CISO Jason Lee on Zoom's response to its pandemic security challenges

A year into his role, Lee discusses how he and Zoom's security team addressed security and privacy issues amid rapid growth and public scrutiny.
Jason Lee (Zoom)

Jason Lee joined Zoom in June 2020 to become the video-conferencing platform’s CISO. The vendor was midway through a 90-day security plan launched to address security and privacy issues exacerbated by Zoom’s meteoric growth amid the COVID-19 pandemic and the mass shift to remote working.

Lee was tasked with overseeing strategies to move the organisation toward a cyber security and privacy posture that kept pace with its rapidly growing customer base, expanding feature set and changing usage requirements, all under increasing public scrutiny.

CSO had an opportunity to speak with Lee about his experience coming into the CISO role mid-crisis.

Can you give us a little background on the situation at Zoom leading up to the point when you arrived?

Lee: Back in December 2019, Zoom had around 10 million daily meeting participants, but come April/May, it grew to around 300 million. That’s right when I was jumping in – when we were really starting to add a lot of customers.

In the first few months of 2020, the team was working around the clock just trying to get used to the volume and the new, different types of users. I can’t imagine there are too many companies that have gone through such incredible growth so quickly.

As such a big, high-profile company, there was a lot of scrutiny from our customers. I like to call them “free pen tests”, but our customers were doing strong security reviews of our product. I always welcomed that, and they were really doubling down to look at things like data routing and proper encryption.

[CEO Eric Yuan] took the feedback and put together the [90-day] plan which essentially involved pivoting the Zoom engineering team to really focus in on security and privacy only.

What was your approach to the problem coming in fresh?

Lee: It is very much about security and privacy by design, not just in our product, but in every aspect from our engineering system to our IT environments. This also touches upon common security controls. A lot of companies have multiple identity systems; I’m a fan of one identity system, which is easier to manage and offers a consistent experience.

When you’re building a security team as fast as I was, it’s really easy to tack on controls and slow down business processes. [One way we worked around that:] When engineers use a library for cryptography, we’ve created a one-point, one-stop-shop option – making a “happy path” design so they can focus on innovating cool new features with core security things already done and built.

There needs to be a common compliance framework – one control framework that can be overlaid with all the certifications within that framework. That means you don’t have to do a new audit for every single certification, which is a critical thing for a software-as-a-service company.

The final piece of the business agility puzzle is operational excellence – for example, how quickly we can respond to an incident, or if engineering needs us to review something, what are our service level agreements?

How did you operationalise the strategy?

Lee: This is about making sure we hire top talent and provide innovative security features in our products. I had four of my security team give presentations at RSA this year. I love that we’re being able to talk about security at some of the biggest conferences now, and it’s a symbol of how much we’ve focused on raising the bar of the security team and security at Zoom.

I’m a big fan of gamification when it comes to training. I love it when I can have teams compete against each other. A great example is with our development team. We have competitions between teams on who can find the most vulnerabilities in a fake application that we’ve built. We have prizes, so it’s the fun, carrot approach to training, and the engineering team loves it.

What are some of the changes you made to address Zoom’s security and privacy needs?

Lee: A couple of important things we did first were making sure we had 256-bit AES-GCM encryption by default, and acquiring a company called Keybase, with CEO Max Krohn going on to build end-to-end encryption as an optional feature, launched in October last year.

As Zoom’s profile grew, a lot more researchers were trying to engage with us and it was, quite honestly, overwhelming at the time. So that was the precipice for building a bug bounty program. We invested in that, and I brought onboard Adam Rudderman from NCC Group, who’d been leading the consultancy in helping companies build out bug bounty practices.

You’ve outsourced your bug bounty program. How is that working out?

Lee: The beauty of partnering with such third parties is that they are specialists at triaging alerts, dealing with high volume and can scale quickly. If you’re thinking about starting a bug bounty program from scratch yourself, I think it would take much longer to get off the ground.

Zoom added security-by-default features. What were your priorities when developing and implementing them?

Lee: We had so many new users that didn’t know how to use these features, and it was really important for us to nail making it easier for everybody. When you think about security features, the most important thing to consider is how to make security super simple from a user perspective.

We also put in a “suspend participant activities” feature, which is where somebody can freeze a meeting and remove somebody that had accessed the meeting link but was not supposed to be there, resume the meeting and then report the person.

We added a feature to allow users to select which of our 21 co-located data center locations they want their data going through, and which ones they don’t want to use.

One of the things that we put together was a CISO council, with a whole bunch of CISOs from customers across various spaces. When we started, it was really focused on product strategy – which is something a lot of companies use a CISO council for.

However, we ended up pivoting somewhat, because we found that the CISOs were more interested in learning what I was building within the security program, and not just about the product.

I’d present some of my board content to them for example, and they’d get to throw ‘tomatoes’ at it – providing me with feedback that has been super helpful. I’ve loved having that group of mentors and advisors, and we discovered that the CISO council was an untapped opportunity to not just get some product feedback but also wider feedback around the security program.

What are the remaining key challenges and opportunities to continue to evolve the organisation’s security position?

Lee: It’s now about pushing maturity and innovation and getting further along with all the security programs we’ve got in place. The bug bounty program is a great example. Now that it’s a year old, our focus is shifting to how we can make it more advanced and do more advanced things with it. For example, we’re looking at opportunities to do live hacking where we can bring in the security researchers and almost have a hackathon type of event.

We’re still building scale like crazy and so maturing our processes is really the most important thing. We’re really trying to automate as much as possible, so there are hurdles to overcome in shifting from manual to more automated processes.

We’re a video-first company and we’re working with tons of organisations that are still trying to work out how they can best operate in a hybrid model, with workers regularly both in and out of the office. How does that interact with those that are at home? That’s something we are looking to address with new features that I’m very excited about.