How’d You Get Here with Jason Waits: A Professional Journey28 min video / 28 minute read
Jason Waits talks with Arnell J. Ignacio about his professional journey at Inductive Automation. In this discussion, they explore Jason’s experiences from the early days all the way to his current role as Chief Information Security Officer. Jason also shares what it is like to work at Inductive Automation, what makes IA such a unique place, his journey to becoming the Chief Information Security Officer, and much more. We also get a peak into Jason’s interests and what he sees for the future.
At an organizational level we have really low turnover, but like, specifically on my team, I think mostly when we hire people and once they kind of see the atmosphere we work in. I think we pretty much all agree like, ‘Oh, this is probably the best place we've ever worked.
Chief Information Security Officer - Inductive Automation
Jason Waits started at Inductive Automation in 2016 and previously served as Cyber Security Risk Officer and Director of IT/Cyber Security. In his current role as Chief Information Security Officer, Jason continues to strengthen the company’s cyber security stance by maintaining a central and high-level view into the needs of our entire ecosystem, and works to continually protect all of the company’s products, data, and digital assets from cybersecurity threats. Jason has a Bachelor’s of Science in Information Technology from Western Governors University and is completing his Master's in Information Security Engineering from the SANS Technology Institute. Jason was also part of the first-place team in 2017 US Cyber Challenge and received a letter of recommendation from the Department of Homeland Security for his efforts.
Arnell: Hello and welcome to Inductive Conversations. My name is Arnell J. Ignacio, and we're here doing another episode of How'd You Get Here? where we explore the professional journey of an Inductive Automation employee. Today, joining with me is Jason Waits. He's the Chief Information Security Officer here at Inductive Automation. Welcome, Jason.
Jason: Hey, happy to be here.
Arnell: Before we jump in, can you please tell us a little bit about yourself and what you currently do here at IA?
Jason: Yeah, as you mentioned, I'm a Chief Information Security Officer. So I'm currently in charge of running our corporate security program. I've been here for about six and a half years. Started in IT, and I was formally tasked with building out a security program in early 2018, so I have been pretty focused on cyber for the last about five years now. I currently run a team of... Our security team and also oversee IT.
Arnell: The work that you've done has been great for both the organization, both the product Ignition. So prior to IA, what were you doing and what prompted you to wanna make a change?
Jason: Yeah, at the time I was working as a network administrator for a grocery store, running all their back-end IT systems, databases, point-of-sale, Wi-Fi, you had to maintain stuff like PCI compliance and things like that. I'd finished a bachelor's in IT with an emphasis on network engineering and systems administration, and I was really fired up about moving to security as well, and I was looking around for a bigger environment, I'd outgrown my current environment, so I was looking for just a new role with more tech to play with.
Arnell: Has security been something that you've been interested in since... For a long time, or was there something that got you interested in that?
Jason: I think I really thought of it as a plausible career path back about 10 years ago, so I was doing... I did a security course in college, and I think in the first week I was like, “Oh, I think I'm going into security." So I was pretty much... Caught that bug.
Arnell: And so in the midst of your search, you're trying to look for new opportunities, how did you come across Inductive Automation?
Jason: I was pretty lucky. I just stumbled upon a posting for an IT position on LinkedIn, and really easy to apply. I had a call back really quickly, and within about a week I was hired. So it was pretty... It was pretty surreal. I'd been kinda starting to kind of loosely look around, but not super aggressively, and I saw Inductive and it was a compelling job posting, and here we are.
Arnell: And at the time... You kind of touched upon it, what attracted you to IA and what made you decide to take on the position?
Jason: I think I really liked, one, that it was a software company. I thought it would be a really great environment to play with a lot of technology and hopefully be fast-moving and just a lot of the things to do. And then I also really liked the industry it was in, making SCADA software, that was pretty new to me. But just going down rabbit holes, learning about that, it's pretty critical stuff, and so I really liked the mission of supporting a company that makes software used in all these critical industries all around the world, like massive companies doing really cool stuff.
