Navroop Mitter:

[00.00.02.23–00.00.29.17]

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of the Lock and Key Lounge, where we bring you the smartest minds and legal, government, tech and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

Navroop:

[00.00.29.19–00.00.47.22]

I was in Riyadh in December for Black Hat MEA, and that’s one of those conferences where you wind up in a lot of conversations that stay with you long after you’ve returned home. It’s actually where I met today’s guest. She was doing several things that week, which, when taken together, tell you a lot about how she operates.

Navroop:

[00.00.48.00–00.01.09.07]

She participated in a fireside chat on AI and the moving line of privacy. She was also taping a podcast on the human cost of cybersecurity in mental health technology, and she served on a panel on diversity as a force multiplier for the Security Operations Center. One conversation we had there has been on my mind since about what it takes to get AI to be honest about the boundaries of what it knows.

Navroop:

[00.01.09.09–00.01.36.20]

The difference between output you can rely on and output you should question. And when that system in question is actually talking about people’s mental health, well, that distinction actually carries a lot of real weight. That’s one of several threads we’re gonna be pulling on today. Jameeka is currently the managing director of technology at Emerson Collective, which is the former CISO head, space and board member, a founding member of the Cyberhaven AI, the security collective and someone who built her way to the executive and governance table across her two decades in this field.

Navroop:

[00.01.36.22–00.01.51.15]

She started out with the Navy work through Lockheed Martin, Nike, Okta, digital health, and is now going on to much more interesting faster. And so I’m delighted to welcome Jameeka Green Aaron, CISSP to the Lock and Key Lounge.

Jameeka Aaron:

[00.01.51.17–00.01.59.09]

Thank you so much for having me. I, we had such great conversations in Riyadh that I have been looking forward to this for a couple of months.

Navroop:

[00.01.59.11–00.02.18.03]

Yeah, I mean, I wish we could have done it even sooner, but, I’m glad to have you on today. It was a great time in Riyadh, so for those of you who aren’t familiar with me, his background, I’m going to provide you a little bit more context. Jameeka as a CISSP with more than 25 years of experience across information technology and cybersecurity.

Navroop:

[00.02.18.05–00.02.42.20]

Her career spans the US Navy, Lockheed Martin, Space Systems Division, Nike, Hurley, United, Nike Apparel and Auth0, where she served as the chief information security officer for the customer identity platform powered by Auth0. She most recently was the Headspace where she was, where she was serving millions of members and led IT, cloud operations and information security, cross HIPAA, SOC 2 and GDPR compliance frameworks.

Navroop:

[00.02.42.22–00.03.08.19]

And now hot off the presses as of literally yesterday. She’s now the managing director of technology at Emerson Collective. She currently serves as a board member at the Digital Brands Group, bringing security and risk governance lens to corporate oversight. She’s also a founding member of the Cyberhaven AI Data Security Collective, a member of Black Women on Boards and an active speaker on AI governance, privacy, and the intersection of cybersecurity and mental health technology.

Navroop:

[00.03.08.21–00.03.20.11]

She’s also a sixth-generation veteran of the US Armed Forces and, by her own account, the first in her family’s military lineage to not serve in a segregated military. Thank you very much for your service.

Jameeka:

[00.03.20.13–00.03.21.18]

Awesome. Thank you.

Navroop:

[00.03.21.20–00.03.53.09]

Her perspective on institutional accountability is clearly grounded in all of these lived experiences and operational practices across multiple sectors, from aerospace and defense to consumer identities and digital health. And so with that said, you know what we’re gonna be talking about today is, you know, something that we’ve always spent years in this industry talking about. It’s who belongs in the room, who should be at the table, who should be in the boardroom, who should be in the executive suite, who should be on the security leadership track.

Navroop:

[00.03.53.11–00.04.22.22]

What we’ve talked about as far less is what actually takes what it actually takes to get there, and whether the commitments organizations have made to broadening who leads or holding when the environment around them makes it easier to, frankly, let those commitments lapse. Jameeka has operated at both levels simultaneously. She’s been a practitioner responsible for making security governance work inside of a global digital healthcare company, and has served on the board, where her job was to actually ask questions about whether the organization was doing what it said it would.

Navroop:

[00.04.23.00–00.04.43.16]

So today we’re going to fold up right across three connected domains. What her path to the C-suite was and the boardroom, what it required to get there, what it looks like to hold organizational commitments to principled leadership, when the external pressure runs the other direction, and what it means to govern AI deployed to millions of people during some of the most vulnerable moments.

Navroop:

[00.04.43.18–00.05.03.11]

A through line is a single question. What does it take to build and sustain structures as a whole, not because they have to, but because the mission actually demands it? And with that, let’s get into it. So, Jameeka, you’ve described yourself as a girl from the South Side, and 21 years later, you’re the CISO of a global digital health company.

Navroop:

[00.05.03.11–00.05.22.02]

Rejection just were, right?. And you concurrently sit on a corporate board. When you trace that arc, honestly, what were the things that actually moved it forward? How much of it did you build? How much of it was paved for you by others? How much was luck? What did it take?

Jameeka:

[00.05.22.07–00.05.42.10]

I think it’s a combination of all of those things. So I think that the platform, the foundation for who I am today, was actually laid by my family. I come from Northern California, and I am from the south side. I’m from the south side of Stockton, and the south side of Sacramento, in my family, sharescropped in Northern California.

Jameeka:

[00.05.42.10–00.06.00.11]

They ran road onions, they pick strawberries. They worked in the fields. They came from Texas. In the early 1900s, my family came from Texas to California. And it was also the California was also segregated. And so when they thought about the work that they were going to be able to do, they did what they knew how to do, which is work in the fields.

Jameeka:

[00.06.00.13–00.06.21.19]

And so my family, my grandmother, her uncles, and her children all worked in the field as a part-time job. When my grandmother wasn’t working in the field, she was working at the Del Monte cannery. And so this, you know, this idea of hard work wasn’t just an idea for us. We are people who work hard. And, you know, for black kids, for people of color, also, we get told that you have to work hard.

Jameeka:

[00.06.21.19–00.06.37.12]

Being lazy is not something that we can do. We can afford to do. And so that’s what they did. They told me to work hard. My family worked so hard that they put themselves through college. So my grandmother didn’t go to college. But my dad and all of his siblings did.

Jameeka:

[00.06.37.13–00.06.54.05]

They all actually went to the University of the Pacific in Stockton. So they’re all alumni. And I saw that growing up. My aunt was one of the first black beauty queens at San Joaquin Delta College. And so this was something that… I saw the hard work, I saw the dedication, and I realized that they were making great strides.

Jameeka:

[00.06.54.05–00.07.15.08]

I had no idea what those strides really took; I didn’t understand. But I knew that hard work was the key. And so I started to do those same things. And coming from also a family that has generations of military veterans from every branch, we’ve served in every conflict back to the Civil War. And I would say we probably were there, too.

Jameeka:

[00.07.15.08–00.07.35.06]

We just don’t have a record of it yet. And so you know, that was the other thread. Hard work and discipline. Being where you’re supposed to be, showing up and doing the job that you say you’re going to do. All of those things are the bridge to being an exceptional practitioner, especially in cybersecurity. I would say that a lot of our work is not necessarily about intellect.

Jameeka:

[00.07.35.06–00.07.52.02]

It’s about the ability to recognize patterns and to understand how to solve problems. And so when you come from a group of people who work really hard, they recognize problems, and they know how to solve them. They recognize patterns, and they know how to solve them. And so what I am today is really a lot of that is from my family.

Jameeka:

[00.07.52.02–00.08.12.15]

But then I also have had an exceptional tribe of mentors. I would say that in every role that I’ve had, from the United States Navy to Lockheed to Nike, to Auth0, my leaders have been exceptional, and I think that they are the other part of that thread. I still stay in touch with all of my bosses from those companies.

Jameeka:

[00.08.12.17–00.08.35.16]

They saw something in me that I probably didn’t see in myself. And it wasn’t just my race. It was, “She’s got something to her. Don’t know what it is, but I’m going to give her a shot.” Everyone that bet on me won that bit. And so, I think that’s the other part of it. It’s like it’s a communal situation where it’s family, but it’s also this network of people, Friends, leaders who really saw something in me and have helped me to achieve.

Jameeka:

[00.08.35.16–00.08.36.21]

I didn’t do this alone at all.

Navroop:

[00.08.37.01–00.08.54.02]

You know, as someone who’s always had a little bit of time with you, but who’ve gotten some really deep conversations rather quickly, I think it’s pretty easy to see today what they saw then. I don’t think anyone would have any doubts as to why they decided to take that bet on you. But I do find it really fascinating.

Navroop:

[00.08.54.06–00.09.18.23]

This is completely aside from the security discussion we’re about to have. But, you know, as someone who spends a lot of time in Stockton, I didn’t realize there was so much of that taking place there in the early 1900s. But it’s also someone who’s the son of a geneticist. It is interesting to watch people reconstruct those family ties and those family trees and then find out new things about and sources that they didn’t necessarily know about, but that someone else had.

Navroop:

[00.09.18.23–00.09.40.04]

Luckily had the opportunity to catalog the life journeys. So I really do hope you continue to find out more about that. But coming back to the numbers in this field, you know that they’re pretty stark, right? We were doing some research ahead of this episode. Given what you’ve given us, context, and it looks like things are moving pretty slowly, right?

Navroop:

[00.09.40.05–00.10.03.20]

Women make up, what, 22% of the cybersecurity workforce globally. Here in the United States, I think that’s less than 20%. Black women in particular represent roughly 9% of that already small fraction, and only about 7% of women in cybersecurity hold CISO-level executive roles. And so you’ve been on the inside of this pipeline long enough to watch organizations say the right things, but then not follow through, so…

Jameeka:

[00.10.03.20–00.10.05.18]

Yeah.

Navroop:

[00.10.05.20–00.10.18.01]

…what do they keep getting wrong? Is it intentional? Is it malicious? Is it not knowing how to engage with communities that don’t necessarily look like them? You know, what is it that they keep failing to do?

Jameeka:

[00.10.18.05–00.10.47.21]

I think it’s a failure to recognize talent. I think that one of the challenges that we have in America is that we I think we put we put a lot of focus on likeness. Someone’s like me in this way. Someone’s different in this way. We put a lot of focus on putting people in boxes. And what happens is when you are already in an underrepresented group, and you show up somewhere where we are very focused on, and we, we call it likeness.

Jameeka:

[00.10.47.21–00.11.08.09]

But what we really mean is what we’re really saying is culture, right? And I think that what happens is that if you are not someone who grew up in a diverse environment with people of color and specifically black people, then when I show up, I am not like you, and then it’s on me to prove that I am like you.

Jameeka:

[00.11.08.10–00.11.26.22]

It’s not on you to decide to find ways in which to interact with Jameeka. It’s on Jameeka, the work is on Jameeka. And so a part of the reason that I’m successful is that I am I have high EQ. I recognize that, and I’ve found a way to navigate it. But that’s not a skill that everyone has or that they should have.

Jameeka:

[00.11.27.00–00.11.43.13]

You shouldn’t have to go somewhere and prove that you are like everyone else, because you just are. You’re human. So that’s where the likeness for me begins and ends. And I talk to my leaders about this a lot. I’m like, the benchmark for working here is humanity. You’re human. Then that’s what you do. And you work here, and you’re going to do a good job at it.

Jameeka:

[00.11.43.18–00.12.00.07]

That’s the benchmark. I think in a lot of corporate spaces, that’s not the benchmark. The benchmark is, are you a man? Do you golf? Do you do these activities? Do you go to the bar after work? Do you? And so I don’t do any of those. Well, I do golf. I take that back. And I do go to the bars after work.

Jameeka:

[00.12.00.12–00.12.08.05]

But I don’t do any of those things because I necessarily like them. I learned to do them because they were necessary for my success. That sucks. Right?

Navroop:

[00.12.08.07–00.12.10.06]

Who hates the game of golf?

Jameeka:

[00.12.10.07–00.12.34.09]

They’re not my real hobbies, right? They’re not real hobbies. They’re not my actual hobbies. They’re the hobbies that I realized that I had to learn to be successful. That’s why I think the reason why you don’t see more Jameekas. Because honestly, that’s not necessary. You shouldn’t have to do that to be successful. Ultimately, I think the thing that has made me the most successful is that I’m a great practitioner.

Jameeka:

[00.12.34.11–00.12.52.22]

I’m a great communicator, and I’m a great leader. Right? And so those are measurable things. You can say: Is she good at her job? Yes or no? Is she a good leader? What does attrition look like? Do people like working with her? Can she maintain talent? Does she grow talent? Yes or no? Right? And so those are the things that I was taught to measure myself against.

Jameeka:

[00.12.53.00–00.13.07.12]

But as soon as I entered into corporate America, I was like, hold on. Hard work isn’t going to cut it. You’ve got to have relationships. You’ve got to network. People have to like you. If they don’t like you, you’re not going to go very far. Well, what does that mean in a country where they don’t really like black people?

Navroop:

[00.13.07.17–00.13.13.14]

So the myth of meritocracy was beaten out of you by actual real-world experience once you got it.

Jameeka:

[00.13.13.18–00.13.40.08]

Absolutely, absolutely. It is not a meritocracy. There are, I think merit can take you so far, but I think when we think about the executive ranks and even board-level seats and board positions, meritocracy isn’t good enough. There are thousands of people who have résumés that are similar to mine on LinkedIn, on job hunting websites, and they can’t land, and they’re not landing because they don’t have relationships.

Jameeka:

[00.13.40.08–00.14.02.07]

And those relationships are required. And a lot of that is not something that, you know, if you’re just not naturally charming, you’re not naturally communicative, and you’re not, then you’re missing a skill set that is required for success in the current version of corporate America. But we also say another thing. We also do things like, well, it is merit.

Jameeka:

[00.14.02.08–00.14.27.20]

And if you can code really well, and if you’re a practitioner, then we’ll give you a job. That’s not true, though. It’s not true. And so I think that, you know, I know this not to be true, not because I’m someone who sits around and complains about it. I’m doing something about it. And I know that those soft skills that are required in the way that you have to acclimate yourself into what corporate America currently is to be successful — is required to be successful.

Jameeka:

[00.14.27.21–00.14.31.20]

It is. And nobody wants to tell the truth about that.

Navroop:

[00.14.31.22–00.14.56.03]

But you’ve definitely overcome this, right? You are an excellent communicator. You have built incredibly deep relationships across your entire career. It’s obvious in the way people speak about you, right? We were doing just a little bit of digging, and it’s very clear that people really value and respect you. And so, you know, were you always a good communicator? Were you always good at building relationships? Was it a natural thing or just learned?

Jameeka:

[00.14.56.05–00.15.15.19]

Yes. It’s natural. My, my dad, who has since passed away, was the most charming, charming human being on the planet. Absolutely wonderful to be around people liked him. He would make you laugh. And I picked that up. And some of it, I think I picked it up, but some of it, when you learn it, and you also have that in you, I think it’s probably the gift of my dad.

Jameeka:

[00.15.15.21–00.15.37.07]

He was also an incredibly intelligent person, and I watched him work his magic and work those things together. Work those skills together. My dad, though, didn’t get the opportunities that I got. He was in Vietnam. He served in a segregated army. He came back home and couldn’t find a job after. You know, he was promised that when you serve, you’ll have a job when you get home.

Jameeka:

[00.15.37.11–00.15.55.00]

That wasn’t true for black people. That wasn’t true for a lot of people. But I think the experiences that I have are certainly framed by my own black experience. But he couldn’t find a job. It was different for me. I got out of the Navy, and I went straight to Lockheed Martin. You know, there were… the world had changed by then.

Jameeka:

[00.15.55.02–00.16.13.10]

There were special networks of recruiters who were looking for veterans. And so, you know, that was something. But I also know that all of the other skills that he had — those soft skills are the things that make me more successful. But I guess my question is this: In tech, we’ve always said that it is a meritocracy.

Jameeka:

[00.16.13.14–00.16.33.16]

So are those things really required? And I guess the other answer to that is yes, because leaders require different skill sets. And so if I were going to stay in the security operations center, which I worked in probably about two decades ago, I probably didn’t need those skills. But as I started to understand and rise to levels of leadership, I realized like, yeah, no, it’s EQ and IQ.

Jameeka:

[00.16.33.16–00.16.59.19]

Those two things go together. And I would say that IQ — probably, you need to index a little more heavily on that as a leader. So I do think that it’s necessary that people like you and respect you, but I think that, you know, I think that in the society that we live in, as people of color, people liking and respecting us can be an insurmountable task.

Navroop:

[00.17.00.00–00.17.33.13]

It almost makes you wonder, right? As someone for whom, you know, relationship building and/or communicating wasn’t a natural gift, right? For me, it is definitely something we learned. That, too, was probably a little bit later in my career than I would have liked. You know, I had the benefit of having people who cared enough to point out where I wasn’t communicating in the right way, where the way I showed up wasn’t always being as well received, because I was just insisting on sort of things and just kind of sticking to the technical lane I was in, as opposed to evolving and growing with the new roles and positions that were being given to me.

Navroop:

[00.17.33.15–00.17.41.19]

And I definitely had folks who helped coach me through that and helped me see the value and, you know, becoming better. Perhaps some…

Jameeka:

[00.17.41.21–00.17.57.19]

You know, what’s interesting about our conversation is that we use words like, I had the benefit. I was lucky. It was a gift. And for everyone else, it’s not a benefit. They’re not lucky; it wasn’t a gift. It’s just a thing that’s done.

Navroop:

[00.17.57.22–00.18.16.10]

Perhaps I will say I did have colleagues of all different stripes and colors who similarly benefited from that. One is still a really good friend of mine today. The lessons that have been imparted to me in some of the coaching I received ultimately ended up being things that I helped pass on to him, and it kind of reached his career.

Navroop:

[00.18.16.10–00.18.46.19]

And so what my follow-up for you then on this is in recognizing that and recognizing it for you, perhaps part of that was paved because your dad was a role model, that behavior for you. Some of it’s already inbuilt, but you have great modeling of that behavior in front of you. Have you been in a position, and have you taken folks who perhaps didn’t have the, you know, inbuilt natural Jameeka gift that helped them become better along the way so they could actually, you know, take advantage of the fact that merit-wise, they should have deserved it.

Navroop:

[00.18.46.20–00.18.50.19]

Now, thanks to each of the developed actually did get it to.

Jameeka:

[00.18.50.21–00.19.08.17]

I think that’s my life’s work, right? I think that when I think about what my legacy will look like, that is what I do. I am someone who says: Okay, this is the world as it is today, and this is what you need to do to be successful in it. Here are the skills that you need. This is how you should communicate.

Jameeka:

[00.19.08.17–00.19.25.04]

This is how this is what the board would like to hear from us. This is what will enable the business. So because I’ve had the opportunity to move around so many different spaces, I am not a gatekeeper. I will tell you what I know. If you ask me. Sometimes, even if you don’t ask me, I will still tell you.

Jameeka:

[00.19.25.06–00.19.31.11]

But I will tell you what I know and what I think and what I think will be helpful. But I am especially thoughtful about that advice that I give for women.

Jameeka:

[00.19.31.13–00.19.53.12]

For black people. For people of color. I think that advice that I give is much more authentic. And it is much more based in my own experiences and what has worked for me than it is in best practices, just general best practices. I’m like, hey, this is what I had to do.

Jameeka:

[00.19.53.14–00.20.12.10]

And have in the last 30 years or so, have things changed? Absolutely. But has the needle moved as much as I would like it to? No. I think I thought we would be further along, and I’ll tell you, I was so hopeful. Especially when, like, the .com boom was happening, I was like, oh, it’s about to get good.

Jameeka:

[00.20.12.11–00.20.28.09]

Things are going to change. And I think I very much feel like, you know, the people that I grew up with, I grew up in a predominantly African-American community, but it was a pretty diverse community. The schools that I went to were diverse. We had an International Baccalaureate program with a magnet program.

Jameeka:

[00.20.28.09–00.20.46.20]

So we had kids coming in from everywhere. And I can remember us saying to each other, when we grow up, it’s going to be different. And it’s not. In fact, not only is it not different, we are the ones who are making it far more divisive than it used to be. And I’m not sure what the reason for that is, but I know that we know better because we know…

Navroop:

[00.20.46.20–00.21.45.15]

There’s definitely been an interesting pendulum swing that we’ve all witnessed right over the past, you know, ten, twelve years now, right, where there were a lot of organizations that, you know, made commitments, very publicly. And now we’re watching them walk those back. And one of the things that struck me in our previous conversation was that you made a point about the fact that, given that you were in a C-suite level position at a private company, it gave you some latitude to hold your organization accountable to its stated values that perhaps they wouldn’t have been as willing to work with you on had they been a publicly traded company, where they might have had other market forces that were to be, you know, being leveraged against them, right, and forcing their hand? And it really sounded like you not only intended to use it, but had used that position in order to hold them accountable. And so the question is, what does that accountability actually look like in practice?

Navroop:

[00.21.45.17–00.21.49.06]

And what’s your message to readers who are feeling pressure to go quiet right now?

Jameeka:

[00.21.49.10–00.22.32.22]

I mean, I think that one of the things that I said to the team at headspace is that the business that we’re in requires that we — the business that… the people that we serve, is everyone. Right? And so mental health and access to mental health and mindfulness is something that benefits everyone. And because it is something that benefits everyone, we have an obligation to make sure that what we are doing actually does focus on and support and serve everyone. And it doesn’t matter what any administration says, whether it’s this administration, the previous, or the next one. What we are trying to do is help.

Jameeka:

[00.22.32.23–00.22.57.19]

And helping people doesn’t have a demographic. People who need help are not of a specific demographic. And specifically mental health support. And so that is, I think, where I was able to really remind our company, not just because we are a private company, but the work that we do, the mission of this company is one that is a global mission where everyone is included.

Jameeka:

[00.22.57.21–00.23.21.05]

So that wasn’t something that was a hard sell. I think that headspace, by and at large, has done a wonderful job of making sure that the content that we create, that the work that we do, that the people that we hire understand this mission, and they are focused on it, they get it and they bring the uniqueness of themselves to the table to make sure that we support and serve all of those communities.

Jameeka:

[00.23.21.07–00.23.41.17]

That is what every company should have done. And I think that where they went wrong is when they made these big announcements of what they were going to do, and then they fell short and decided to abandon those commitments to communities. It’s not required that you make an announcement, that you’d be a diverse company, or that you have diversified, or that you’re going to do the right thing.

Jameeka:

[00.23.41.17–00.24.01.14]

Just fucking do it. Like, that is where I think everybody screwed up. Just do it. Like you didn’t have to change your LinkedIn, and you didn’t… You didn’t have to do any of that. You could have just done the work. And when the tide changed, you could keep doing the work. And there are a lot of companies that did just that.

Jameeka:

[00.24.01.16–00.24.23.21]

They never made a big announcement. They never said, they never tried to sell us their product based on the demographic that we come from. The thing that I know is that black culture sells. It does in many spaces when you can figure out how to sell to a black audience; not only does that audience buy it, but black culture helps to fuel culture in America.

Jameeka:

[00.24.24.02–00.24.42.10]

So a lot of the things that we do here and we buy here, they started in the black community. And once a company realized like, this is a community that has swag, that they know how to sell, that they look good in things, then the larger group picks it up. And so they wanted to make money on our community, but they don’t want to support our community.

Jameeka:

[00.24.42.11–00.25.00.07]

And that is what we’re about. And we’re like, listen, if you want to make money on us, then you have to support the things that we believe in and what we believe in. And what we’re asking for is not more. We’re asking for the same. Treat us the way you treat everyone else. Give us access to the same jobs that everyone else has access to.

Jameeka:

[00.25.00.12–00.25.26.06]

Allow us, when we are meritorious, to ascend to the highest levels. Those things are not happening. We still have so few women and black women CEOs, despite all of the data saying that black women CEOs outperform and outindex other CEOs in nearly every category in growth, in scalability, in profitability. But you don’t see more of us ascending to those positions even though we are qualified.

Jameeka:

[00.25.26.08–00.25.37.18]

And so I think that there’s this narrative that black people are asking you to give us something that we didn’t earn. That’s exactly wrong. We’re asking you to give us what we’ve earned and give us what we work for, and we’re still not seeing that happen.

Navroop:

[00.25.37.21–00.26.12.17]

So Jameeka, I’d love to shift gears a little bit. I, I want to make sure we get to the other topics that we outlined. At the start. And we, I think, could talk about this topic that we’ve been talking about for hours. You know, somebody’s thoughts on the matter. So, but switching gears for a second, so in a previous episode, we spoke with, you know, Christopher Hettner of the Nasdaq Advisory Council for Boards on Cybersecurity about kind of the expectations that they’re telling CISOs that the boards are going to have of them or what boards expect from CISOs.

Navroop:

[00.26.12.19–00.26.36.09]

We’ve talked to your and what maybe, you know, this CISO of Interpol about what it means to be operating in his role during geopolitical crises. And, frankly, everything else taking place in the world right now. You’re in an interesting position because you are not only a CISO, so you have also simultaneously held the role of a board member, and now you’re moving into Emerson Collective, right?

Navroop:

[00.26.36.09–00.26.56.21]

So I know you’ve just joined Emerson Collective, but I want to kind of take you back to your headspace role for a second here. Let’s pretend you’re still there, right? You’re the CISO walking into the headspace boardroom, and you’ve got to make the case for security, investment, and survival. They don’t see you or the board member. Different groups receiving, you know, briefings on the other side of the table.

Navroop:

[00.26.57.00–00.27.00.19]

Most CISOs don’t get that vantage point. What do you see from having both?

Jameeka:

[00.27.00.23–00.27.25.10]

I think the thing that I see the most, I would say, that my board seat has changed my perspective on being an operator as a CISO. What I realized in the past, I would say five or six years or so, is that security is, can, is and can be a business-enabling function. It is if you figure out how to do that for your company.

Jameeka:

[00.27.25.12–00.27.43.01]

And that is not an easy task. It is an incredibly tall task. And I have been very fortunate to have security in it in my last two roles. And I’ve realized that if you get those two groups together, that is where the acceleration can happen very quickly, and you can very quickly become a business-enabling function.

Jameeka:

[00.27.43.01–00.28.06.03]

And I’ll tell you, a lot of this I learned and landed at Auth0. Auth0 is a cybersecurity company. They do customer identity. So the log in when you log in to your bank or to your banking app or right, they build the security for that. And I was out talking to customers about why they should enable the different features of Auth0 and why they should become an Auth0 customer.

Jameeka:

[00.28.06.03–00.28.27.19]

It was there that way… because it’s a business enabler. If the security team is spending a lot of time defending against attacks, defending against log-in attacks, which we all are, defending against perimeter attacks, and you can put a product in place that’s going to help you and also automate that defense that becomes a business-enabling function.

Jameeka:

[00.28.27.20–00.28.52.09]

You can save money there. You can figure out where there are economies of scale. You can work with other groups and other teams to help you with your threat intelligence through that model. And that is what I did. And so when I left Auth0 and came to Headspace, that’s the first thing that I did. I said, this is an enabling function to figure out where the log-ins are, figure out the perimeter, make that faster, make teams more efficient, and then document that and give that feedback to your board.

Jameeka:

[00.28.52.12–00.29.08.13]

And so when I was talking to the Headspace board, those are the outcomes that I talked about. We’ve removed a lot of the friction we turned on fast-fast functionality. Our users, which are a mobile workforce, now have ease of access. But then we went further and said, what else can we do? How can we help enable the business?

Jameeka:

[00.29.08.18–00.29.28.00]

So now we turn into not just a group that’s a call center, but a group that is fueling innovation by making the company more secure and making sure that we’re removing friction from the processes that people need to access every day. That was the part of me that came from the board that figured that out. The CISO in me said, you know what?

Jameeka:

[00.29.28.01–00.29.43.03]

This is still, the humans are still one of the areas that we really have to do a lot of work on, and we should lock them down. The part of me that comes as a board member says, don’t do that. Figure out how to make it faster, more aligned, how to enable the user, how to make them your first line of defense.

Jameeka:

[00.29.43.05–00.29.50.06]

And so those two roles together have created the CISO that I am today. And I think it’s made me more successful than I would have been.

Navroop:

[00.29.50.11–00.30.13.16]

Okay. So staying in that Headspace mindset, for a second year, you know, the public position that they had on AI safety was essentially we built guardrails because people’s well-being demanded it, not because regulation required it. Right. Which I think is an amazing guiding light. Right. We’re doing this because it’s the right thing to do.

Navroop:

[00.30.13.18–00.30.36.07]

Not because someone else is telling us that if we don’t do it, we can’t play in the marketplace. But as the CISO responsible for making that claim operationally defensible, what did that actually look like? How did you build a security and governance structure around a mission-driven commitment rather than a compliance mandate? Because so much of what we often see is CISOs begging to get the dollars necessary just to meet the compliance mandate.

Navroop:

[00.30.36.09–00.30.48.05]

And it’s like, here’s the minimum amount we need to do… spend that, don’t do more. And here you’re talking about going after a much larger mission-driven commitment, right? How did you bring that there?

Jameeka:

[00.30.48.09–00.31.09.00]

So I think it wasn’t driven solely by me. I cannot take credit for that. I think that ethos is driven by Headspace, by the leaders at Headspace, all of us. It is something that we realize that we are taking a risk on a technology that is not fully fleshed out, not fully vetted yet. We’ve got a lot of news this week about what’s happening, right?

Jameeka:

[00.31.09.05–00.31.31.15]

We knew that. But we also said we believe that this technology can help people. And you hear that from a lot of folks in the medical field. And so, spending my time with those practitioners, I realized that there is a calculated risk that we had to take. And the reason that we have to take it is because we also have to be the ones to come back and say, we don’t think this is going to work if it doesn’t work.

Jameeka:

[00.31.31.17–00.31.56.11]

But we do have to try. And so one of the ways in which we are able to do this work is that we de-identify and anonymize our data. This is something that Headspace has always done. So it’s not new because of AI. It’s something that we’ve done because we believe that people deserve privacy. When you are thinking about matters of health care and especially mental health, in most cases, your mental health record is actually separate from your medical record.

Jameeka:

[00.31.56.17–00.32.20.17]

So folks can’t even… your doctor can’t even access your mental health record. They are two separate records that are maintained for you. And so when you think about that and how that privacy is maintained, I think Headspace has a responsibility to make sure we’re maintaining that. And then also moving beyond that. So how do you do that? We de-identify the data. When we think about the research we do and the clinically backed outcomes that we have, we don’t need to know your name to do that.

Jameeka:

[00.32.20.19–00.32.40.08]

We don’t actually need to know, your name, your email address. We don’t need those things to figure out if the medical outcome that we’re looking for is the result of an outlier or something that we need to take a look at. And so it’s perfect for us to have de-identified and anonymized that data. Now, what that did for us in AI is it also added a measure of protection.

Jameeka:

[00.32.40.09–00.32.59.01]

So when we started to work and figure out how are we going to build this in Headspace, we modeled three different times on three different platforms. So we watched it perform. We watched our model perform on different platforms in different ways, and when we got to the platform where we are now, which is Anthropic, we realized that the performance was much better, but this was trial and error, right?

Jameeka:

[00.32.59.04–00.33.17.09]

To have rebuilt a model that does something three different times on three different platforms. It shows our commitment, not only to privacy, but to security. We’re trying to figure out what is the best model, which guardrails work the best, which ones can we secure in the best way? And so it is when we say fail-fast. We did that.

Jameeka:

[00.33.17.09–00.33.34.14]

We did all of this in about 18 months. Building those models, figuring out what we wanted to do, building the models, getting the architects, hiring people who have expertise in AI, to help us understand what this looks like, and then also putting in place an ethical AI council that reviews anything that happens that we can’t figure out.

Jameeka:

[00.33.34.16–00.33.51.23]

And I’ll give you an example of what that might look like. Sometimes with our model, it does things that it’s not supposed to do. Everybody knows this, right? It answers questions that it really shouldn’t answer. Right. Like you’re not supposed to do that. That’s not even in our ballpark. And when that happens, that gets escalated to the executive leadership team.

Jameeka:

[00.33.51.23–00.34.19.07]

And then we make a decision about what we need to do and how we need to adjust those guardrails. Is this a scalable process? No. But is it necessary? Yes. One of the things that we’re going to have to do if we want to secure AI, it’s not just a security situation; it’s a humanity situation. We’re going to have to figure out where do humans need to continue to be on the loop, in the loop, and also making decisions for AI when it can’t make those right decisions.

Jameeka:

[00.34.19.09–00.34.35.04]

And so I think that it’s more than just an AI framework or any AI control set, which we know we know how to do that. We know how to protect data. We know how to de-identify, we know how to encrypt. We know how to do those things. We know the CIA triad. All of that is still in play.

Jameeka:

[00.34.35.05–00.34.52.02]

All of those things are still in play. And as we get these new AI frameworks and we start to implement them, we, as security practitioners, we will figure out what else we need to do, and we’ll start to communicate and say, hey, this worked for me, this didn’t. AI is so much more than that. It’s more than just protecting what we’ve always protected.

Jameeka:

[00.34.52.02–00.35.11.17]

It’s protecting and understanding the ways in which AI has a stream of consciousness that can change. That is the thing that has come now to the table. And we are now some folks that I think are talking the most about, hey, integrity. The data is one of our biggest challenges. And whose responsibility is it to maintain integrity of the data?

Jameeka:

[00.35.11.22–00.35.19.04]

Is it the CISO’s responsibility? Is it the AI ML team? Is it the data team? Who owns that? And that’s the question we haven’t yet answered.

Navroop:

[00.35.19.08–00.35.36.23]

I think, you know, in a related vein, we were talking in Black Hat about getting the AI to just be honest about its own limitations, letting you know when it’s hallucinating or letting you know when its output maybe a little bit less reliable and should have further human in the loop verification, right? Or human in the loop.

Jameeka:

[00.35.37.03–00.35.49.13]

And I brought up our conversation that we had about AI and scoring at the Cyber Haven AI and Security Council because I was like, hey, I think I’ve got something here, and we’re looking at this to figure out if we can make this work.

Navroop:

[00.35.49.15–00.36.13.07]

Well, I’d love to show you what we develop on that front because most of our listeners would not know this yet. But I just want to say something here because it’s close enough to where we’ll be doing some announcements at our own conference, in about a week. We’ve been working with the team at Gonzaga University, and we’ve done a lot to make the AI a little bit more of an honest broker, at least when it comes to how it ingests, interprets, and then prioritizes and displays cyberthreat intelligence.

Navroop:

[00.36.13.09–00.36.36.18]

And in so doing, all we’ve realized is it’s a lot easier to trust a system when it tells you very matter-of-factly: Hey, on this last particular topic, 60% of what I just said is likely bullshit. Versus 99% looks like it’s perfectly on point.

Navroop:

[00.36.36.20–00.36.52.23]

Oh, and by the way, the 1% that looks off point is actually the title because I’m having a hard time summarizing this title for some reason. Or, you know, even in a case where so much of it is just BS, it is able to actually tell you. But despite that BS, this is the part that is still worthwhile to look at.

Navroop:

[00.36.53.01–00.37.04.08]

Now you make a decision on what you want to do with it. I will keep trying to auto-correct myself and come back to you if I can do better, but in the meantime, at least you know, you should take this one grain of salt. And so, yeah.

Jameeka:

[00.37.04.11–00.37.20.10]

Efficacy of our own models that we’re building, them being able to they should be able to tell us how accurate they are. And so I think what we all need help with is how do we prompt for that? How do we… is that a tool? Is that it? But I think that’s a game-changer.

Jameeka:

[00.37.20.12–00.37.44.08]

I think that the work that you’re doing is a game-changer, because ultimately, when the models do spit out information very confidently, that is inaccurate. Unless you know that it is inaccurate and tell the model it’s inaccurate, that becomes fact. And we see that a lot in legal. Right? We’re seeing that in the legal field right now, where people, lawyers all over the world, are in trouble for citing cases that didn’t exist. Right?

Jameeka:

[00.37.44.10–00.38.15.12]

And so I’m like, that’s the perfect example. I think, conversely, we also understand that there are situations where AI is going to be incredibly accurate, right? Cancer diagnosis. It’s incredibly accurate. Looking at images and finding minuscule instances of cancer that are largely undetectable. It’s incredible. I think we know that. And so I think at Headspace, there’s an intersection of those two areas where mental health support has to be accurate.

Jameeka:

[00.38.15.14–00.38.35.22]

And what we’re doing is we’re not a medical device. And so the work that we’re doing is helping support people in the ways that we think they need help. And we already see that happening. We see, you know, folks using ChatGPT as a friend, as a therapist. And it’s like, oh, you’re not. And so that’s really, I think, where we started to realize we actually do this work.

Jameeka:

[00.38.36.00–00.38.57.21]

And we are experts in this work. And so if people need a mental health companion to talk to, we can build that. But we also have to recognize, and we do recognize, that what that means from a conversational perspective is that people tell lies, right? And so we AI is a version of us, whether we like it or not.

Jameeka:

[00.38.57.23–00.39.14.04]

It was built to do what we can do, but do it in superhuman format. That’s the best way and the easiest way I can say it. And if we think about it in the way that we think about ourselves, we are also flawed. It is flawed in a different way, but it is also flawed. And so.

Jameeka:

[00.39.14.04–00.39.35.16]

And we can change perspectives, and our minds can be changed. And what I have found from working with our own model is that it happens all the time, especially when you are. And we’ve also added conversational natural language processing to our model. So now not only are people typing to it, they’re talking to it. When you are talking to someone, they can be convinced. Well, so can AI. Guardrails and all.

Jameeka:

[00.39.35.18–00.39.53.02]

And I think that is the challenge that I’ve seen. That is great. And that we have to figure out how do we fix that. How do we compensate for that? And we have not solved that yet because none of us actually built those models. We’re using models that the other companies built and that we have built on top of.

Jameeka:

[00.39.53.04–00.40.11.21]

And that’s very different for us in technology. Typically, when we build on top of a model, open source model, once we build on top of that model, it becomes ours for the most part, right? It’s open source code, but once we add our code base to it, it’s not open source anymore. Maybe the foundational code is open source, but once we add ours, it’s… and that is where the security is built in.

Jameeka:

[00.40.12.01–00.40.39.22]

We build it on top of open source code, and then we build security to it. Well, luckily models are a little different. It is open source-ish in the way that we can’t see it. Right? But we know that’s coming to right open source AI models are coming, but it is essentially an open source-ish model, and we can build some guardrails on top of it, but we can’t deeply ingrain security into it in the way that we would open source code because we can’t see the code.

Navroop:

[00.40.40.02–00.41.04.04]

I think at the end of the day, a lot of it is, is efficacy, as you said, but really two forms of transparency. I think there’s one which is getting the AI to be transparent, again, about its own limitations, but two, getting companies to be a little bit more transparent about the fact that AI maybe can’t really do everything that their marketing literature says it can, because so much of this is the overhyped…

Navroop:

[00.41.04.04–00.41.21.00]

You know, you overhyped promises that marketing and sales teams are making about how great and how perfect and infallible the AI is, when really it’s not. And we started being a little bit more transparent about that. Yeah, there might be some companies that make a few sales, but we’d all be working for the…

Jameeka:

[00.41.21.00–00.41.45.00]

The trust that would be built. And so the trust and transparency that’s built when you say we’ve got this flawed model, here, try it out, and tell us where. And here’s where the flaws are. So if you see those, let us know. And, I think we’re seeing that. Right. We’re seeing that happen now. I think what we just saw with Anthropic and, and, and their new models, and they clearly explained to us, right?

Jameeka:

[00.41.45.05–00.42.09.00]

How it works. We’ve tested it out this way. We understand that it can do these things. And right, we understand that it found security vulnerabilities. Finding vulnerabilities and compromising vulnerabilities are two different things, right? So knowing that a vulnerability is there, great. Can you actually take action and compromise that vulnerability? That’s where agentic AI becomes highly problematic, because in many cases, it can take most of the steps to execute that compromise.

Jameeka:

[00.42.09.00–00.42.31.09]

That’s what’s dangerous. But they told us that. They told us it can do this, and this is how far it can go. And we’re like, okay, now we can work with something that is true, but this is not a new instance. Technology companies have been promising that their tools do certain things forever. And so I wouldn’t even say that it’s new with AI, or it’s something new.

Jameeka:

[00.42.31.09–00.42.52.07]

It’s something that has always happened. I think what the difference is that when I buy a tool that’s an 80% match for what I need to do, I’m mostly okay with that. With agnetic AI. That’s a whole different ballgame. If it’s 80% accurate in a security compromise. I have a problem with that. That’s dangerous. Right? And so I think that is where we have to talk about this differently.

Jameeka:

[00.42.52.07–00.43.15.17]

We have to have different kinds of conversations because 80% accurate, as a threat actor is a dangerous threat actor. In fact, most threat actors are not 80% accurate. They’re probably accurate 5 to 10% of the time at best. And they spend a lot of time trying to figure out how to get to that 5 or 10%, 80% accuracy, as a threat actor, is probably the world’s most prolific hacker that we’ve never met.

Jameeka:

[00.43.15.19–00.43.18.16]

Highly, highly dangerous and so different kind of conversation.

