Short Answer: It’s my calling.
Nearly a year ago, I let go.
I let go of my stress, my fears, the life-long belief that I HAD to be a CISO, and most importantly, I let go of my excessive aversion to risk.
I was baptized by security at age twelve, attending DEFCON and 2600 meetups through my teenage years. I dropped out of high school at 15 (don’t worry, I got my degrees at a more mature age), and began my professional career managing security operations for the world's first B2C data-privacy company.
A decade later, I was working for a conglomerate running DevOps and Security, quickly becoming a global CISO. Later I would move into CSO+ positions in the education technology industry, pursuing something more rewarding.
This intense, fast-paced, stressful life gave me plenty of amazing stories, and a uniquely broad–and deep–experience in both information security and technical operations.
But it also affected my health. I was working 20 hours a day, living without sunlight, and then one day started having severe physical pain. At that point I realized I needed to prioritize my mental and physical health. I needed to unplug.
I took a three-day vacation to Cabo, Mexico… which turned into three months. After much reflection, I decided I had completed my work as a full-time CISO. I met amazing friends wandering around Sinaloa, and found a new love for life. I returned to the Bay Area three months later. I hit the grindstone immediately, but this time with a new focus: building my own consulting business, JCR Security.
I was asked to speak at a series of events across the United States–a great way to discover new startups and network with people whom I could work with to build my consulting business. I spent a lot of time in hotels, typing away, taking risks, and interacting with the world's most intelligent, innovative people. Things were going very well. But then...
Enter Elias Terman - The most creative force in technology marketing
When the phone rang, I was happy to hear Elias’ voice. We’ve worked together in the past, and he motivates me like no other.
"Are you interested in a new position?" he asked--but my retort was blunt: "No way man, I'm not working anymore." But Elias pressed on, seemingly undaunted, and told me about his recent move to Uptycs.
"Hey, I know Uptycs!" I exclaimed--realizing in the same breath I knew it in name only.
A little convincing from Elias later, I decided to give Uptycs a look... Why not? There was no way I was going to take a job. But there’s something everyone should know about me. My obsession.
My Personal Obsession - HIDS XDR CDR CxDR CWPP CNAPP
Some people are really into sports, some like to golf, and I have a group of friends that collect cars–that’s a cool one.
My obsession? I’m obsessed with security and IT telemetry at-scale.
It has been a bit of a journey. Over the years there have been quite a few vendor-contenders in my quest for the perfect security solution...
I started getting a taste of what I was looking for when I built my first HIDS. Decades ago, I managed a large farm of servers. We needed something to manage OS/hardware/security telemetry. I thought long and hard about the silliest and worst possible way to implement this. I chose SNMP, traps, and beautiful BASH scripts. It worked! Somehow…
Later, it turns out I wasn’t enjoying retirement as much as I’d thought, so I was lucky when I stumbled upon Turnitin, an edtech company looking for a security leader. They had a data lake filled with over a billion submissions of written works. And around fifty million active customers. And tens of thousands of endpoints. To defend it all, I tried out some HIDS–we’ll call it Contender A. Neat. I liked the almost-free CSPM. But Contender A sold out and that was the end of them.
When we scrapped Contender A at Turnitin, we brought in Contender B. But Contender B was expensive. So I ran a partial deployment. I BECAME OMNISCIENT. Not only did this software allow me to search just about everything in the runtime state of my covered attack surface, but it also allowed me to spy on what everyone was doing.
- I made myself known by providing better alternatives to my coworkers.
- I was able to satisfy control compliance mandates for almost half of our SOC audit.
- I even used it to minimize AWS costs by finding wasted resources - it was a Swiss Army Knife.
- OK, well, turns out it costs a lot of data to store all your kernel calls in a relational database. Who knew? In their attempt to fix it, Contender B hobbled the software into an unusable pile of junk.
After Contender C was exposed, I decided it was TIME TO STEP UP MY GAME. I shouted cockily (naively), in my never-quiet internal monologue, that if it doesn’t exist, let’s get someone to build it. My team found Contender D, a company with a group of very sharp founders. Founders who knew how to process and analyze data at scale, and how to hire a team. I adored their CEO, being blessed enough to do a fireside chat with John Thompson and him. But it fizzled. And to this day, no one knows why they chose a lowercase “x.”
There were others along the way. Contenders. PoCs. Companies swooped up by other companies before they performed their “big reveal.”
Uptycs? ARE YOU KIDDING ME?!
Amidst all the melodrama, my bizarre obsession, the countless PoCs… where were you, Uptycs? Why had you not yet shown me the light?
No one says Uptycs works in mysterious ways; quite the contrary–it’s very straightforward. But long story short, it does it ALL. It was, and is, the panacea. The tool I never noticed. Me, The Man Obsessed With Security Telemetry at Scale, had never noticed it. I searched through my chats for “Uptycs.” I had even recommended it based on their reputation, prior to fully realizing it was what I had always yearned for.
If you're just hearing about Uptycs, what you need to know is it's the first Unified CNAPP and XDR platform. It’s an all-in-one, a revolution… in a digital landscape where finding comprehensive and coherent solutions is an ongoing challenge.
Uptycs reduces risk by helping you prioritize and respond to threats, vulnerabilities, misconfigurations, sensitive data exposure, and compliance mandates across your modern attack surface—all from a single platform, UI, and data model. This includes the ability to tie together threat activity as it traverses on-prem and cloud boundaries, thus delivering a more cohesive enterprise-wide security posture.
Pretty cool, right?
After taking some time to digest what you just read above, I realized I had one more phone call to make.
“Hey, Elias. Yeah, it’s Jack. So… yeah, turns out I’m your technology evangelist.”
Jack has been passionate about (obsessed with) information security and privacy since he was a child. Attending 2600 meetings before reaching his teenage years, and DEF CON conferences shortly after, he quickly turned an obsession into a career. He began his first professional, full-time information-security role at...