Arnell: Yeah, it's kind of funny talking with other individuals who have come on board, industrial automation is not the first thing that comes to mind when they apply to a company, but once you get into it and you start learning about all the different things that are occurring in an industry, how our software works with that, it's... You start to see what can happen and what is being done, and it's really cool to be a part of that, so... Yeah, I can understand your view on that. So when you first started here at Inductive Automation, what was going through your mind at the time? Anything that stands out to you?
Jason: It was just kind of surreal. I landed a really cool job at a really cool company, and it was just a really fun first year. I got a lot of exposure to a lot of new things. I was doing exactly what I wanted to be doing at the time, which was networking and security and some systems administration stuff. And then I end up half doing just dedicated security work. It was just a really cool company, everyone was so nice, and I was just surrounded by so many smart people and stuff, it was just like... Yeah, it's good times. Really fun first year.
Arnell: So yeah, let's take a look at that journey at IA. Can you briefly talk about your progression here? What skills you were starting off with? What skills you picked up along on the way? And what were some of the projects that you were working on that put you on the path to success?
Jason: So I started out kind of focused on a lot of networking, running our network here, our switches, our access points, our firewalls and any of the security tools we had at the time, and did IT support on the side, ran Linux servers and Windows servers, Active Directory and stuff like that, and just got to really upgrade and fix and tune and implement a lot of new things in those areas. I think one of the bigger projects was to get to rebuild the entire network stack as we moved to the new building, and that was around what? 2017. So that was a huge project, just completely new architecture and baking a whole bunch of cool security stuff, really fun project, so... Otherwise, I just got to wrangle in a lot of these things and just more upgrades and updates and implement some new security tooling.
Arnell: At the time, where were you... What was your role when you first began? What was the title that you started off with?
Jason: I was IT Support Specialist when I started.
Arnell: And then you progressed to... What was your next progression in your journey?
Jason: My next title was Cyber Security Risk Officer.
Arnell: And then from there you got to the Chief Information Security Officer?
Jason: Yep, basically. I think I was Director of Cybersecurity somewhere in the middle there too. So once we turned cybersecurity into its standalone division, started adding more members and fleshing it out, so now the role is a little more global in scope and scale.
Arnell: And then I ask this question from a lot of individuals, have you... Did you envision yourself being in the place that you are now?
Jason: Definitely not, no. Definitely not kinda at the top of the food chain, in terms of security. I expected to end up being a security engineer, or just kind of do... Working in security, building our defenses, implementing detection and response capabilities. That's kind of what I expected, so I didn't quite expect the trajectory I've had here.
Arnell: You were mentioning how you were coming up with all the systems and infrastructure for a new building, is that something that was exciting for you to work on?
Jason: Yeah, that was probably the highlight of my career here. I feel like... I think most people who are involved on the IT side probably feel the same way, but it was really cool to just architect a whole new kind of building from scratch and to do all the groundwork to get it operational and then to watch people's kind of faces when they walked in that first day. 'Cause we'd been working on the building for a year, and then so most people just showed up. They went home on a Friday and they showed up to a new building on a Monday and it was like completely new thing. So that was really cool. It was a lot of fun. A lot of work. A lot of fun.
Arnell: Yeah. No, I can imagine the amount of work that went into it and thank you for all the work that you've done and the team has done here to make the building what it is today. Were there any like challenges or accomplishments that you, that stood out during the work that you did here at the building?
Jason: No. I mean, I think the biggest challenge was just the timeline. We had a pretty short timeline to move everything from one building to the other. We did all over a single weekend. So.
Jason: We had to send people home on a Friday, move everything over on Saturday, Sunday, be operational on Monday. So that was pretty crazy.
