Securing the Future - Jason Torres - Guardians of the Data - Episode # 46

GOTD - Jason Torres
===

[00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balcerzak. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentro. To learn more about our AI-powered data security platform, please visit sentro.io.

Let's dive in.

Ward Balcerzak: Welcome back to another episode of Guardians of the Data. My guest today is an accomplished leader with over 20 years of experience in cybersecurity. Co-Founder of Chicago IIA and ISACA Hacking and Cybersecurity Conference, currently Associate Director of Security Threat and Incident Management in the healthcare industry.

Jason Torres, welcome to the show.

Jason Torres: Thanks, brother. It's good to be here.

Ward Balcerzak: Glad we finally made this happen. And, uh, you know, it was good meeting you a few weeks ago at the Innovate Conference.

Jason Torres: It was, it was. I mean, yeah, it was, you know, phenomenal conference in a, in a beautiful [00:01:00] location. It brought us both from, uh, you know, the, the gloomy Midwest down to, uh, the, uh, the sunny beach and sunny, uh, shore of, of Florida there. So yeah, it's

Ward Balcerzak: Yeah. Yeah. Fantastic conference, fantastic location. So Jason, you, you heard, you know, some, some of these questions at Innovate, right? A lot of conversation around it. So in your professional opinion, what's the biggest data security challenge organizations are facing?

Jason Torres: Oh, data security. I think that, uh, that comes up probably just as much as AI in, uh, in most conversations. But yeah, I mean, data is, uh, data is still the thing that runs every business, um, literally every business. And, you know, when you look at it, the, uh, still the number one data security, um, issue I would say is...

Well, there's probably two, but I'm gonna go with the first one. One, knowing what all your data is and where it resides. Um, I think that, [00:02:00] uh, that is still a, a number one indicator for, uh, for most organizations. You know, not, uh, not talking directly about mine, it's just, you know, my, uh, my knowledge and insights and talking to all kinds of security and, you know, non-security professionals all throughout the world. Um, knowing where that, uh, that data is and then, you know, who's attached to that data. You know, I think that's still, uh, two things still run, uh, in my mind, you know, neck and neck, hand in hand, you know, overall.

Ward Balcerzak: Yeah. I mean, that's been an issue for years, right? And,

Jason Torres: Yep. Yep

Ward Balcerzak: you know, e- every industry struggles. I would, I would say, you know, probably the two biggest industries, n- not that I'm, I'm saying these are the only ones, right, is likely financial, obviously, right? They're highly regulated. And I think a close second, also no surprise, highly regulated, is healthcare, right?

Where, where you're at. Surprise. Surprise.

Jason Torres: Absolutely, dude.

So

Ward Balcerzak: how are you seeing or how are you thinking folks should be solving for this in [00:03:00] those high, highly regulated industries? Because data sprawl, uh, you know, data size, data sprawl is a real thing. Um, healthcare, right? Like creation of new data is not gonna stop.

That's happening on a, a minute by minute basis, I'm assuming. So

Yep.

How should people get their hands around this?

Jason Torres: I think it, it comes back to the basics. I mean, we gotta be honest, you know, wherever you're at from a, a security posture understanding perspective, it's, you know, getting back to, to knowing where your data is. You know, having that, uh, that full visibility however you get there. Um, you know, for a lot of organizations it, it could be, you know, a very difficult path to, to go through and identify, classify, and understand where it's at.

But, you know, getting back to the basics, I mean, just like i-in your life of understanding, hey, where is all my data, you know, within my, um, within my home network or in my, uh, you know, my home financial situation? I mean, y-you gotta start with identifying [00:04:00] where it's at, um, categorizing, and then shifting to understanding who has access to all of it.

I mean, you know, way back when, you know, 20 years ago when I, uh, when I first landed in, in my first, uh, real healthcare gig, you know, looking at it from a, you know, IT risk, IT compliance perspective, it was, we need to look at, you know, overall IT, you know, risks and data and understanding, all right, how is, how is data traversing through all of our systems?

Where is, you know, where is data being, uh, outputted to, uh, at that time, you know, paper medical records and, you know, faxing things and all that. Man, it was a, it was a struggle and we said, "Yeah, all we need is technology to advance and we can secure it and figure that out."

Ward Balcerzak: That's all we need, more technology.

Jason Torres: Yeah, yeah, yeah.

Just more technology to, to wrap around it, to understand it. But yeah, I mean, from there, you know, the technology itself, it, it grew, it advanced, it developed, and yeah. So I mean, it's still the [00:05:00] point of it may not be in a filing cabinet, but, you know, the data resides somewhere on some device in some way, shape, or form. Gotta get your hands around it.

Ward Balcerzak: You know, I got, I gotta say from a personal perspective, I feel seen by, by that, uh, by, by what you said, like even in your home network. I'm, I'm actually looking around my office right now, right? Like, I've got paper, sensitive paper everywhere, like physical paper. And then just the other day I was looking for something, like we always do, right?

