Jon Zeolla is co-founder and CTO at Seiso, where he works with companies to secure their use of cloud native applications and environments, including contributing directly to open-source projects and industry standards on their behalf. In 2021 he was awarded Start-up Innovator of the Year by the Pittsburgh Technology Council. He is heavily involved in the Pittsburgh cybersecurity community in various ways, is an IANS faculty member, and a SANS Associate Instructor for SEC540: Cloud Security and DevSecOps Automation.
What made you choose to work in security?
Back in elementary school and throughout high school I was really into video games, and extremely competitive, which meant that I was always looking to find an edge. Initially, that was just abusing the browser-based gamed we played in school, but it evolved into finding issues with other systems. Fast forward to high school, I was able to exploit a few vulnerabilities in my school’s systems. Since I was responsible with my disclosures they decided to hire me my senior year to work half days improving their security. Security also works really well with how pedantic I am. 😊
What was your first SANS course and GIAC Certification?
In 2011 I was doing a combination of what we’d call DevOps work today (automated code scans and deployments, PKI/certificate work, etc.), as well as network security (firewalls, proxies, etc.) for our corporate applications, so I took SEC502 and the GCFW (GIAC Certified Firewall Analyst (GCFW)) which was later renamed to the GPPA (GIAC Perimeter Protection Analyst) before it was officially retired.
What course do you teach?
I love teaching SEC540: Cloud Security and DevSecOps Automation because it’s such highly sought-after set of skills and increasingly valuable as companies either migrate to the cloud or reinvent their applications to be cloud native. We need to find the right balance between ensuring that our applications and systems are properly protected without using the traditional, high-friction methods.
Why do you teach, research and practice information security?
I am passionate about implementing low-friction, cloud-native security that enables companies to collaborate more safely and effectively. At the end of the day, our economy requires that companies specialize in order to realize massive efficiency gains. This is where mature security programs and certifications/attestations come into play; they are a key way to inform companies on the security posture of their vendors.
To make that a reality we cannot have manual processes and teams regularly engaged in the toil of filling out a security questionnaire, clicking around in a console, or perpetually living on phone calls to appease auditors. Development and technology teams need clear, effective, automated feedback regarding what is acceptable to the security program vs what is not. They cannot be expected to read, understand, and interpret all the security requirements of an organization every time they implement a new feature, nor can they schedule a meeting with an already oversubscribed central security team.
Policy as Code and cloud-native security/automation is how we can make sure we deliver security as a service to our company, and making sure those companies are aware of their risks and make informed decisions, instead of burying them in the sand until an attacker comes knocking. I love this stuff.
What tips can you provide newcomers to cybersecurity?
Stay passionate and keep learning. Find something that interests you and make time to poke around and understand “why.” Why it’s important, why it’s designed a certain way, or why now, regardless of what “it” is. It’s okay to reinvent the wheel from time to time; in intentional, controlled ways, and especially when understanding the “why” or “how” of a given approach better. Make sure there’s always a part of your life where you’re working on something that you enjoy.
Who has influenced your information security career?
The biggest influence on my career has been my wife. She has made so many sacrifices in order to allow me to focus (or, as she would say, obsess) over my passion for security. Nobody else even comes close.
That said, I’ve also learned a ton from my local Information Security community in Pittsburgh, PA through organizations like PittSec, BSides Pittsburgh, and Steel City InfoSec, as well as open source communities including the Cloud Native Computing Foundation, the Open Source Security Foundation, and the Apache Software Foundation.
What do you want people to know about you?
As much as I’m here to share my experience and knowledge, I actually love to learn from my class. Getting to hear about new environments, constraints, or different (especially contradictory) experiences is a blast for me. We live in such fast-moving times, we all need to be open to share and learn from each other to get better.
Favorite quotes, songs, or books?
I’m currently listening to a lot of Apashe and Parov Stelar, but I love all kinds of different music, from Metal to Reggae, and (almost) everything in between.
The most eye-opening book I’ve ever read is “Thinking, Fast and Slow” - Daniel Kahneman.
Tell us about things you enjoy that people may not expect.
I love to weight lift, mountain bike, and play chess. But you might know that if you’ve ever seen my laptop lid :)
Read Jon's full bio.