Arnell: No. Yeah, no, and I remember when we did that transition and yeah, it was fairly seamless, we just left the other building and then, as you said, the weekend, we came back on the Monday and we were up and running and ready to go. So yeah, it was really cool. So while working for Inductive Automation, for the company, what stands out to you as being the most important? What is important for you while working here?
Jason: It is just really been nice to work with a lot of just really smart and nice people in a very kind of transparent and collaborative culture where we all work together to solve these problems. So I think that's been a really key factor, I guess.
Arnell: What would you say would be a unique, what's something unique to IA that you find working here?
Jason: I think just how happy and mission-driven those people are and how... It's been really cool to see kind of the customer side of things too. How many cool customers are doing really cool stuff and with our product and then how much they appreciate the company. And so that helps keep a really positive vibe inside the company. And then we have people just kind of working together to solve some of these problems for people.
Arnell: And how would you describe the culture here at Inductive Automation?
Jason: It's just very mission-driven and collaborative I'd say, just a lot of people working and teaming up to solve problems. It's really easy just to Slack someone and jump on a quick meeting with them and hammer something out across division lines and stuff like that. So the growth's been pretty crazy for the last five, six years, so just a lot of new faces, a lot of growing and scaling and doing that in efficient ways has been a lot of fun.
Arnell: Yeah. And having, becoming a remote-first company recently, how has it been like to... Has the IT been, have they been remote? Have they been onsite? Has it been like kind of hybrid type of structure and how has it been like with that structure?
Jason: I guess we're a bit split, so the security team is fully remote. All the other members are in other states. So that's been no problem at all. We have really good communication. With stuff like Google Meet and Slack and stuff, it's really easy to stay in solid communication with each other. The IT team, they're split some of the members who run the data center or do like help desks out work have, there's an in-office component to that since we have a building. So they're usually in some kind of a split state where they're in the office one or two or three days a week. Other people working in like the Cloud Engineering team, they're fully remote.
Arnell: Do you feel like Inductive Automation gives you what you need to succeed here?
Jason: Yeah, absolutely. In a lot of companies, IT or security are kind of looked at as cost centers because they're not directly generating revenue, but IT or security divisions are pretty foundational to an organization's success, because we're doing stuff that underpins everything everyone else is doing. We're using technology to solve problems through automation to make things more secure, safer, faster, more consistent. And so when you shortchange that you end up with just operational issues that burn you in the end. So I guess I'm really thankful that we've always had a pretty solid... I mean, we're a tech company and so no one's ever fought that, and we embrace technology to solve these business problems. And so we haven't had to be in that situation that I see peers in other companies in, where it takes years to solve these problems or they just don't have budget to actually solve it. And they're constrained in ways that I'm not. So that's... Well, it makes it really fun. And that's why I think on my team, we have... And that at an organizational level we have really low turnover, but like, specifically on my team, I think mostly when we hire people and once they kind of see the atmosphere we work in. I think we pretty much all agree like, "Oh, this is probably the best place we've ever worked," and if we ever went anywhere else, you would be... It'd be just so hard, because you'd be so constrained in these... By what you can do and the problems you can solve.
Arnell: From what you're saying, it sounds like security is a... Sometimes in a lot of organizations not top of mind, and it should be. And so with that, when you have employees that are coming in, or applicants I should say, coming in to Inductive Automation and they start seeing the different things that we have here, do you find that there's a bit of a surprise on their part of how we operate in terms of kind of the industry?
Jason: Definitely. I think the vast majority of companies don't have really robust security programs. And that's why you're kind of seeing these like ransomware breaches in the news on a daily basis at this point. Stuff that would've been massive news five years ago is a daily occurrence now. So this stuff isn't kind of going away and a lot of companies just kinda underfund areas like security until something bad happens. And then they realize, "Oh, well I guess funding security and investing here is cheaper than the alternative." Kind of a sad state of affairs.
