Host: Hello everyone, welcome to another episode of ExtraMile by HiTechNectar, an interview series that assesses the latest innovations, tech trends, strategies and more. I’m your host Rittika and I’m glad to introduce our guest for today’s session, Jake Martens, Field CISO of Upwind Security. The firm aims to establish the world’s best cloud security platform.
Alongside that, Upwind is making AI integration easier for cloud security. As a visionary tech leader and the Field CISO of Upwind Security, Jake intends to offer runtime visibility across the tech stack in all cloud environments. Let us explore his professional journey over the years and understand how Upwind is strengthening cloud security for businesses.
Welcome Jake, it’s a pleasure to host you today.
Jake: Thank you, it’s great to be here.
Host: So, your experience in the tech industry spans over three decades. Tell us about the key highlights from your journey.
Jake: I guess maybe the only thing that’s more indicative of my being old than three decades is the lack of hair that I have. But it’s a good question. And again, it’s great to be here.
I think for me, several inflection points. So, I started my journey at a little company called Hewlett Packard and then went with a spin-off of HP. And I think one inflection point there was my first leadership role.
So, taking the reins of actually leadership and management and going from being the key individual contributor to leading a team of individual contributors and the different perspective that that represented for me. I think secondarily, moving from the leader and manager of the team and a technology that I knew inside and out to being a senior leader over multiple teams, many of which I didn’t know the inside and outs of their work and learning to contribute even further through others. I think the next one would be after nearly two decades at HP, I left, really had a bit of an internal conflict and decided it was the right thing for me to leave, to go do something else and really fundamentally prove to myself that I could learn entirely new people, technology, applications, products, acronyms, industries, all of it.
And it was, I think the most important inflection point for me was to really prove to myself, despite a lot of transition and changes within HP and Agilent to actually go and do something else entirely. I think third, so I went to Oracle for six years and I had an amazing run there about half of the time leading secure cloud consumption as a member of the internal IT risk management function and about three years working closely with product development and in-product development leading secure cloud deployments and departing there as vice president of cloud security. But choosing to leave there again to prove to myself that I could go do something else, I loved the CISO role and really wanted to go and do that full-time and in a smaller tech company than the massive Oracle shop.
So, I pivoted to multiple CISO roles after that at relatively good-sized companies and learning the inside and outs of all aspects of cybersecurity, taking that broad role, if you will. I think additionally, and maybe the last two, I’d comment on an inflection point a few years ago where I really wanted to learn more about the startup culture, venture capital, private equity, portfolio companies. So, stepping into a variety of advisory roles there, learning about investment rounds, learning about the startup culture, learning about exit strategies, just really both informational and inspirational in terms of just understanding that ecosystem better.
And then last, really in just in the last four months or so, pivoted to this Field CISO role at Upwind and really wrestled with the idea of going into a Field CISO role. I don’t ever want to be in sort of selling out my practitioner mindset, but the way the company approaches the role and the way that I’ve set it up here is that it’s not about sales. It’s not about quotas.
It’s not about commissions. It really is about representing the practitioner mindset internally and fundamentally expanding my impact and value beyond a single organization. And I get to help multiple, in some ways, countless practitioners and organizations do better.
Host: Yeah, that sounds like an excellent journey. Moving ahead, considering your expertise in the cybersecurity domain, how do you think security practices have evolved over the years?
Jake: Oh, yeah. They certainly have evolved substantially, right? From the late 80s, early 90s, where we were talking about perimeter-based protection, this sort of hard outer shell, early antivirus protections to combat the early worms and basic known signature threats.
And then the evolution in kind of the mid-90s to the 2000s, where you had the expansion of the virus threat, much more targeted on government enterprises. You got into some of the early reputational and behavior-based detection and response kind of pivoted from antivirus to EDR. The first large-scale denial of service attacks, demonstrating the potential disruption on a worldwide global basis. And then you started to see kind of the first focus on preparedness and response and CERT teams and that sort of thing.
Kind of the 2010s and maybe up to about 2020, early 2020s, you saw the increase of attacks that are motivated by profit, expanding attack surfaces, including the cloud and your interconnected third parties, more sophisticated attacks like ransomware and advanced persistent threats. And all that drove an important need for constant monitoring, constant threat detection and response. This concept of zero trust or that hard outer shell was determined to be a myth.
The bad guys are already inside, and how do you protect things differently? I came from application development. And so, this was about the early days of protecting the product development process earlier for coming in focus, rather than doing some sort of a review as you’re putting it into production or a pen test afterward.
And kind of the beginning of the importance around user education and employee training to combat threats like phishing and social engineering, the beginning and emergence of multi-factor authentication, for example. And really the last couple of years, you’re starting to get into this sophistication of AI, deep fakes, the need for true zero trust philosophies, the recognition of complex multi-cloud security to accompany the complex multi-cloud reality of modern organizations. Generative and AI security, while we have to embrace experimentation, we have to govern and manage the risk as well.
