Celestine Jahren of Censys On 5 Things You Need To Know To Optimise Your Company’s Approach to Cybersecurity

Published in Authority Magazine
21 min read · Jul 7, 2024

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Celestine Jahren.

Celestine Jahren is the Director of Strategic Alliances at Censys — the internet intelligence platform. Censys empowers governments, enterprises, and researchers with the most comprehensive, accurate, and up-to-date map of the internet to defend attack surfaces and hunt for threats. With a background in identity and access management and attack surface management, Celestine’s insights focus on emerging threats, CVE trends, Zero Days, and how organizations can protect themselves.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Sure — my upbringing has undeniably shaped the person I am today. To start, I was born in Norway but raised in the United States. Like a lot of kids in multilingual households, I can follow a conversation in Norwegian or Danish but only respond in English. In fact, there’s a running joke that my “party trick” is learning and then forgetting languages. I studied Spanish, Turkish, and French at different points, but I can barely say “Hi, how are you?” in any of them today!

Growing up, I was raised by my mother in a single-parent household. My mother managed to make it to all my sporting events and school field trips, while also building her corporate law practice from the ground up. I can’t tell you the number of times that I’d wake up as a kid late in the night to see or hear her still working. And even though we were physically far from our immediate family, she surrounded me with a loving extended community, so my family never felt small.

That experience of navigating different cultures, with roots in one country while growing up in another, definitely influenced my worldview. I ended up specializing in international affairs, studying in the Middle East when I was 19, and moving overseas for work in my early 20s.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Growing up, my career aspirations changed depending on my mood or my latest interest. At any given time, I wanted to be a veterinarian, a writer, a teacher. The cybersecurity industry — or really anything related to computers as a career — wasn’t on my radar until college.

That’s when, one evening, I ended up in the hospital. I was severely dehydrated from a nasty flu, needing an IV and some medication. After a long night, I left the hospital, and I really thought that, except for the invoice, that was the end of it. However, not long after, I received a notification that the hospital had a security incident, and their patient medical records were exposed online.

It made an impact at an important time for me — transforming cybersecurity from an abstract concept into something tangible that affected personal privacy and safety. Back then, I didn’t know many people who had experienced an incident, unlike today, where data breaches in hospitals or financial institutions are a staple of our news cycles and SEC filings. That moment definitely shaped the journey I took to get here.

Can you share the most interesting story that happened to you since you began this fascinating career?

All of the ones that immediately come to mind, I can’t put on record! I’ve definitely had a few moments where I’ve thought, “Who let me in this room?” or “Did that really happen?” Then again, some of my colleagues’ stories make my whole life sound boring.

Actually, as I’m thinking about this, the one common thread in everything coming to mind is that I don’t think I would have traveled or met the folks I have outside of working in the cybersecurity industry. For instance, last month took me from Germany and the Netherlands to the United States and Australia to meet with security folks. I met with people whose insights and on-the-ground realities are rarely visible to the public eye. What we see in the news is just the tip of the iceberg of what they face daily. Ironically, during that last trip to Australia, I ran into a colleague whom I had last seen in Aberdeen, Scotland. What are the odds? But those moments happen all the time in the cybersecurity industry.

I would also say that these adventures have been enlightening not just in a professional capacity but personally as well. They’ve allowed me to challenge my assumptions and my way of thinking and learn about myself as much as I’ve learned about anyone or anything.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Gosh, so many people.

Obviously, I’m very much modeled after both my mother and my grandmother. They both left their home countries in their early 20s, and I did the same thing — albeit in the opposite direction — moving to Europe.

From a work perspective, I’d say each manager has left at least one memorable lesson. For example, at one of my first tech startups, I had a boss react poorly to a question I asked in a team meeting. You could have knocked me over with a feather when she took me aside later to apologize and say that her reaction had weighed on her mind overnight. There was something about the way she said it, I almost cried. Okay, I definitely teared up a little. The fact that a manager could show such humility and vulnerability was revelatory to me. She would go on to sponsor so many milestones for me, but what I remember best is her genuine integrity and humility in leadership.

Similarly, when I was fairly new to people management, one of the members of my team passed away. It was awful on so many levels for their loved ones and colleagues because it was unexpected. In the wake of this tragedy, there was a leader who reached out every Sunday for what must have been a month to check on me personally in the midst of everything. His compassion and empathy underscored that we’re just people at the end of it all.

