Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.
Jonathan Jaffe, CISO at Lemonade, Talks Privacy, AI, and Industry Trends
In this week's interview, we sit down with Jonathan Jaffe, Chief Information Security Officer at Lemonade, to talk trends shaping cybersecurity, the funding landscape, automation’s role, and how AI is reshaping the game. Read the full interview below 👇
Question 1 💭
Give us a quick overview of who you are and what it is you do. You’ve transitioned from being a privacy litigator to your current role as the CISO at Lemonade. How has your legal background influenced your approach to information security?
Answer 1 🎯
I’ve been in security since 1997, primarily doing IAM implementations for large enterprises. Mid-career, I went to law school (at night), something I had wanted to do since I was ten. I did this while working full-time and as a father of two young children. A year after admission to the Bar, I found and prosecuted some large privacy class actions, the biggest being against Facebook.
That experience was like no other, but I also realized that I enjoy building things, and working with new technologies, more than motions, discovery, or depositions.
I returned to security, as a security product manager for a while, and then back into technical development, taking on more responsibility along the way. Now, I’m the CISO at Lemonade.
My knowledge of the law, and how to approach problems in the structured, logical manner that the law teaches, gives me a powerful approach to dealing with security and technology. When I have two risks to prioritize against one another, I consider how legally defensible my choices will be, both from technical and regulatory perspectives.
Question 2 💭
What cybersecurity trends or emerging technologies have recently caught your attention? Are there any that you think will reshape the industry?
Answer 2 🎯
The trend is to automate as much as possible. The short-term trend is to provide on-point detection and response, and to automate both. The longer-term trend is to use AI, some GenAI but much of it deterministic AI, to support the automation of these things.
AI is already reshaping the industry. It’s just the dawn of AI, but I’m already seeing—and using—AI to enhance my team’s ability to do better work with less effort.
Question 3 💭
With your knowledge of the cybersecurity investment landscape, what shifts and patterns do you see in the funding and support ecosystem for security start-ups, and how does SVCI plan to navigate these changes in the years ahead?
Answer 3 🎯
The overall trend in terms of money is still upwards over time. I don’t see meaningful changes with regards to investment, in spite of short term responses to the economy.
In terms of security domains receiving investment, fads will always come and go. Last year, it was data security. This year, it’s AI-sec. Fads will always be fads. However, the long-term trend for security technology investments is to invest in technologies and companies which automate solutions. It’s primarily through automation that buyers can keep up with the evolving threat landscape at the scale of cloud services.
Question 4 💭
How can security start-ups adapt to the advancements in AI, cloud, and other emerging technologies? What impact do these technologies have on their ability to provide effective cybersecurity solutions?
Answer 4 🎯
Security start-ups can adapt to AI advancements by meaningfully integrating AI to solve real problems, not just adding cute features. Done well, they amplify the effectiveness of security teams and allow them to increase security with less effort. AI can do this when applied with sincere intent, and not just marketing value.
Question 5 💭
Having worked with smaller startups and large enterprises, how do you anticipate the role of CISOs evolving in the next five years? What challenges and opportunities do they face?
Answer 5 🎯
I’m not willing to predict anything out five years, but with regards to challenges, I think CISOs will take on more legal liability. Over the long run this should increase budgets, improve security, force maturation of processes, and, here is the good news, increase salaries to reflect the new personal risks. I don’t think this trend will happen quickly, though. It will be a gradual one over many years.
Question 6 💭
Lemonade operates in a highly regulated industry. How do you stay ahead of compliance requirements as they evolve? Do you see the industry going in any one particular direction? How can security companies react to changing regulations?
Answer 6 🎯
We have a good legal team that is always on top of relevant regulation. This informs many of our compliance obligations. Others are informed through non-regulatory pressures, like partner relations and non-regulatory audits, like SOC2.
Because regulation is in part a response to political processes, the degree of regulation can ebb and flow with political cycles, so I won’t opine about a directional trend.
Security companies should stay abreast of proposed laws that will increase demand for their specific resources, and then market to those industries and customers affected by those regulations.
Question 7 💭
AI and cybersecurity are becoming increasingly integrated. What ethical considerations do you think CISOs should prioritize as they leverage these technologies to enhance their organization's security posture?
Answer 7 🎯
There are different types of ethical considerations with AI. I don’t feel I have an informed opinion about ethical considerations with regards to AI. However, I do think the current moral panic that assumes AI, ipso facto, embeds human biases misunderstands AI and how it is developed and used, and that it is a red herring from the real ethical issues of job destruction, mis- and dis-information abuse, and the risks of super intelligence to our species. Those are the ethical issues I think will have significant global impact.
Question 8 💭
Considering the broader cybersecurity ecosystem, what role do you believe collaboration between industry players, government agencies, and security professionals will play in addressing global cyber threats?
Answer 8 🎯
I wish all companies could share security risk information freely without reasonable fear of liability or loss of competitive advantage. Having strong security benefits all, and should be treated as a shared commodity.
I would like to see a frictionless and fast way—ideally, an automated way—where all threat info is fed into a global system and from which all legitimate parties can draw.
Question 9 💭
Having worked across various sectors, what pain points do you see CISOs facing, regardless of their industry? Do you have any strategies in your toolkit that are industry-agnostic?
Answer 9 🎯
Getting appropriate and consistent attention from management. I have some strategies, but I’m not confident they are optimal, so I don’t feel confident sharing them.
Question 10 💭
Looking ahead, what cybersecurity trends, threats, or technologies do you expect to emerge in 2024? Are there specific areas where you foresee a need for heightened security measures?
Answer 10 🎯
Last year, I predicted that API security would finally have its day. I was wrong, so I’m not going to try to predict the future again.
Latest AWS and Azure Updates You Don’t Want to Miss
- Azure Red Hat OpenShift is now available in Italy North region
- Use your preferred Socket.IO APIs, while letting Azure handle messages and scaling for you
- The ability to encrypt health data in the cloud with customer-managed keys using Azure Health Data Services is generally available
- Announcing AWS IAM Identity Center APIs for visibility into workforce access to AWS
- AWS Amplify Hosting extends server-side rendering (SSR) support to additional frameworks
Top Articles and Resources of the Week
- Amazon Offers Free Courses on Generative AI
- The 10 Biggest Cyber Security Trends In 2024 Everyone Must Be Ready For Now
- Predator AI ChatGPT Integration Poses Risk to Cloud Services
- Illumio Delivers Zero-Trust Segmentation Platform With the Addition of CloudSecure
- VX-Underground Malware Collective Framed by Phobos Ransomware
- Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
- Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
- CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
- SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
- Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.