Episode 92

Going from Hacker to CISO with Jason Haddix

EPISODE SUMMARY

Jason Haddix, CISO and Hacker in Charge at BuddoBot, joins Joe to discuss his journey from hacking to penetration testing and ultimately taking on cybersecurity leadership roles. You’ll see how starting as an offensive practitioner provides valuable exposure, and hones your abilities to report and present results and provide defensive and remediation advice. They share tips for leadership, including prioritization, communicating the business impact of security, and developing a strategy to align with business goals. Whether you're just starting out in cybersecurity or looking to advance your career, you’ll learn practical guidance you can put into action right away.


Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, and it is a pleasure to be here with you. We're always looking to bring exciting topics and amazing guests. Today, we have the awesome Jason Haddix with us. So Jason, over to you to give the guests a bit of introduction, who you are and what you get up to.

Jason Haddix:

Yeah, absolutely. Thanks for having me on, Joe. So my name is Jason Haddix. I am currently a CISO and hacker-in-charge at a company called BuddoBot. We do adversary emulation, simulation and red team as a service, so a lot of hacking stuff. Formerly, I was the CISO of Ubisoft, which is a multinational video game company. They make games like Assassin's Creed and Just Dance and The Division and all those kinds of stuff. Before that, I had been in offensive security in different sections of the world, different sections of the community for about 12 years, I would say. So a little bit of leadership, mostly a lot of hacking, and trying to marry the two together these days.

Joseph Carson:

Absolutely. It's really important to be able to bring those both together because for organizations today, you really need to be defensive and be able to be resilient. You need to understand the techniques that attackers use, and the more you understand those techniques, the better you can actually implement the right controls. So tell me a bit about how did you get into the industry and what were some of the interesting things and passion and things that got you excited. Where did it all start for you?

Jason Haddix:

So I've always been a hustler, I guess you could say, and very nerdy and into computers. When I was in my early or late grade school years, I taught myself HTML because I found a book at my library and it was like, "You can make web pages." So I started there and then really did a whole bunch of stuff. I hacked DirecTV satellites for a while. I did a whole bunch of stuff and then eventually I hacked Xboxes, and then eventually when I was in my early 20s, all my friends were older than me and so they wanted to go out to the bars and you have to be 21 here in the States. I was 19, about to hit 20, and so I couldn't go out with them and it was a point of frustration for me. So I found one of my friends in college and he was like, "Hey, I can get you a fake ID," so I was like, "Okay."

So I paid back then, which was an exorbitant amount of money for a college student, $110 for an ID. When it came back a month later, it was the worst fake ID I'd ever seen in my life. So there's no returning a fake ID, and I tried to use it and it got confiscated at one of the bars. I didn't get in trouble or anything like that, but it did make me a little angry and I was like, "I think I could probably do better."

So I went searching for communities or tutorials on how to do that. Back then, the internet was a different place. So there were only a few communities that even offered anything like that. One of them was Counterfeit Library and the other one was ShadowCrew and some of the other precursors to what the dark web is today, forums. So I fell into that forum ecosystem and it definitely makes you feel like you have a community of people supporting you. I got really into it and started making really good IDs, things like printing on Teslin and laminating, building holograms using Pro X, hacking printer cartridges to make small DPI UV holograms look the right colors so that they pass under the black light, encoding three-track mag strips, all that stuff. So I had all the gear and-

Joseph Carson:

You got into the real professionals.

Jason Haddix:

I got in, yeah. I don't do anything halfway. So I got into it, but really, I was only making a couple of fake IDs for my friends. Then a year and a half into that, ShadowCrew, the main forum that was the first ecosystem that was more mainstream, got busted by the Secret Service, and the Secret Service and a whole bunch of law enforcement agencies across the world came and swooped in and basically took down ShadowCrew, arrested a whole bunch of the administrators. It was a big, big bust, and it was the first of its kind. It was the first time they had busted a forum ecosystem like that.

So that was the precursor to the dark web, but it scared the crap out of me. I remember the day that it happened, they put up on the front page of the forum a picture of a dude behind bars, and the front page of the forum said, "We're coming for you all." So I threw all my printers, my laminates, everything into the back of my sea green Civic in a black trash bag. I don't know why I didn't put it in my trunk because that would've been smarter, but I put it in the back seat of my car, drove a few towns away and put it in a dumpster and burned it all. So it really scared the crap out of me.