Are you working on any exciting new projects now? How do you think that will help people?

At the moment, I am working on a project around securing energy devices that connect to the Internet and the impact of their misconfigurations. These types of projects are super fascinating to me due to the broader implications: the various ways these devices are utilized, the translation of a cyber risk to a physical risk, and the downstream impact on other systems. When addressing these risks, you need to balance the probability of an incident against its possible impact. I worked with a security architect early on who would say, and I’m paraphrasing, “We’re building for the one person who is just trying to get home today,” and I find myself reaching back to those words as a lodestone when the implications start to feel too theoretical.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Pursuing your passion, especially within a startup environment, can absolutely lead to burnout. It takes a toll on your wellbeing and derails your progress, even when you feel like you’re just trying to keep moving forward.

To start, I don’t have the requisite background to give any kind of professional advice, but I’d start by asking a friend or colleague some questions about who/what motivates versus drains them. On one hand, are you motivated by untangling a thorny challenge, learning something new, or doing a task really well? Knowing that about yourself, can you find more opportunities to lean into those motivations while still pushing forward on your objectives?

On the other hand, are there particular things, tasks or conversations that burn you out? When you identify those things, what can you automate, delegate, or even temptation-bundle to reduce their impact?

Lastly, in burnout, it can feel impossible to look up, ask for help, take a break, or find a creative solution. And that’s when you definitely need to. Try turning off your screens and stepping away from a structured work setting to either talk, write, or think. Personally, I find that when I’m about to fall asleep or on the weekend, my brain starts generating new ideas or trying to unpack an unsolved challenge. But then I feel guilty because I’m supposed to be resting or present in the moment with other things. Sound familiar to anyone else? I’ve learned to just give myself the grace to think about it for a little while, physically jot down the notes, and then set it aside until I’m ready to come back to it later.

For anyone who wants more structured advice, Dr Neha Sangwan spoke to our Censys team earlier this year about the signs of burnout and the phases of it. She’s got a number of burnout-related resources and books on this topic.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

At times, while in meetings or working on a project, I catch myself realizing that the issues our team is discussing are the same things I see in news headlines. It can feel surreal and reminds me of how much I’m energized by the impact of the cybersecurity industry.

What intrigues me day-to-day is the ever-changing nature of cybersecurity. For someone like me, who is motivated by learning and trying new things, I always feel like there’s a new use case or idea around the corner. Now, AI is the buzzword in cybersecurity, succeeding previous terms like ‘next-gen’ or ‘zero trust.’ And there’s a sense of awe when I learn about security defenders extrapolating new insights from AI, which then translates into tangible security improvements. But even setting AI aside, I spoke to a security person this week whose knowledge of geospatial devices, their security and impact made me rethink some of my fundamental perspectives. I hope he writes a book one day!

I’m also excited to see the increased level of executive prioritization on cybersecurity in the last few years. CEOs and Boards are placing cybersecurity at the forefront. While there are external compliance and regulation drivers, I believe cybersecurity is becoming more accessible. And that’s thanks in part to the cyber defenders before us who “translated” security into accessible business language. For example, I worked with a medical manufacturing security leader who needed to justify his budget to multiple high-level executives years ago. He conducted exercises simulating ransomware and phishing attacks in an in-person workshop, vividly illustrating the topics to his main stakeholders. Those examples helped him not just unlock the budget but also create sponsorship on his executive team long-term.

Another thing? When I look around, I see more women in cybersecurity and technology today than I did even a couple of years ago. And that’s not to discount any of the amazing trailblazers who came before us, but I’m so excited to see more progress in the diversity of cyber teams, from our leaders to our recent grads. We have a long way to go, but I love seeing progress!

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Looking ahead, what especially concerns me is the rise of ‘cybercrime as a service’ models. Bad actors take cues from legitimate tech company models, forming highly profitable organizations, such as those offering Ransomware-as-a-Service (RaaS) or Phishing-as-a-Service (PhaaS). These bad actors operate with an enormous amount of resource efficiency. If you look at the Conti ransomware group, for example, their 60,000 logs were leaked back in 2022 and exposed the types of systems, internal discussions, commissions, and even talent acquisition models that these operators develop. These models enable cyber attacks to spread quickly and cause significant damage.