And I'm like, "Hmm, is it in my Google Drive? Is it in my OneDrive? Is it on my desktop? Is it on a flash drive?" Like, finally I found it, right, after checking three locations. Um,

Jason Torres: Sure, sure

Ward Balcerzak: it's funny, right? If I can't even keep track of my own stuff, that's, that's my fault for sure. Um, definitely difficult in organizations like all of ours, right?

Where it's multiple people doing the same darn thing, right? Creating something, plopping it somewhere. [00:06:00] Maybe it's appropriate there, maybe not. So, you know, Jason, you've been in, you know, healthcare specifically for about 20 years.

Jason Torres: Yeah

Ward Balcerzak: I am, I am curious, how, how have you seen kind of the growth of data security in, in that industry?

Uh, you know, going from a lot of paper, there's still a lot of paper, right? I know you deal with a lot of paper. But probably more so dealing with a lot of folks that have super critical jobs, and certainly being IT folks and being security folks is not top of mind for their jobs.

Jason Torres: It is not. It is not. I mean, yeah, I mean, i-in the beginning, I mean, you, you know, you hit the nail on the head. I mean, as you're, as you're trying to understand and get your arms wrapped around, you know, overall data security and where it's at. I mean, yeah, HIPAA comes into play in what? 2004. So that starts

like it

around, "Hey, you gotta, you gotta start [00:07:00] securing stuff.

You gotta understand where it's at. You've gotta, you know, do risk assessments around it." And I think it, it slowly grew, um, and developed mostly because of, hey, from a, a technology perspective, more stuff being introduced, more, more connectivity, um, amongst systems a-and everything with it. So again, it, it, it's, it slowly started to, to grow and morph.

And yeah, I mean, from a, from an overall, you know, security perspective, at first it's, "Hey, you know, i-if they're bringing in technology, we'll bring in technology." So, you know, a-and, and it turned into the, "Hey, they're gonna bring in that? Okay, we'll bring in that." Well, you know, it- it's only feasible to, to so many levels to throw, you know, another tool at something, you know, and then you, you move into consolidation or whatnot.

But that's a, that's another caveat. But it, it moved into the, "Hey, we need to, we need a partner. We need to understand, hey, that this is, you know, this is a growing situation," [00:08:00] um, in terms of one, need-needing to understand and get the, the buy-in at the tone at the top. Because, hey, as you saw more, you know, um, data leakage, data breaches, you know, things like that going on, there's dollars attached to it.

Hey, if we wanna keep growing, we wanna keep building, wanna keep researching, we wanna keep, you know, improving ca- you know, patient care, are we doing to, to minimize those, you know, incidences from a, a breach perspective, but also the overall, you know, patient trust and, uh, and integrity around it. So it flips to the, you know, the buy-in at the tone of the top, and then trying to weave in the overall security awareness and understanding into the day-to-day operations.

Hey, yeah, you know, if you think something looks funny or, you know, I'm uploading a file to, to XYZ site. If s- if you're getting a gut feeling of, "Eh, maybe I shouldn't be doing that," totally reach out to [00:09:00] us. I mean, that, that's part of it, the education of, hey, we're, we're trying to educate you to be more aware of what sites are you going to, where are you throwing data, et cetera.

So weaving in that, that overall security awareness and education, I think that's, you know, the best thing that we can be doing going forward once we identify where all the data is, the processes and all that. It's building in the, you know, the, the internal, um, mental and, you know, overall activity controls of, hey, how should I be handling this data?

Ward Balcerzak: And, and has that been successful for you? I mean, I, I've had a few conversations with, with other friends out there in, in healthcare, and, uh, it's been about a 50/50 o- on that when, when I ask the same question. They're like, "Oh yeah, you know, some people, like super successful, no problem. We've got it baked into the culture."

Others are like, "You know, these doctors, like they, they're super smart, right, in their thing, but they simply do not care and they don't want to [00:10:00] be bothered." Um, how about, how about you?

Jason Torres: Is it 100%? No. It, it really isn't 100%. I wish to say that it was, uh, hey, we've got, you know, full compliance and full understanding. But, you know, it, it's ultimately one of those we have to keep, say, pushing, but we have to keep partnering because, you know, there's always gonna be pushback.

You know, you got the thirds principle. You got, you know, one third is gonna be totally on board, let's do this, you know. Another th- another third that's gonna be like, "Yeah, we're, uh, yeah, we're, we're just gonna ignore you." And you got the, the other third of, they're kind of in between. They could go on the, the positive side or the, hey, we need to work on side.

So it's, you know, it's a continuous battle, but ultimately, you know, these people have access to the data. These people are trusted to be responsible with it. You know, you have to keep working with them to, to make sure we can minimize the, the overall insider risk, you know, [00:11:00] that, that arise and the, and the data security issues.

Ward Balcerzak: I like it. And good to hear, right? Good to hear as, uh, someone who goes to the doctor every now and then, not nearly as much as I should, but, uh, every now and then.

Jason Torres: Yeah

Ward Balcerzak: so go-going back to what you said earlier, you really said two, two facets, and it's gonna tie into what you just said about, you know, you know, these, these doctors and, and medical folks are, are trusted to have access.

So you mentioned, you know, knowing who is attached to the data. Um, you know, that's probably ownership, but also access. So I would imagine in-- I was gonna pick on healthcare, but it's really every industry, right? This, this is the case where you've got the owner and you've got probably a group that's easily identifiable, right?

These people should have access, but then you certainly have the nth degree folks that, you know, should have access to aspects of that. So how, um, how have you really tried wrapping your, your hands around some of [00:12:00] that, or how would you recommend other folks in, in your similar position do that?

Jason Torres: Hmm.

Ward Balcerzak: ' Cause it's not easy, right?

It's not easy for anybody. A lot of organizations say, "Oh, I'm gonna go after the data owner. I'm gonna go talk to that data owner." And in, in some industries, some organizations, you could be super successful at that, right? Because it is small, it's more intimate, there's that culture. But in others where you have the data owner, they created something, they don't necessarily know who's gonna touch it or why.

It's, it's kinda out of their hands and, and maybe they don't even care or so- I'm curious how, how you're battling that.

Jason Torres: Yeah. I mean, a lot of it is, is partnership. You know, understanding, you know, doing what from a development perspective, from an integration perspective. Um, I wish to say that, hey, we, we have a hand and a, and a pulse, you know, on the day-to-day operations for, for every application, for every type of data, for every vendor that's involved.

It's just not, not feasible. So, [00:13:00] you know, setting the guardrails in place from a, uh, you know, from a policy, from a standards, from an overall, you know, operations viability, um, perspective. It, it lays the groundwork for understanding of, hey, here's the normal course of operation of how we should be, you know, going about with utilizing this data, from developing this, from then sharing it. Um, yeah, it, it, it can break into so many other facets. I mean, not just, you know, from a first-party perspective, but then from a, a third-party perspective. Like, okay, yeah, you know, the data used to be in a filing cabinet, then it used to be, you know, on a, on maybe a desktop somewhere. Then it used to be on a, on a server in the data center. It is, yeah, uh, you know, on servers in multiple data centers, you know,

all throughout the world. So it's, yeah, keeping track of, all right, where are we, where are we putting it? You know, where are the expectations of, of the, uh, you know, where the data resides and the security [00:14:00] around it? I mean, that's, uh, you know... A-again, it comes back to partnership, relationship and, you know, continuous education.

Ward Balcerzak: You, you teased it, and certainly you can't go anywhere without hearing these two letters, right? You can't go to any conference without there being a talk about these two letters. Good old, good old AI, right? Good old AI.

Jason Torres: AI.

Ward Balcerzak: in all the shapes and forms. And when, and when I say AI,

it on

I'm, I'm including co-pilots and all of that good stuff.

So, how do you recommend folks combat that? 'Cause I think you laid out some good things, right? You know, ha- have a pulse, have the guardrails, keep track, and I think that's still valid, right? Even, even with AI. But I personally feel like AI just made it worse, right? Like it's accelerated the pace at which this, this randomness happens and, and data decides to fly around.

So h- how are [00:15:00] you, um, how are you keeping up?

Jason Torres: I'm a, a positive person, so, you know, I, I'm always, you know... It's, uh, it, it's kinda one of those things I, I go back to within my team, um, that I have currently. I like to do icebreakers and, hey, try to understand people more and more in a, in a remote world. And, you know, one of the questions I had this week was, uh, you know, "What's your, your favorite movie quote?"

And, you know, it goes back to, uh, to Star Wars, to, you know, Return of the Jedi, when Luke's talking to, to Vader, and, uh, you know, basically tells him, "Hey, there's, there's good in you. There's still good in you." And, you know, I like to look for the good in, in all situations. I mean, yeah, of course, there's always the bad, the crazy, the ugly, whatever you wanna, to tag it.

But, you know, AI, I look at it as a way to, to help. Uh, you know, i- is it easy? You know, is it making things, uh, extremely, uh, you know, satisfying and, and easy processes? No. I mean, there's, [00:16:00] there's complexities around it, but when you look at AI from a, you know, from any asset, from a, you know, data security, you know, perspective, yeah, I mean, data is being created through it, but again, it goes back to setting up the foundational guardrails, um, to keep things going to where, you know, InfoSec is not a, is not a place of a, of no, it's a place of go.

And go in terms of, hey, we can, we can build it, we can grow it, um, and we can, uh, you know, support it. But yeah, we've gotta have the foundations in place, you know. AI governance committees are a phenomenal way to, to start and set up that baseline. What are the expectations from a, from a top-level leadership perspective in terms of utilizing AI, what data's going to the A- that AI, and then what are the expected outcomes to help the business, um, utilizing that AI?

Again, I mean, you gotta have the, that in place, along with policies, overall [00:17:00] understanding, education around it. That's where you're, you're gonna get the most foundational and, you know, thought-provoking discussions to guide things going forward. By just throwing AI out there and saying, "Yeah, we're using it," it's, uh, it's the Wild Wild West.

