Speed Data: Quick Conversations With Cybersecurity Leaders

The Impact of Cybercrime With Jesse Magenheimer

Episode Summary

In this episode, Jesse Magenheimer, State Farm's CISO, discusses his journey from high school intern to cybersecurity leader. He shares insights on emerging threats, the importance of reducing attacker dwell time, and how evolving regulations are shaping cyber insurance.


Episode Transcription

 

[00:00:00] I started with State Farm actually in high school, and I was doing what would be traditionally desktop support at that point, second shift as a senior in high school. When that finished, they came back to me and they said, we wanna offer you an internship. What would you like to do? And I said, well, I, I've done networking and desktop support.

I love that sort of stuff. I don't know anything about security, but that might be a field that is going to grow. And so this is early two thousands by the way. You call that one? Yeah.

Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. I'm your host, Megan Garza. I'm excited to introduce our guest today, Jesse Magenheimer, Chief Information Security Officer at State Farm Insurance. Welcome to the show, Jesse. Thanks, Megan. I appreciate you having me. Since joining State Farm, Jesse has been a jack of all trades, working as an [00:01:00] analyst and leader of the financial services product line before being appointed the Vice President and CSO in 2021.

Like a good neighbor, Jesse is also an active member of several private sector organizations and federal government-sponsored groups spanning the FBI, Department of Homeland Security, US Department of the Treasury, and the United States Secret Service. The Secret Service. That's incredibly impressive, Jesse. Thank you. Yeah, they, um, years ago they set up, at the time it was called the Electronic Crimes Task Force, and it's evolved into a cyber fraud task force.

And so the office in Chicago hosts those meetings basically on a quarterly basis, and it's a chance for private sector and the Secret Service to get a chance to interact together, hear some information about cyber fraud trends that are going on, partnerships that can happen between private sector and, and the public sector.

Basically a way where if something should happen, you're not meeting somebody for the first time, right? So it's important what you do in the interstitial [00:02:00] time and, and these are a great thing that the Secret Service Office in Chicago sponsors. What made you wanna go into cybersecurity? Interesting story.

I started with State Farm actually in high school, and I was doing what would be traditionally desktop support at that point, second shift as a senior in high school. When that finished, they came back to me and they said, we wanna offer you an internship. What would you like to do? And I said, well, I, I've done networking and desktop support.

I love that sort of stuff. I don't know anything about security, but that might be a field that is going to grow. And so this is early two thousands by the way. They called that one. Yeah. So they trusted putting a freshman in college into their, their small at the time cybersecurity team. And I just, I had great mentors.

I loved the work that was occurring just in those summer months when I was here and I sort of became sold on it. And it's just, it's stuck with me ever since. Now, what are you seeing today as new emerging threats in cybersecurity? What are, what are the [00:03:00] most common threats that you're seeing today?

Here's the risk of me answering with any specific thing. This landscape changes so quickly at times and threat actors are opportunistic, so I could say something then by the time we publish, or by the time somebody goes and views this, it's going to have changed. I guess my advice is that cyber crime, if you, if you measure just the financial impact of it over the last several years has been increasing.

So actors look for opportunity, which to me is you've gotta get on all the fronts with your information security and cybersecurity practices. If you harden on one spot, say against potential account takeovers or fraud, well, actors might redirect to something like a distributed denial of service attack or an insider threat and corporate espionage piece.

So a really robust program kind of has to look and make sure that you're, you're protecting all fronts because actors will always find wherever you're, you're sort of least investing. The things that we just, we continue to watch will be things that help bad actors earn money through fraud or [00:04:00] otherwise, so we, we certainly want to protect against that.

Wanna make sure that our systems remain available so that customers can do business with us, and so that we can fulfill our, our promises to our customers. And so that could be withstanding ransomware attacks, system outages that may or may not be cyber related. The other thing that just stands top of mind is making sure that we have talent that meets today's demands and tomorrow's demands.

So that means we have to keep an eye on where the attackers are going and where they're focusing their energy, and try to split our time doing both, preparing for the future and being good at what we do today. Yeah. So it sounds like, you know, you have your hands full trying to cover the entire litmus of your

organization and secure everywhere and everything. Um, what type of data breaches keep you up at night? Those complex ones that you know after the fact you read in the news about somebody having experienced an incident. An attacker was in a system for 30, 40, 50, 67 days. So, you know, that's a, that's a long [00:05:00] time at data speeds for bad actions to happen, for information to potentially be lost.

So for me, it's making sure that we have got a pulse on what's going on in our systems on a constant basis so that we really work to minimize what's called that dwell time for an attacker if somebody should get a foothold with us. Those kinds of things, especially the really skillful attackers that are able to dwell that long are really good at covering their tracks.

