The modern CISO role has expanded far beyond protecting systems and responding to incidents. Today, it sits at the intersection of business strategy, product development, regulatory pressure, and emerging technologies, none more complex than AI. CISO Diaries was created to capture how experienced security leaders navigate this reality in practice, not theory.
In this edition, we speak with Jason Loomis, Chief Information Security Officer at Freshworks, about what it takes to lead security at scale in a publicly traded SaaS organization. From guiding companies through M&A, IPOs, and rapid growth to shaping AI security and governance frameworks, Jason offers a candid look at how security leaders balance risk, velocity, and trust. This conversation explores how decisions are made when the stakes are high, clarity is incomplete, and security must enable (not slow) innovation.
About the Interviewee: Jason Loomis
Jason Loomis is a seasoned Chief Information Security Officer with deep experience spanning e-commerce, SaaS, healthcare, banking, and high-growth public companies. He currently serves as CISO at Freshworks, where he leads a 70+ person global security organization responsible for everything from application and cloud security to incident response, governance, M&A, and go-to-market security enablement.
In recent years, Jason’s focus has expanded into AI security and governance, helping organizations navigate emerging AI risks, compliance obligations, and ethical use. His work includes aligning security programs with ISO/IEC 42001, the EU AI Act, and NIST AI RMF, as well as embedding AI-specific risk assessments directly into product, engineering, and IT lifecycles.
While cybersecurity is his profession, Jason’s broader passion lies in leadership, organizational decision-making, and disaster relief efforts, interests he believes make him a more effective security leader. Known for his thoughtful, business-aware approach and his ability to balance rigor with pragmatism, Jason brings a perspective shaped as much by people and culture as by frameworks and controls.
How do you usually explain what you do to someone outside of cybersecurity?
Honestly, I don’t have to explain it much anymore. Cybersecurity has gone mainstream. When I say I work in cyber, I don’t get blank stares—I get nods, breach stories, and the occasional “so… should I be worried?”
If I do go deeper, I keep it simple: my job is to reduce risk so the business can move fast without stepping on landmines. I’m not the Department of No. I’m there to help the company make informed tradeoffs—and avoid the kind of mistakes that end up on the news.
What does a “routine” workday look like for you, if such a thing exists?
There’s no such thing as a routine workday—and that’s intentional.
The only routines I protect are outside of work: daily exercise before I start, and protected family time after I’m done. Everything in between is variable. One day, I’m helping a customer understand our security posture in the context of their implementation. Another day, I’m managing an incident. Another day, I’m building a deck to convince executives that encrypting data at rest is, in fact, a good idea.
If my days ever became predictable, that would be the real red flag.
What part of your role takes the most mental energy right now?
People.
“Politics” sounds harsh, but that’s really what it is—navigating personalities, incentives, power dynamics, ambiguity, and constantly shifting priorities. Technology is comparatively easy. People are not.
Security doesn’t fail because of missing tools. It fails because of misalignment, mistrust, or mixed signals. That’s where the real mental load lives.
What’s one security habit or routine you personally never skip?
The gym.
It keeps me sane. Healthy body, healthy mind. If I’m not taking care of myself, I make worse decisions, have less patience, and become less effective as a leader. None of those show up in a dashboard, but everyone around you feels them.
What does your personal security setup look like? (High level)
Boring. On purpose.
- MFA everywhere—no exceptions
- Password manager shared with my family
- Weekly backups to a FIPS-encrypted device
- File-level backups on FIPS-encrypted USB only
- Family safe words so we know we’re talking to the actual person
If security feels exciting, you’re probably doing it wrong.
What book, podcast, or resource has influenced how you think about leadership or security?
I’ll give you my top five:
- The Five Dysfunctions of a Team — Patrick Lencioni
- The Culture Code — Daniel Coyle
- Drive — Daniel Pink
- Switch — Chip and Dan Heath
- Ted Lasso — AppleTV
That last one isn’t a joke. There are more practical leadership lessons in that show than in most management books—especially around trust, accountability, and optimism without being naïve.
What’s a lesson you learned the hard way in your career?
Early in my first CISO role, I learned an important lesson—publicly.
In a board meeting, with the CTO present, I was asked about our security posture and took the “sky is falling” approach. I described real risks, but I failed to assess their materiality, and I failed to articulate a plan.
I deservedly lost the CTO’s trust in that moment. Risk is always there. The job isn’t to scare people—it’s to evaluate risk correctly, communicate it in business terms, and show a credible path forward. I only needed to learn that lesson once.
What keeps you up at night right now from a security perspective?
Supply chain risk.
I’m honestly surprised AI hasn’t already blown this wide open. My bet is that 2026 is when we see large-scale open-source supply chain attacks with real, cascading impact. The blast radius is huge, and most organizations still underestimate just how interconnected everything is.
How do you measure whether your security program is actually working?
I don’t think anyone has fully solved this—despite what the vendor floor at RSA might suggest.
My approach is pragmatic: focus on the fundamentals. There’s a core set of controls that, if implemented well and measured consistently, eliminate most real-world risk. Access control, asset visibility, vulnerability management, logging, detection, response. Do the basics exceptionally well.
Even with AI, the fundamentals haven’t changed. Access control, least privilege, and data governance still matter. Flashy tools come and go. Boring controls, executed well, compound.
What advice would you give to someone stepping into their first CISO role today?
For the love of Thor… Don’t DO IT! Haha. Kidding.
Ask. Your. Team.
Their collective knowledge will always outweigh your individual experience. Don’t make decisions in a vacuum. If you have a yes-person working for you, one of you is redundant—and it’s probably not them.
Your job isn’t to be the smartest person in the room. It’s to make sure the smartest ideas can surface without fear.
What do you think will matter less in security five to ten years from now?
Manual secure coding practices.
As AI increasingly writes code, it will also increasingly enforce secure patterns by default. Secure coding won’t disappear—but it will become more automated, more standardized, and far less dependent on individual developer heroics at 2 a.m. or trying to convince developers why they shouldn’t hardcode secrets. Shift left is great marketing, but developers and product managers still don’t seem to buy it today.
Looking ahead 10 years, what will security teams spend most of their time on that they don’t today?
Supervising automation.
Security teams will shift from doing the work to overseeing the work. AI will handle much of the detection, triage, response, and even remediation. Humans will focus on supervision—understanding failure modes, validating decisions, and knowing when to step in.
Think less “hands on keyboard” and more “air traffic control.” The job becomes making sure the automated systems are behaving as intended—and that when they don’t, the consequences are contained and recoverable.