Eh, that's, uh, that's a recipe for disaster.

Ward Balcerzak: Just check the box, right? I think, uh, you know, three or four years ago, a lot of organizations were doing that, right? Because it was the shiny object. It wasn't new, but it was becoming more

Yeah

right? Like even in your personal life, you could have one of the first iterations of, you know, OpenAI back then.

So executives were like, "Make it, make it happen," right? And, uh,

Jason Torres: Yep.

Ward Balcerzak: when they say make it happen, you jump, right? You, you jump as high as you can and, and make it happen.

Jason Torres: Of course.

Ward Balcerzak: I do like, though, you know, obviously this recording is, is not gonna go live this week, but you, uh, you brought up a "Star Wars" quote on "Star Wars" week.

I love it, man. I love it. It's awesome. Oh, [00:18:00] man. So we're talking about AI. I wanna pivot slightly. This isn't necessarily data security centric, but I am curious your thoughts. Again, you go to a lot of conferences as, as do I, and, and we see and hear the AI for good, right? Seeing the, the good in you, if you will.

Back, back to your quote there. Um, th- there's a lot of, a lot of vendors, right, bringing AI into their solutions. Now, wh- whether, you know, h- how, how fully baked they are, who knows? I'm, I'm curious your thoughts there, right? Using AI for blue teaming, essentially.

Jason Torres: I mean, that's, you know, that's where we're looking next, at least from, you know, from our team and talking to a lot of other, um, folks that are leading blue teams across all industries, you know, whether it's in the Chicagoland area or throughout the rest of the US and world. But yeah, I mean, how can we utilize AI to, to bring our overall defensive game up?

How can we mature it in terms of what we're trying to do? We've got... have [00:19:00] great technology, um, that's in place. We have phenomenal people that are literally working their butts off day in and day out to, to make things better. Um, we've got processes that a lot are manual in nature still. So where I see AI flowing into that is, hey, how can we, how can we accelerate, you know, the overall investigations, you know, bring things down from, you know, whether it's hours or, or minutes down to, you know, even, even seconds or, you know, a minute or two.

What does it mean to leverage that AI in that, uh, in that aspect? And that's what we're trying to do, and that's what a lot of people are trying to do. So again, at it from a, a blue team perspective, I, I'm hopeful that it's gonna help us to be, um, better defenders, you know, for our organization.

And, you know, it does get back to the, the costing element of it. Yeah, I mean, we try to, to bring in a solution that does, you know, whether it's a, an [00:20:00] AI, you know, SecOps analyst or engineer, et cetera. I mean, yeah, there's cost to it. All right, how can we quantify those costs from a metrics perspective? How can we lay out the, the associated business case for it?

I mean, that's, that's what import... That's important, um, because one, it, it speaks to the, the business, um, perspective of, hey, when we bring this in, here's how it's gonna help us, you know, whether from a costing or an acceleration, you know, method. But then it, it helps us to lay out, hey, these are expectations not just for us, but for the vendor themselves too.

So, hey, you know, as we're going through RFPs and RFIs and, and all that fun stuff and activate some POCs, like what are the tangible outcomes that we need to see out of it. I mean, it's not just, hey, InfoSec's buying another tool, you know, because it's, it's flashy and bright and has AI attached to it. But hey, it's gonna be a game changer for us because of X, Y, and Z [00:21:00] supported by one, two, three.

Ward Balcerzak: I love that. And that's why I, I brought it up, 'cause I- I'm really excited. Um, I'm really excited to see it. So I've, like yourself, been in the industry, you know, tw-20 years, and like yourself, right? We've seen a lot of these manual processes. You know, think about the SOC, right? The L-L1 analyst, I gotta do this, do that.

Like, investigations would take minutes to hours. I mean, minutes if you're lucky, right? Doing all the required lookups and all that, again, manually. Go look at my threat intel feeds. Go and do a Whois. Go do that, go do that. And then I remember when UEBA... Actually, even before that, when SIEM really became kind of the big splash, like, "Oh, we're gonna do all this."

And that never really lived up, right? It was, it was a necessary evil. It still is, right? We still have to have SIEM solutions. Like, they, they are important. Um, before anyone gets the pitchforks out, they are important. They are valuable. Um, and then I saw UEBA, you know, kinda hit the market. You know, some of it was baked into the SIEM, some of it were new solutions.

And, [00:22:00] you know, UEBA never lived up, really. Like, they touted, "Hey, we're gonna help you start to understand behaviors," kind of AI-ish, if you will. Um, you know, at least, you know, initial iterations. And, you know, those deployments would take, you know, 12 to 18 months to really see value, if you ever did. Um, and then finally, I hate to say it 'cause I love this industry, SOAR, right?

SOAR was kind of promised to be the initial, um, level up, right, to the analyst, where, "Hey, we're gonna automate, orchestrate and automate these particular monotonous activities." And they did,

Yeah

right? If you had the proper experience and, and proper, uh, you know, services. Um, and then finally do the response. And, and now, finally, we have AI doing some of that.