So what keeps me up at night is just making sure that we are in a position to understand their tactics and techniques, and that we can detect those as quickly as possible if we see signs, and ideally make sure that that has minimized any potential impact or, best case scenario, stop 'em before they ever even get a foothold.

And you know, right now there's a lot going on in the government. How are compliance and regulation influencing the development of cyber insurance policies and what future changes do you foresee? There remains a lot of, um, evolving things happening in the regulatory [00:06:00] landscape, particularly, at least, and again, I, I run the risk of this getting outdated at some point, but the states are spending a lot of time and energy right now on cybersecurity regulations and especially so the insurance industry that we are in.

There is a, uh, National Association of Insurance Commissioners Model Data Security Act that states are starting to adopt if they didn't already have something that aims to bring some consistency there. There was recently a subcommittee in the House that met on cybersecurity and infrastructure protection that talked about the need to harmonize regulations and take some federal action.

That was an interesting watch. So I, I would say ultimately that cyber regulations have their place and they're helping to push organizations to make sure that they're doing the things that their standards or practices have said for years now. It's creating a backstop there and those work in tandem. So if you, if you can point a lot of instances to your clear adherence on the regulatory side, that should help with the cyber insurance policy reviews that underwriters of [00:07:00] cyber insurance policies are executing because they're going through very detailed checklists to make sure that they understand the posture, the risk acceptance, the risk mitigation

of cybersecurity programs that they are taking a risk to underwrite. And it seems like organizations are starting to better understand, uh, the importance of cybersecurity. But for those out there who maybe still haven't fully gotten on board, uh, what advice would you give security leaders on getting board buy-in or, you know, C-level buy-in on the importance of cybersecurity?

So I'll go back to something I said earlier, making sure that you have ongoing relationships that you're talking about. Not just the things that you're seeing internally, but the trends in the industry and how it maps to your organization specifically. So draw that line of context, but then if all you ever talk about is risk and you don't talk about how you help the organization securely achieve the opportunity that it's trying to get at.

A lot of business professionals are going to sort of be left going, well, what's the connect between A and B? And so really good chief information security officers and [00:08:00] cybersecurity organizations have to be able to do both really well. They have to be able to talk about what the landscape is, but also about how they manage those risks and help the organizations strategically move forward, securely and compliantly with its business imperatives that it's undertaking.

Yeah. You mentioned that, you know, that takes a lot of kind of balancing for good chief information security officers, but what other skills make cybersecurity professionals good at what they do? Cybersecurity is a discipline that you can spend your entire career continuing to hone. And one, I think that's wonderful.

That's, that's something that I love about this discipline. But there's some underlying things that I think serve somebody well in order to, if say they wanna get into cybersecurity or they want to continue to hone those skills after they get in there. Megan, at, at an event that you and I were at last year,

you asked a question at the, at the end of the panel that said, you know, what advice would you give to cybersecurity teams? And after pondering it for probably what seemed like an eternity on stage, my answer was, you're only as good as today. And my intention really [00:09:00] was, you've got to keep learning.

And so the underlying behaviors and skills that I think are really important are a strong problem solving capability. Can you, can you take things that are going to often be gray and decompose them into ways that help you solve and move things forward versus getting stuck? Strong curiosity. Do you go and explore?

That's what attackers are doing. And so if defenders aren't thinking in that same way, that puts really, you know, individuals at a disadvantage. Yeah. And the last one that I generally highlight is high degrees of integrity and trust. Um, cyber teams are in positions that require organization, institutional trust, that they're doing the right things if they're helping to protect the organization.

And that means each of us have to exhibit those qualities in all of our interactions. Jesse, having kind of been in this profession for decades, it's very clear that you have a passion for cybersecurity. Um, like you said that one of the things you love about it is that you're constantly learning and you're constantly having to develop [00:10:00] a curiosity and try to, like you said, think like an attacker and try to find ways that an attacker would get into your systems.

But if you weren't in cybersecurity, what would you be doing? So actually one of the other things that I did on a volunteer basis for 17 years was I worked in emergency and disaster management at the county level, and that was another passion of mine. Yeah. And that involved responding to things like missing persons, mass casualty incidents, say tornadoes hitting communities, providing incident planning for large scale and complex incidents.

Really enjoyed that. Yeah. Uh, that would probably be something I'd pick back up at some point. Yeah. Couple other hobbies that have atrophied over the years because I haven't had time. Photography would would certainly be something that I like doing and it'd probably be more on the nature and inanimate object.

Like I'm not chomping at the bit to go out and take photos at weddings. That's, yeah. Probably not my strength. Yeah. But spending time out in nature and, and just capturing its beauty for others to enjoy and photograph something I would love to be doing. Yeah. That's awesome. Well, thank you so much for your time today, [00:11:00] Jesse.

I loved chatting with you and reconnecting. For our audience, if you would like to be a guest on Speed Data, visit Varonis dot com slash speed data. Thank you, Jesse. Thank you.