And I think the last thing that I think we’re seeing now is this, the critical lockstep partnership between cybersecurity and development teams. It can’t be a conflict. It can’t be tolerating each other. We really have to recognize that we’re in it together.
Host: Yeah, totally agreed. Shifting our focus to cloud security essentials. Cloud security is unignorable as global firms are turning toward cloud infrastructure very rapidly.
So, according to you, which practices and trends are ruling the cloud security sector?
Jake: Yeah, some of which we’ve talked about, but I think zero trust is a big part of it. You have to assume breach. You have to assume that you’ve got the people you don’t want already inside and how do you navigate what they can do and what they can exfiltrate and that sort of thing.
Next-generation identity and access management capabilities. Again, both of those in practice rather than the sort of theoretical or high-level philosophies of the past. You’ve got critical practices around continuous real-time monitoring.
No longer good enough to do the static sort of stale once in a while scanning, even daily scanning is not sufficient. And then the hybrid cloud reality, which I mentioned a bit ago, the reality that we may have a preferred CSP and we may be fundamentally mostly in one shop, but almost every large global organization is in every one of the clouds. And what’s the responsibility model and what’s the consistency of your cybersecurity practices across that multi-cloud complex environment.
At the end of the day, we have shared responsibility between the CSPs and organizations, but ultimately the responsibility lies with the CISO. Additionally, I would just add a couple of things. I think trend-wise artificial intelligence for proactive defense is a big one.
I think that moving from kind of the early days of CNAPP to CNAPP 2.0, where you’re having this runtime context throughout the entire cloud stack. And then again, I would just reiterate the important critical collaboration partnership between cybersecurity teams and development teams, building that partnership in a key way. Those are the things I think I would mention.
Host: Yeah. Great insights. Moving further, what is serverless security and how does it facilitate broader visibility and protection for serverless workloads?
Jake: Yeah. Great question. And I think back to the sort of age-old philosophy that you can’t protect what you don’t know about, you can’t secure what you can’t see. And so serverless technology starts to involve these ephemeral spin-ups, spin-down environments and applications.
And the security of those, the serverless security really involves protecting these ephemeral and event-driven serverless applications that don’t have that traditional fixed set of security parameters and controls. And I think there’s sort of three pieces to this. One, you have to shift left, right?
So, integrate security into the development pipeline, using tools to scan code both statically and dynamically, and navigating and managing dependencies for vulnerabilities before they’re deployed. So, shift left. I think additionally, we don’t talk enough about shifting right, right?
So, you have to have true runtime monitoring in place and real-time visibility into what’s happening across the applications, dynamically scaling functions in this serverless world, allowing security teams to detect and respond to anomalies as they occur. And in between those two, the shifting left and the shifting right, you have to have key controls in place like input validation and secret exposure management. You need to restrict network access to only trusted sources and enforce the principle of least privilege where access and capabilities are provided on an as-needed basis.
And then lastly, the set timeouts or cost or rate limiting measures to protect against those more advanced denial of service attacks.
Host: Yeah. As companies are adopting serverless infrastructure very quickly, security has become a must.
So, stepping ahead, AI and cloud computing are two emerging technologies in recent times. How can AI advance cloud security and empower businesses across the globe?
Jake: Yeah, that’s a great question. I think it’s really easy for cybersecurity people to think about all the scary aspects of AI, right? And there are scary aspects to be sure, the increased attack sophistication, the increased likelihood of data leakage, what are hallucinations running wild doing to us as a risk management program and professionals.
But fundamentally, I believe on balance that AI will be a massive benefit for organizations and for risk management in general. It advances cloud security and empowers global businesses to be more secure and more efficient on a global scale when done right. Things like proactive threat detection.
So, unlike traditional systems that are utilizing these static rule-based detections, AI uses machine learning, analyzing these data sets that we can’t possibly imagine in real time and finding those subtle anomalies or those sophisticated patterns and alerting our SOC teams to those. To that end also, the automation of incident response, right? So, AI significantly can reduce incident response times from hours or days to seconds or minutes and automate the countermeasures of containment and response.
I think additionally, one cool aspect is around predictive risk management, right? So you have the analysis of all these data sets, historical data sets, and current threat intelligence and bringing that together in a way where AI can help predict where and how future attacks might occur. So, allow organizations to address vulnerabilities proactively.
The net-net is to your question, I think AI can absolutely empower businesses by freeing up human analysts and tech teams to focus on higher value initiatives like that collaboration between development and cybersecurity teams or like a focus on maximizing customer trust.
Host: Yeah, totally agreed. AI-driven automation and continuous monitoring are two significant elements that can back cloud security in recent times.
Jake: Exactly.
Host: So next up, what is the significance of compliance in cloud security, and can you share any use cases of how Upwind Security helps firms automate compliance practices with Cloud Compliance?
Jake: Yeah, good question. Compliance in cloud security like compliance and other parts of cybersecurity is significant in general for two reasons. One, I think it really helps companies avoid fines and lawsuits, reputational damage from failing to demonstrably meet foundational security controls.
