A Q+A with Justin Berman, Chief Information Security Officer

November 2, 2017

Hi Justin, welcome to ZenNation! We’re so excited to have you on the team. Can you explain what exactly it means to be Chief Information Security Officer?

The role has definitely evolved, but to me it means that I am the executive stakeholder in charge of protecting the company from security risk, building the brand around trust that helps Zenefits shape the conversation with customers, creating a lasting culture of security within the organization, and helping Zenefits to create market-leading capabilities around security and privacy for our customers.

Which projects are you most excited to work on at Zenefits? Is there a certain area of our business that takes priority right now for your team?

Tough question! I am really excited to learn our business end-to-end; I firmly believe that in order to keep something safe and make the best possible decisions, it has to be from a place of understanding. That is also the place where I can learn the conversation we need to have with customers, understand their pain points, and look for opportunities they don’t even know exist.

How did you discover your passion for security?

I found it fascinating back in high school, and in college I took some of the first-offered network security classes at a university level. That said, the passion emerged after I transitioned from being a software engineer to a security consultant. The love of security definitely emerged there. I like to say I stay in security because my mom shouldn’t have to call me worried about her online accounts.

What are tech companies in 2017 at most risk for when it comes to information security breaches?

The trend I would focus on is that we are seeing the continued commoditization of technology for bad guys. As an example, there are criminal organizations selling Ransomware as a Service. One level of criminal creates a capability to attack businesses, and other criminals pay to use the service and then collect the ransoms. That is terrifying because it means that more advanced capabilities are being distributed to attackers who do not have the resources to develop them on their own. That really raises the bar for all defenders faster than many can adapt.

How do you educate employees about these potential risks/threats?

I think it varies by the company, but the theme I have seen work to create lasting understanding is getting to the heart of the ‘why’ and the ‘how’ security matters to people. Education about security has to be relevant for people to retain it, so I like making it highly applicable to the team, or even the individual at times. You don’t force the finance team to learn about secure software development, and you don’t ask the software engineers to think about finance processes and how people could commit fraud within the company.

What do you think of bug-bounty competitions? Does the security team have any plans to participate in one soon?

We actually participate right now! Zenefits uses HackerOne to manage our bug-bounty program.

What can you tell us that would surprise us about the world of security-tech?

I have a ton of thoughts on this! Let’s focus on one thing that I think goes without saying, but bears repeating. Security tools and products are never as much of a silver bullet as they claim to be. Many people across companies get caught up in the idea that they can just buy the right tools and then security is “solved”; but security is, and will always be, a process of managing risk more than a problem to solve. Our goal is to make our people and systems expensive enough to attack that the adversaries go elsewhere.

Share with us the #1 reason you are excited to be part of ZenNation.

I am excited because ever since I became a manager I became hyper-aware of, and interested in, the relationship work has in people’s lives. Zenefits is the kind of company that can help really shape that conversation and promote practices that enable us to measure the right things and make work and life a more healthy integrated whole.

Is there anything else we should know about you?

I am intensely passionate about wilderness preservation and climate change. I spend a lot of the time I take away from work photographing wild places and donate all the money I make from selling prints to causes like the Southern Environmental Law Center, The Rainforest Trust, and Wild Earth Allies.