Zoom CISO’s Lessons in Scaling With Simplicity

I joined Zoom in July 2020 — a time when everything about the company had fundamentally changed. The expectations for service delivery were higher than ever, growth reached an unprecedented scale and the role of security had never been more important. 

While I stepped in during this momentous time, I was determined to bring simplicity to the organization. Let me explain why and how I did it.

Looking Back

Life as we know it changed last year, and our company was one of the many that followed suit.

People around the globe joined our platform practically overnight, as millions of users adopted our solutions amid the COVID-19 pandemic. As our customer base broadened, so did the use cases for our platform, with enterprises, educational institutions, health care organizations and more adapting and modernizing their services via our technology.

But with new use cases came new security requirements, and we had to find new ways to keep pace. Our security strategy had to remain nimble, with teams working quickly to churn out easy-to-deploy yet effective updates and features to protect a growing customer base with ever-evolving needs.

That’s when I came into the picture.

Simplicity and Structure 

Joining a company with such rapid demands for scale posed a unique challenge. We were innovating at the pace of a startup because we had to: our complex challenges existed on a global scale.

So I decided to keep things simple. That didn’t mean slowing down or reducing effort but, rather, stripping out the unnecessary to create a sustainable approach to security. Simple is often harder to achieve than complex — it meant we had to identify a structure that could future-proof our operations while still keeping teams agile, productive and effective in the face of constant change.

To me, a simple security strategy is standardization augmented by innovation. Here’s what that looked like for us: 

  • Consistency with industry best practices: We aim to follow the NIST Cybersecurity Framework (CSF), which is built on existing standards, guidelines and practices. It provides guidance and customizable activities on how both internal and external stakeholders of an organization can manage and reduce cybersecurity risk. Adhering to NIST, as well as other regulatory and compliance requirements, can help organizations make more confident decisions and deliver improved solutions to customers from the start.
  • Standardized design processes: While engineering should always design with security in mind, disjointed processes can lead to oversights, which in turn cause design errors or even bugs. By standardizing your internal processes, you reduce bottlenecks and miscommunication, enabling your teams to work quickly and effectively on projects and creating more time and space to test for security issues. 
  • A real-time feedback loop: When you’re innovating for evolving use cases, it’s vital to listen to customer feedback, especially when it comes to security features. Discover the key pain points and/or requirements for users in different industries and make that feedback your starting point for your next security decision. 
  • Persistent employee education: Researchers from Stanford University and Tessian found that approximately 88% of all data breaches are caused by an employee mistake. Employees are the backbone of any security strategy; without proper training, your organization’s scale won’t be sustainable. Create an annual security training program complemented by regular security awareness communications and ongoing employee education. Training should also extend to a company’s developer teams, who can keep learning through ongoing secure-coding training. 

Trust as a North Star

While these strategies worked for us, there’s no one-size-fits-all approach to security during a time of massive growth. As a security leader, you cannot control how rapidly your organization changes, but it’s your responsibility to instill a sense of trust in your product.

For me, simplicity was the way to build a sense of trust that lasts. Streamlining our internal processes helped us strengthen our customers’ experience and work to build a security strategy optimized for scale. No matter which direction your company heads next, trust should always be treated as your north star, guiding you along the way.


Jason Lee

Jason Lee is the Chief Information Security Officer at Zoom with 20 years of experience in technology, with a specialization in information security and operating mission-critical services. He was recently the Senior Vice President of Security Operations at Salesforce, where he was accountable for the global organization delivering critical end-to-end security operations to customers and employees, including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management, and the offensive security team. Prior to Salesforce, he held the position of Principal Director of Security Engineering for the Windows and Devices division at Microsoft, with the charter of protecting the online services of Windows Update, Xbox Live, and the Microsoft online store. He was also the Senior Director of Developer Services, where he was responsible for the design and management of the mission-critical PKI for all products across Microsoft. This included cryptographic services in products such as Windows and SQL Server, and cloud services such as Azure and Office 365. Additionally, Jason was responsible for the code-signing and anti-malware services supporting Microsoft in that role.