So things went on for a little while. I remember calling my girlfriend and saying, "Hey, it was a good run if I don't see you." Then things went on and I was in community college, so junior college, and I was in the Cisco Networking Program, and there was a new elective that was offered that year called Ethical Hacking and Network Defense and I was like, "I had hung out."

Joseph Carson:

That's impressive to be ... That's ahead of its time.

Jason Haddix:

Way ahead of its time. Not many colleges were offering that, honestly. So I had hung out with a lot of the hackers on the forums because the ecosystem of those forums is the hackers who provide the dumps and the hacked credit card numbers. There are the ID makers and then there are the fake credit card makers. So they each have a role to play. The ID makers make the IDs so that the credit card people can encode them and dump them, and they have to load the credit card numbers from the hackers. So it's a three-way cyclical ecosystem, at least for carding it is.

So I knew a lot of the hackers and they had showed me some stuff, mostly early web hacking, SQL injection, cross-site scripting. This was when that stuff was first coming out. A lot of local file includes, RCE in PHP apps and stuff like that. So when I took this course at my college, I told my instructor, Angel, I'm like, "Hey, man, the stuff you're teaching is already really old. It's not current. Even the stuff in the book is Back Orifice, and that was a while ago."

Joseph Carson:

That's a long time ago.

Jason Haddix:

It was a long time ago. So I talked with him for a little while and, obviously, I was doing really well on the course, and I did, I think I did a guest lecture too on modern web app hacking, which nobody was talking about. He was like, "You know you can do this for a living, right?" and I was like, "Not really," and he's like, "Our next module talks about the career of penetration testing," and I was like, "What do you mean?" and he's like, "Yeah, you get paid a lot of money for breaking into companies and then showing them how you did it so that they can secure their websites and their networks," and I was like, "That sounds awesome. I want to do that."

So from that moment, I finally found my purpose and that basically drove me for the next 12, 13 years. I taught myself. I was doing help desk work at the time part-time, and it was a night gig. So I had time to teach myself, and I begged, borrowed, and stole every training I could get my hands on, every tutorial, every blog I read, and was just teaching myself how to test, how to do vulnerability analysis, vulnerability scanning, and then exploitation, and then moved on to more web hacking and then mobile hacking. So that was the very beginning of it. I definitely landed my first security job later and then moved on from company to company, but yeah, I've been at HP, I've been at ... Redspin was the first small one I was at.

Joseph Carson:

I think you started at HP not long after I left.

Jason Haddix:

Yes, it was after you left. Yeah, for sure. It's been a great career. I can't imagine being anywhere else, honestly.

Joseph Carson:

It's impressive though. One of the things that was interesting, I've had a couple of moments in my career as well that you find something that the light bulb comes on and you get really excited about it and you realize that it's your calling. It's the one thing that gets you so excited because even I remember two moments in my career where it was deciding what to study at university, in college, and I was like, "Okay, I was good at a few things," but it was my passion and love of gaming then that drove me into computer science, and that was the thing. It was the decision making.

So when you're talking about IDs, one of the things ... I just always get this funny memory. I remember going back to ... because I didn't have a lot of money when I was younger and always had to try to save and try to get things where I possibly could. At that time, it was cassette tapes where games were delivered. It was cassette tapes and cartridges and floppy disks. So cassette tapes, I used to remember sitting having to cut the ... because they came and they had the protected magic bits of the part at the beginning, and in order to play, you had to get your scissors out, you had to cut the tape, you had to basically tape it on in order to make it at the right moment so that the game would play. That was some of the things. That's how I got the games that I wanted to play that I just didn't have the money to get.

Jason Haddix:

Game hacking is such an in for so many people I talked to in this industry. The fact that they just got a little bit of their technical skill in reverse engineering or whatever, it all started from them wanting to pirate some game or cheat some game or something like that, and then that snowballs into other things.

Joseph Carson:

Literally, it was gaming and access to the software as well. Those were the things, and throughout the '90s and early 2000s, that was a lot of the motivations. There was the second moment, the second moment because that got me into IT, not necessarily security. Security, when I was doing it, it was just something extra that you did on top of your day job. Security, when I started, was a key to the door and a password to the computer. Literally, that was it. That was the basis of security, but then there was a moment, it was in 2000 ... I always remember. It was 2002 and it was grc.com. So I was responsible for a NOC, a Network Operations Center. At that time, Steve Gibson, whose company basically was grc.com, became the target of a DDoS attack. The company I was at at the time used the same service provider. So we became a secondary victim, and it was that investigation that Steve Gibson did, and I was also looking at logs and we were sharing and looking at the event.