And number two, it sends a clear signal to the market that you adhere to, prioritize, value and report against cloud security compliance against industry frameworks. So, I think critically important to do that. But as we all know, compliance is not the same as security.
We have to understand both and we have to follow both and we have to have a compliance framework or several of them to help demonstrate that robustness of our security architecture, to help us demonstrate that we’re protecting sensitive data, to help us build customer trust by showcasing data privacy and security as priorities to the organization. And then ideally, with the mature security and compliance programs, organizations hopefully will no longer need to care about when are the internal or external audit periods, when do they start, when do they end, what are they testing? Getting to a true continuous compliance mindset and practice really is I think that linchpin to trustworthiness that we all want to see in companies that we do business with.
And the second part of your question, Upwind not only can assist companies in moving beyond kind of that first generation of static scanning CNAPP tools, but really bring runtime and AI into their cloud security capabilities across all of their cloud and on-premises environments. But we also have a robust set of built-in clients capabilities spanning multiple frameworks. And further, I think one of the coolest aspects that we bring is the ability to have natural language stories represented to GRC teams and executives in real time that help explain findings and actions to regulators, to executives, to other stakeholders.
Host: Yeah, compliance and security really go hand in hand and overlooking it can cause risks.
Jake: Our own detriment for sure, absolutely.
Host: Moving ahead, the cyber threat ecosystem is advancing swiftly. Which threats do you think can be challenging to mitigate in cloud security in the upcoming years?
Jake: Yeah, in many ways it is, you know, the old is new again. In many ways it shines a light on, you know, blending kind of the basic foundational protections with thinking about the evolution of those threats and risks that you’re talking about. I think some of the most challenging ones, again, back to the sort of scariness of AI, but AI driven attacks, right?
We know cyber criminals are using AI to automate and scale attacks. Highly convincing phishing emails, the deep fake new employee or candidacy reality that we’re seeing, development of new malware variants that can evade traditional defenses and doing that en masse as a service. And then automating and identification of cloud vulnerabilities to thwart the attacks, sorry, to thwart the defenses of organizations.
I think the second category would be about supply chains. And I talk about this a lot because it really is a scary thing to connect your environment to other people’s, right? You have to do that with the most amount of prudence, understanding their controls, regularly auditing and checking their controls.
But with these advanced supply chain attacks, these cyber criminals can compromise a single third party and get into the environments of numerous downstream customers, making really large-scale breaches, particularly effective and difficult to contain, especially zero-day. And extrapolating that out, the successful attacks on cloud service providers really can compound that even more. Third, I would say, again, this is not like revolutionary, but this persistence of misconfigurations and human errors and sort of known vulnerabilities, especially within the cloud, been an issue for years, if not decades.
But some of these misconfigurations like exposed storage buckets or overly permissive access controls, unpatched systems really remain one of the most frequent causes of cloud breaches. And it gets exacerbated by the complexity and speed of modern cloud deployments in the world. And then lastly, I would point to insecure APIs, critical connectors.
Organizations have hundreds, if not thousands of these, but often there is poor authentication or excessive permissions tied to them. So, they create easy entry points when exploited by attackers. And again, the sheer number and complexity of these in modern cloud computing environments make thorough security testing difficult for fast moving development and security teams.
Host: Yeah, crucial insights on growing threat landscape. Lastly, what are the best practices for robust cloud security in 2025? And what are the key considerations when choosing the best cloud security services?
Jake: Yeah, I’ll put these together because I think it’s a great question to close on. And I almost always start these kinds of questions by answering around the human element. So human centric security, we just can’t do enough to make sure that our people in our organizations, every stakeholder, every person in every function, in every geography understands why this stuff matters existentially, and they need to know how to behave securely.
So, nothing can substitute for that foundational DNA. I think secondarily, really around resilience, a little bit goes together with the first one. But when we understand that it’s not if, but when bad things are going to happen, even in the most mature organization, we need to think about what to do when incidents happen.
We need to have recovery plans that are tested, people process and technology, we need to practice them on a regular basis. And then getting a little bit more into the tech, we really need to implement true zero trust and least privilege tools and processes. No user device or request should be trusted without a robust multi-factor authentication approach.
We need to consolidate identity and access policies, granting users only the permissions that they need for the time that they need them. And then lastly, I would say, back to what I talked about earlier, you’ve got to shift left and shift right and manage the stuff in between. So, implement a true cloud security platform that is architected from the inside out, that improves collaboration between development and security teams and brings this true runtime, real-time context to all elements of the cloud stack, from infrastructure to configurations to applications, data, AI, API, in a consistent way across all of your cloud providers.
Host: Yeah. Great insights, Jake. Thank you for joining us and sharing your perspective on the evolving cloud security landscape.
It was truly an informative session unveiling the key challenges and strategies for cloud security. Thank you.
Jake: Perfect. Thank you for the opportunity.
Host: And to our viewers, thank you for accompanying us in this session of ExtraMile by HiTechNectar. Stay tuned for more informative sessions with top industry voices in the upcoming episodes.