Jason: But you know, so a lot of these industries only do what they're kind of mandated to do by whatever compliance, the framework they have to follow. And so what I find is that most people I interview or hire come from very compliance-focused roles where they're less so solving technical security issues and implementing security and doing like the real good meaty work. They're instead just doing what is required of them to make sure they can check some compliance box so to speak. And so when you come here and we're not constrained by compliance frameworks that mandate things that maybe are 10 or 15 years old, we're actually just assessing risk and reacting to it as fast as we can and trying to keep up with the trends and stay on top of it. So there's just like, I guess there's a level of agility that you... Most people probably aren't used to in wherever they were previously.
Arnell: No and I think that's very apparent here in terms of how security's approached, I feel like we're a little... We're a lot more proactive in terms of our security. You know we have a security hardening guide, your department or your division puts out a lot of great resources in terms of training when it comes to security. So I feel like it's always top of mind and it's not something that we're kind of trailing. I think we're kinda, we're there on the forefront of it and making sure that we're always in a good position. Especially, the product that we make in some cases it's mission critical so it's good to have that in place.
Jason: Yeah, I mean, just to touch on that, I mean we have no choice to be proactive in this regard because we're an increasingly critical part of the supply chain for some really important customers, you know, all around the world. And so that gives us a really good mission statement there to make sure nothing goes wrong, make sure we're doing our due diligence, to invest in this area.
Arnell: Yeah. Yeah. And I like how we're, not only we're proactive, but we're also working well with our Ignition community. And a lot of the messaging that we have about security is that it's a kind of a mutual... It's a mutual thing. You know, we can put security as much as we can, but it also is upon our users and our customers to implement best practices. We're providing the tools, but it's also up to our customers to implement that. You wanna kinda speak to that a little bit?
Jason: For sure. I mean, so Ignition's a platform so you can... It's gonna be whatever you make of it, you can do amazing things with it. You could also probably do terrible things, and that's why we put out stuff like the security hardening guideline. There's been a tremendous amount of work that's went into that. So definitely that's my number one thing to recommend any customer is make sure you are aligning to that because, just doing the basics gets you a really long way in security. In almost any crazy breach you read about, it's basically someone skipping something very basic. It's usually not... You don't need super fancy machine learning, AI-driven, cutting-edge security tools to stop a lot of the bad things that happen. It's just really basic stuff like we outline in the hardening guideline, turning on encryption, using multi-factor authentication, keeping things up to date.
Jason: So as you mentioned, we do our part and we try to keep Ignition free of vulnerabilities. We regularly engage in third-party penetration testing. We participate in things like Pwn2Own competitions where our software is targeted and people disclose bugs to us, so we fix those as fast as we can. And we have tools built into the pipeline that will find vulnerable versions of dependencies, fix them and ship that. But that's our part, right? And so it's kind of on the customer to make sure they can upgrade their Ignition instance regularly as well. So definitely we recommend as much as possible, and I think we actually have a blog talking about this, make sure customers try to put themselves in a position where they could patch quickly if they need to, because we could fix a bug in five hours, but if someone's on a two-year patch cycle, it's not gonna help them much.
Arnell: And it's interesting that you mentioned the Pwn2Own. I think that's been kind of an exciting thing that we've seen here at Inductive Automation. I know we've participated in I believe two already, is that right?
Arnell: And so we've seen messages come through of how we did that, and it's kind of interesting to actually engage in that. Do you find that a lot of companies want to engage in that or is that something they kind of shy away from altogether?
Jason: You know, in the big picture historically, a lot of companies shied away from this. If you look back 10-20 years, a lot of big companies were trying to sue security researchers that were saying, "Oh, hey, we found a vulnerability in your software." And the default response would be, "How do we silence this? Makes us look bad." Increasingly, large companies are kinda embracing this approach and kind of thanking the researchers and working with them proactively. But I think this is still fairly new for industrial control systems and IT stuff. So that's why the Pwn2Own competition was kinda a big deal when they launched in 2020 there. So we were super happy to be part of the first one and the second one.