It was that event. Being a secondary victim of a DDoS attack, that then got me excited that there's more that I can learn here, and that's what really took me in the path of getting into security. So those are some of the defining moments that really sometimes set you off, and it's really important to find that, defining what it is that excites you. So going into that, you then looked in the industry. What were some of the early penetration tests and the early bug bounties and stuff that you got involved in? Were there any lessons learned from those that you have?

Jason Haddix:

So I went on to do a lot of ... Back then, it was a lot of network. The thing that people were purchasing in those early days was network pen tests and externals and internals. So they would give you an IP range, and that was still in the day where you could have service-based exploits. So you could pop SSH or you could pop some FTP or something like that. It was a very different world than it is now. So I got my chops during the time where we transitioned from that stuff getting a little bit more secure, and then the web going through the dot com bubble and the web being crazy and then web vulnerabilities being the primary issue. So I got to grow up and be trained during that time.

So I definitely learned a lot about ... My whole career has been lessons that I didn't know I was taking as lessons in security strategy. As an offensive practitioner, you're a consultant and you see so many companies. I would say that at this point I've worked for maybe 90% of the Fortune 100 as a consultant at one of my companies. You get to see and you get exposure to their issues and their problems. Despite size and scale, they all have very much the same issues. It's shadow IT. They all end up, after a certain point, with shadow IT and they have configuration issues and they have AppSec issues. A new technology comes out and the business wants to adopt it to make money and then IT lags behind and then security lags behind that, and so you're playing catch-up for the new technologies.

Right now, you could consider AI is going to be the next thing for that, but before, it was mobile apps and before that it was web services and things like that. So definitely I've learned a lot. As far as testing goes, I think the one thing I've learned that's really important is that the test is only 50% of that job. A lot of people want to go into it and they love the idea of the hacker job, but the other half of your time is spent reporting and presenting.

So that means that not only do you have to be a good writer, but you also have to be able to communicate your findings to a customer about why they matter. I like that a lot more people are talking about this nowadays. I think the extension of this nowadays, since many people do have decent reports and can present on them, is instead of the saying is showing up and throwing up when you're an assessment person, offensive assessment, auditor, whatever you are, is trying to help the organization because they're underwater. They're absolutely swimming in eight million things they could do. Everybody has vulnerabilities. You're not going into a place telling them anything they really don't know. They knew they were going to have vulnerabilities. Very few organizations are going to be like that org that just doesn't have any findings. I've only had that a few times in my whole career.

So these days, it goes beyond just giving them vulnerabilities in a report and a presentation. Now, I want to see our assessment industry grow to give defensive and better remediation advice. So if it's AppSec, let's give them some easy to implement libraries that solve the problems that they have because developers know how to do that. If it's detection, let's give them open source Yara or Suricata rules or Sigma rules or something like that or Splunk queries they can prioritize or Windows configurations that'll make this thing easy. I want to see the next generation of help for organizations go a little bit deeper than what we've been doing so far. So that's what I'm trying to build right now with my team at BuddoBot is better reporting and better presentation and add a little bit more purple to the red.

Joseph Carson:

Absolutely. I think that's one of the important things we've learned over the years is that defensive side of things is really important, but it's important that it merges and actually collaborates with the defensive team to show them what things they can do in order to, let's say, put the right controls in place, and they're also the right prioritizations because a lot of times, and I think that's why, really, purple teaming is so critical because it should be something that you'd be doing ongoing.

I think going even further into the reporting side of things, it also gets important to be able to convert that into the business language. One of the things I'm advocating right now is we need to start transitioning from talking about cybersecurity in a silo. You're talking more about how it actually should map to the business security, ultimately how it maps to the business services and what's the pride of those business services. Absolutely, you brought up an important topic is that the media does portray this as a very hands-on keyboard all the time, but a lot of the times reporting skills and the writing skills becomes an essential part of the skillset.

Jason Haddix:

It does.

Joseph Carson:

Then being able to translate that into things that the business understands is also another skillset that is definitely getting enhanced further and improved. Reporting is so critical in our area.

Jason Haddix:

It's reporting and then if you're going to be on the leadership side, presenting too, I think is also really important. One of the things I was going to say is that one of the lessons I learned recently from being a CISO at a very large organization like Ubisoft was I actually thought about security, I would say wrong for a majority of my career, and I was on that side where I wasn't thinking about the business impact. I was from a hacker point of view. I wasn't having any trouble explaining that a vulnerability was critical because of XY reason or because it affected X crown jewels, but one of the things I learned at Ubisoft after being the target of several real threat actor campaigns was that, actually, the biggest risk to the business and the most expensive cost to the business is not actually vulnerabilities or it really doesn't have anything to do with AppSec, actually. It's downtime.

