
Reflections on securing Netflix, with Jason Chan



Jason Chan is the ex-VP Security at Netflix, and while he describes himself as “currently retired”, is also an angel investor and startup advisor.

Jason spent his whole 25-year career in security, with the final decade at Netflix. He witnessed the evolution of Netflix from a company that shipped DVDs (remember those days?) to a streaming service, and then a production studio. In the last three years, Jason not only managed Cybersecurity at Netflix, but IT as well.

Constant security is more stressful than an emergency

At any one moment, more than 90% of cybersecurity professionals are stressed, around half are feeling burned out, and more than a third are considering quitting their jobs in the next six months due to burnout (Deep Instinct, 2022). Jason believes that’s due to the always-on demands of being a cybersecurity leader. He compares cybersecurity to jobs such as paramedic or firefighter — stressful, but for the latter two professions, that stress will ebb and flow. It will be quiet, then there’s a fire, then it’s quiet again, and that break in between emergencies is an important part of stress management.

But security professionals have a different kind of stress, as they always have an incomplete knowledge of how secure their domain may be; a security professional never knows what might be happening that they don’t see. This means security professionals must always be on guard, can never really enjoy a break, and can be more susceptible to burnout.

We’re still in the stone age

Jason recalled a quote from friend Alex Stamos, former security chief at Yahoo and Facebook: “Being a CISO today is like being a CEO before accounting was invented”.

Jason believes cybersecurity leaders are operating in the equivalent of “the stone age of security”. But working in such a young field can make the job both exciting and frustrating, as many problems security leaders face do not yet have a standard answer. Like an early explorer in the Wild West, security professionals must expect the unexpected, and adapt nimbly to never-before-seen threats.

Because there are so many challenges still to be solved in cybersecurity, leaders are forced to be creative problem solvers. But with so many security leaders overworked and under-resourced, finding the time and space to be creative can be your biggest challenge.

Security is not “everybody’s job”. It’s yours.

When asked “How do you build a culture of cybersecurity?”, Jason gave an unexpected response:

Don’t.

Instead, the culture of your organization should be your starting point for your security approach. Netflix already had a well-established culture and values encoded into its operations when Jason came on board. Rather than trying to change the culture, he changed his approach to fit — even if that meant sometimes having to “work around” the culture.

Case in point: Netflix is well-known for its flattened hierarchy and trust in its employees. Its hiring culture was to recruit experts in their fields, and then give them full autonomy. Following this culture, engineers were expected to focus on what they were hired to do, not worry about security. So rather than following the mantra “Security is everybody’s job”, Jason created a new mantra for the security team: “Let people do their job, and let us take care of security”.

In practice, that meant Netflix employees never had to do arduous cybersecurity training sessions or random phishing tests. Security was simply part of the fabric of the workplace — staff knew where to go for help but were free to focus on their job.

Jason was quick to point out that when he entered a different workplace, he would have to change his approach to fit that culture — there is no one-size-fits-all approach to cybersecurity. Which leads to the next point…

What you did there may not work here.

Working in consulting in the early part of his career exposed Jason to vast differences in risk tolerance across different customers. Witnessing such varying cultures and security risks proved there was no single approach to cybersecurity — what you did in one workplace likely won’t suit your next. While CISOs are hired for their experience, they’re not hired to simply replicate their past work.

“I hired people from different backgrounds — that’s how you solve difficult problems.”


People want to solve difficult problems

Jason believes a security leader’s job as people manager is to build a high-performance team — and that means bringing in the best. But how do you attract and retain the best talent in such a competitive industry?

At Netflix, Jason had the luxury of being able to pay people “decently”, but he knew that money alone wasn’t enough to retain the very best. Luckily, Netflix culture also allowed him to offer three additional workplace qualities:

1. Freedom and autonomy to solve problems their way, without micromanagement.

2. Surrounding the team with other world-class people.

3. New and challenging business problems to solve.

Without a decent salary, freedom, a world-class team, and “gnarly problems”, it’s difficult to retain the best talent.

“For a commercial company like Netflix, at the end of the day we were entertaining people, not solving world hunger. We’re not NASA. So, when you start recruiting you have to think, ‘What is interesting about working here? What gnarly problems do we solve?’.”

TL;DR: Jason’s underlying message was that success as a security leader often comes down to your people and management skills rather than your security expertise. Security experience is expected, but management skills set you apart. A sensitivity to company culture and what motivates people, the ability to manage stress and burnout, and the gift of creative problem solving are the 1% skills that ultimately separate the average from the world-class.

More from Jason:

LinkedIn profile

Follow Jason on Twitter

CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.

If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.