And

Yeah

br-bringing that whole story to, to back to data security here, um, [00:23:00] I'm excited to see some of the new data security platforms coming out that are gonna walk you through, "Hey, we see this data, we see this thing. Based on what we see, based on what we know, based on the context, here's what it actually means for you," instead of an analyst having to do all of that work, 'cause data security's tough.

Jason Torres: Holistically, yeah. I mean, just adding on to what you're saying. Yeah, I mean, it started as, "Hey, we've got this tool that's gonna, you know, output this, uh, this report." Okay, what, what can I do with this report? Well, this report can then go into this system to then go... You know, it, it's growing from, from tables and, and spreadsheets and reports to more interactive diagrams that can really map out and say, "Hey, you know, this threat actor went into here, pivoted to here, grabbed this file here, went over..."

Like it's, it's another level. I mean, we couldn't really visualize it before. I mean, yeah, we can, try and, you know, have [00:24:00] somebody flow chart it out. Hey, how

Ward Balcerzak: A postmortem, yeah.

Jason Torres: Yeah, there you go. There you go. Yeah. You could visualize it postmortem, but seeing it real time and now and, and being able to stitch it all together and even, I'll say even putting some, uh, some judgment around it.

Like, hey, based on all these, you know, correlation threat vectors, like here's, you know, here's a snapshot from a, you know, a computer just saying, "Hey, here's what we think the risk is and why." Man, stuff like that, I mean, would be hours put into an after action report to really summarize what happened.

So I'm seeing that quite a bit where I, I talk to some of these vendors, I see their solutions, and then I get the flashback, right, the PTSD of like, "Oh my God, I used to do that. It would take me far too long, and now you basically automated my, my job for a couple years." Like, first boo, like that was valuable that I did it, but then it's like, yay at the same time, like finally some- [00:25:00] someone did it.

Ward Balcerzak: Um, so you mentioned RFIs. I, I think that's gonna resonate with a lot of the listeners, so wanna pick your brain real quick. So for the organizations that are starting to do, continuing to do whatever, evaluations of products out there, in particular products touting AI, I'm, I'm really locking it to blue team at this point, you know, not, not anything else.

Um, do you have any recommendations for them to quantify value, but also take that quantified value and actually be able to speak to the executives on, "We're gonna do this thing, and here's what it's gonna result in from both an OpEx and a CapEx perspective," i.e. personnel, processes, all that?

Jason Torres: Loaded question.

Ward Balcerzak: Of course.

Jason Torres: I mean, you know, uh, but it's crazy. I think about, you know, let's say ten, you know, ten years ago, like something like that, like, all right, you know, I want an [00:26:00] RFI, you know, RFP document for, let's say, a new, uh, new MSSP trying to bring in or maybe even your first one. It's like, all right, you know, go to, go to SANS, go to Gartner, go to, you know, IANS, go to whoever and, you know, try and piece through a, you know, a spreadsheet to then all right, use this as my baseline template. And then you try and utilize that and say, "All right, how can I break down all of this data and, and knowledge and things I'm trying to understand and speak that, um, over all of the business?" Yeah. But it was hard. It was really hard to really, you know, consolidate multiple spreadsheets into a, into a couple slides. Now, I mean, you know, look at it from an AI perspective. Try and understand what, what am I trying to get out of this? What am I, what am I trying to improve in my environment? So as I'm putting together my, you know, RFI, RFP, okay, what are the, you know, what are the top five, top ten, you know, [00:27:00] challenges I'm trying to address, you know, related to my business?

And then building upon that to say, okay, you know, what are the metrics I'm using now to, to track that? And then taking that and saying, okay, you know, whatever flavor of AI you wanna use, help me to explain this to a, to a CFO perspective, to a COO perspective, to a, you know, to an audit committee, you know, perspective. Those things you're able to translate in a faster time, in a more, you know, targeted manner to say, okay, you know, I can take what I'm trying to put forth for the next, you know, one to one to three years for bringing in this new, you know, these new solutions, technologies, et cetera, and here's the translation of why. So, you know, before it used to be a, all right, let's throw it in a spreadsheet. Let's put in a few slides. Let's, let's practice, you know, what our, what our delivery is. Now it's, "Hey, let's, let's piece it together." I mean, is it gonna be [00:28:00] one hundred percent accurate and complete? No, I mean, there's gonna be a few iterations of it, but if you can automate, you know, let's say eighty percent of the work in a targeted manner, and then even, you know, take it and, just socialize it internally, but take the concept of what you're trying to do and go into the infosec community.

So, you know, I love, you know, some of the great things, at least in the Chicagoland area. There's a, you know, CISO dinner group with, of security leaders that has, you know, probably two to f- you know, two, three, four thousand people in the listserv of where, "Hey, I'm trying to do this. Here's what I'm thinking. You know, can you offer some thoughts or insights?" You'll have people raising their hand, sending emails, you know, text messaging you. You know, let's, let's talk for 30 minutes and hash through what you're trying to do and what I've done before, or I can offer some thoughts and guidance on it. You know, I think that's where, that's where you translate from, you know, [00:29:00] keeping it internally within your organization and, and trying to, trying to, you know, butt heads to, "Hey, let's talk to...