So when we faced threat actors that took our network down and our services down, we lost a lot of money, and that was the worst thing that ever happened to us by miles. So I feel like a lot of people, they asked this question. We're stuck in this dance of what we do every year. It's like, "Oh, we get a pen test, we get some AppSec assessment, we have some stuff," and we're answering the-

Joseph Carson:

That's Tuesday.

Jason Haddix:

Yeah, exactly. We're so stuck as an industry in keeping that going. I don't feel like a lot of people are asking the right questions of instead of, "Can I be tested?" because everybody can test it, everybody has volumes, it's like, "Can I be breached?" is really the question that you should ask.

Joseph Carson:

What's the impact? What's the impact?

Jason Haddix:

Yeah, "What's the impact?" because like a lot of ... I talked about this last week with ... I was telling you that I got to present with Ed Skoudis and I was talking with him about it and it's like, "Okay. I learned that downtime is a really big thing." So it really shifted my mind as to like, "Okay. Well, when I consume a red team service or a penetration testing service or an AppSec service, that has never been included in the scope of those tests. Can you bring me down somehow?" It's always been domain admin or, "Can I leak some user data?" Those things are important, but if you're honest with yourself as a business, what is the material impact of leaking user data? It is bad for your brand. You may have to buy them credit monitoring. Most of the time those passwords are hashed, so the attackers aren't getting passwords anymore. They're getting email addresses, and everybody's email address is everywhere anyway.

Joseph Carson:

It's literally public information.

Jason Haddix:

It's almost public information, right?

Joseph Carson:

If you cannot guess an email address of a person-

Jason Haddix:

Yeah, exactly. The only case that comes up, although you have celebrities, where celebrities are people of interest that are trying to protect their identity, which it is important.

Joseph Carson:

You're assuming celebrities are going to be using anonymous type of email addresses that literally ... because there's a bunch of email addresses that I use which are basically completely randomized that are no association to my name or to references, and those are ones ... It's how to separate yourself from basically communications. So you're assuming that celebrities would have something similar set up and those, absolutely, when those email addresses that are set up to be, let's say, only limited to certain contact lists, those are the ones. They can cause harm and sometimes even stalking, especially for celebrities, that becomes the big issue.

Jason Haddix:

The big issue, but that stuff is, to a business as far as loss and material loss goes, it pales in comparison to someone finding out that they could take you offline and none of your services are available. So at Ubisoft, we had many, many games, somewhere between the, I think, 40 to 60 range. So every one of those is a product. They're all running their own stack. When one of them goes down for technical reasons or for security reasons, that's millions of dollars lost because gamers are not consuming your product, they're not purchasing your microtransactions. It's very similar to what's going on right now in Vegas. So right now, Las Vegas MGM is under attack.

Joseph Carson:

The casinos, literally, the casinos basically can't accept the online transactions at the moment.

Jason Haddix:

I was telling-

Joseph Carson:

People couldn't get into the rooms as well and they were handed physical keys.

Jason Haddix:

I was telling somebody, they're like, "How big of a deal is that?" and I was like, "Well, casinos on average bring in $1.3 billion a day just from the gaming floor. So if all the gaming floor is down and rooms are affected and all this stuff is affected, so you could say it's about 1.3 a day, plus the IP loss, plus the PR loss, plus the recovery cost, plus if they decide to play the ransom, they may be looking at close to $2 billion loss," and that'll probably be the worst pain.

Joseph Carson:

You're talking about that one billion. That's per day.

Jason Haddix:

Per day.

Joseph Carson:

How long is it going to last?

Jason Haddix:

How long is it going to last?

Joseph Carson:

I just mean my voices are with the team because it's such a stressful environment.

Jason Haddix:

Of course.

Joseph Carson:

The community can be harsh and sometimes quick to jump and blame. I can only be sympathetic because going through your incident response, the stress that that team must be going under is immense.

Jason Haddix:

It's so stressful.

Joseph Carson:

Especially when you put such a cost of the business on top of it. When you know that the business is suffering, that even puts a tremendous pressure on the team as well.

Jason Haddix:

It's interesting because I know I haven't spent an extensive amount of time, but I know the security leader for that specific issue that's going on right now and he's trying to do everything right. His plan is sound. They have been doing pretty advanced security assessment to try to get all their stuff shored up and wanted to be at the forefront of assessment and bug bounty and all this stuff and still got ransomware.

Joseph Carson:

You can do all the right things.

Jason Haddix:

You can do all the right things.

Joseph Carson:

It just takes one area of lack of oversight and lack of transparency. A lot of times, it's sometimes through supply chain that a lot of it comes through. Sometimes it's through basically hybrid cloud where you've got your visibility in one area, but you're not seeing it through a lot of API security and stuff. Right now, you can do all the right things. It just takes one area that the attackers find that basically they exploit.

One important topic you brought up as well, I had the same. For many years, I also had the same view that security was about enforcing and pushing, but many years ago, one of the, basically, departments I was responsible for was the ambulance service and in the ambulance service, that actually taught me a very valuable lesson. It was very early in my career, it was something, one of the first organizations I worked for. It was very urgent because the metrics that I had for the system were aligned to the metrics that the business had for the service that they had to provide.

When you align that, that's one of the things is that when you look at a service as you're talking about, you get a service and that service is worth X amount to the business. When that service isn't running, you have an impact. At that time, I was responsible for the IT infrastructure and security, and I had to align my metrics to the business metrics, and that was actually the SLA that ambulances needed to actually get to victims of either car traffic accidents or health issues and stuff like that. So I had an SLA. My SLA basically was 23 minutes, and if I went beyond that SLA, people died.

That was a big realization. When you're in that situation, you start realizing the importance of IT, the importance of assistance being available. When hospitals, even today, are getting attacks, you start realizing that has an SLA impact, that those SLAs get under serious strain and that people's lives are at the end of it.

Jason Haddix:

People who work for those types of services. I have a buddy who's former Microsoft, and he used to run the SOC there like Global SOC and MSRC, and he was like, "It's just a different kind of stress when you know that your operating system is running on planes and if your operating system messes up, things go wrong on a plane or a vehicle." No wonder so many InfoSec people burn out because there's a high amount of existential stress and then there's also a high amount of on-keyboard hours stress. It is amazing how the mental load for this job, how high it is sometimes.

I'm not saying that anything else is any better, but I do know that some days my wife talks about the mental load for moms and how running the household is really an unglorified position, but there is this giant mental load associated to it. So we talk about it all the time. It's like, "What can we do for you that we can make sure that your mental load is sustainable?" It's the same thing for InfoSec people too, like SOCs and even assessors too. You have a mountain of assessments you need to finish. You have to make sure that things get remediated, at least as an internal person. So my heart goes out to anybody going through a breach.

Joseph Carson:

I think every time I think about my ... I've been asked a lot of times what was my most stressful moment ever in my career, and I always go back to, actually, it was Y2K, but it was not the reasons of Y2K. It was actually the preparation for Y2K. So what happened at that time was that because I had this SLA. I had 23 minutes. 23 minutes was always to keep systems and services running, and that was for emergency phone, the phone, and then that got routed to police, fire, and ambulance and rescue.

Jason Haddix:

Got it.

Joseph Carson:

The preparation was that we were basically connected directly to the mains, electricity. In preparation for Y2K, we were worried that it was going to be this blackout, complete electricity failure.

Jason Haddix:

I remember.

Joseph Carson:

Everything was going down. I remember going around with a floppy disk, updating all the systems, all the machines. It was me with two floppy disks and synchronizing all the machines.

Jason Haddix:

Two floppy disks and a dream.

Joseph Carson:

I literally still have it somewhere, but the thing was the preparation was that we ... In order to prepare for the potential electricity blackout, we had to change over to basically generators, and that meant basically the electricity. So we had main phases and then the generator phases. So what I had to do and the critical systems was basically our mainframes that we had that was basically for the ambulances to know what addresses to go to, the patients, and also was the routing and logistics and all of that stuff. Basically, we chose the time of the week where it was least busy, lowest impact. Of course, not Friday night or Saturday because they were always the busiest times of the week.

Jason Haddix:

Yeah, for sure. Makes sense.

Joseph Carson:

We tried to choose the minimum impact and we powered down the servers. We unplugged all of the plugs from the mains, put them where, actually, the generator supply was and the phases and basically powered everything back up and everything didn't come back up as expected. That was the most stressful moment of my career, watching the clock of the SLA exceed when you didn't know if your services were-

Jason Haddix:

You didn't know if it was going to work.

