Jason Sachowski lives in Toronto, Ontario, Canada and is originally from Dryden in Ontario. He is the director of Security Forensics and Civil
Investigations at Scotiabank and has been an (ISC)2 member for nine years.
When you were 10, what did you want to be when you grew up?
So I went back into the "School Day Treasures" book my mother kept and found that I really wanted to be Spider-Man. Appears that when I found out superhero
training was not part of the elementary school curriculum, I gave up on that dream. The following year, I set my sights on becoming a police officer.
When did you realize you wanted to pursue a career in information security?
Going through high school in the mid-1990s, there weren't a great deal of technology-based courses being offered. As graduation approached, I applied for
both journalism/communication and film studies at a variety of university and college programs. After several rejections, I decided to go back for one more year of high school to focus on law and
policing. From there, I went on to study physical security management at Fleming College in Peterborough, Ontario, Canada.
In my graduating year, I was speaking with the program coordinator about career options, where I learned about a new program being offered by Fleming
College called Computer Security and Investigation. After doing some research, I came to learn what information security and digital forensics were all about, so I decided to give the program a try.
It was probably well into my second year of the Computer Security and Investigation program when I started to think that this could really turn into a career, but I was still hesitant because there
really weren't a lot of jobs in the market for digital forensics. It wasn't until my last semester, when I was placed on my "work term," that I came to realize that this is what I wanted to do as a
career. And, well, the rest is history.
How did you become an (ISC)2 member?
I had just started in the first role of my information security career where I was doing a lot of hands-on technical work. I was looking around for ways I
could start making a name for myself and showing my peers what I know. While speaking with a colleague, I was told to look at the Systems Security Certified Practitioner (SSCP) accreditation. In
2008, I passed the exam and became an official (ISC)2 member, which I feel was the milestone that catapulted me to where I am today.
The financial industry is a prime target for cyber attacks and therefore a bellwether for both problems and solutions. What do you see happening
within the banking industry in terms of preventing emerging and existing threats?
There are really a few sides of the spectrum when it comes to emerging and existing threats. The first is centered on the global changes happening in the
way we conduct business. The digital transformation most organizations are experiencing is driving them to re-evaluate their business models and become more agile in finding new ways to meet customer
demands that don't tie them down to the traditional "brick-and-mortar" approach.
The second is how we - as security professionals and everyday users - go about making sure we protect our personal and otherwise confidential information
in an always connected and technology-driven society. With demand growing for organizations to provide their increasingly mobile customer bases with products that are accessible at any time and
from anywhere, the lines once separating the different types of information (e.g., banking, social media) are getting blurred as devices become "smarter" and provide users with greater
functionality.
Lastly, at the CEIC 2015 conference, I attended a keynote by Brian Krebs, where he was discussing his perspectives and insights into cyber crime and
cybercriminals. During the Q&A session, I was able to ask him, from everything he has seen to date, what he thought the future held for cyber crime. He responded by describing how today's
cybercriminals execute attacks independent of each other and with little knowledge of their victims. Soon, we'll see cybercriminals become much more coordinated in their efforts and have heightened
contextual awareness of their victims, which means that cyber attacks will be better planned, executed, and specific data targeted for exfiltration.
Why did you decide to become involved in Safe and Secure Online?
When I was growing up, technology was not as prevalent as it is with today's youth. We used physical interactions to communicate, which meant that all of
our actions, behaviors and words were done in real time and had a much more immediate impact. As a father, I'm watching my kids grow up with the infinite knowledge of the internet at their fingertips
but not truly understanding the inherent risks of how, through technology, we are becoming more dissociated from the traditional interactions of a society. When I was approached about bringing the
Safe and Secure Online program into Canada, I jumped at the opportunity to educate children about cyberbullying and cybersecurity. In 2011, I had the honor of presenting the very first Safe and
Secure Online program in Canada, which has not only helped to educate our youth but has also given me an appreciation of how important it is to include this type of curriculum in our school
systems.
And what have you done to help promote internet safety among children?
As part of bringing the Safe and Secure Online program into Canada, we partnered with the Toronto school board to bring this education and awareness to
thousands of elementary school children right from kindergarten on up. We focus on the importance of knowing what activity, information and content are appropriate for the internet. We also discuss
some elements of computer security so children understand what they can do to make sure they or anybody else using technology are protected from computer or online threats. Aside from these, I
think the most important topic we discuss is cyberbullying: what it is, how it affects everybody involved, and what can be done to prevent it from happening. Even though cyberbullying is one of the
many topics being taught, it has been the most rewarding experience because of how we are able to bring such heightened awareness to the problem and make such a positive impact.
