Freshworks CISO Jason Loomis embraces the ‘shift left’ amid surging supply chain threats

Close-up photo of Jason Loomis, CISO at Freshworks

It’s been just over eight weeks since Jason Loomis took the reins as Freshworks CISO, and the seasoned security veteran is relishing the opportunity to lead one of the most dynamic cyber security teams in the software industry.

Arriving at the firm in late November, Jason joined after serving as CISO at California-based SaaS company Mindbody for nearly four and a half years, where he played a key role in building a robust security programme and scaling the security function.

While Loomis notes he was sad to leave a company with which he’d established a long-term emotional connection, he says the time was right to embark on a new challenge. “It’s almost heart-breaking leaving when you’ve built something so great with a team so strong,” he tells IT Pro. “I will always love the team that I built at Mindbody. But I did what I wanted to do, and so, I was looking for a new opportunity.”

The first 100 days is like ‘drinking from the fire hose’

Jason boasts a wealth of experience in the cyber security industry. Prior to his time at Mindbody, he served as CISO at TechStyle Fashion Group, the company behind notable brands such as Fabletics, Savage X Fenty and Kate Hudson’s yoga wear line.

This breadth of experience appears to have embedded a deep appreciation for continuous learning and for understanding the varied and acute requirements of security teams. Since joining Freshworks, he says he’s continued in this vein.


Still within his first 100 days as CISO, a period security professionals often describe as ‘drinking from the fire hose’, Jason says he’s relished the opportunity to take a step back. He’s learning how the Freshworks security apparatus operates and is gaining a deeper understanding of the unique challenges the company faces.

Thus far, he seems impressed. Freshworks boasts a mature security function, which he admits is quite a contrast to his previous role building a team and scaling operations. “At my previous company, I partially had to build a team. But here I’ve got a fully functioning team,” he explains.

“For me to come in and make changes would be like coming into the Avengers and telling them ‘hey, why don’t you try things this way’ – I literally inherited a bunch of superheroes and there’s not a single person out of a team of close to 70 that isn’t a rock star.”

“For the first 100 days, it’s a lot of shut up and listen, learn and absorb. I try not to even make decisions in the first 100 days,” he adds.

This initial bedding-in period has also given Jason room to breathe, observe how his teams function, and embed his own leadership style, which he describes as highly collaborative and democratised.

“Every single decision that’s made is a team decision,” he says. “How my teams make decisions is more important than the decisions themselves. I never make a decision on my own, so it’s a group effort. And while I’m ultimately the quarterback and I’ve sometimes got to make a call, I’m always asking everyone on the team for their input. Everyone has a say.”

Getting the basics right

In leading a sizeable security function, Jason says this role gives him the opportunity to focus on getting the basics right. He’s keen to ensure customers are in safe hands amidst heightened security risks and concerning developments across the global threat landscape.

“One of the approaches I really like to focus on is the basics. There are basic controls that reduce 85% of cyber security risks,” he explains. “If you do those things well, the majority of your risk is reduced.”

The data-driven mindset Jason has adopted as part of his leadership style means he “doesn’t care about certifications”. “I’m a data-driven CISO,” he adds. “So, I want really well-defined metrics and I want to be able to measure the efficacy of what we are doing. Because, and to quote Peter Drucker, ‘if you can’t measure it, you can’t manage it’.”

This is not to suggest that he doesn’t acknowledge the value of SOC 2 or ISO certification, but to Jason these are business requirements and often don’t truly reflect how effectively a team or organisation handles its security obligations. Simply put, if the basics are done right and measured, these regulatory and compliance obligations should follow as something of an afterthought.

“For me it’s about asking, are we doing what we say we’re doing in our policies and standards? I could care less when SOC 2 comes in and says what we’re doing. I want to know that we’re doing our job effectively and covering this,” he explains. “I don’t want someone to tell me we’re doing a good job; I want the data to show it.”

Adapting to the evolving threat landscape

It goes without saying that Jason joins Freshworks, a SaaS solutions provider, during a challenging period. Over the last two years, a series of deeply troubling attacks have rocked the global software supply chain, with the SolarWinds and Kaseya breaches arguably the standouts due to the scale and severity of their impact.

The Kaseya ransomware attack in July 2021 saw thousands of customers and managed service providers (MSPs) exposed. Similarly, the SolarWinds incident affected thousands of organisations worldwide, including several US Government departments. The SolarWinds breach is widely noted as a landmark moment in the cyber security industry, and Jason believes very few organisations would have seen it coming. He adds the situation is “only going to get worse”.

“With SolarWinds, probably one of the biggest and most famous supply chain issues, I guarantee you that 99% of companies with very mature third-party risk management programmes would not have seen that coming,” he says. “So even sometimes just having basic third-party risk management, you’re not going to be able to stop things like that.”

SolarWinds logo

(Image credit: Getty Images)

The SolarWinds attack of late 2020 was one of the most significant in recent cyber security history

Cloudbees research published last year found that C-suite executives have become increasingly concerned about software supply chain attacks in the two years since SolarWinds. Compared with 2019, 40% said they were ‘somewhat more concerned’ and 42% ‘much more concerned’ about such attacks.

This growing issue has prompted a more robust approach from regulators and authorities. At present, there is a concerted focus on the Software Bill of Materials (SBOM), the software equivalent of a food ingredients label: a machine-readable list of the components, and their versions, that make up a software product, so that a customer can check what they are running against known-vulnerable components without waiting for the vendor to tell them. Jason welcomes this focus, noting that the move “is going to help incredibly” and enable organisations to mitigate growing risks.
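The ingredients-label analogy above is the practical value of an SBOM: once components and versions are listed in a machine-readable form, checking them against advisories becomes a lookup. The Python below is an added example written for this page; it is not code from the article, from Freshworks, or from any SBOM tool. The CycloneDX-style SBOM, the package names (example-http, example-yaml, example-log) and the advisory IDs (ADV-0001 to ADV-0003) are all constructed and hypothetical, and the version-range semantics (introduced inclusive, fixed exclusive) are an assumption chosen to mirror how most advisory feeds express affected ranges.

```python
"""Check the components listed in a CycloneDX-style SBOM against advisories.

Added example for this article; it is not code from IT Pro, Freshworks or
any SBOM tool. The SBOM, the package names and the advisory IDs below are
constructed and hypothetical.
"""
import json
from itertools import takewhile

# Constructed CycloneDX 1.4-style SBOM: three components, each with a
# package URL (purl) that names the ecosystem, package and version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-yaml", "version": "5.4.0",
         "purl": "pkg:pypi/example-yaml@5.4.0"},
        {"type": "library", "name": "example-log", "version": "1.9.2",
         "purl": "pkg:npm/example-log@1.9.2?arch=x86_64"},
    ],
})

# Hypothetical advisories keyed by versionless purl. A component is affected
# when introduced <= version < fixed (the fixed version itself is clean).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/example-http",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-0002", "purl": "pkg:pypi/example-yaml",
     "introduced": "5.0.0", "fixed": "5.4.0"},
    {"id": "ADV-0003", "purl": "pkg:npm/example-log",
     "introduced": "1.8.0", "fixed": "1.10.0"},
]


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.

    Only the leading digits of each dotted part are used, so '1.9.2-beta'
    compares as (1, 9, 2). A plain string compare would rank '1.10.0'
    below '1.9.2' and silently miss an advisory window.
    """
    parts = []
    for part in version.split("."):
        digits = "".join(takewhile(str.isdigit, part))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:npm/example-log@1.9.2?arch=x86_64' into
    ('pkg:npm/example-log', '1.9.2'); qualifiers and subpath are dropped."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    base, _, version = purl.partition("@")
    return base, version


def find_affected(sbom_json, advisories):
    """Return (component name, version, advisory id) for every SBOM
    component whose version falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)

    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to key on; a real tool would fall back to name
        base, version = split_purl(purl)
        version = version or comp.get("version", "")
        if not version:
            continue
        v = parse_version(version)
        for adv in by_purl.get(base, []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((comp["name"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Run against the constructed input, example-http 2.3.1 and example-log 1.9.2 are flagged while example-yaml 5.4.0 is not, because 5.4.0 is the fixed version and the range is exclusive at the top. That boundary, and the numeric rather than string comparison of versions, are the two places where a home-grown matcher most often goes wrong in practice.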

Supply chain vulnerabilities aren’t the only issue that keeps Jason up at night, however. Across 2023 he believes one of the key threats that Freshworks and the broader industry will face is the increasing focus on APIs among cyber criminals.

Salt Security recently found 95% of companies reported some form of API-related security incident across 2021/22, while another study put the cost of API vulnerabilities to businesses at up to $75 billion each year. With a rapidly evolving threat landscape, Jason believes businesses will continue to face API-related risks and highlights the issue as a “top concern coming into the next year or two”.

A key factor in this rising problem, he notes, is the proliferation of APIs and their critical role in supporting businesses to provide services. “It’s becoming core to anybody who’s a SaaS company and core to many products,” he says. “Because of that growth [in APIs] sometimes security might not have played a key role in its development. When you’re growing a new technology, as we know, security often takes a back seat.

“Are all these APIs out there being developed securely? Not as secure as in other code areas. APIs are often overlooked. And because API security is more on the business logic side, I think there’s a lot of ripe opportunity for hackers to go after due to the proliferation and the scale of it.”

Shifting left to combat key threats in 2023

Jason says Freshworks views API security as a key area of concern and, as such, he is placing a strong focus on mitigating risks. “My goal over the next year, and I know it’s one of the most overused marketing terms in security over the last few years – is to shift left,” he explains.


Shifting left is a software development principle: security review and testing are moved earlier in the development lifecycle, so that flaws are found while code is still being written rather than after it has shipped. Organisations can not only fix products from a security standpoint earlier on, but also deliver longer-term cost savings, since a bug caught in development is far cheaper to fix than one found in production.

“This is a cost-saving thing,” Jason explains. “Because the further right you go, fixing bad code in production costs up to 700 times what it would have if you had caught it beforehand. There are a bunch of gates and chains in place within the lifecycle which mean you could spend $1 now to fix it, or $700 later on. This doesn’t include other factors such as breaches, or penalties and the costs associated with that bug exposing something bad.”

Despite contending with a challenging threat landscape and heightened security risks, Jason believes he joined Freshworks at an ideal time, and looks forward to the prospect of building on the company’s established security function and being part of the future growth journey. “I want to be there for the growth at Freshworks, and I want to scale with them and ensure that security is scalable.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.