Joseph Carson:

That was always the impact is when you start realizing when you can tie it back to the impact and you make those relations. I think that changes our view a lot of times. Even in recent times, it was back in 2016, I did ... Actually, that was another changing moment. I did a pen test of a fire station and it was the CEO and CFO who basically changed my whole view because at that point in time, I actually thought my job was cybersecurity, and that was a moment in my career where I started realizing that's my skill and my job is to reduce the risk and to help the organization become resilient.

Sometimes I think, to your point that you brought up earlier, I think there's a point in time when you realize that when you put yourself in that other position where you're defending and where you're in a leadership role, how we prioritize things and see things drastically changes. I think that's something that we all have to get into, especially those who've been in security for a long time. We have to start realizing that. So it's not security first. Security's an important element of it, but it supports something else and we have to make sure we understand what that aligns to. We can no longer work in a silo. We have to find ways to break those down.

Jason Haddix:

It is. It is so common to work with an established organization, I would say, but they do have this view of security and the security group has this view of themselves that they're the police inside of this organization. They're there to admonish and punish and-

Joseph Carson:

Enforce.

Jason Haddix:

Enforce, yeah, and it's our rules of the highway.

Joseph Carson:

Punish those who breach the rules.

Jason Haddix:

That's a model that has proven to not work except for maybe in a handful of organizations that are very strictly regulated, but for most software development and organizations building products, it doesn't work. So we are going through, I would say, the inflection point of modernizing that with DevSecOps and more and more security programs that are built around visible metrics, including developments, security teams acting more transparently, which we call purple teaming in a lot of forms, security assessment being a cooperative endeavor, making sure that we take care of our employees at a deeper level with breaks and training and giving them opportunity for innovation. So I see a lot of good things happening, but it's still going to take, I think, another five, 10 years until we get to the next stage of our evolution.

Joseph Carson:

It's people like yourself that really set that, let's say, that cultural trend, that change, and being those role models to be able to show how it's possible. Can you talk a little bit about your transition from the hacker world into the CISO world, because I definitely want the audience, because a lot of the audience, they're either getting into hacking, they want to see their career paths and they want to understand what the possibilities are. So how was that transition for you? What were some of the key defining moments?

Jason Haddix:

So I went from being a regular pen tester to playing in a CTF at DEFCON and Black Hat with Daniel Miessler. We played in a CTF together and he was like, "Hey, you're pretty legit. Why don't you come and work for me at HP? I'm building a new professional services gig there." So we built out a small group inside of HP called Shadow Labs, and we weren't really allowed to do that. HP was not happy that we built a sub-brand, but we were competing at that time with teams like the most legit back then was Nick Percoco at Spider Labs. That was probably one of the most legit pen tests and red teamy type organizations at that time. So we built Shadow Labs inside of HP and it was really great. So my idol during that whole time was Dan Kaminsky, Director of Penetration Testing. At that time, it was IOActive, and IOActive-

Joseph Carson:

I know, Jennifer Sunshine, yes.

Jason Haddix:

Yup, Jennifer Sunshine, the best people. So that was my goal, to get to that. So I worked my butt off on that team. I developed leadership skills that I really didn't have before. I was able to manage a team. I was able to build a methodology and some products. I did all the above and eventually got promoted into the title I wanted, which was Director of Penetration Testing. Dan and I oversaw over 120 different testers of different kinds, mobile, dynamic assessment, et cetera, et cetera. So that gave me a lot of management experience and it gave me my first exposure to high level management and an executive level at HP. So that was cool. Did that.

Then in the moonlighting time, I was doing Bug Bounty because I wanted to keep my technical skill still up there. I have this view that I don't feel like I can genuinely advise someone unless I know what's going on in the real world. So I wanted to keep my technical skill up and so I was doing Bug Bounty and this was when Bugcrowd was launched and I knew Casey who launched Bugcrowd, and he was like, "Hey, I'm starting this new thing. Do you want to hack on a site and you get paid if you find bugs?" That was literally the email. I was like, "Yeah, that sounds great. Do I need to sign a contract?" because back in the day, you would have to have a-

Joseph Carson:

Oh, NDA.

Jason Haddix:

... full NDA. He's like, "No. I'm just going to send you an email with the site and then when you find something, you go to this SurveyMonkey link and you put the finding in there," and I was like, "Okay," and so I did it. I started doing it and it was the first few bounties at Bugcrowd and ended up being number one on their leaderboard for a couple years. I'm still very highly ranked. I think I'm 59th all time overall on Bugcrowd.

