Ask Lemonade's Jonathan Jaffe Almost Anything (AMAA)

  • 16 July 2022
  • 2 replies

Greetings Secured Community, and welcome to our very first AMAA (Ask Me Almost Anything). We have an absolutely wonderful guest to kick things off and we’re excited to see what creative questions you come up with. Since this is our first AMAA, here’s the scoop:

AMAAs (Ask Me Almost Anything sessions) are designed to connect you with thought leaders, cybersecurity and compliance experts, IT practitioners, DevOps pros, and other awesome people in our industry.

  1. Submit your question (please keep it professional)
  2. We’ll curate your questions and chat with Jonathan
  3. The recorded AMAA will be shared back to the community blog
  4. Easy as 1, 2, 3!

About Our Guest, Jonathan Jaffe

CISO, Lemonade

Co-Founder of SVCI


2 replies

What is the most challenging aspect of converting technical cybersecurity risks into business language?

Thank you for all the great questions we’ve received through DMs and email. We are recording the interview with @jonathan today and these are the questions we’ve curated:



  1. You have a diverse background. You spent a decade integrating large-scale servers and services, about six years practicing law, and for the last third of your career, you’ve become a well-respected security leader. 
  2. The square peg in this is the law degree. When did you become an attorney, and why?
  3. What drew you back to technology? 
  4. How’d you end up focusing on security?
  5. How has your experience as an attorney impacted your view of cybersecurity?
  6. You have two decades of experience with identity and access management. To this day, IAM remains a significant challenge for organizations. What has changed the most for IAM, and where do you see it going in the future?

CISO / Leadership

  1. How has your perspective of security changed since going from a security practitioner to a security leader?
  2. Earlier this year you chatted with our friends at Orca about embracing automation in security. In InfoSec and compliance, automation looks different than it does in cloud security posture management. 
  3. How do you decide whether InfoSec automation, i.e., compliance automation, is worth the investment, as opposed to hiring people with specialized compliance skills?
  4. Lemonade is turning “insurance” from an unsavory epithet into a word synonymous with fun and positivity. You have great design, and as a certified B-corp, Lemonade holds itself accountable to shareholders not only for profits, but for social and environmental good.
  5. As a security leader at Lemonade, how does your role contribute to Lemonade’s mission?
  6. Our landscape is always changing. How do you stay ahead of the curve? Through blogs, podcasts, articles, conferences, or other means?

Compliance and Infosec

  1. What role do you think compliance, risk management, and governance play in building a foundation for cyber security?
  2. As a service with personal and financial data flowing through its systems, what role has compliance played in how you’ve scaled offerings?
  3. What are your thoughts about building trust (brand reputation) through cyber security?
  4. How important is it to have an outward-facing display of trustworthiness? For example, some companies like to show their SOC 2 attestation badge, and others ensure they have vulnerability disclosure policies publicly visible. How important are these things?

Current Events

  1. Is today’s buzzword, ZeroTrust, fluff, repackaging of established concepts, or something still on the horizon?
  2. What are your thoughts about the recent string of social engineering attacks making headlines?
  3. Do you see a future where phishing attacks are a historical footnote?
  4. If so, what will have been the cause of relegating this chapter to history?
  5. Outside of work, how do you find balance? How do you disconnect?