Fighting hackers isn’t an easy job, but someone’s got to do it. Thankfully at Inductive Automation, we’ve got Cyber Security Risk Officer Jason Waits on the case. Not only is he an invaluable member of IA’s staff, but he’s also one of a handful of winners of the 2017 US Cyber Challenge, receiving a commendation from the White House for his work.
His colleagues are equally big supporters. Dominic from IT said, “I’ve learned so much of what I know about IT from Jason. He’s an excellent teacher and he makes time to talk and ask questions. I’ve considered him a mentor throughout my time here, and he goes above and beyond to connect and support others.”
Like many team members at Inductive Automation, Jason has experienced a lot of professional growth during his time at the company. After spending over a year in IT Support, Jason was promoted into a management role as Cyber Security Risk Officer, and now oversees all internal security for Inductive Automation and Ignition. He will share his expertise as a featured speaker at the upcoming event Code for Folsom, a two-day boot camp for local high schoolers. While his job and commitments might keep him busy, he still makes time for his passion and hobby, Spartan Races. With nine races under his belt, it’s safe to say Jason is in shape to fight anything that comes at him, cyber or otherwise. Learn more about Jason, his thoughts on the cybersecurity field, and Code for Folsom:
How did you get your start at Inductive Automation?
I started my undergraduate degree as a psychology major and was 90 units deep before I realized I wanted to study IT. I started a job at a health-food store doing typical IT stuff: running their network, Wi-Fi, and point-of-sale system, and realized I loved the work. After switching majors and graduating with a degree in IT, I started a security certification. While I was working on the certification, I saw the job posting for IT Support at Inductive Automation on LinkedIn. I wasn’t even really looking for jobs, but without thinking about it too much, I one-click applied. The next morning, I got an email from (HR Director) Kristi about setting up an interview. Within a week, I had completed my interviews and was hired. It felt kind of surreal to find a great job when I wasn’t even searching for a new position, and at a really cool company. I joined the IT team in May of 2016 and I’ve been here ever since.
Can you talk about your journey as a staff member at IA?
I was hired for an IT support position, which is a vague title, but each IT person tends to focus on a few areas; mine were networking, Windows servers, and security. After about a year and a half, I was promoted to my current position as Cyber Security Risk Officer, which I started in February. Now I oversee projects for internal security for IA and Ignition, working with people in several teams across the company. Primarily, I’m focused on securing the company: our website, our email servers, our computers ... With Ignition, I spend time securing source code and helping the development team create built-in security tools like vulnerability scanners as they build the product. Between the two, I’m kept pretty busy.
What motivates you to continue innovating at IA?
One thing about being in the software industry is that we’re always focused on disruption, so innovating is at the core of how we work at Inductive Automation. Also, the security industry is always changing; innovation is part of the game, especially for us since we’re such a market-disrupting force. From a security perspective, you have to be really agile and ready for anything. It requires constant innovation since there are new attack vectors almost daily. You’ve got to keep up with everything going on around you. I read a lot, study up, and listen to a lot of podcasts to keep on top of what’s going on in this space. You never know when a new threat is going to present itself, so I like to be ahead of the curve. A common saying in the field is “Security is a process, not a state”; that really encompasses how I think about my job.
How did you get involved in the 2017 US Cyber Challenge? What was that experience like?
I was on Twitter and I saw something about a security challenge set up like a game of capture-the-flag. I was intrigued, so I just clicked the link, checked out the website and decided it seemed fun. First, it was an online capture-the-flag event where you studied network logs and packet captures. I think it was like 70,000 lines long; the premise was a hacker moving through a SCADA network. At the end, there was a long quiz with questions about the logs. I gave myself the weekend to complete it, which meant I had to do some serious research, but I finished it. When the results came in, I was in the top 100 people who completed it.
The top 100 people got invited to three boot camps all across the country; I went to one in Utah that was four days of intensive training with instructors from an organization called SANS, which is one of the premier cybersecurity training groups in the country. We got to live in dorms on a university campus and participate in training all day. The fifth day was a group competition, which my team won. The team members each won a cash prize, another training package, and a trip to Washington D.C. for the Affirm Cyber Summit. It was a great experience; I got to meet a lot of cool people, do a lot of cool stuff, and learn a ton through the whole process.
Of all of the IT team’s accomplishments, which are you most proud of?
I’m most proud of how the team handled our company move. Moving into the new building posed a unique security challenge for us, and we were able to do it really effectively. It was a huge project that we were planning for a long time, while simultaneously supporting the company as we were experiencing massive growth. We had to build a new computer network infrastructure, deal with all the new computers, all kinds of stuff. It required a lot of planning and a ton of teamwork. For the actual move-in, we had a very short timeline and a lot of requirements to make the move and our new office as secure as possible. We all came together and were able to meet our goal — it was a lot of fun, too. There were some late nights, but it was so satisfying when the job was finally done.
In your time here, who has been a mentor to you?
I’m a traditional network-and-server kind of IT guy, so when I started at IA, SCADA was completely new to me, and I had a lot of questions. Kevin McClusky has been my go-to guy for all things SCADA since the beginning. Whatever my questions are about SCADA architecture, how protocols work, what protocols people are using, he’s always had answers for me. I did a course at Black Hat this year on hacking control systems and IoT; before I went, Kevin gave me a primer on all the protocols and how things worked, and it was incredibly valuable. He’s so knowledgeable about our industry.
What advice do you have for someone just starting out at IA?
Work hard and listen carefully; this company is filled with really smart people who are true experts in their fields. There’s a lot you can learn just from being around the knowledgeable people here. If you put in your time and put in some work, there is a ton of room for growth. It’s also really cool to work at a place with such enthusiastic customers and staff.
What’s your favorite IA perk?
That’s easy, I love our membership with Life Time Fitness. It’s an amazing gym. Also anything with free food or food trucks.
How do you spend your time away from the office?
I’m a bit of a “gym rat,” so I spend a lot of time at Lifetime outside of work. I also love doing Spartan races and obstacle courses; any physical challenges are really fun for me. I’ve done six this year: two five-milers, two ten-milers, and two 15-milers. I’ve officially qualified for a race in Sparta, Greece, and plan to compete there in November 2019.
Author’s note: Jason’s intense gym habit is well-known around the office. Dominic said, “I worked out with Jason one time — never again. I was sore for weeks.” Somehow in spite of the pain, Dominic was convinced to try again, since the two are planning to run a Spartan race together this November.
Can you tell us a little about the Code for Folsom cybersecurity event?
Code for Folsom is a two-day boot camp for high school students to teach them about cybersecurity. I’ll be one of several speakers educating on all aspects of cybersecurity. Security officers from private and public organizations are participating, so there will be a variety of skill sets and perspectives. It should be a really engaging, fun event, and a great opportunity for high schoolers to start learning.
There’s even more excitement on the horizon for IA’s Cyber Security Risk Officer: he’s currently studying for his GIAC (Global Information Assurance Certification) Incident Handler Certification after completing the SANS course “Hacker Tools, Techniques, Exploits, and Incident Handling” in San Francisco. After that, he’s pivoting deeper into training on digital forensics, finally segueing into completing his Master’s Degree in Information Security Engineering.
You can meet Jason in person at the ICS Cyber Security Conference this October 22-25, where he’ll be running the Inductive Automation booth — be sure to stop by if you’re there!