Todd Foley: Hello and welcome to the CDO Magazine interview series. I’m Todd Foley, Chief Digital and Information Security Officer at Lydonia. Today, I have the pleasure of talking with Jacob Lorz, Chief Information Security Officer at Cintas. Jacob, thank you for taking the time to talk with us today.
Jacob Lorz: Hey, thanks, Todd. I appreciate the opportunity. I’m looking forward to it.
Todd Foley: It’s always been the case, but even more so today, because of the constant evolution of cybersecurity, there are new threats, new technologies, but that’s also a people challenge, right? A skills challenge. How do you keep your teams current? How do you make sure that they’re not only up on the latest and greatest but that they continue to be lifelong learners in their role?
Jacob Lorz: Yeah, it’s a great point. I really advocate lifelong learning. I tell anyone who comes to me and says they’re interested in a cyber role, “Great, so you’re going to be in school for the rest of your life. Are you comfortable with that?” Not necessarily going to university or anything like that, but you’re constantly learning. Everything’s constantly changing. So, we do meticulous hiring, right? We focus specifically on finding someone who can convey that internal passion for constant learning. Then, we provide educational opportunities, whether it’s in the form of continuous or recurring tabletop exercises—both at the technical level and at the executive-level decision-making level—or if it’s about gamifying some type of opportunity, like capture-the-flag scenarios. Something like that is great. It taps into the competitive nature of things, like, “Hey, I’m the winner.” Or if it’s just constant security awareness campaigns based on your role—not necessarily your role within cyber or IT, but your role within the enterprise itself. Yeah, you’re 100% right. It is a lifelong learning aspect. We look for people who have that passion to continue to evolve and grow. We curate daily threat feeds that we send out internally, and inside those daily threat feeds, we say, “Okay, this is what the world is seeing, this is how we are prepared for it, or this is some additional investigation that we’re doing,” to again spread awareness and grow that security culture. It can no longer be an afterthought, where cyber is in the back of your mind. It has to be up front.
Todd Foley: I love that. Right? And it’s really representative of how you got started. The same intellectual curiosity that drove you to start doing Cisco CLI with a PIX firewall is what you’ve built into your program and your team.
Jacob Lorz: You have to be curious to be successful in this role.
Todd Foley: Yeah, and you mentioned another aspect that I want to ask about too, which is ongoing security awareness in the context of your team—not just for their role but for the enterprise. I think every CISO nowadays is being asked, not only to drive and check the box on it, but to really be effective at security awareness for the enterprise. How do you do that at Cintas, if you can speak to that? What role does the culture of your security team play in the culture of the organization when it comes to security?
Jacob Lorz: Every organization, I think, is different. Let me just start there. Some organizations are cyber from the get-go, and other organizations take a little bit of time to warm up to it. But you have to approach, in my opinion, cybersecurity through that “no-fault” lens. So, every time you interact with anyone in the organization, you’re interacting with them for their benefit. Right? They might have made a risky move, and you’re not contacting them because they made a risky move. You’re contacting them to help them avoid making that risky move in the future, whether it’s at the enterprise level or at home. Make it personal for them. But we do more than just check the box. Checking the box for cybersecurity insurance: “Do you provide security awareness training once a year?” Yes, we do, because we have to check the box. Right? Then we also, as I mentioned, provide role-specific training. So if you’re in finance, you get specific training related to cybersecurity for finance professionals. If you’re in an executive role, you get specific training for that role. If you’re handling a different type of device profile, you get specific training related to that device profile. Another “check the box” item: “Do you do phishing simulations?” Well, yeah, of course, we do. But we don’t just do one simulation a year from a domain that says “you’ve been phished.com.” We take a look at the legitimate email phishing attempts that we receive and block at our perimeter, and we craft internal campaigns based around those—real-world examples, not just once a year. They’re coming all the time. Then we measure our metrics against that. We try to understand, “Okay, what are some areas where internal employees are tripping up that we need to reinforce with security awareness campaigns?” Whether it’s something as simple as additional posters, additional communications that are going out, or reminders on their screensaver lock screen.
Todd Foley: I love that, and I love what you’re describing as a “no-fault” approach. I think it’s rare that I don’t talk to another CISO who doesn’t admit that, at least when they started the role, they may not have been the most beloved person in the organization. A lot of what we do in our work with clients is try and create initiatives where there’s a specific benefit that security is trying to drive, engaging the business with a “How can we help?” approach instead of a “Don’t do that” approach. And I think that’s huge in terms of perception and the effectiveness of programs overall. If you look at any of the continual surveys on employee adherence to security, you’ll understand that if you don’t bring them into your program, if you don’t have a cooperative environment, you’re not going to be effective, regardless of how good your protocols are.
Jacob Lorz: Spreading security through fear, uncertainty, and doubt, or FUD, is not the way to go. I mean, that was the way 20 years ago, where you came in with an approach that you had to lock everything down. You’re the office of “No,” you’re the office of “Everybody is operating with malicious intent.” No. I operate on the mindset that everyone’s trying to do their best to get their job done correctly, and sometimes there’s a cyber risk component that they didn’t anticipate. And we’re here to help them.
Todd Foley: I love the way you articulated that. I think that’s something we all have to take to heart, and it’s the only way I think that programs are truly going to be successful. So, let me ask you a hype question. I don’t think I can talk to anyone these days without at least talking a little bit about AI. There’s a lot of buzz, a lot of hype, but there’s real potential there too, right? And while avoiding getting into specific technicalities, can you tell me how you view AI’s place in cybersecurity? Maybe as both something that you can leverage and something that presents a new challenge?
Jacob Lorz: Yeah, and this one definitely comes back around full circle. Let’s start with the challenge first, right? From a challenge perspective, we know we’ve seen it already: Threat actors are leveraging AI to launch more attacks. Their bots are getting better and are able to pivot more quickly. Threat actors are also using AI to craft better phishing campaigns, or more targeted phishing campaigns, like spear-phishing and whaling campaigns. We’ve seen this, and we know it’s going to continue. I can just imagine that as artificial intelligence and machine learning continue to advance, their attacks are going to improve.
But one thing I heard at a CDO Magazine event, at their cybersecurity summit, was from a different perspective. Someone took it from the benefit side, saying it’s not so much about how AI can help us as cyber professionals, but let’s flip it and talk about intelligent automation (IA). A huge benefit of AI is now the ability to leverage it inside our tool stack to get better at intelligent automation.
You called out earlier—I think you made the point related to the workforce—that we still have a massive shortage of cybersecurity professionals, with roles that are open within the United States. The numbers vary, but it seems to land around half a million unfulfilled roles per year. We can only overcome that by employing more automation, especially in environments that filter out the noise, identify what’s a true positive versus a false positive, and correlate different events to highlight a true scenario or an indication of compromise that we need to focus on.
So, the boon AI could bring to cybersecurity is really, I think, just better increased automation, increased orchestration, reduced opportunities for the threat actors to either hit the environment or dwell within it. It also helps address some of those unfulfilled roles, because while we’ll still need that capability, I think we can overcome a deficiency in that capability through automation.
Todd Foley: Well, thank you, Jacob, for joining me today. For our listeners and viewers, please visit cdomagazine.tech for additional interviews. It’s been a pleasure talking to you. I hope you have a great day.
Jacob Lorz: Oh, thanks a lot, Todd. I had a great time. I appreciate the conversation. It’s good talking to you.