Let me talk to somebody else that's been through this rodeo before, um, and just see how they succeeded with it."

So important, all right? There's tons of really smart people out there, which is great. Um, you just got to reach out and, and ask for help every now and then.

Yep.

Ward Balcerzak: thing that I'm super interested in, you know, again, going back to the RFPs, RFIs, or really the, the proposal to bring in something new. So I, I know in my past when I'd bring in a new tool, I always had to account for what do I need from a personnel perspective to either run it, operationalize it, or both, right?

Like,

Jason Torres: Yeah

Ward Balcerzak: y- five years ago, you could not bring in something without accounting for that, or I, I guess you could, right? But maybe it was going to be slow, right? Slow rolling to get up to speed, get up and running. Um, AI being kind of the new equalizer, right? [00:30:00] AI being in a lot of these tools, I feel like there's an expectation in most organizations now that anything new, you're not going to bring in new headcount, and you're likely going to upskill your current headcounts to do something else.

So Yep how are you dealing with kind of that new reality that I'm assuming you're, you're having to deal with as, as you look to bring in new tools?

Jason Torres: I mean, great question. I mean, just reflecting back, you know, let's say 10, 12 years ago, looking at, at bringing a solution, it was, okay, need at least, you know, one or two engineers to support, you know, XYZ solution, and here's why. You know, it could be, you know, skill gaps or just, you know, not enough, uh, you know, power on the, on the team to support it.

So went from that to the, the mantra of, "Hey, we'll have professional services involved." You know, the vendor

Ward Balcerzak: You know?

Jason Torres: will, will [00:31:00] s- you know, implement it, help us support with implementation, and then maybe they'll have, you know, a, a consultant associated with it for, you know, maybe up to a year after, you know, go live.

You know, that was kind of the, the mantra then. Okay, that's a, you know, a cost we can bake into it and justification around it. Yeah, no, you bring up a great point. I mean, as I'm, you know, putting together justifications and business cases and things like that, back, it's like, yeah, we used to say, "Hey, we need, you know, we need more people with this."

But now it's, okay, what's gonna be the impact? Yeah. So we can take our, our current team, we can take our, our current processes, but then within the, you know, the RFI, the, the RFP process, it's okay, well, maybe we're repurposing, um, you know, people. Maybe we're taking from, from the same team to dedicate on this for, you know, let's say 10, 20 hours a week. Rather than 10 years ago, we needed two people assigned to this, you

Ward Balcerzak: Right

Jason Torres: 100 and... [00:32:00] 100, you know, percent, um, of their time each week. So we're able to scale it back based on the ability to, to implement more of this, you know, automation through AI really, you know, a lot of it is, is verification on the back end than active coding and, and overall, you know, process change stuff that used to take a lot more, you know, in-depth cultural change management.

Now it's, okay, we can, we can automate, we can go through it from that perspective. So kinda what I'm seeing. That's kinda what we're, you know, at least I'm seeing in, in my org, but also friends in other orgs is, hey, you know, we're going away from the, we need these people towards it to, okay, it's gonna be a, a, you know, operational impact, but hey, maybe we can leverage in our team or we can look at other teams to say, hey, you know, this, this effort is gonna be jointly across, you know, um, other pillars within IT.

How can we work together, [00:33:00] um, cohesively to say, hey, how can we build this without having to spend extra money?

Ward Balcerzak: Good stuff, and I'm sure exciting for a lot of folks, right? It takes a lot of that complexity. And you mentioned spreadsheets. Man, oh man, have I had so many spreadsheets over the years of, "Well, to implement it's gonna be this." You know, you had implementation, you had run, you had ongoing run rate, you had, "Okay, we're gonna do this particular implementation, then we're gonna do the next phase."

Like it was... I mean, I was proud of those spreadsheets, don't get me wrong, but I wouldn't want to do it ever again, that's for darn sure.

Jason Torres: There you go.

Ward Balcerzak: Well, Jason, we've mentioned it a few times throughout this episode. You and I, we've, we've both been in the industry for a while now. Um, curious, what was your journey to get where you are today?

Jason Torres: Oh, journey indeed. Yeah. I mean, I, uh, you know, out of school, so I, I studied accounting, so, you know, technology was not the, not the key indicator. You know, took a few programming classes, you know, [00:34:00] back in college, and I liked technology. Did a few things, you know, from a, you know, internship perspectives in college related to, you know, help desk and, and kind of field tech services and things like that.

But I, I first went towards the accounting, uh, angle and, you know, first job out of school was with a, a law firm in downtown Chicago, and I would say probably about seven months into it, I realized I am not an accountant. It was, uh, it was fun. It was, uh, okay. I mean, yeah. I mean, I understood numbers. I can, I can talk through it.

