Playing Defense: Jason Haddix on Red Team Tactics, CISO Challenges, and the Battle for Gaming Security
Introduction
In this episode of Breaking Badness, Jason Haddix dives into his unique journey from red teaming and pentesting to leading security teams as a CISO in high-profile organizations, including a top gaming company. Jason unpacks the distinct challenges of securing a gaming company, where risks come not only from state actors but also from clout-seeking young hackers. He shares valuable insights on building scalable security programs, secrets management, and the importance of radical transparency in corporate security cultures. Tune in to hear why, in Jason’s words, “gaming saved me from a misspent youth,” and learn about his latest ventures into offensive security training and AI-driven security solutions.
From Red Team Roots to CISO Roles: Jason Haddix’s Security Journey
Jason Haddix shares a fascinating progression from offensive security roles like red teaming and pentesting to managing global security operations as a CISO. With over two decades in security, Jason discusses the highs and lows of navigating from technical roles to leadership in large organizations, including his time as CISO at Ubisoft. Jason explains, “I wanted to see if I could do the big CISO role…the answer was I could do it, but I didn’t really like it a ton.”
Double the Threat: The Unique Security Landscape of the Gaming Industry
Gaming companies, Jason explains, face a “double” set of threat actors—from nation-state adversaries to clout-chasing young hackers looking to break into systems for attention or to alter game mechanics. He shares a shocking view of the scale and variety of these threats, describing how younger hackers might attack game companies purely “for the clout.”
“You have nation-states trying to break into you because you’re a successful business…but you also have these young kids who all they want to do is hack your games… for the clout.”
Securing Secrets: Why Secrets Management is a Must-Have in Security Programs
One of Jason’s “soap boxes” is secrets management—a crucial part of any security program that, surprisingly, many organizations overlook. He highlights the importance of securing API keys, passwords, and other credentials, as these are often targeted by attackers as easy entry points. At Ubisoft, Jason spearheaded a secrets management initiative that proved essential in reducing risk.
“At any given time, your developers, your tech people, even your users are sharing secrets and potentially leaking secrets all over the internet… attackers don’t waste time looking for technical hacks if they can just buy credentials.”
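One concrete way to catch the kind of leak Jason describes, added here as an illustration and not code from the podcast, Ubisoft, or Arcanum, is a small scanner run over source, config, or chat pastes before they leave the organisation. It combines fixed-format vendor tokens (the prefix patterns below are assumptions drawn from commonly published formats, not an exhaustive list) with keyword assignments whose right-hand side is a literal rather than a reference to an environment variable or vault; the sample input is constructed, with fake placeholder values, and findings are redacted so the scanner's own output does not become a second leak.

```python
"""Minimal secrets scanner (added example; not Arcanum's or Ubisoft's tooling).

Two rule families:
  * token rules  - vendor-specific prefixes/lengths (assumed formats)
  * keyword rule - password/secret/token/api_key assigned a literal value;
                   assignments that reference os.environ, ${...}, a vault,
                   etc. are the desired pattern and are skipped.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str   # never the raw value
    entropy: float  # Shannon entropy in bits per character, a triage hint


# Assumed vendor token formats; extend for the providers you actually use.
TOKEN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}

# <prefix><keyword><suffix> [=:] ["']<literal>   e.g. db_password = "hunter2"
KEYWORD_RULE = re.compile(
    r"(?i)[A-Za-z0-9_]*(password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*"
    r"\s*[:=]\s*['\"]?([^'\"\s]{4,})"
)
# Right-hand sides that point at a secret store instead of embedding a secret.
REFERENCE_MARKERS = ("os.environ", "os.getenv", "${", "vault:", "secretsmanager")


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return round(-sum(c / n * math.log2(c / n) for c in counts.values()), 2)


def redact(value: str) -> str:
    # Keep just enough to locate the secret in the file, never enough to use it.
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in TOKEN_RULES.items():
            for m in pattern.finditer(line):
                tok = m.group(0)
                findings.append(Finding(line_no, name, redact(tok), shannon_entropy(tok)))
        m = KEYWORD_RULE.search(line)
        if not m:
            continue
        value = m.group(2)
        if any(marker in line for marker in REFERENCE_MARKERS):
            continue  # reads the secret from env/vault: this is what we want
        if value.isdigit():
            continue  # token_ttl = 3600 and friends are not credentials
        if any(p.search(value) for p in TOKEN_RULES.values()):
            continue  # already reported by a token rule above
        rule = "hardcoded-" + m.group(1).lower()
        findings.append(Finding(line_no, rule, redact(value), shannon_entropy(value)))
    return findings


# Constructed sample standing in for a source file plus a chat paste.
# Every value is a fake placeholder, not a real credential.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAEXAMPLEFAKE12345
db_password = "hunter2"
GITHUB_TOKEN=ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xYz
api_url = https://example.invalid/v1
SECRET_KEY = os.environ["SECRET_KEY"]
token_ttl = 3600
# paste from chat: xoxb-000000000000-FAKEfakeFAKEfake
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule} {f.redacted} (entropy {f.entropy})")
```

Running it on the sample reports the AWS key, the hard-coded database password, the GitHub token and the pasted Slack token, while the env-var reference and the numeric TTL pass. In practice this sits in a pre-commit hook or CI step and feeds a rotation workflow; the entropy column helps triage the generic keyword hits, which is where most false positives come from.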
The Power of Radical Transparency: Changing Security Culture
Jason advocates for a culture of radical transparency within security teams, especially during incidents. During his time at Ubisoft, he involved the entire tech team in post-breach analysis calls, which led to a better understanding of security needs across departments. This transparency, Jason shares, helped foster collaboration and build trust within the organization.
“I’ll be damned if doing it that way didn’t make it so much easier… just being honest with everybody.”
Attack Surface Management: Knowing What You’re Defending
For any security leader, understanding the attack surface is critical. Jason emphasizes, “You cannot defend what you don’t know you have.” This episode dives into how Jason prioritized attack surface management at Ubisoft, from identifying assets to implementing proactive strategies to protect them.
Empowering Security Teams with AI: Jason’s New Frontier
Jason’s new venture, Arcanum, offers training and consulting for cybersecurity professionals, including a course that combines red teaming with AI-driven security techniques. His class, Red, Blue, Purple AI, explores how AI can scale and empower security operations without replacing human expertise.
“AI can scale your security people instead of replace them… give them superpowers.”
Join us next week for another insightful discussion on Breaking Badness!
Watch on YouTube
This episode is packed with insights and best practices from Jason’s extensive experience. Listen in to hear about the challenges, solutions, and bold ideas shaping the future of cybersecurity. For more information on Jason’s work, you can follow him on X (formerly Twitter) @JHaddix or visit his website at https://www.arcanum-sec.com/
*A special thanks to John Roderick for our incredible podcast music!