So through that, at some point, I had many conversations with Casey and back in the day it was Jay Cran who was leading operations and they were like, "Come work for Bugcrowd. We need someone to lead the operations team." Went over there, led that operations team. It's one of the best places I've ever worked. I've had the luck to have fantastic teams everywhere I've been.

Joseph Carson:

Casey's awesome. He's such an idol and mentor these days.

Jason Haddix:

Casey's amazing. I worked with Jay Cran too. He's one of the best, Jonathan Cran. Everybody calls him Jay Cran. So I ended up there transitioning from operations director into VP of trust and security, which was another foray into executive land because I could present and I could break down technical topics to non-technical people. That's always been the superpower. Do you think the superpower-

Joseph Carson:

That is the key, being able to translate things into everyday language.

Jason Haddix:

If you think the superpower is knowing all your hacker tools and your TTPs and stuff, it is not. The superpower is being able to write, explain, and present.

Joseph Carson:

Finding zero days, not the superpower, but actually being able to explain it to people every day.

Jason Haddix:

So I went there and you get into the fire there because Art Coviello was on that board. There were some hardcore people on that board and you had to come ready and present. So that was my first exposure to a Silicon Valley aggressive funding board for a startup. That was really interesting, and all of my superpowers that I had developed up to that point worked really well. I helped a little bit starting Bugcrowd's internal security programs, but that was taken over by another team eventually. I helped bring on researchers and stuff, and then I left there to go to Ubisoft, and that was my first breakout, big company. That was 22,000 employees.

The way I got that job is I had had titles that were ready to go up. So director of operations, manager of operations, those titles are ready to graduate to CISO land if you want to work in strategy and you know what the role is. So when I went in for my interview for Ubisoft, I used my hacker hat a little bit. I did attack surface management and recon on Ubisoft. Then what I did is I built a presentation for them and I said, "This is probably what I think you're facing right now. You have these sections of your business that are being attacked constantly. You have these games that people are trying to cheat. You have internal player toxicity and X issues. This is your attack surface, everything I can see of it."

Then I actually found a bug during the recon. I had found that a couple of their developers had put passwords on GitHub, and I disclosed that to them before they even had a Bug Bounty. Then I went to the office in Montreal and I presented to them, "This is how I'd structure a program." I said, "First of all, it doesn't seem like you have visibility over everything you have. You're acquiring and being a production studio for all of these places. I'm sure the acquisitions are difficult. You're not getting all the assets offline and you're getting hit on these assets."

Then I talked about building an external asset management program, building a vulnerability management program that supports all of those, how to prioritize different things to defend against different types of attacks that they probably face. I'd had some game hacking experience before. I talked a little bit about that. I was the only candidate who came in with a technical minded plan even though when I got there it didn't match reality. I didn't have any idea what their internal security program was. They were so impressed with the fact that I made a plan for them that they hired me, and that was how I got into Ubisoft. Then I had to learn what the reality was, and I was 50% right. I wasn't 100% right, but I was like 50% right and we worked-

Joseph Carson:

You're looking at it from the outside-

Jason Haddix:

Yeah, exactly.

Joseph Carson:

... which is a whole other thing, doing the reconnaissance and doing that whole assessment. You're looking from the outside. Of course, when you get inside, you start seeing the organizational structure and processes within, but that's pretty impressive to look at it already from that perspective and show them that even without having the internal knowledge, that you came up with a strategy and a plan that really resonated with the team.

Jason Haddix:

Then I went there and that was my first breakout role and really exposed me to big, complex leadership at a big company because there's politics, there's many different business units. It was multinational. You have to deal with multiple compliances. You have a huge team, so there's lots of interpersonal stuff going on. You have dedicated purchasing and HR, whereas any company-

Joseph Carson:

Procurement, legal.

Jason Haddix:

Yeah, procurement, legal. You're dealing with DPOs and CFOs and you're dealing with the CEO of multinational companies. So it was a great experience.

Joseph Carson:

I guess also all the different levels of compliance as well.

Jason Haddix:

Yeah, absolutely. So it was a great experience. I had a great team there. What I realized there is that, actually, I didn't want to be the big business CISO. I missed the more startupy CISO, and I missed testing a lot, but I learned a lot of valuable lessons staying in that role for a while. So I went back to where I am now. I had been moonlighting for a friend of mine's business, BuddoBot, for years, 10 years, and doing pen tests for him. Then when I left, he was like, "Come over here and lead the offensive side that we're going to move into enterprise," because they've been doing government DoD pen testing for a long time.

