


CSO Spotlight: Justin Berman, Zenefits

Jul 13, 2018 | 9 mins
Careers, IT Leadership

Being wrong is good, embrace it, learn from it and grow from it, advises Berman. Being an effective security leader is about recognizing that "your job is to get the best answer, not to have it."

Credit: Zenefits

Justin is the CISO at Zenefits, where he leads all security and IT efforts. He brings more than a decade of security and technology experience from high-profile organizations. Previously, Justin served as Vice President of Information Security of Flatiron Health. Prior to that he led security architecture at Bridgewater Associates and served as a Principal Security Consultant at Aspect Security. Here he shares his thoughts on some of the worst trends in cybersecurity and his advice for future security leaders.

What was your first job? A long time ago, I was a cashier at Target. My first technical job was in engineering at an email server company, but my first security job was as a consultant for a bespoke application security consultancy called Aspect Security. It was an awesome place to transition from thinking predominantly about software engineering challenges to security challenges and gave me a huge opportunity to grow.

How did you get involved in cybersecurity? It was more about luck than anything else. I was fascinated in college, but I had no idea how to break in then. I was lucky to make friends with someone at the consultancy when I was at OSCon a long time ago.

Tell us about your career path. My career path was remarkably straightforward from my perspective. I’ve always been aggressive about getting feedback and growing, so I shot up at my consultancy and built out a number of different businesses within it. I went in-house because I felt that the work I was doing at a consultancy was not having the impact I wanted. I ended up leading a team quickly due to circumstance, and my boss didn’t want to manage anymore, so I got a battlefield promotion. From there, I got to lead security from such an early point at Flatiron Health. I was the 60th employee and had leadership that really cared about security. Taking the CISO role at Zenefits was a natural next step for me, as I wanted to continue to work with companies whose mission resonates with me and that really understand that information security impacts their business and their customers.

Was there anyone who has inspired or mentored you in your career? I have had so many really amazing mentors in my career at different stages and phases. It took me a long time to develop toward having more of a community of people outside the company I was at to rely on, though. Jeff Williams was my early mentor at Aspect. He was always measured, thoughtful and cared about his people. Paul Wood was my CISO at Bridgewater Associates, and he taught me a lot about what it means to really be practical in making risk decisions. Going to a startup after that and leading security, my mentors started to move outside the company, though I want to give Gil Shklarski (the CTO at Flatiron Health) a shout out for really teaching me what it looks like to care AND hold people accountable. My mentors now are my peers and people I respect immensely, people like Geoff Belknap, Adam Ely, Mike Johnson and a host of other people who give freely of their advice and time.

What do you feel is the most important aspect of your job? The fast, trite answer here is “hiring.” There is nothing as important to me as building a truly amazing team of really high-quality people. The real complex answer is balance. I have to balance my time between guiding the tactical and driving the strategy. I have to balance risk practically. I have to balance security for defense vs. how it can facilitate revenue generation. That balancing act is a constant for me.

What metrics or KPIs do you use to measure security effectiveness? That’s a tough question! The high-level answer here is that we use KPIs that are more closely tied to security resilience vs. particular adversary activity. Zenefits focuses on leveraging intelligence gathering about our adversaries’ activities and measuring our controls vs. those activities. We measure resilience by constantly testing and validating our controls against real adversary activity. A last thought: many organizations measure security effectiveness with the very binary “Are we hacked?” or not, which is frankly just not a sufficiently nuanced or fair way to answer the question.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Security skills shortages definitely affect me. It comes in two ways. First, certain technical skills are in short supply. That complicates hiring and necessitates that we think about training internally or accepting more significant gaps in experience. Second, due to an overall practitioner gap, there are a lot of people who can command titles and roles beyond what they are truly ready for. That is a big problem for the whole industry right now. Everyone wants to be a director of something, and you can see people with two to three years of experience getting those titles. That inflation hurts all of us and few more than the people that report to those very junior managers.

Cybersecurity is constantly changing – how do you keep learning? I relentlessly read the news, hire smart people that also read a lot and listen to my peers all over the place. Also, while I agree some things about security are constantly changing, even more things stay the same. We face similar threats albeit with increasing capabilities. Most of us face the same budget challenges, the same staffing challenges. I think we all get caught up in “the latest vulnerability with a website.” Most of those are simply more of the same.

What is the best current trend in cybersecurity? The worst? The best current trend is consolidation of vendors. We have too many vendors solving very narrow use cases. A great example of this is the phishing training space. Vendors are being purchased or expanding their portfolios because phishing training is not differentiated enough to be a business by itself. The worst trend is by far the abuse of the terms “AI” and “ML” in security tools. Your predefined rule sets do not make an AI tool, and selling otherwise is pandering to people who don’t know enough. My second thought on bad trends is the continued obsession with stopping the “APT.” The vast majority of companies can’t get the basics right, so stop trying to sell them something designed for companies that are already mature and looking for incremental gain on specific adversaries.

What’s the best career advice you ever received? Always start with why. If you don’t understand the context then it becomes very hard for you to execute toward a shared goal.

What advice would you give to aspiring security leaders? First, care about people. It is all too tempting to become a slave to metrics. Your people are your best possible resource; growing them will pay you more dividends than nearly anything else you do. Second, have a mental model, write it down, and articulate what you are doing AND what you are NOT doing. Do not let yourself be constantly pressed into deviating from your plan. Third, get comfortable with being wrong. Love being wrong, ask questions open-mindedly and learn constantly. That openness to alternatives will help you learn more quickly and help prioritize the best solution rather than the ones you thought up. Recognize that your job is to GET the best answer, not to HAVE it.

What has been your greatest career achievement? My greatest career achievement is building leaders that have gone on to take senior jobs elsewhere. I have had the great fortune of working with a variety of extremely talented security professionals, and helping them to grow and become leaders in their own right is really satisfying.

Looking back with 20:20 hindsight, what would you have done differently? Learn to market better. Leading a blue team is so much about marketing and convincing others about the need and value of security. Recruiting is basically a marketing effort. Messaging to clients is a combination of communications and marketing. My job is so much talking and influencing that anything I could do to be better at that would pay tons of dividends.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact