Farms, goats and cybersecurity are rarely heard in the same sentence, but they all apply to the life and career of Jenai Marinkovic. In this interview, Beth Maundrill finds out more about Jenai’s fascinating life and perspective on cybersecurity...
When you think of a cybersecurity expert, you think Silicon Valley, high-tech campuses, and the bustle of big cities. Not often does your mind wander to a farm in rural California in an ex-gold mining town, surrounded by goats.
“I actually live on a farm and a ranch which I own, and I have hogs and chickens and ducks… and way too many goats,” laughs Jenai, kicking off our call by setting the scene in a way I certainly could not have predicted. “I was yelling at my husband this morning; I was like, ‘we gotta do something about these goats’!”
Having grown up in a steel mill town in Indiana, Jenai’s life journey has taken her through Chicago, New York, Los Angeles, and Silicon Valley before settling into the farming lifestyle in California.
Landing on a farm forced her to look at cybersecurity in a different way, she says. Cue a story about overengineering a solution to prevent deer from mowing down a field of tomatoes.
“My response to the problem was robots. I started building these little Arduino robots because I figured I can just have them go up and down the fields and kind of scan if they see something weird and send me an alert. It wasn’t the digital that broke on that, but it was because none of my little robots were ruggedized,” she says.
Needless to say, Jenai received some strange looks from neighboring farmers. Plan B was to put up a fence surrounding the tomato field, but that made the entire plot feel like a prison surrounded by huge wire fencing, she explains.
“The long story short of it is I had to rip all of that stuff out and redo it the right way and the right way was for me to sit down, look at who the threat actor was, identify what the asset was that I was trying to protect and then design a security model that facilitates that.”
The moral of the story, Jenai says, is that oftentimes in life we don’t take a step back and design security from the onset.
“That was a very expensive and silly lesson because at the end of the day what I needed was proper fencing and dogs. I absolutely put tech in places where tech wasn’t needed.”
Jenai wasn’t necessarily destined to work in the cybersecurity field, but had a love for science and technology from an early age; as a child she wanted to be a doctor and then at high school she settled on the idea of being a forensic pathologist.
“It didn’t work out that way, so then I went into chemistry and loved it and I also loved biology. For me it was always the hard sciences. Back then it was just a different era, and I didn’t know anyone in tech.”
Journeys Through Industries
Jenai’s curriculum vitae includes time spent at Electronic Arts (EA), in the healthcare industry as an information security manager, and as senior director of enterprise security and then IT innovation at DirectTV. Today, she is vCISO at Tiro Security; she is also on the Technology Advisory Board for Beyond, a design agency, executive director at GRCIE (GRC for Intelligent Ecosystems), home to the award-winning NextCISO Academy, and a member of the ISACA Emerging Trends Working Group.
Reflecting on her journey in the biomedical industry she highlighted the switch from working at places like EA and in security consulting to ending up in a highly regulated arena like biomedical development.
The big lesson she says she learned in that field, at a time when security system regulation wasn’t as established as it is today, is to be equipped with the correct vocabulary to communicate security and risk without spreading fear.
“I learned a couple of things. One was another way of communicating; it was the first time I understood security and production lines. The way that you design security for that is very different. The other thing is that we were just on the verge, in 2003/2004, of systems being interconnected in ways that people didn’t understand. That was the era of ‘worms’ that move rapidly through these environments, and the way that you handled the block and tackle in those environments is different. But most importantly, the way you communicate must be in line with that company’s culture. This was a hard lesson to learn.”
This was the launch-pad for Jenai to consider how to build defense frameworks, something that she developed further during her time at DirectTV.
Circling back to the idea of language, Jenai said working for many different companies has taught her that learning how they speak enables you to establish a bond quickly.
“There was one moment where someone else was in a strategy meeting; she had come from large companies and then started talking. I’m not exaggerating, I almost started crying because she was using words that no one else used but that I did use. We were there for hours talking, and it’s almost like when you’re in a different country and you find someone who is from not just the same country but the same neighborhood and immediately there’s a bond.”
Leading in Leadership
Jenai has spent a fair amount of time in leadership roles at various organizations. When entering the biomedical industry, it was the first time she was able to establish her own team and work with some really impressive people.
“It was the first opportunity I had to bring people outside of the world of security into our industry,” she says. “Where I really started to learn management skills was when I went into insurance and biomedical manufacturing with Zenith Insurance Company. I had moved into the director role so that the movement from frontline management into middle management was hard.”
The difficulty came with the move from managing people to managing managers, who themselves are leaders. The way you do that is very different, and when you are a director, it is a much more political role where you have to manage strategy, operations and budgets.
“That is important, and the reason is there’s a lot of people that move into management and leadership positions and security, but they don’t manage the budget and until you manage the budget and an operations capability (either security or the newly burgeoning field of regulatory operations) you will struggle to be an effective CISO. Working in insurance gave me that opportunity,” she explains.
“One of the big things also was it was the first time I got to do converged security – physical security, digital security and crisis management,” she explains. “I was able to manage a guard force across 18 facilities, got to work and design a crisis response plan: the physical security plans as well as digital. There, I really got the chance to say ‘well if I’m managing a true security capability then how do these things all integrate? How do they fully operate?’ I got to experience that at Zenith Insurance.”
Another key lesson was in the art of delegation, and the tendency not to delegate when you reach director level. She says she used to believe she could just do tasks faster herself, something many of us in leadership roles have thought on numerous occasions. Jenai reflects on something a mentor had once told her: “You’re better off having someone fail 13 times and finally getting it and then doing it right than you doing it and robbing from them an opportunity for them to learn.”
When she moved on to DirectTV, she said, she learned how to home in on how to use the superpower of failure and remove some of the shame that comes with it. This enabled her to understand that the only way you grow is through failure.
Building at Scale and Designing Security
Her journey into DirectTV came as she was “looking for something a little bit different” and after a successful conversation or two, she moved from the medical sphere to media and entertainment.
Joining DirectTV allowed Jenai to work on building a fully-formed cybersecurity capability from the ground up.
“I was super excited because it meant I could collaboratively build something at scale. I’m always looking towards this future vision of what we can build and the team we can put together to do it,” Jenai comments.
Fast-forwarding to the end-result, during her time at DirectTV Jenai was able to build a full-scale cybersecurity capability that extended across IT systems as well as engineering.
“We really got the chance… from governance, risk, and compliance all the way through building a real impressive forensics capability… to build something that was really, truly special, not in terms of just the security, but the team as well,” Jenai reflects. “We were all speaking the same language.”
She also notes how TV and media evaluated risk in a very different way to other industries she had been a part of. “Not only that, but we were at the precipice of transitioning from on-prem into cloud at the time. So being in a media entertainment company where they are always pushing the limit when it comes to technology, it was great to be on the forefront especially on those teams.”
One interesting element of the organization at DirectTV was that the security function reported into strategy and innovation, Jenai highlights.
“At first, I did not get that. Fortunately, our leadership were pretty amazing and so we were able to do tons of things we needed but I didn’t get why security was in the strategy, innovation and architecture department. And with the architecture side it was business, application, data and infrastructure architecture. In all of my previous organizations I’d never seen that before.”
“That was one of the greatest learnings I took into my career – that being embedded for eight and a half years in an architecture, strategy and innovation function meant that security got designed in at the front end of everything at the innovation level,” she explains.
Towards the latter years of her time at DirectTV, while she was the head of security, she also had the opportunity to lead the innovation function arm of IT.
She notes that one problem many in the cybersecurity sector still face today is that it is not viewed as a holistic system.
“We look at it as a disparate set of things,” Jenai notes. “If you were to architect a human body, I would design an immune system, not just a bunch of separate pieces of highly specialized white blood cells. [Security] is a part of everything - we are a system. The tough part is that security takes time, and everything moves at the speed of light, or now the speed of life.”
The pace at which things change puts high pressure on security professionals, and Jenai notes how “there aren’t enough of us,” reflecting on the shortage of cybersecurity professionals the sector faces today. This is something that she has a passion for addressing in her work with ISACA and GRC for Intelligent Ecosystems (GRCIE).
Digital ecosystems keep growing, but there is a finite number of security people, she adds.
Passion for People
The cybersecurity skills shortage is a constant in the industry and Jenai notes “there is a lot of talk.” However, there are some organizations and initiatives that are attempting to solve the problem, especially in the US at the federal government level.
“The tough part is that you’re talking about human transformation,” she says. “It’s like taking me and saying ‘hey Jenai, tomorrow you’re going to be working on transmissions for big rigs.’ I’d have to completely rewire my brain.”
Jenai believes that a lack of empathy within the cybersecurity industry exists and one way to improve the situation is through diversified lived experiences.
ISACA’s State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations report highlighted the bottom two soft skills valued in the cybersecurity industry as empathy (13%) and honesty (16%).
“When you go through this transformation you have to look at the emotional state of the human involved,” she says. Jenai points out that during the six to seven months it takes to get an individual ready for a role in cybersecurity, every single insecurity an individual has will rise to the surface.
“In training, if you don’t have a way to help people through that, if you don’t have a way to be able to then take that learning that they had and immediately reapply it in their work and so forth, then it leads to people quitting and not being able to get jobs.”
Without empathy the jobs are just about technology and the reality is that it is a lot bigger than that.
One way you build empathy is through diverse lived experiences and Jenai notes that only 11% of the cybersecurity industry is under 34 and only 25% of the industry has people of color in management positions.
“I think the fact that we lack diversity in this industry is why we lack empathy and it actually hurts us because attackers weaponize empathy, they don’t judge, they understand the emotional state of the person they are targeting and lean into that,” she says. “What do we do with our users is we blame them and we scare them.”
I ask her what her advice would be, through her lived experience as a woman of color in the industry, to those with a similar background perhaps cautious of making the move into the sector or upwards within the industry.
“Now. Is. The. Time,” Jenai exclaims. “Do not squander the light that is being placed on the diversity problems across all areas of tech. Because of that, there are a lot of groups and structures in place to help women, veterans, people of color, and people who are socio-economically disadvantaged get into the world of cybersecurity. This just wasn’t there at all when I was coming up.”
The only way to change the statistics that may look troublesome is to jump in, she says. “The first person through a brick wall always gets a bloody nose. There’s a lot of people who took a lot of bloody noses in order for you to get here. So don’t squander that opportunity and follow your passion.”
With her involvement in GRCIE and their NextCISO Academy, Jenai looks to give back and offer people a leg-up towards getting into cybersecurity.
ISACA’s State of Cybersecurity 2022 study illustrates the need for new people to get involved in cyber, with 62% of all respondents reporting their organization’s security teams were understaffed. The report notes that, “With four million cybersecurity jobs open globally, it’s critical that we completely transform how we train and upskill our workforce with a special focus on our human skills and mastery of security controls.”
The NextCISO Academy, which is tuition-free, started with a question – how to get junior people fit for purpose on day one in a junior cybersecurity or GRC role? The three founders, including Jenai, had a unique set of skills that included people and human resources, security specialties, and recruitment. “We felt that we could get someone who had been working in fast food into a junior cybersecurity position,” she says.
The program is now on its second cohort of students and Jenai says that the first cohort was able to secure compensation at new roles of between $85 and $95,000 after being part of the academy. With this, she says that the NextCISO team was able to help people with contract negotiations and provide them with the tools they needed to gain successful employment.
The NextCISO Academy decided to focus on training governance, risk, and compliance, with Jenai saying understanding GRC helps you understand the fundamentals of building the ship. Also, in GRC, she says you can get up to speed and into a job faster.
There was also a strong belief that within the training program NextCISO developed, management skills had to start at the beginning of people’s careers. Jenai’s partner and cofounder, Melissa Elza (a people expert), felt deeply that the time to start training the next CISO is when they first get into the field.
Even in NextCISO’s training and apprenticeships, Jenai continues to innovate and push the boundaries by integrating virtual reality (VR) and the metaverse into the program.
“Metaverse does a couple of things, it’s immersive, there’s a haptic response, so there’s actually a physical response of what happens to you, and designers can design the learning experience to influence the emotional response of what happens to you when you go into VR. It all helps to imprint on the learner.”
In order to see success from your learnings, you must be a strong communicator, and Jenai says that after the metaverse/VR learning and training, students were not as scared to present their work to boards and CISOs as they would have been had they taken to the stage without that preparation. The students had been presenting on large virtual stages since the beginning of the class. It’s a safe way to become comfortable with presenting content on a stage to a discerning audience.
Jenai is someone who has always been willing to take a chance throughout her career and personal life, enabling her to tell a fascinating story. This also explains her passion for innovation to find solutions to the problems of the modern world, as well as her desire to open the door to a diverse range of people and perspectives. It’s a story worth telling, and an inspiring one for anyone looking to forge a career in cybersecurity.