Navroop:

[00.43.18.19–00.43.48.15]

Absolutely. Look, I just realized how much time has gone by. There are a couple more questions I definitely want to go ahead with, so I’m going to jump ahead. There are a couple of topics we’ve talked about, but I want to bring this back to kind of like career mentoring. I mean, you just told me about the new role at Emerson Collective before we jumped on, and it sounds like you’re gonna be able to do a lot more of your life’s work, your passion around helping correct some of the efficiencies you see out there.

Navroop:

[00.43.48.16–00.43.55.10]

You are a self-described girl from the south side who went to speak at Black Hat in Saudi Arabia.

Jameeka:

[00.43.55.12–00.43.57.08]

The south side of Saudi Arabia.

Navroop:

[00.43.57.10–00.43.59.10]

The south side of Saudi Arabia.

Jameeka:

[00.43.59.12–00.44.01.22]

And when we were, you know.

Navroop:

[00.44.02.00–00.44.17.17]

I do know we were quite a long bus ride away from downtown, and it took forever to get ready for that. That much I do know. But my geographically challenged self is not going to make a guess as to which direction we were, but I do have a question, actually, for real in this one.

Navroop:

[00.44.17.17–00.44.27.03]

For someone earlier in their journey — right? — especially someone navigating that same sort of structural conditions or similar structural conditions that you navigated earlier, what would you tell them? What’s the one thing you wish someone had told you that nobody did?

Jameeka:

[00.44.27.07–00.44.51.08]

I honestly, a part of why I kept going is because I had no idea. I think the part of me that was naive didn’t know what my limitations were, and so I would tell people to keep going. No matter what, and not to keep going in a way that, like you, you sacrifice yourself for the work that we’re doing.

Jameeka:

[00.44.51.08–00.45.12.00]

This is a job. But I would say that when it gets hard, that is not the time to give up. I realize now that when things get really hard for me, it’s because I’m on the cusp of a breakthrough. I’m on the cusp of the next thing, and I just have to get over that part that’s causing me friction and causing me tension.

Jameeka:

[00.45.12.02–00.45.34.22]

And so I would say that when it gets like — the hard parts are the parts of me that are truly exceptional. Getting over those things that were challenging is what has made me not be good, not be great, but be exceptional. And so when it gets hard, you have to figure out how to navigate through that space and out of that space and not give up.

Jameeka:

[00.45.35.00–00.45.52.03]

There have been many, many times in my career where I was like, I just don’t even want to do this anymore. This is too hard. And it wasn’t the work. It was the politics of work. It was people. It was loneliness, sometimes, where I showed up every day, I was like, there’s nobody to talk to you. And not even in a sense of like, there are no people here.

Jameeka:

[00.45.52.04–00.46.17.18]

There are no people here that I can drop, you know, I can drop the fronting that I’m doing at work and just have a real conversation with them about how I’m feeling today, about, that I’m lonely today, that I feel like an outlier here. Those times are the times when I think framed, the work that I do, and why I’m so committed to mentoring, and why I’m like, yes, I might have been the first, but I won’t be the last.

Jameeka:

[00.46.17.20–00.46.34.07]

I might be the only one right now. But I plan on making sure that I am not the only one forever. That is why I do this work, and that is why moving on to this next phase of my journey is so important. Because when we think about just the name Emerson Collective, it is about us, all of us.

Jameeka:

[00.46.34.09–00.46.58.20]

And I think that the idea that I get to do that work that is helping to change and support humanity, which I said this in the beginning, humanity is the baseline, that I get to help do that work for everyone is the best gift that I could have ever given myself. I didn’t see my career going in this direction, but I realized, as I was going through interviews, talking to other companies, that my mission is not just to be a CISO.

Jameeka:

[00.46.58.20–00.47.17.17]

So I think that I thought when I made it to CISO, like, this is it, this is the best thing in the world. It’s not. The best thing in the world is that I know that I can help build more people, in security, that look like me, and I can help them make it. And so I think being able to do that work and still be in that fight is incredibly important to me.

Jameeka:

[00.47.17.22–00.47.29.05]

But to be able to do that work after almost 30 years and do it in a place that is, that knows, that what we’re doing is critical to the world, I think is the best gift ever. I’m so, so excited.

Navroop:

[00.47.29.08–00.47.54.02]

I love it. You know, you’re on a podcast called The Lock & Key Lounge, and as you’ve probably guessed, it does tie to our love of speakeasies and libations. So I had a question of mine originally that we always ask a fun closing question, but, we’ll talk a little bit… You’re a black woman on boards five years from now.

Navroop:

[00.47.54.02–00.48.09.18]

And the latest batch of mentees that you had have not only become CISOs themselves, but have recently been promoted to boards. Their boards recognize the value of having a CIO. So there. And it is your mentees that just made it. What’s in your glass to celebrate?

Jameeka:

[00.48.09.20–00.48.23.14]

What’s in my glass to celebrate? Bourbon? I’m going to drink bourbon. Neat. I got it just about I think I’m going to drink bourbon neat. And that bourbon is going to be. And I’m a bourbon and a Scotch girl. So it’s either going to be a Glenlivet or a Balvenie.

Navroop:

[00.48.23.17–00.48.48.03]

Okay. All right. Both of those are scotches. So no Bourbons unless, I also am a connoisseur of all forms of whiskey. Some Irish whiskey after bourbon to many others nowadays. So I will have to join you for either a Balvenie or a Glenlivet one of these days. You know, this is a conversation that I will be sitting with for a while.

Navroop:

[00.48.48.03–00.49.16.20]

Right? Governance at holds, not because of mandates, but because someone decided the mission really demanded. It is rare and, you know, it’s something incredibly, incredibly, just rare that I really appreciate. Right. The numbers in this field haven’t moved fast enough. And to stick to, you know, getting the job done even when there are now political or commercial headwinds potentially against you, and still holding people accountable.

Navroop:

[00.49.16.20–00.49.34.08]

And pipelines are still too thin, and the seats at the governor’s table are still just too few. That’s work that really matters. And so with that said, thank you, Jameeka. I really enjoyed the conversation. And, until next time, build the structures at home, even when no one required to. This is the Lock & Key Lounge.

Matt Calligan:

[00.49.34.10–00.50.06.22]

We really hope you enjoyed this episode of The Lock & Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website: armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.