Given all the ways children can now access the internet at school and at home, what is the most important tip you have for teachers, parents or
guardians in keeping children safe?
With the Safe and Secure Online program, not only have we targeted children but we've taken opportunities to educate teachers, parents and guardians about
internet/computer safety and cyberbullying. The most important thing we communicate during these sessions is the importance for teachers, parents and guardians to properly educate themselves so that
they can continue reinforcing the need for children to be safe and secure. One tip for parents and guardians is to establish a set of rules or guidelines for their children when it comes to using the
internet or any technology. A sample rule would be to have children write down all of their passwords (e.g., social media, email, devices) on a piece of paper, seal the paper in an envelope, write
their name and label as "password," and hang it on the fridge door. By doing this, parents and guardians will have access to the children's profiles if needed, and the children will know that they
are helping to protect themselves but also that the privacy of their profiles is maintained in the sealed envelope.
What else are you actively involved in at (ISC)2?
After I became an (ISC)2 member, I was looking for ways to further establish myself as an information security professional and also to network
with other professionals around the world. In speaking with a colleague, I learned about an opportunity to get involved with (ISC)2 as a subject-matter expert for the ongoing
development of the Systems Security Certified Practitioner (SSCP) exam. From there, I branched out and over the years became involved in exam development for the Certified Information Systems
Security Professional (CISSP), Information Systems Security Architecture (ISSAP), Certified Secure Software Lifecycle Professional (CSSLP) and Certified Cyber Forensic Professional (CCFP)
certifications. While participating in these forums, I got to network with other professionals, which eventually led to me getting involved with Safe and Secure Online and becoming a contributing
author in the former North American Advisory Board Executive Writers Bureau (NAAB-EWB).
I hear you released a book. What's it about, and how difficult was it to find the time to write it?
Yes! I'm pretty excited about it. The book is titled Implementing Digital Forensic Readiness: From Reactive to Proactive Process, which was
released in February 2016 through Syngress/Elsevier. At a high level, the book details how to proactively maximize the use of electronically stored information to reduce the cost of digital forensic
investigations. The book was written from a non-technical, business perspective and is intended as an implementation guide for organizations to enhance their readiness capabilities with regard to
managing business risks, such as validating or reducing the impact of cyber crime, supporting litigation matters or demonstrating regulatory compliance.
Prior to this book, I was writing articles and blogs for both the NAAB-EWB as well as DarkReading (http://www.darkreading.com), where the style of writing
is very non-academic and can be drafted in a matter of hours. When it came time to sit down and write this book, I found that following a similar approach did not work because of how the
book content needed to be planned out, researched, and much more academically structured. Even though I had figured out my strategy to getting the book written, it still required a significant amount
of time and dedication to finishing it on schedule. Essentially, any free time I had was spent on the keyboard typing out 100, 200 or 300 or more words.
So you're from Canada. How do you deal with the long winters?
Growing up in Dryden, which is located about seven hours north of Minneapolis, winters were much longer and colder than here in Toronto. As a kid, I
remember my parents having to keep our vehicles plugged in to the electrical outlets so the engine would start. When it came to temperatures below -30°C (-22°F), we would tend to hibernate inside and
play with our action figures, Legos, etc. Now that I live in the Toronto area, winters are not as cold but are still Canadian winters in the sense that they are long. Since the temperature is milder,
we're not so confined indoors all winter and have more chances to get outdoors. There hasn't been a great deal of snow in recent years, so we've been spending our time outdoors by getting exercise
walking around the Toronto Zoo.
If members were to visit your country, what are one or two things they need to do or eat to have a truly Canadian experience?
Canada is so multicultural that depending on what region you visit or with whom you talk, you're most likely to get a different response. For me, growing
up in a rural part of Canada, having traveled across the country and back and later moving into such a suburban area, I've had so many different experiences and tried all kinds of foods. While I
think the staple of Canadian food culture is putting maple syrup on just about everything, I would have to pick the BeaverTail - which is hand-stretched pastry, shaped like a beaver tail, then fried
and topped with sweet confections - as the food to try. In fact, BeaverTails are so famous that even U.S. President Barack Obama stopped for one when he visited Canada back in 2009.
In terms of a true Canadian experience, there are always landmarks such as the CN Tower or Niagara Falls that come to mind. But to me, a true Canadian
experience doesn't exist within the cities or tourist centres; it's located in the wilderness. Combining fishing across multiple seasons, my summer experience would be a fly-in fishing trip to a
remote northern location, and my winter experience would be ice fishing in a wooden hut in the middle of a lake.