Jason: And, but definitely, I mean, definitely not all the... You know, not all the potential targets were actually included. There're definitely a lot of companies that would prefer not to have vulnerabilities found and disclosed. But at the end of the day, these researchers are just finding vulnerabilities that exist in software. So the faster we find 'em and fix 'em, you know, the better off we are. It's better to have an ethical researcher find it than an adversary in another country that wants to use it for harm.
Arnell: And is that something that... When they first had that is something where we were... Were we invited to that or is that something we said,"Let's try this and be a part of that." How was that? How did that look like in the beginning?
Jason: Yeah, I think they started with a couple categories they wanted to target, and then they just reached out to people that they wanted to include. And so we were on that initial list. I believe it was the HMI category. And so we, yeah, I was stoked when I saw that email 'cause we pay lots of money to third-party testing... Testers to test this up already. So this is just a shot to get dozens of more researchers taking a crack at it and trying to find some stuff that we could use to help improve Ignition. So super fun. Really fun to go to that first one. Definitely one of the highlights of my career here. And to see the response on our side was also really cool to watch the software engineering team fix those bugs as quick as humanly possible.
Arnell: Yeah, no, I think when we saw how... When we first saw the results of that and then how we responded and then at the speed at which we put something out, I think that's... It was a great way for us to show that we're proactive about it and that we're making... It's not like we're hiding the fact, software has a lot of vulnerabilities. It's just kind of the nature of it, right? But it's a matter of how we approach it and how we respond to it. And it's kind of like, it's an ongoing thing. We gotta just continue to be on the lookout and to be on top of it. And definitely the work that you've been doing, and definitely your team has been doing has shown that. And so it's great that we have been participating in stuff like that.
Jason: Yeah, I think prevention is ideal, but detection and response is a must. And so a lot of our security program revolves around doing the best we possibly can from a proactive preventative standpoint, but otherwise building out response capabilities. And I personally always judge vendors on their response. How do they respond to bad stuff? Because there's always some weird potential thing, one-in-a-million chance that could happen, or vulnerabilities, right? They're just present everywhere. It's part of the game. So how quick do you respond and what kinda attitude do you take in that regard?
Arnell: Yeah. So looking into the future, what do you foresee for yourself, for the company, software, the industry as a whole, what do you see coming down the pipeline in that regard?
Jason: For the company, I think we'll just continue to grow and just keep adding more consistency and maturity to our programs and processes. Our teams will scale and we'll just keep... From the security standpoint, we're just gonna keep trying to build a world-class program here. I think in my new role, I will increasingly start to reach across division lines on some bigger issues as well. Collaborate more with other divisions and some stuff like that.
Arnell: And so I think in regards to looking at the future, do you foresee any challenges that could be on the way or be there, if you will?
Jason: In general, just the increasing amount of stuff we're putting online and the increasing amount of reliance on technology is definitely gonna be a challenge in the future. There's so many factors here, but the increasing connectedness of all this stuff, this IT-OT convergence that people talk about, there are implications there for reliability and security. So, absolutely benefits to doing this stuff too. But there are always downsides and so I definitely worry about people moving too fast in this regard and hooking up critical systems to stuff that has a path to the internet and things like that that could result in some bad stuff. Similar to what we see with, like, cloud, as people quickly move to the cloud, they kind of made some rookie mistakes that cause some big issues, 'cause they're now exposing stuff that wasn't previously exposed. So there's a lot of stuff has been kinda hidden by air gaps in the past that might come to light in the future unfortunately.
Arnell: It just requires a lot of planning and a lot of work on the customer side, on our side just to work... Again it's that mutual relationship that we have with our customers to make sure that everything is considered and make sure that things are in place. And instead of like, "Oh, here's some new thing, we'll just jump right into it." 'Cause a lot of times people do that. They're like, "Oh yeah, this is so cool, we'll just jump into it." And then, later along down the line, they just didn't realize or take a look at things to make sure everything was in order. So.