I can, you know, prepare balance sheets, income statements, things like that, but I'm like, "This is not really my thing." And found myself over to a, you know, hospital system in, in Chicago in their internal audit department. So, you know, it was kinda one of those like, all right, I took some audit classes, you know, in college, you know, yeah, it is financial operational related, but, you know, after I was there for a year and working with, uh, you know, IT teams on some stuff, you know, my, my boss is [00:35:00] like, "Hey, I, I need somebody to focus on IT risk management, like

holistically, like twenty-four seven."

I said, "Yeah, absolutely. You know, I'd love to do that." It led to me, you know, changing from that, you know, that guy from finance that's always in IT to, hey, here's a, here's a guy that's trying to help us understand what are the risks related to, you know, projects as we're, we're activating them in IT or, you know, it got to a point where, you know, incidences and such were, were coming about and, you know, back then didn't really have infosec teams,

Ward Balcerzak: Right

Jason Torres: infrastructure as a whole, and it, it, it goes from there. It led to, uh, an initiative and a drive to say, hey, you know, our, you know, the CFO, which we reported up to from a, you know, audit compliance perspective, brought in, you know, one of the big four accounting firms and said, "Hey, we're just gonna do a, a cybersecurity gap assessment

to say, 'All right, you know, where are we at?' [00:36:00] 'Cause we know that we're gonna, we're gonna continually see data security things, um, going on, especially with an electronic medical records system, you know, in play. Where do we stand? Where do we benchmark? What are we looking at?" And, you know, they went through, did their assessment and saw, hey, you know, audit compliance perspective, you know, IT risk management, looking pretty good.

But everything else is, man, you, you, you've got, you've got this process and this team and that... You know, it was very disparate. And they're like, "You really need something to bring it all together." And that's, that was the initiative which led to, hey, bringing on our, our first CISO and being involved with, uh, you know, helping set up those interview panels, being on those. You know, me as an, as an IT risk, IT compliance guy being involved with that. You know, it led to bringing on our, our first CISO and then, you know, a month into the job, he's like, "Need some help. You know, you wanna come over from, you know, audit compliance over to [00:37:00] here?" I said, "Absolutely." So it, it led to a, from my career perspective, all right, I've, I've officially switched over from the, the accounting guy to the audit guy, you know, over to the, the cybersecurity guy. And, uh, you know, it was pretty cool to, to build out, um, a cybersecurity team at a, at a healthcare, um, organization over, you know, I would say seven years. It was a, you know, it was a large, a large growth and development and, you know, we went from two or three people to over 30 people in

Ward Balcerzak: Wow

Jason Torres: InfoSec team.

And, uh, you know- Got to, got to be involved with a lot of stuff. I mean, especially once, you know, COVID hit and trying to, to maintain a, you know, a healthy working remote environment. I mean, yeah, clinicians and, uh, you know, healthcare professionals were, were on site. I mean, saving the, you know, the all the lives that they could and, and keeping patient care going.

But then all of us in the [00:38:00] support areas, okay, how can we, how can we keep making the organization secure? What are those things we need to pivot from? From, hey, you know, we used to get around a conference table and talk through it. Now how can we whiteboard things in a, in a virtual manner and work through that?

So, um, learned a lot, did a lot. I mean, had my hands in everything from, you know, IAM to GRC and then, you know, moving over to my current organization now it's, it's holistically SecOps. So now it's, you know, hey, what are we, what are we doing to protect the organization in a holistic manner? But not just today.

Let's keep that eye on, you know, what does it look like, you know, a year from now of where our org is, is trying to be from a, a maturity perspective. Bringing together teams that used to be separate into one combined blue team, you know, has kind of been, uh, you know, things I've been working on over the last year and a half at my, my cur- current organization, but also what we're trying to do in the future.

It's, uh, [00:39:00] it's pretty exciting.

Ward Balcerzak: Quite the journey and, and I'm not gonna say atypical, but I, I, I feel like there's a lot of folks in, in cyber that don't necessarily come up through an audit background, right? I think a lot of folks assume that to get into security, "Oh, I gotta go and do either red teaming," 'cause red teaming's sexy, right?

"I'm gonna go, I'm gonna go be a hacker," right? "I'm gonna go learn that." Um, or they think they have to be a, a security analyst, right? And sit in a SOC, you know, 24 by whatever, essentially five, seven, what have you, to, uh, to get to that next level. So h- how do you feel that's, that's really helped you in, in your current role, maybe more so than, than a different background?

Jason Torres: I think it gives a different vantage point. So I mean, if you g- if you take everyone from the same, same background, same mindset, same mold, um, you know, I think, I'm not gonna say it's gonna hold back security teams, but I think you need to bring people in from, from different backgrounds, [00:40:00] um, just to bring through and, and help see like, "Hey, let's assess the situation from, from this vantage point versus, you know, this vantage point, and here's why." You know, I've seen in, in different, uh, you know, organizations we had where people, people come up, uh, you know, undergrad was maybe in English

Ward Balcerzak: Right

Jason Torres: in IT security?" Like, you know. But it's, you take those different, uh, those different mindsets, those different methodologies, and I think that's what, what when you bring together in a security team, gives it the most well-rounded feel that you can ever get to. Um, 'cause again, you don't want everyone thinking the same thing, acting the same thing. You want people to bring in new ideas, new perspectives, um, and try and mold a, an overall, you know, culture of security that can be seen from different angles.