So now, we have moved into the enterprise world and are doing red teaming. So I developed strategy for the internal security program, and I also develop our methodology for red teaming and hire engineers and do a little bit of hacking myself. So now, I think I've got the perfect thing to make me happy, whereas I was just-

Joseph Carson:

Perfect. Ingredients now of all of those-

Jason Haddix:

All the ingredients now, and that was something I had to learn too. One thing I tell people who are looking to make that graduation is understand what the job is. If you think that you're going to go in and a lot of your time is going to be building security strategy, you're actually wrong. A lot of your time as a CISO is spent basically in, for lack of a better word, it's politics. It's schmoozing things over between different business units. It's presenting your plan over and over and over again so people know exactly what you're doing, exactly what they're investing in, explaining why you have priorities set the way they are, and then responding to big incidents and stuff like that, but there's not a lot of time that you are actually drafting security strategy. Most of that gets brought to you by your directors and then you approve, "Sure."

Joseph Carson:

Your peers, your peers are going to be, they're going to be navigating the ship. What you're doing is making sure that ship's being navigated so that you're not going into stormy water-

Jason Haddix:

An iceberg.

Joseph Carson:

... or off the coast of Somalia where you're going to hit the pirates. That's ultimately our job is to look and see what the least risk is and make sure that we navigate those safer waters.

Jason Haddix:

So just be aware of what you're getting into. There are differences between medium-sized business CISO work and large enterprise CISO work. It's much harder. Large enterprise CISO work is much more stressful, much harder because of your footprint. When you're being a CISO for a startup or a medium-sized business, you still understand all your assets and all your security. You haven't ballooned out, you haven't made a lot of acquisitions yet. It's still very easy to go into a business like that and define a security policy and define a security program. Whereas if you go into a legacy organization, it's much harder to retrofit security onto something like that. So it's just important to have good resolve if you're going to-

Joseph Carson:

Speed, speed is much faster. You can do things much quicker, for sure.

Jason Haddix:

Yeah, exactly, for sure.

Joseph Carson:

Jason, it's been awesome having you on and definitely for the audience, for people looking for these different possibilities and paths, they have all these opportunities ahead of them. I think what's really important is that you don't see, some people might get stuck in a rut, but it's really important to see that there are a lot of options and the industry is so broad that there's a lot of choices and a lot of ways to broaden your skillset. You're definitely, for a lot of people in the industry, you're definitely a role model and a mentor, for sure.

Jason Haddix:

Oh, that's awesome.

Joseph Carson:

For many out there, if there's a way that people can reach out to you if they've got questions or advice, are you willing to let them reach out to your contact?

Jason Haddix:

Oh, yeah. Yeah, absolutely. So I am @JHaddix, J-H-A-D-D-I-X on Twitter or on X now, I guess. You can reach out to me there and ask any questions that you want. You could DM me there. I would be remiss if I didn't mention my company, BuddoBot. So we do adversarial emulation and simulation and red teaming. That's B-U-D-D-O-B-O-T dot com. We're building something special over there. Happy to answer any questions, happy to come back and talk again. Loved it. It was a great conversation.

Joseph Carson:

Fantastic. Excellent. We'll make sure, actually, we'll get all of those in the show notes as well, for sure, so that's so much easier for the audience.

Jason Haddix:

Very cool. Nice.

Joseph Carson:

Jason, it's always great talking with you. We should do this more often.

Jason Haddix:

Yeah, we should.

Joseph Carson:

This is the fun part of my week.

Jason Haddix:

That's great.

Joseph Carson:

It's always great talking to you, amazing mentors, and those who really make a difference in the industry.

Jason Haddix:

Thanks, man. You, too, man. It's been a pleasure.

Joseph Carson:

Absolutely. So for everyone, definitely, Jason Haddix is a great person to follow. Make sure if you do have questions, you're looking for advice in your own career that you might be considering a CISO role, definitely check out Jason Haddix's work. You have an awesome workshop as well, by the way.

Jason Haddix:

Oh, thank you very much. Thank you. You, too.

Joseph Carson:

So definitely if people are interested, take a look for the workshop as well. So everyone, this is the 401 Access Denied Podcast. Definitely tune in. Every two weeks, we bring amazing guests, thought leadership ideas, career advice, all the things, really, to really make your career and path a great one. So again, thank you, everyone. Take care. Stay safe and see you next time.