Jason Chan, Former Netflix CISO, shares his experience and learnings leading security during a hyper-growth phase
As Cyber Week rolled onward, Jason Chan, Netflix's former CISO, joined us at our Tel Aviv offices for an intimate chat about tried-and-tested security strategies and tips that any security leader can apply. Jason joined Netflix in 2011, when its streaming service was beginning to gain momentum and the company was in the process of migrating its infrastructure to the public cloud. As the organization pivoted to become the online content giant it is today, he had to put in place many new practices suited to a global, cloud-based video streaming company.
Take the move to the public cloud. Part of Netflix's migration was driven by the company's desire to focus on innovations like UI and personalization rather than commodity infrastructure like storage and networking. That meant pioneering a new security approach, which resulted in building and open sourcing a variety of tools. Global expansion, in turn, brought the requirements of hundreds of different country regulations. When we asked about compliance, he told us they built a security program that fit the way they wanted their private data to be secured, rather than one shaped by the regulations alone. In Netflix's case, protecting an exploding number of subscribers and an exploding amount of content and IP meant protecting the business, the company itself.
When ten episodes of Orange is the New Black were stolen in a breach of a post-production company, Netflix faced a choice: pay the ransom, or refuse to pay and hold to the planned release schedule, accepting that the stolen episodes might surface early.
The final decision was to stay on the release schedule, a decision representative of the kind of security leadership Jason practices: "Keep calm and communicate well."
Jason focused senior management on one clear goal: to keep the business moving. Don’t play to win. Play to stay in the game.
To stay in the game in the world of security, here are five recommendations we took away that are relevant to any CISO or security leader and, for that matter, any business leader.
1. Prioritize, continuously and clearly.
You don't have the time to do everything, and you won't be able to stop everything either; trying to would carry too high an opportunity cost. Your job is to highlight the priorities, continuously and clearly.
2. Start fresh.
What worked for protecting a DVD mail-order business would not be right for a large-scale consumer streaming business that required visibility and control over new cloud infrastructure. When you start something new, Jason argued, it may be better to start fresh than to port what worked at another company or in an older security stack. It is best to see the advantages the newest technology landscape offers and build on them.
3. Be a step-down transformer.
Think of yourself as a step-down transformer. Your job is to convert high-voltage situations into low voltage for smoother, better-run operations.
4. Communicate the Delta.
As Jason says, “there is always a delta between how you want the world to look and the reality of how the world is actually operating. Your job is to make sure that delta is well understood and well communicated,” and that the executives are on board.
5. Give leadership the tools to make higher quality decisions.
80% of leadership time is spent communicating. Ask yourself: are you providing information they can act on immediately? In turn, what do you need from them to steer? Which decisions do you need from them to keep the business moving forward?
Jason Chan is an advisor to SeeMetrics.