Jason: Yeah, an ounce of prevention is worth a pound of cure, right? So it's very true in security. So just properly planning some of these deployments and following like hardening guidelines and proper segmentation gets you a long way. It's way harder to add that stuff on later.
Arnell: Yeah. Do you find... When it comes to security for a lot of people, do you think it's just where to start? Is that kind of where people get caught up with when it comes to that?
Jason: Yeah, it's hard. There's a lot of stuff to consider. Security sits on top of everything underneath it, right? So you have like... Just so... There's so many layers. It's very complex. There's a huge lack of talent right now. Unfilled jobs maybe more so. And when you're time constrained and you can't figure something out, it's easier for some people to just ignore it and say "I'll do it later." So it's really common troubleshooting approaches to turn off the security stuff, get something working and then people often forget to turn it back on.
Arnell: We've been talking a lot about the things that you've been doing here at Inductive Automation and kind of the focus on security. So let's focus outside of work. What are some of the things that you like to do or are involved in?
Jason: I'm currently working on my master's degree, so it's about three years running, so about to finish up in six weeks. So, still do a lot of cyber security stuff outside of work around that master's degree. Listen to a lot of podcasts and audio books. Mostly cyber focus, so pretty big part of my life. Otherwise, my outlet is kind of fitness-based stuff. I like to work out a lot. I have a nice home gym now, thanks to COVID. Do a lot of obstacle races, I think I've done 35-ish Spartan obstacle races.
Arnell: Oh, fantastic. Yeah.
Jason: I have recent shoulder surgery to prove it.
Jason: Yeah, it's usually my outlet, just to try to disconnect from tech as much as I can.
Arnell: The Spartan races that you've been involved in, how did you get involved in that, as opposed to other sort of competitive fitness events?
Jason: Yeah, so I actually hate running, but I always liked lifting and climbing things and kinda like American Ninja Warrior style stuff. It was more appealing. So I definitely just saw some of the obstacles. I was like, "Oh, I want to go crawl through mud and then climb over that giant thing or jump over fire." So it sounded cool. I don't know. So I like stuff that's as far away from my day-to-day, I guess, as possible. So that was appealing. And then I had to run as part of those things in between those obstacles, but mostly just showed up to climb stuff.
Arnell: And has there any been a particular Spartan event, a race that stands out to you?
Jason: I did one, I didn't like do... I'm not saying I did well, but I did the World Championship course, I think it was back in 2018 in Tahoe. So it was a way up there, really high elevation. It was a brutal course, super cold, had to swim in like 30 degree water, people were getting hypothermia. So that one was fun. It felt good to finish it.
Arnell: Excellent. Well this wraps up our podcast. Jason, thank you so much for joining me here today. Thank you, having conversation regarding your journey here at Inductive Automation. Is there anything that you... Any parting words that you want to leave with our audience or with any perspective applicant to IA?
Jason: To future applicants, I think it's a great place to work. The vibe, the culture, the people are fantastic. So it's been just a nonstop stream of new projects and things to do and growth that's been a really positive experience, I think. To customers, please follow the Ignition security hardening guidelines, so it's my big plug there. Otherwise, I mean, it's just really cool though to see what our customers are doing with our software. We had ICC a couple months ago, so just every time hearing these crazy things that people are doing, 'cause I'm a bit removed from the customers’ side of things, so it's always a nice refresher to see just the scale and the scope and the creativity that some people are showing. It's pretty awesome. So it makes it really... I dunno really, it feels like we're doing good work here and our roles are all important. So a lot of fun.
Arnell: Yeah, it's always great to see what our customers do with our software. And again, thank you for your work with security and thank you for everything that you've done here at Inductive Automation. Again, thank you for joining with me, Jason, and I hope you have a great day.
Jason: You too.