"Resilience isn’t just about keeping the lights on; it’s about staying ahead of the curve, even when the ground shifts beneath you."
Signal to Noise: An Interview with Jamie Herman, CISO at Proskauer
In this edition of Signal to Noise, I sat down with Jamie Herman, CISO at Proskauer. With a career spanning private equity, legal, and private wealth sectors, Jamie has a unique perspective on cybersecurity’s evolving challenges. Our conversation touched on the complexities of threat management, the pitfalls of marketing buzzwords, and the delicate balance of prioritizing security in a fast-paced business environment.
I have to say I particularly enjoyed this discussion. We took it in a slightly different direction, starting with context and then moving on to our questions. I’m sure you’ll enjoy it, too.
A Career Rooted in Adaptability
Jamie’s path to cybersecurity was anything but traditional. He began his career on a trading desk in finance, later co-founded a company, and even spent time touring as a musician. His pivot to security was unexpected, driven by an opportunity to help a Fortune 100 executive office improve its defenses. From there, Jamie’s passion for building robust security programs took off, leading him to work with major global law firms, high-net-worth clients, and private equity firms.
His ability to adapt across industries has shaped his approach to cybersecurity. “In finance, everything is about risk tolerance. In law, it’s about preserving confidentiality and trust. You’re managing high stakes in both, but the strategies differ,” Jamie explained.
Threat Vectors: Understanding the Landscape
Jamie’s experience spans two distinct sectors: legal and private wealth. Each presents unique challenges, but both demand a clear understanding of threat vectors.
For high-net-worth individuals, insider risk looms large. These individuals operate within complex ecosystems involving assistants, social media managers, and financial advisors. Insider threats can emerge from disgruntled employees or associates, potentially leading to reputational or financial damage.
The challenge is different in the legal sector. “In law firms, everything is sensitive,” Jamie noted. Client data related to mergers, acquisitions, or intellectual property is a prime target for attackers. The sheer volume and variety of sensitive data make it difficult to prioritize. Maintaining continuous visibility and robust access controls is critical.
Filtering Signal from Noise
Jamie’s take on “signal to noise” is straightforward: it’s about maximizing the efficiency of your security team. In today’s environment, organizations are inundated with alerts. The challenge lies in identifying the few that truly matter.
He emphasized the importance of automation to reduce noise. “When teams are overwhelmed by low-priority alerts, they risk missing the critical ones,” Jamie explained. Automation helps teams focus on high-impact areas, improving their ability to detect and respond to real threats.
However, technology alone isn’t enough. Jamie stressed the need for processes that prioritize meaningful data. A well-tuned system filters out unnecessary noise, allowing teams to concentrate on what matters most.
FUD and AI Marketing: Cutting Through the Hype
One of the more heated parts of our discussion centered around the cybersecurity industry’s reliance on fear, uncertainty, and doubt (FUD), particularly in the context of AI. Jamie is wary of exaggerated claims that obscure the true value of a product.
“Slapping an ‘AI’ label on a tool doesn’t make it revolutionary,” he remarked. Vendors often tout proprietary AI as a game-changer without fully explaining how it solves specific business problems. This leads to misaligned expectations and wasted investments.
Jamie shared an example of a DLP solution with impressive AI capabilities but a critical flaw: it lacked mobile compatibility. “For a firm like Proskauer, where mobility is essential, that’s a deal-breaker,” he explained. The takeaway? Tools must align with business needs, not just technological trends.
Prioritizing Investments in Security
Jamie believes that effective security starts with aligning efforts with business goals. He recounted a striking example from his time advising a portfolio company in the health sector. The company stored biometric data on outdated systems. Fixing the issue would have required significant investment, but after evaluating the business case, leadership decided to shut down that segment entirely.
This example underscores the importance of tying security decisions to business priorities. “You can’t protect everything equally,” Jamie noted. Security teams must prioritize based on risk, value, and alignment with organizational goals.
For Jamie, long-term strategies like threat modeling and tabletop exercises take precedence over reactive measures. These proactive approaches ensure that security is not just about responding to threats but anticipating them.
Advice for Security Vendors
Jamie offered practical advice for vendors looking to make a meaningful impact. The key is understanding the unique challenges of the industry you’re targeting. Generic pitches won’t cut it.
“Don’t come to a company pitching tools designed for a cloud-first environment when they’re predominantly on-prem,” he advised. Vendors must tailor their solutions to the specific needs of their clients and demonstrate how their tools address real business problems.
Metrics are another critical component. Vendors should provide clear, data-driven evidence of their product’s impact. Overpromising and underdelivering erode trust, while transparency builds lasting partnerships.
Resilience: The Heart of Cybersecurity
Resilience, for Jamie, is the cornerstone of an effective security program. It’s not about avoiding incidents altogether but about how quickly and effectively an organization can recover.
“In a world where breaches are inevitable, resilience is what separates minor incidents from major disasters,” he explained. This involves building layered defenses, implementing redundancies, and fostering a culture of continuous improvement.
Jamie also highlighted the importance of adaptability. As the threat landscape evolves, so must the strategies and tools organizations use to defend themselves. Regularly revisiting and refining processes is essential to maintaining resilience.
Conclusion: Building a Secure Future
My conversation with Jamie Herman was a masterclass in balancing security with business priorities. His insights serve as a roadmap for organizations looking to cut through the noise and focus on what truly matters.
From proactive threat modeling to fostering trust-based vendor relationships, Jamie’s approach emphasizes resilience, adaptability, and continuous improvement. These principles are not just theoretical—they’re actionable strategies that can help organizations thrive in an ever-changing cybersecurity landscape.
Stay tuned for more Signal to Noise conversations, where we distill the insights that matter most. Stay secure, and stay curious, my friends!
– Damien