On the AI side, historically, the weaponization of technology required some kind of skills, resources, or tools. Today, if you’re one of more than 5 billion people with an internet connection and the ability to ask good questions, you can query your way into a problem. For example, I had a conversation with a financial security leader the other day, who was testing in his lab how bad actors might generate malware using AI. Sounds concerning, right? Well, researchers have already lab-tested Morris II, a generative AI worm that can spread between systems to steal data, and they forecast we’ll see actual generative AI worms in the next few years.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I worked with a global security leader who needed to decide which systems to secure first due to limited resources. They chose one system over another, downplaying the potential consequences of a cyber breach. Regrettably, not long after, I looked down to see my phone ringing. You can guess why.

It could have happened to anyone, and that’s the really important part here. To a lot of folks in cyber, this incident will sound familiar because it is the dilemma they face every day. In cybersecurity, many choices come down to risk prioritization, and cybersecurity teams have limited insights (or sometimes too many insights with no context) and tools that do not integrate well. Meanwhile, attackers only need to find a single vulnerability or end-of-life (EOL) system to exploit. For example, in February last year, our research team saw a surge in ESXiArgs ransomware. But if you look closely at some of the hosts, the ransomware notes actually have origins in October of the year prior, which is when ESXi versions 6.5 and 6.7 reached end-of-life. The day CISA released the related decryptor and guidance, the bad actors made modifications. This emphasizes the round-the-clock nature of the threat landscape.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I’ll skip the obvious answers — password manager, VPN, antivirus — and jump to the fun ones.

The first thing that comes to mind, of course, will be Censys. I use Censys to map different kinds of services online. If you’re a researcher, you can use Censys to study things like spyware targeting human rights activists, the scope of a new Zero Day, internet connectivity, blacklisted infrastructure in a region, the changes in a bad actor’s TTP, and so forth.

I’m also a fan of tools like GreyNoise and Maltego, which work neatly with Censys. GreyNoise filters benign and malicious Internet scan activity so you can differentiate between targeted attacks and common background noise. Meanwhile, Maltego does link analysis to help analyze complex data relationships in cases of things like cybercrime.

Lastly, I’m also a fan of how some of the tools I use are implementing AI. In Censys’s 2024 State of Threat Hunting report, 75% of researchers found AI very helpful over the past year, which highlights its accelerating adoption among security professionals. If you’re reading this and not yet in cyber, there’s a host of tools out there that don’t have to be just for the cybersecurity industry. Ruqaiya Akbari recently spoke to our team about ways to leverage AI tools like Claude or Perplexity to not just improve your writing or research but also to make your life a little easier beyond just your next vacation itinerary.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

The first thing I’d say is that being part of a small security team doesn’t necessarily mean you’re dealing with small security problems. Consider disruptive companies in established sectors — like challenger banks or healthcare startups — that have valuable data that is very attractive to attackers. In fact, in the case of those challenger banks, I’d argue that their customer data is far more valuable than the actual money in their accounts.

The key is to help your executive and board teams see cybersecurity as part of their core responsibilities. At the smaller stage, it’s not uncommon to have a VP or Director of Security who may not yet report to the CEO or Board. If you’re reporting to the CFO, you have an opportunity to map the significant security investments at different stages in the company’s journey with them. This way, security is seen as a factor of business growth, not just a cost center.

For those in critical industries — think finance, healthcare, aviation — participating in strong information-sharing groups can have an added benefit. Information Sharing and Analysis Centers (ISACs), such as the FS-ISAC or E-ISAC, formed from Presidential Decision Directive-63 (PDD 63) in the late ’90s, specifically to ensure learning from cyber threats in critical sectors. So, the benefit for smaller or less mature teams is that they can learn from larger organizations with more resources.

A Managed Security Service Provider (MSSP), an outsourced SOC team, or a fractional CISO can also offer the capabilities or time zone coverage that you can’t afford to manage in-house, especially if your security team is also doubling as IT, TechOps, office manager, and general cat herder.

