well versed on.

[00:21:55] It's probably gonna be part of your IT organization unless you have a security team. But they should be well versed on the tooling that would be used to do. Obviously they're not running the tooling themselves, but to do the investigation so they can at least try to figure out like on the surface, is this actually like legitimate or like, do we need to call in an incident responder?

[00:22:14] I can tell you they just had a recent event with a customer that they received nothing more than an email saying, you know, you've been. We have ransomware down on your machines, but unless you pay us 50 million, we're gonna lock all your systems. Like how do you know if that's real? It turned out to just be someone just submitted a contact inquiry on their website and they thought like, how do you know for sure?

[00:22:39] Luckily, they had a security team and they were able to do some investigation and figure it out that it was purely just an email. But you should have a way at least doing some of the basic legwork to understand, have you actually been compromised or not.

[00:22:53] Dan Saks: And then you mentioned the surveillance of cybersecurity insurance.

[00:22:55] Are you finding that a lot of companies are getting that coverage and that's helpful?

[00:22:58] Jay Kaplan: Absolutely. Yeah. I think it's really important for every company to have liability insurance policy for even peace of mind. But most companies today won't even do business with you unless you have one of those policies in place.

[00:23:11] It's, you know, it's like DNO or ENO. It's become like table stakes for transacting. So I think it's really important that you have a policy and a policy that's big enough too that would cover, you know, ransomware, incident room cover, incident responders coming in. Cause it can be incredibly costly if you hire out the top incident response companies, you know you're talking about millions of dollars.

[00:23:32] So you want a policy that's going to make sure that you have those resources available to you when you need them.

[00:23:38] Dan Saks: I know it's Synack, you're really pioneering the combination of human intelligence with artificial intelligence. But as we've seen in many cases, AI is advancing at tremendous rates, and I assume that hackers and other bad actors can leverage artificial intelligence to penetrate new ways.

[00:23:55] Is that something you've seen to this point, and is that something that you'd be concerned about from a societal perspective?

[00:24:01] Jay Kaplan: I mean, from a security standpoint, what we're finding the reality is, is you can’t automate or use AI to solve everything. Like you have to have people as part of this equation. It's how we created the entire business, right?

[00:24:13] We recognize let's automate as much as we can, and then from a vulnerability identification standpoint, and then let's take kind of the remaining 40, 50% of the vulnerabilities you can spot using automation and utilize security researchers who have the talent. If you kind of think about like if you're trying to hack into a foreign banking website, and you're a piece of automation, all you see are a bunch of forms.

[00:24:33] You see some text on a page, you can send some parameters, and you're looking for predictable patterns to come back. You know, from a form response. If you're a person, you understand? Okay, like. If there's this account and then there's other account if I'm able to actually transfer money from this account to this other account, but I shouldn't be able to do that, like that's a bad thing, a business logic issue.

[00:24:56] So no piece of automation will ever understand that, at least in our lifetime. And so that's why people are still so important as part of the security equation. Most of the top cybersecurity companies today have added services layered on top of their solutions because as I mentioned before, we have a massive talent crisis that currently exists in security and most companies can't hire their own cybersecurity talent.

[00:25:16] Instead of them trying to hire, they're using these additive services that sit on top of these products to run those products for them. And frankly, I believe that's how they should be doing it. Right. If you're a big enough company, you need people in-house to think through the strategy and implementation and you know, a Chief Security Officer has a very important role, but if you're a smaller business, I think it's really challenging.

[00:25:38] Dan Saks: Got it. And what advice would you give for. Someone who wants to kind of enter in the cybersecurity space. You mentioned that there's 3.5 million job openings for cybersecurity. There's probably a lot of talent that wants to enter. How do you kind of get the background? Is it education or some other means?

[00:25:53] Jay Kaplan: Security is an interesting space because it's still pretty nascent. People that transition into the cybersecurity field, generally were doing something else. Like they were handling infrastructure, they were system administrators. They were software developers, et cetera, and they just became fascinated in this subject.

[00:26:08] And so anyone can get their hands on cyber security training programs, whether they're courses or books or whatever, to just be more immersed in the field and to understand like, is this something that actually interests me and something that I would wanna potentially pursue? But we have such as you mentioned, like there is such a gap right now.

[00:26:28] So if someone's willing to learn, there will be a job for them. It's just one of those industries right now, and even with the economy the way it is, cyber security jobs are not going away anytime soon.

[00:26:39] Dan Saks: Well, I think we've covered the gamut. It's been really exciting. But I just wanted to kind of go back to some of your earlier experiences at the NSA and DOD.

[00:26:45] What's your current view of how ahead the NSA would be from other security agencies and you know and how do they stay on top of the new trends to protect ourselves, but also really gain foreign intelligence?

[00:26:57] Jay Kaplan: I still firmly believe that NSA is the most, you know, sophisticated, smartest organization in the world that deals with you know, cybersecurity, both offensive and defensive.

[00:27:07] Though a lot of the defensive mission has shifted to other parts of the government. I think there was always kind of this tug of war battle with nsa. You know, having them both have the mission on the offensive side and the defensive side. You can't have it both ways, which is kind of funny because the NSA takes advantage of zero day vulnerabilities that are out there.

[00:27:29] But if they are out there, and a zero day vulnerability basically means that we know that a specific flaw exists within a widely used piece of software. But that doesn't really make sense when they're also trying to defend corporations that are deploying that software. So I think that's an interesting kind of battle that we've been grappling with, but I think a big reason why a lot of defensive mission has shifted away from the NSA.

[00:27:50] You know, it has had interesting challenges over the years with, you know, I've heard Snowden and you know, I think after that incident that happened shortly after I left, I think there were some morale issues. But I think things are in a really good place, again, from what I'm hearing from people who are still back at the agency.

[00:28:03] So it continues to be an amazing place to work, incredible mission, the stuff that you can never do anywhere else. And for the time being, we'll always remain ahead. And I think the challenge is when you compete with China as an example, where they have just so many more people than the United States, the government can hire a lot more of this talent than we can.

[00:28:22] And so I think that's probably one of our greatest threats. But for the time being, I still think we are very well ahead of what the Chinese government can do.

[00:28:29] Dan Saks: Well, on that note, Jay, thank you so much for joining us.

[00:28:34] Jay Kaplan: It was great to be here, Dan. Thanks for inviting me.

[00:28:41] Dan Saks: Thanks for listening to Decoding Digital. Make sure you never miss an episode by subscribing to the show in your favorite podcast player. To learn more, visit decodingdigital.com. Until next time.