Ward Balcerzak: Last question for you here. You, uh, you had a pretty [00:41:00] great background, so maybe it's nothing, but if you can go back in time, would you have made any changes along the road? A- a- any other fork in the road you might have taken

Jason Torres: A good question. I mean, I, I do reflect sometimes, you know, as moving from my last org to my, my current one and going through the, you know, the job searching time. You know, it did, it did cause, you know, some self-reflection, um, in terms of all of it. You know, it's like, hey, if I, uh, you know, I, I did a, a tangent, you know, actually when I was, uh, when I moved over to cybersecurity, I was part-time pastor, um, and trying to help out my local church, and that was a, it was a different dynamic.

I was taking classes and doing things like that, and I, and I think back like, man, how, how different would it be if I didn't go that way and maybe I went towards, you know, uh, a master's program in cybersecurity or something like that for those, you know, five years I was, I was going down that route. But then I [00:42:00] f- I think about it, I'm like, okay, for me, learning about that, but then also getting in front of people, that helped me to, to be a better presenter, I think, uh, be a better communicator.

Because, you know, getting in front of people on, on Sunday mornings, you know, a, a few times a month, I mean, helps you to, to grow as a communicator, as somebody who can understand, you know, situations, be able to convey, convey knowledge to, to people of all types. Um, yeah, but I mean, ultimately, I mean, I- it's, it's been a solid career.

It's been great stuff. I mean, I've got a, a loving family behind me. I mean, I got a phenomenal wife. We've been married, you know, just celebrated 20 years.

Ward Balcerzak: Wow

Jason Torres: Got two great kids that are, that are in high school. A, a daughter who's a sophomore, a son who's a, a freshman. So, you know, I look at that through, through all the times of, you know, um, them supporting me up when, "Hey, you know, gotta be gone on, you know, Mother's Day [00:43:00] of, of COVID because there's a security incident situation going on, and the FBI's on the phone."

Like, you know, those are things they reflect on, like, "Oh, Dad gets to talk to FBI." Not everyone wants to talk to the FBI. I mean, unless it's a, a courteous phone call or maybe they're, they're sitting in on a tabletop, like that's, that's great. But yeah, it's not something... Yeah, first few times I'm like, "Oh, this is cool."

But then it's like, all right, this is, yeah, it's getting to be a little much.

Ward Balcerzak: Yeah. Yeah.

To, to someone outside the industry, it sounds super simple and super cool. It's like, no, it's, it's really not. Please no.

Jason Torres: But overall, I mean, you know, it's i- an interesting path. I mean, I think everyone has their own path and, you know, every, uh, every journey begins with the first step. So, you know, for people that are trying to get into, to InfoSec, it's, it's not gonna be the same for everyone. There's no blueprint, um, of, hey, here's how I, you know, become a CISO or become a security leader.

Um, you know, it all depends on the, the time you put in, the, the knowledge [00:44:00] you develop, the action you put forth, and then ultimately the relationships you build along the way. I think that's what defines you.

Ward Balcerzak: Great tips. So Jason, if, if folks wanna connect with you, what's the best way to do so?

Jason Torres: LinkedIn, dude. LinkedIn, I mean, yeah, I, I'd love to say yeah, send me a text message or whatnot, but, you know, I try to be active on LinkedIn supporting people. You know, I, I probably have at least a, a dozen people I'm trying to find, you know, help find, uh, you know, new jobs or move to a different role or just, you know, offer some people some, some guidance and mentoring. Um, I'll do what I can. You know, it's, uh, it's great that we have a, a platform like LinkedIn that allows you to, to share, to, to grow and develop. Yeah, there's, you know, some negatives to the platform as there is with anything social media,

but, uh, yeah, reach out to me on LinkedIn. Yeah, we'll see what we can do

Ward Balcerzak: Awesome. And, and hey recruiters, if you didn't hear that, reach out to Jason. He's got some folks looking for jobs. [00:45:00] I d- I don't know the, I don't know the expertise, but sounds like, uh, Jason's got some folks.

Jason Torres: It's all levels.

Ward Balcerzak: Yeah. Love it. Love it.

Jason Torres: Yep.

Ward Balcerzak: Thank you so much for joining me. This has been a great episode.

Jason Torres: Absolutely, brother. Appreciate it, man. Thank

Ward Balcerzak: Of course. And big thank you to the audience. Really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode of Guardians of the Data. See you next time

That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit guardiansofthedata.show. Guardians of the Data is made possible by support from Sentro. To see how we help organizations discover and classify all of their data accurately and automatically while quickly achieving petabyte scale data protection without the fuss, please visit sentro.io.

Catch you next time