Ultimately, it’s up to each company and its security team to discuss its risk and security appetite in order to know when to invest or hire resources. But at the same time, external factors like regulatory requirements (for example, DORA or SEC’s new cyber risk disclosure rules in 8-Ks and 10-Ks) or cyber insurance coverage requirements are shifting those security maturity models.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

So, imagine your phone pings with a message saying there’s an urgent tax refund or an unexpected package delivery. Just click the link for more information. It’s exciting, right? But here’s where you need to be extra careful. As a rule of thumb, if it’s unexpected and urgent — verify. Instead of clicking on any links or dialing numbers directly from the message, a Google search can get you going in the right direction before you react. It’s a simple step but one that’s really easy to miss in our day-to-day rush.

At work, if you start seeing unusual Multi-Factor Authentication (MFA) requests, it could actually be a sign of someone trying to breach your company’s systems. It’s tempting to “click to approve” to clear the notification off your phone, but it’s much safer to report the unusual activity to your IT and Security team. You might be one of several people spammed with notifications, so you could potentially help the entire company.

Speaking of accounts — let’s say there are alerts about strange charges or logins from unusual locations on your email or bank. This is often a hacker’s way of testing waters. They might even try to clean up their tracks, deleting any alerts if they’ve accessed your email. My colleague Dr. Ariana Mirian did some neat research on that kind of “hacker for hire” behavior a few years ago. But if you receive any alerts or see odd activities, contact the company to report and change your passwords in other systems, just in case.

Lastly, I was in a taxi recently, and the driver asked me if it was okay that he shared his hotspot with a previous passenger from overseas. Had he somehow made a mistake or trusted the wrong person? Honestly, it sounded like he’d done a really kind thing. If you want to share access to things like your Netflix, Wi-Fi or hotspot with people you trust, I recommend simply making sure you give them unique credentials to prevent accidental misuse later. As a resource, I always recommend subscribing to Troy Hunt’s haveibeenpwned.com to alert you if you’ve been compromised in major data breaches like LinkedIn or Facebook. Yes, in spite of the name, it’s a legitimate tool to know if you might have been exposed.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

There are really good frameworks to lean on during a security incident, like the ones from NCIS and the Center for Internet Security (CIS). How a company deals with a crisis today really makes a difference. There’s an old adage — I think attributed to a former McAfee VP — that every company has been breached, and if they haven’t, it’s because they don’t know about it yet. So, it’s not the breach itself that matters anymore, but rather how you respond and handle the incident.

Take recent breaches, for example. What did those companies do well? They jumped on identifying the issue, containing it, and alerting folks fast with remediation steps. And when they needed more help, they didn’t shy away from bringing in the heavy hitters — experts like CrowdStrike or Mandiant (now Google) or the FBI. On that note, I thought it was really interesting that during the last Hive takedown, the FBI commented that only 20% of victims contacted the FBI, which might have been a missed opportunity for help or information sharing.

And then there’s the legal side of things. Regulations may trail behind, but they’re catching up, for example, with the SEC breach rules. Now more than ever, adhering to those requirements is key.

What are the most common data security and cybersecurity mistakes you have seen companies make?

A lot of what I see comes down to the pace at which businesses move today in order to stay competitive and scale. Sometimes, we’re moving so fast we don’t know the risks inherent in our third-party tools or software. Maybe there’s a crucial setting missed because it wasn’t on your radar, or two people overlapped on configuring a system and didn’t notice what the other did.

Of course, we’ve seen many examples of poor password management mistakes leading to a host of data and cybersecurity issues. Implementing MFA felt like a mountain to climb for many in the last 10 years. But honestly, that’s table stakes now. Nowadays, the challenge has shifted more toward identifying what “things” need securing in the first place.

The underlying issue is we can’t secure what we can’t see — those apps, servers and services floating around that companies don’t even know they own. This is reflective of how we operate today with remote workforces and the ease of signing up for services online. Some organizations discover a whole network of systems post-acquisition that they didn’t know existed. It’s a fascinating challenge, but, on the flip side, it perfectly highlights the importance of visibility, which is exactly what Censys is all about.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

When we all pivoted to remote work, it was like someone hit the fast-forward button on corporate risk appetites. The priority for businesses was to stay operational and online.

