Jason Soroko of Sectigo: “Make sure they are protected by strong authentication via a certificate”

Ensure everything in your digital ecosystem is secure, including your website, laptops, smartphones, sensors, servers, etc. Make sure they are protected by strong authentication via a certificate.


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jason Soroko.

As the CTO of PKI for Sectigo, Jason Soroko is responsible for facing customers, researching, innovating, educating and contributing to strategy, national-level guidance, intellectual property development, and consortium standards. Solving real business problems by synthesizing security state of the art with real world operational needs is what Jason does on a daily basis. He has 20 years of experience researching, innovating, educating markets, developing intellectual property, and contributing to national-level guidance and consortium standards. He works closely with enterprise companies daily to synthesize managed PKI security solutions that meet real-world operational needs.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Northern Canada and live here to this day. Because of my upbringing, I love being in nature and exploring all that the outdoors has to offer. In terms of education, I have a four-year undergraduate degree in geography from the University of Ottawa. Following my tenure at university, my first professional job was as a business systems developer.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I did not always want to be in the cybersecurity space. My initial plan was to stay in research and grow in the academic space. It was during my postgraduate studies that I realized the business world was very appealing to me. Initially, I worked as a business systems developer before moving into a business system architect role. I was then able to channel my passion for research into learning more about security and malware, which got me very deep into the cybersecurity world. From there I worked in the office of the CTO and moved my way up to becoming the CTO myself.

Can you share the most interesting story that happened to you since you began this fascinating career?

The most interesting story is the ongoing story of change. I am privileged to have spent a lot of time directly in front of customers and hear their real-world needs. There is a point of pressure at every stage of innovation where the customer’s assumption of what a needed solution will look like doesn’t match the technology proposed. When the shift from horse and buggy to motorized automobile happened, people assumed the shape of a car would just be a slightly modified horse cart because their imaginations had not yet conceived of the driver-focused enclosed car that we know today. This problem is especially true with security technologies because there is an essential aspect of trust and comfort, so customers have strong expectations. Being able to tell the story to the customer about the larger vision on the technology horizon is always the most interesting story, and that story never ends.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

On many occasions, I find myself quietly acknowledging that a decision or action that I’ve made is based on something I’ve learned from people I have worked with over the years. The most influential mentors to me have been the ones who have taught me the business side of technology innovation. Sectigo’s CEO Bill Holtz has helped me be prepared to work at the management team level, and our best work together has always been to take a good idea and hone it to make it great.

Are you working on any exciting new projects now? How do you think that will help people?

I work with Sectigo’s Quantum Labs, a modernized center of excellence that has enabled long-term cryptographic agility for our customers. I find it intriguing how distributed computing will be used to democratize quantum computing. I’m excited about the prospect of quantum computing, specifically when it is ‘made useful’ through public cloud democratization to help with technological and societal advances. At Quantum Labs, we have a strong team with hardcore technology skills and the resources to try to solve the problem of cryptographic agility. As a security vendor, we have to be able to future-proof our customers. This exciting initiative will go a long way to improving our customers’ overall security posture.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Before the COVID-19 pandemic, there were many good technology conferences that brought together some of the best minds in the industry. I always felt that attending some of these conferences throughout the year exposed me to new ideas and helped me generate my own. Meeting up with colleagues and attending briefings helps me feel refreshed from a professional standpoint.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

1) The learning never ends.

2) The stakes are always high.

3) There is a massive opportunity to make a tangible difference.

Those are the three things that come to mind, but these are true in a wide range of subject matter that’s not just about enterprise IT. The things we work on include critical infrastructure and systems that are responsible for safety. And all of this is happening in a changing world that requires new levels of automation and interoperability, and at scales that have never been imagined before. Meeting those multiple competing challenges is a source of excitement.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Companies need to start preparing for the quantum computing era. Within several years, the fundamental cryptographic algorithms widely used to protect every facet of digital life will be easily defeated by quantum computers. The RSA and ECC encryption algorithms that touch every aspect of our daily lives, from online shopping to validating passports and even managing the control systems powering the electric grid, will be vulnerable to general quantum computing in combination with Shor’s algorithm. New efforts are currently underway to implement quantum-resistant crypto algorithms to thwart these vulnerabilities as well as provide a technology bridge to enable us not to require a complete overhaul of existing systems. The time to get hands-on with this new technology is now, and that’s the purpose of Sectigo Quantum Labs.
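The “technology bridge” this answer refers to is cryptographic agility: code that does not bake one algorithm into its callers, so a scheme can be retired or added without over­hauling the systems around it. The Go program below is an added example written for this page; it is not code from Sectigo or Quantum Labs. It puts Ed25519 and ECDSA P-256 behind one signing and verification path keyed by an algorithm label, refuses labels it does not recognise, and shows why the verifier must also check that the key type matches the claimed algorithm. The labels, the Envelope format and the sensor reading are assumptions made for the example; a post-quantum signature scheme, once a library provides one, would be one more registry entry.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is self-describing: an algorithm label, the signer's public key as PKIX DER
// (an encoding that is itself algorithm-agnostic), the payload and the signature.
type Envelope struct {
	Alg                  string
	PubKey, Payload, Sig []byte
}

// scheme is everything the code knows about one algorithm.
type scheme struct {
	opts    crypto.SignerOpts                                   // which hash, if any, the Signer is told was applied
	prehash func(payload []byte) []byte                         // what is handed to crypto.Signer.Sign
	verify  func(pub crypto.PublicKey, payload, sig []byte) bool
}

// The registry keys are labels chosen for this example, not standard identifiers.
// A post-quantum scheme later is one more entry here; Sign, Verify and callers stay as they are.
var registry = map[string]scheme{
	"ed25519": {
		opts:    crypto.Hash(0), // PureEdDSA signs the message itself, no prehash
		prehash: func(p []byte) []byte { return p },
		verify: func(pub crypto.PublicKey, payload, sig []byte) bool {
			k, ok := pub.(ed25519.PublicKey) // the key type must match the claimed label
			return ok && ed25519.Verify(k, payload, sig)
		},
	},
	"ecdsa-p256-sha256": {
		opts:    crypto.SHA256,
		prehash: func(p []byte) []byte { h := sha256.Sum256(p); return h[:] },
		verify: func(pub crypto.PublicKey, payload, sig []byte) bool {
			k, ok := pub.(*ecdsa.PublicKey)
			h := sha256.Sum256(payload)
			return ok && k.Curve == elliptic.P256() && ecdsa.VerifyASN1(k, h[:], sig)
		},
	},
}

// Sign works with any crypto.Signer (software key, HSM, TPM) for a registered label.
func Sign(alg string, signer crypto.Signer, payload []byte) (*Envelope, error) {
	s, ok := registry[alg]
	if !ok {
		return nil, fmt.Errorf("unregistered algorithm %q", alg)
	}
	pub, err := x509.MarshalPKIXPublicKey(signer.Public())
	if err != nil {
		return nil, err
	}
	sig, err := signer.Sign(rand.Reader, s.prehash(payload), s.opts)
	if err != nil {
		return nil, err
	}
	return &Envelope{Alg: alg, PubKey: pub, Payload: payload, Sig: sig}, nil
}

// Verify refuses labels it does not know instead of guessing; the per-scheme type
// assertion blocks algorithm confusion, a key of one type presented under another label.
func Verify(e *Envelope) error {
	s, ok := registry[e.Alg]
	pub, err := x509.ParsePKIXPublicKey(e.PubKey)
	if !ok || err != nil || !s.verify(pub, e.Payload, e.Sig) {
		return fmt.Errorf("envelope under %q does not verify", e.Alg)
	}
	return nil
}

// AgilityDemo signs one constructed payload under both schemes through the same
// call path and reports which envelopes verify (true = accepted).
func AgilityDemo() (map[string]bool, error) {
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("key generation: %v %v", err, err2)
	}
	payload := []byte("sensor-42 temp=21.5C ts=1700000000") // constructed sample reading
	out, envs := map[string]bool{}, map[string]*Envelope{}
	for alg, signer := range map[string]crypto.Signer{"ed25519": edKey, "ecdsa-p256-sha256": ecKey} {
		env, err := Sign(alg, signer, payload)
		if err != nil {
			return nil, err
		}
		envs[alg], out[alg] = env, Verify(env) == nil
		tampered := *env
		tampered.Payload = append([]byte("X"), payload[1:]...)
		out[alg+"/tampered"] = Verify(&tampered) == nil
	}
	confused := *envs["ecdsa-p256-sha256"] // an ECDSA key presented under the Ed25519 label
	confused.Alg = "ed25519"
	out["algorithm-confusion"] = Verify(&confused) == nil
	return out, nil
}

func main() { fmt.Println(AgilityDemo()) }
```

AgilityDemo returns a map from case name to whether the envelope verified: the two genuine envelopes verify, the tampered copies and the relabelled ECDSA envelope do not. A real deployment would additionally pin which labels a given peer may use, since an attacker-controlled Alg field is otherwise a downgrade lever.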

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

The most important achievement in a breach is what you do ahead of time. Your level of preparation will dictate a lot about what the outcome will be. Knowing your risks and bringing the appropriate level of control would seem to be common sense. Still, security is not a natural skill for most enterprise IT teams motivated to ‘keep the lights on’ and keep systems running. Linear thinking that makes a system run as intended is not as helpful in a breach event where the adversary is thinking diagonally and using your system to do things you never intended but are nonetheless possible. Unfortunately, Hollywood movies and sensationalist technical journalism have made most people believe that a cyber adversary is somehow ‘breaking’ your computer system. In the vast majority of cases, nothing is being broken at all, except for faulty assumptions about how a system is supposed to function. Perimeter-based security and too much trust in enterprise networks within the firewall environment are the past trends that have led to a multi-decade rethink about how to improve security.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I use Secure/Multipurpose Internet Mail Extensions (S/MIME) email certificates every day. This way, my digital notes are encrypted and secure from cybercrime. S/MIME email certificates provide a seamless means of adding the digital signatures needed to fight Business Email Compromise (BEC) fraud. S/MIME email certificates:

  • Automatically encrypt and decrypt emails.
  • Display encryption via the blue lock symbol in popular email programs.
  • Tell users emails are authentic and unmodified via checkmark icon.
  • Decrypt incoming attachments.
  • Automatically encrypt replies.
  • Encrypt all sent attachments.
  • Deliver the same experience as a plain text email.
  • Utilize the same email repository and search.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

The risks for any enterprise or smaller organization are unique, but what would help, regardless of your organization’s size, is to partner with a security vendor with the necessary experience and expertise. Part of your security control procurement process should include questions about what level of value the vendor offers as a partner in your security needs. At Sectigo, I work with colleagues who have solved some of the most complex security needs that have existed. The partnership value-add beyond just the ‘over the counter’ software is enormous.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

The assumption that you will be able to tell that you are suffering from a cybersecurity attack of any kind is a flawed assumption. Read any of the critical incident handling publications, and you’ll find that organizations that have a lot of theoretical capability to detect an adversary are often not the ones to find it, but instead receive a call from someone else who has detected it. It’s not right to expect a layperson to somehow have better capability. The old adage, ‘my computer is acting strangely’, may or may not mean anything other than a bad configuration or a poor internet connection. Still, most importantly, a person needs to be able to go back to a previous known state. That means keeping backups and being able to restore that backup.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

I believe in finding a good security partner ahead of time. Incident response is a specialized skill, especially for the technical aspects of the response, and no matter how big your internal team is you probably will want to engage the pros. The amount of basic preparation and security hygiene you do ahead of time will help determine your outcome. That spans everything from your corporate communications, to knowing your liabilities and measuring those against cyber insurance, to simply knowing where your crown jewels are and what (if anything) happened to them during the breach. History has shown that there is a big difference between a good and a bad response, and the best responses have come from companies that were prepared and utilized strong security partners.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

Our internal response has been to ensure our own compliance. The response we see in our commercial business is that customers are moving towards more secure systems that rely on public key cryptography to safeguard data wherever it is. In other words, regardless of the letter of the law or federal guidance, enterprises are anticipating that the future will have more legislation like this. So rather than trying to guess the future and the exact nature of every word of legal text, it’s better to just blanket secure as much as possible. To put it simply, it has driven demand for the security business. I could describe other legislation affecting the IoT vendor business and the writing is on the wall that it’s time to take advantage of digital identities to secure data at rest, data in transit and ensure that strong authentication is occurring between any nodes, assuming that the network boundaries being crossed are all hostile, even if the network is behind a firewall. That’s the trend and it will be with us for a long time.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The biggest mistake is to fail to understand the risk you face, and to also fail to match the security controls to mitigate that risk. It is less common now, but for a long time it was common to hear customers say that they felt that they were not targets. That failure of understanding was based on the idea that the adversaries were after the largest hoards of cash and their motivation was purely fraud. Perhaps that is caused by watching too many bank heist or train robbery movies. The bad guys are playing a much bigger game. Data is worth money, and the data you have even as a smaller player is worth money. The bad guys are skilled in ‘big data’ and they are able to cross correlate data from many sources that they breach, making everyone’s data highly valuable. Everyone is a target. Security through obscurity and security through hiding behind the underdog claim has failed everyone who has attempted it. Additionally, while I understand that it can be daunting to choose good security controls, what needs to be done first is to take an honest inventory of your risks. There are the obvious risks associated with fraud and breach liability, but there are also risks associated with your brand, your operational capabilities and even your employees’ and customers’ wellbeing in the case of critical infrastructure. Smaller enterprises with modest data don’t have to procure complex security controls that they don’t need, but they do have to match the controls they procure to the risks they actually face. It’s that matching of risk and associated control that may need the help of a security partner.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Between distributed workforces and scattered schedules, the COVID-19 pandemic has forced enterprises to modernize their security measures. With this, we’re witnessing an uptick in errors caused by the disruption. As a result, businesses have turned to zero-trust security principles, and the concept of digital identities is central to any zero-trust strategy. Now more than ever, it is necessary for enterprises to utilize automated management of digital identities to scale deployments successfully. As employees continue to work remotely, the zero-trust approach is the best fit for distributed environments and is critical for security.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Be on the ready — Your company will be attacked

All companies, including yours, will be attacked. Despite maybe thinking otherwise, no company is too large or small to be targeted by cybercriminals. Every company has something of value to an attacker, whether it’s intellectual property, customer contact lists, or logistical access to partner enterprises.

2. Train all your employees on security policies

Especially with remote workers, it’s imperative that employees understand the basics of digital hygiene and are trained to recognize social engineering attempts like phishing. A 2020 Wakefield Research report identified phishing as the biggest risk to data, systems, and operations due to employees working remotely. All staff should understand the basics of avoiding malware, viruses and phishing — as well as the bare bones of digital identity.

3. Secure every device and endpoint

Ensure everything in your digital ecosystem is secure, including your website, laptops, smartphones, sensors, servers, etc. Make sure they are protected by strong authentication via a certificate.

4. Trust in zero-trust architecture

Too much is trusted implicitly. With zero-trust, that’s not an issue. Central to any zero-trust strategy is the concept of digital identities. Now more than ever, the zero-trust approach better addresses today’s distributed environments and is critical for operational and secure success.

5. Simplify security

Make security simple by managing your security using a single pane of glass. By using a digital identity manager, all your digital identities, security processes, and protocols are centralized and simplified.
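Points 3 and 4 together describe mutual TLS: every device holds a certificate issued by the organisation’s own CA, and a service admits a peer only on a verified certificate chain, never because of where on the network the connection came from (the earlier answer on legislation makes the same point about treating every network boundary as hostile). The Go program below is an added example for this page, not code from Sectigo or the interviewee. It mints a throwaway fleet CA and device certificates, starts a loopback HTTPS gateway that requires client certificates, and tries three callers: an enrolled device, an anonymous client, and a device with the right name whose certificate chains to a look-alike CA with the same name but a different key. The names fleet-ca, gateway.example and device-42 are assumptions for the example; the CA and the gateway are in-process, and the generic must helper needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must keeps the demo short: minting certificates on loopback is not expected to fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a short-lived P-256 certificate: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent that can act as a TLS server or a TLS client.
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived: rotate rather than revoke
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root for the fleet
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// connect calls the gateway as a device presenting dev (nil = no certificate at all).
func connect(url string, roots *x509.CertPool, dev *tls.Certificate) string {
	cfg := &tls.Config{RootCAs: roots, ServerName: "gateway.example"}
	if dev != nil {
		cfg.Certificates = []tls.Certificate{*dev}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url) // under TLS 1.3 a rejected client cert surfaces here, after the handshake
	if err != nil {
		return "rejected: " + err.Error()
	}
	defer resp.Body.Close()
	return string(must(io.ReadAll(resp.Body)))
}

// MTLSDemo runs a loopback gateway that demands a client certificate and tries three callers:
// an enrolled device, an anonymous client, and a same-named device from a look-alike CA.
func MTLSDemo() map[string]string {
	ca := issue("fleet-ca", nil)
	gateway, device := issue("gateway.example", ca), issue("device-42", ca)
	impostor := issue("device-42", issue("fleet-ca", nil)) // right names, wrong keys
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Identity comes from the verified client certificate, never from the source address.
		fmt.Fprintf(w, "authenticated %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, no session
		ClientCAs:    roots,
	}
	srv.StartTLS()
	defer srv.Close()
	return map[string]string{
		"enrolled-device": connect(srv.URL, roots, device),
		"no-certificate":  connect(srv.URL, roots, nil),
		"rogue-ca-device": connect(srv.URL, roots, impostor),
	}
}

func main() {
	for caller, verdict := range MTLSDemo() {
		fmt.Printf("%-16s %s\n", caller, verdict)
	}
}
```

The enrolled device is greeted by the name taken from its certificate; the other two callers are turned away with a TLS alert. Under TLS 1.3 the client’s half of the handshake can finish before the server has checked the client certificate, so the rejection appears on the first request rather than on the dial, which is why connect reports the error from Get. In production the device key would live in a TPM or secure element and the certificate would be issued and renewed through an enrollment process rather than minted in-process as here.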

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

I would influence the need for education, globally. Any and all investments in education worldwide help everyone, not just because it ensures a better future, but also because it’s a fundamental expression of respect and patience. If you are important enough to educate, then you by definition are respected and deserve patience. That’s true whether the student is a child or adult. It not only makes a smarter person, but it makes a person who will pass along respect and patience in their own lives. I do not believe we live in a world that is a zero sum game. I believe emphatically that we live in a world capable of win-win relationships. Education in itself may not be simple and fast, but a culture that accepts it as fundamental, for itself and for others, has immediately made a decision that affects everything for the better.

How can our readers further follow your work online?

You can find me on LinkedIn and tune into my podcast, Root Causes, on Spotify, iTunes, SoundCloud, Apple or wherever you listen to podcasts.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
