CISO Diaries: Jason Scanlon on Security Culture, Leadership, and the Human Side of Cybersecurity

After more than 25 years working across IT and cybersecurity, Jason Scanlon has developed a perspective on security that goes far beyond technology stacks and threat dashboards. As Chief Information Security Officer at Numata, Scanlon operates at the intersection of governance, client trust, operational resilience, and people management, helping organizations in highly regulated sectors navigate security without losing sight of the humans behind the systems. His experience spans MedTech, life sciences, and manufacturing industries, where security failures can have consequences that extend far beyond the digital world.

That people-first mindset is part of what makes Scanlon’s perspective particularly fitting for CISO Diaries, a series focused on the routines, habits, pressures, and leadership philosophies shaping today’s security executives. In this conversation, he reflects on the mental strain many CISOs quietly carry, the importance of empathy in security leadership, and why a strong security culture matters more than any individual metric. He also discusses imposter syndrome, alert fatigue, and his belief that the future of cybersecurity must include a healthier relationship between operational security and employee well-being, an issue he believes the industry still underestimates.

How do you usually explain what you do to someone outside of cybersecurity?

I tell people openly and honestly that it is my job to help protect our business from threat actors and to help our clients do likewise. Because we are a global MSP, having our house in order should give our clients and prospective clients confidence. I also like to mentor our younger team members and always be mindful of the challenges, both physical and especially mental, that the role and job bring. Empathy and understanding should be afforded to all, given the world we live in today.

What does a “routine” workday look like for you, if such a thing exists?

I suppose that is the beauty of my current role: no two days are the same. It could be policy review to assist in an incident with a client, mentoring our GRC team, security reviews with our SOC Manager, vendor assessment and research, and infosec guidance and recommendations to the business. The list goes on.

What part of your role takes the most mental energy right now?

I suppose worrying about whether we are ever really protected enough, given the changing pace of technology and new developments in AI (Mythos, etc.). Worrying about D-Day arriving at your business is something most CISOs worry about. 

What’s one security habit or routine you personally never skip? (Work or personal.)

For me, it’s about protecting my online accounts as best I can, even if, at times of pressure, it can be cumbersome. MFA, password managers, multiple layers, essentially. Why? If one auth method fails, at least there is another layer to prompt (hopefully). Also, I tend to stay away from most social media, but when I do, I limit the personal details I share.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I would have all of the above for my devices and accounts. I also use biometrics.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

I think the Dark Net Diaries are a good listen. One of the first books I read in Cybersecurity was by Gary Hayslip, which I found very useful (The Essential Guide to Cybersecurity for SMBs). Also, I have been very fortunate to have great colleagues or mentors, perhaps too many to mention, but some would include Jakobus Koorts, our CEO, Martin Kelly, Dr. Rois Ni Thuama, Paul Delahunty, Shane Quilligan, Kieran Spillane, and Mike Cushen. 

What’s a lesson you learned the hard way in your career?

A former boss of mine once told me the more work you do for free, the less people will value it and expect it from you as the norm. I believed that people would also see the work that I do in helping go the extra mile for their business. I suppose in an ideal world that would be the case, and part of me still believes that. However, in other scenarios, I believe my former manager was right. Nothing of value comes for free. 

What keeps you up at night right now, from a security perspective?

I suppose, as part of the assume-breach mentality and as alluded to earlier, it’s when D-Day comes, in whatever manner it comes. I know we have great people and am very confident in the measures and controls we have in place, but like any CISO, there is always that nagging bit of your brain that says, “Hey…”

How do you measure whether your security program is actually working?

For me, operational metrics like MTTD, MTTR, MTP, etc. are very useful, but they operate at the operational level. For me, when we have employees reporting more, or being encouraged to report more risk to the business, whether that be reporting potential phishing, asking questions about policy and procedures, or getting involved in improving security measures, that is a sign of a good security culture. To me, this is the sign of a good security program, one that promotes reporting, encourages employees to report risks, and has an everyone-is-responsible approach. Culture is a key aspect of any security program.
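The answer above puts operational metrics (MTTD, MTTR) beside culture signals such as how many employees report suspicious mail. The script below is an added example, not code from the article or from Numata, that computes both kinds of metric from constructed data so the two can sit on one scorecard. It assumes the common definitions MTTD = mean(detected − occurred) and MTTR = mean(resolved − detected); the incident records and phishing-simulation outcomes are invented sample input, and MTP is not modelled because the interview does not define it.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not taken from the article). Timestamps
# are ISO-8601 UTC: when the incident is later judged to have started, when
# the security team detected it, and when it was resolved.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T10:00:00", "resolved": "2024-03-01T16:00:00"},
    {"id": "INC-002", "occurred": "2024-03-04T09:30:00", "detected": "2024-03-04T09:45:00", "resolved": "2024-03-04T13:45:00"},
    {"id": "INC-003", "occurred": "2024-03-10T22:00:00", "detected": "2024-03-11T06:00:00", "resolved": "2024-03-11T12:00:00"},
]

# Constructed phishing-simulation outcomes, one record per recipient: whether
# they clicked the lure and whether they reported it to security.
SIMULATION = [
    {"user": "u1", "clicked": False, "reported": True},
    {"user": "u2", "clicked": True,  "reported": False},
    {"user": "u3", "clicked": False, "reported": True},
    {"user": "u4", "clicked": False, "reported": False},
    {"user": "u5", "clicked": False, "reported": True},
]


def hours_between(start, end):
    """Elapsed hours from `start` to `end` (ISO-8601 strings); rejects reversed order."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"timestamp order reversed: {start} > {end}")
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents):
    """MTTD in hours: average of (detected - occurred) across incidents (assumed definition)."""
    if not incidents:
        raise ValueError("no incidents to measure")
    return mean(hours_between(i["occurred"], i["detected"]) for i in incidents)


def mean_time_to_resolve(incidents):
    """MTTR in hours: average of (resolved - detected) across incidents (assumed definition)."""
    if not incidents:
        raise ValueError("no incidents to measure")
    return mean(hours_between(i["detected"], i["resolved"]) for i in incidents)


def report_rate(outcomes):
    """Share of recipients who reported the simulated phish: the culture signal."""
    return sum(1 for o in outcomes if o["reported"]) / len(outcomes)


def click_rate(outcomes):
    """Share of recipients who clicked the lure."""
    return sum(1 for o in outcomes if o["clicked"]) / len(outcomes)


def scorecard(incidents, outcomes):
    """Combine the operational metrics with the culture metrics in one view."""
    return {
        "mttd_hours": round(mean_time_to_detect(incidents), 2),
        "mttr_hours": round(mean_time_to_resolve(incidents), 2),
        "phish_report_rate": round(report_rate(outcomes), 2),
        "phish_click_rate": round(click_rate(outcomes), 2),
    }


if __name__ == "__main__":
    for key, value in scorecard(INCIDENTS, SIMULATION).items():
        print(f"{key}: {value}")
```

Tracking the report rate alongside the click rate matters because a falling click rate with a flat report rate says employees are ignoring lures rather than raising them; the interview's point is that the reporting behaviour, not just the avoidance, is what shows the culture is working. The timestamp-order check guards against a data-entry error that would otherwise silently pull MTTD negative.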

What advice would you give to someone stepping into their first CISO role today?

Beware of imposter syndrome; in fact, acknowledge it early. Treat it for what it is: a state of mind. In all walks of life, there will be those better than ourselves, and, equally, there will be those who look up to us as role models/mentors. Furthermore, the CISO role has only been around since approximately 1995, and it is still evolving. Therefore, I would encourage a growth mindset, educate when you can, and be the best version of yourself. Remember, no two CISOs will be the same, so don’t compare yourself to anybody else, only to the person that you are and can become. Be positive that you will make a difference.

What do you think will matter less in security five to ten years from now?

That’s a tough one, as I don’t have a crystal ball, but, joking aside, I hope it’s alert fatigue. I am hoping that AI can play a positive role in this regard and reduce this bombardment. I hope we will have fewer critical alerts for engineers to work through. I think this is very important from an employee health and well-being perspective.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Here is what I am hoping: that they are able to spend more time with their families and loved ones than they do today. I rely on the positive aspects of AI to help with triage, alert fatigue, vuln mgt, and IR, etc. Time is a commodity precious to all, and based on my own past experiences is something we don’t get back too easily. I would have spent large portions of my career working all hours and weekends, perhaps to the detriment of my loved ones.

What we need to understand as business leaders is that employees’ mental health and well-being are directly related to our cybersecurity strategy; you can’t have one without the other. I believe we have all heard some horror stories of how insider threats have wreaked havoc.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.