Jason Lee joined Zoom in June 2020 to become the videoconferencing platform’s CISO. The company was midway through a 90-day security plan launched to address security and privacy issues exacerbated by Zoom’s meteoric growth amid the COVID-19 pandemic and the mass shift to remote working. Lee was tasked with overseeing strategies to bring the organization’s cybersecurity and privacy posture in line with its rapidly advancing customer base, feature offerings and use requirements, all under increasing public scrutiny.

CSO had an opportunity to speak with Lee about his experience coming into the CISO role mid-crisis.

Can you give us a little background on the situation at Zoom leading up to the point when you arrived?

Lee: Back in December 2019, Zoom had around 10 million daily meeting participants, but come April/May, it grew to around 300 million. That’s right when I was jumping in – when we were really starting to add a lot of customers. In the first few months of 2020, the team was working around the clock just trying to get used to the volume and the new, different types of users. I can’t imagine there are too many companies that have gone through such incredible growth so quickly.

As such a big, high-profile company, there was a lot of scrutiny from our customers. I like to call them “free pen tests”, but our customers were doing strong security reviews of our product. I always welcomed that, and they were really doubling down to look at things like data routing and proper encryption. [CEO Eric Yuan] took the feedback and put together the [90-day] plan, which essentially involved pivoting the Zoom engineering team to really focus in on security and privacy only.

What was your approach to the problem coming in fresh?

Lee: [It] is very much about security and privacy by design, not just in our product, but in every aspect from our engineering system to our IT environments.
This also touches upon common security controls. A lot of companies have multiple identity systems; I’m a fan of one identity system, which is easier to manage and offers a consistent experience.

When you’re building a security team as fast as I was, it’s really easy to tack on controls and slow down business processes. [One way we worked around that:] When engineers use a library for cryptography, we’ve created a one-point, one-stop-shop option – making a “happy path” design so they can focus on innovating cool new features with core security things already done and built.

There needs to be a common compliance framework – one control framework that can be overlaid with all the certifications within that framework. That means you don’t have to do a new audit for every single certification, which is a critical thing for a software-as-a-service company.

The final piece of the business agility puzzle is operational excellence – for example, how quickly we can respond to an incident, or if engineering needs us to review something, what are our service level agreements?

How did you operationalize the strategy?

Lee: This is about making sure we hire top talent and provide innovative security features in our products. I had four of my security team give presentations at RSA this year. I love that we’re being able to talk about security at some of the biggest conferences now, and it’s a symbol of how much we’ve focused on raising the bar of the security team and security at Zoom.

I’m a big fan of gamification when it comes to training. I love it when I can have teams compete against each other. A great example is with our development team. We have competitions between teams on who can find the most vulnerabilities in a fake application that we’ve built.
We have prizes, so it’s the fun, carrot approach to training, and the engineering team loves it.

What are some of the changes you made to address Zoom’s security and privacy needs?

Lee: A couple of important things we did first were making sure we had 256-bit AES-GCM encryption by default, and acquiring a company called Keybase, with CEO Max Krohn going on to build end-to-end encryption as an optional feature, launched in October last year.

As Zoom’s profile grew, a lot more researchers were trying to engage with us and it was, quite honestly, overwhelming at the time. So that was the precipice for building a bug bounty program. We invested in that, and I brought onboard Adam Ruddermann from NCC Group, who’d been leading the consultancy in helping companies build out bug bounty practices.

You’ve outsourced your bug bounty program. How is that working out?

Lee: The beauty of partnering with such third parties is that they are specialists at triaging alerts, dealing with high volume and can scale quickly. If you’re thinking about starting a bug bounty program from scratch yourself, I think it would take much longer to get off the ground.

Zoom added security-by-default features. What were your priorities when developing and implementing them?

Lee: We had so many new users that didn’t know how to use these features, and it was really important for us to nail making it easier for everybody. When you think about security features, the most important thing to consider is how to make security super simple from a user perspective.
We also put in a “suspend participant activities” feature, which is where somebody can freeze a meeting and remove somebody that had accessed the meeting link but was not supposed to be there, resume the meeting and then report the person.

We added a feature to allow users to select which of our 21 co-located data center locations they want their data going through, and which ones they don’t want to use.

One of the things that we put together was a CISO council, with a whole bunch of CISOs from customers across various spaces. When we started, it was really focused on product strategy – which is something a lot of companies use a CISO council for. However, we ended up pivoting somewhat, because we found that the CISOs were more interested in learning what I was building within the security program, and not just about the product. I’d present some of my board content to them, for example, and they’d get to throw ‘tomatoes’ at it – providing me with feedback that has been super helpful. I’ve loved having that group of mentors and advisors, and we discovered that the CISO council was an untapped opportunity to not just get some product feedback but also wider feedback around the security program.

What are the remaining key challenges and opportunities to continue to evolve the organization’s security position?

Lee: It’s now about pushing maturity and innovation and getting further along with all the security programs we’ve got in place. The bug bounty program is a great example. Now that it’s a year old, our focus is shifting to how we can make it more advanced and do more advanced things with it. For example, we’re looking at opportunities to do live hacking where we can bring in the security researchers and almost have a hackathon type of event.

We’re still building scale like crazy and so maturing our processes is really the most important thing. We’re really trying to automate as much as possible, so there are hurdles to overcome in shifting from manual to more automated processes.

We’re a video-first company and we’re working with tons of organizations that are still trying to work out how they can best operate in a hybrid model, with workers regularly both in and out of the office. How does that interact with those that are at home? That’s something we are looking to address with new features that I’m very excited about.