The security community lost a special person this week: Jerome “Jay” Combs, longtime Senior Examiner at the Federal Reserve Bank of Minneapolis. Jay was a leader who worked with banks throughout the nation. He was passionate about security and cared deeply about the communities that he served.
Jay impacted my work before I ever met him. When I was a much younger penetration tester, working for banks, my clients would hire me because he was going to audit them. Although I didn’t know it at the time, Jay would also review my reports. Clients would often say, “Our examiner says we should be using the Critical Controls. Can you help?” I found out later that this was Jay’s guiding hand, pushing our banks to improve their security, one step at a time.
Like so many people in security, Jay was a Renaissance man. He was a professional bassist in San Francisco for many years. He lit up whenever anyone played Motown or mentioned the Funk Brothers. Once a professional DJ, Jay had wide and varied musical tastes, and he relished in sharing his latest favorite albums and songs.
Jay was also an avid photographer. He delighted in taking photos of nature and the people he loved. My favorite of Jay’s photos is a portrait of the highway leading to the Mission Mountains in St. Ignacious, Montana. In order to capture just the right angle, Jay laid down in the middle of the highway at dawn, rolling the dice that no cars would come along while he snapped the shot.
Professionally, Jay was a security evangelist. He knew instinctively that security was overwhelming for everyone— smaller banks in particular. He had a knack for breaking complex topics into bite-sized pieces, so that even non-technical folks could understand. Jay also developed his own, simple model: “5 Things— a Nontechnical Approach to Cybersecurity Risk Management.” These guiding principles are still beautifully relevant today.
A few weeks ago, when Jay decided to stop treatment for cancer, I asked him, “So how’d it go? How was life?” He reflected, and answered, “It was okay. Looking back, I wish I had taken more risks.”
Life, like banking, was all about risk for Jay. In the same way that he assessed banks, he assessed himself, and evaluated his own risk appetite. From Jay, I learned that security isn’t always about reducing risk. It’s about balance. You have to take risks in order to make progress.
Jay: thank you so much for everything. You were a friend and a mentor for me, as well as for our community here in Montana, and for the countless other people whose lives you touched. We love you and miss you. May you rest in peace.