I remember chatting with IT directors who were in the thick of it. Picture this: an IT director trundling across the country in his old car, seats and boot stuffed to the brim with laptops, to get devices in the hands of employees who had never worked from home. And this director was one of the lucky ones. Others told me they couldn’t get the budget approved in time during the first waves. They’d miss out on buying devices because their executives authorized the spend an hour or two late.

Fast forward to the past couple of years, and we’re seeing the pendulum swing back. Businesses are dialing up those security practices for a distributed workforce that’s connected to the digital world from anywhere and everywhere. One striking thing today is how much our personal and professional digital presence has started to merge. You’ve got folks checking personal services on their work laptops or connecting to work from shared home networks that, let’s face it, might not have the security you’d hope.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?

Every business, big or small, has got to start with the basics, and one of those factors is your identity perimeter. We’ve all heard the stories of companies with their passwords printed out or on sticky notes. There was a French news agency that famously did an interview after a security incident. And in the background of the shot, behind the reporter, there was a desktop with sticky notes for credentials. Set aside insider threats or disgruntled former workers for a moment; you can probably guess how many passwords are repeated.

Next is empowering and educating your people. The thing is, most folks just want to do their work, so how can you make security as standard as their daily coffee? Let me give you an example: I worked with a company that gamified stopping ‘tailgating’ — people slipping in unchecked by shadowing a legitimate employee with a badge. They had people dressed up in big alligator suits approach the entrance to the buildings, and it was eye-opening how many walked in because an employee held the door out of politeness. The costumes were hilarious, but the message stuck after they showed the pictures and told the stories to the team.

Then there was the company that played ‘donut roulette.’ Leave your laptop unlocked and step away from your desk? Congratulations; you’re bringing donuts for the next team meeting. You bet people were on high alert, looking for any chance to catch an unlocked laptop because nobody wanted to be “that person.” I had to do it once, and believe me, you only forget once.

Then, there is the sneakiest of them all — shadow IT. Risk management is all about calculating the odds and the impact. If you’re missing an expiring certificate or outdated software because it’s slipped under the radar, it’s impossible to manage or truly know your organization’s risk level. In Censys’s State of the Internet report from two years ago, we saw that 88% of the exposures online are misconfigurations — unencrypted services, self-signed certificates, database exposures, exposed credentials, API keys, you name it. Basically, things that you would fix if you knew about them, or you would at least prioritize fixing them, if you at least knew they existed.

Last couple of things, I would say, data compliance is a living, breathing activity. Many teams navigate the world of compliance with legacy spreadsheets, endless email exchanges with snapshots, bouncing between tickets. If your policy mandates that certificates need to be refreshed or your AWS credentials have certain variables, then you need tooling that can take your program from “paper” and “should have” to something that you can verify in time to make those operations work for you instead of against you.

This nicely leads to the last critical piece of advice — stress-test your program for when an incident occurs, which covers everything from rapid response to clear communication channels to regularly tested data backups. The last thing you want is to build that process while it’s happening or realize your backups are missing critical information. There are numerous groups out there offering stellar and often free training exercises. Take, for instance, the City of London police’s Cyber Griffin team, which provides complimentary training sessions to local businesses free of charge, equipping them with the skills to handle cyber incidents based on their experience with such incidents.

Ultimately, every company finds itself at a different stage in its security journey, equipped with a varying number of tools. But, at the very least, being proactive in your preparedness strategy positions you to better navigate whatever challenges may come your way.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Well, I certainly wouldn’t call myself a person of enormous influence. But out of all the things that we could be doing that come to mind at the moment…

Call someone you love today. Life is really unexpected, so let them know you love them, that you appreciate them, or how they made a big difference in your life. It’s something that’s super accessible, right? You never know what that can mean for somebody on the other side. I should take my own advice, honestly.

How can our readers further follow your work online?

I’d be remiss if I didn’t say to check out the research from Censys — our research and rapid response teams are tracking some important threat landscape and incident trends. If you’ve never met the Censys folks on those teams — people like Emily Austin, Himaja Motheram, Mark Ellzey, Aidan Holland, Ariana Mirian, Matt Lembright, and more — follow them. You won’t be disappointed — they’re the authors behind a lot of the research I mentioned today. For me personally, you can always reach out on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you — this was a fun change of pace for me.
