ITSPmagazine Podcasts

Achieving Cybersecurity Velocity: The Role of Culture and Leadership for Operational Excellence | A Conversation with Kim Jones | Redefining CyberSecurity with Sean Martin

Episode Summary

In the latest episode of the Redefining CyberSecurity Podcast, host Sean Martin explores the importance of achieving velocity in cybersecurity operations with Kim Jones, a seasoned leader with nearly four decades of experience in intelligence, security, and risk.

Episode Notes

Guest: Kim Jones, Director, Intuit [@Intuit]

On LinkedIn | https://www.linkedin.com/in/kimjones-cism/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

View This Show's Sponsors

___________________________

Episode Notes

In the latest episode of the Redefining CyberSecurity Podcast, host Sean Martin explores the importance of achieving velocity in cybersecurity operations with Kim Jones, a seasoned leader with nearly four decades of experience in intelligence, security, and risk.

Jones, who has served in various roles such as Army Intel Officer, CISO, and most recently, in Performance Acceleration at Intuit, brings a wealth of knowledge to the table. Jones stresses that cultural alignment is crucial for cybersecurity teams to move faster without compromising security. He highlights the importance of leaders setting clear priorities and fostering an environment where team members feel comfortable raising conflicts and collaborating to find solutions. “A good leader is going to push the organization 5 percent beyond what it thinks it can do,” says Jones, emphasizing the necessity of pushing teams beyond their perceived limits while ensuring they work cohesively.

One of the key takeaways from the discussion is Jones' analogy of velocity: “Velocity implies taking that motion in a given appropriate direction,” he explains. For Jones, mere motion is insufficient if it lacks direction. He believes that enterprises must align their resources toward a common goal to achieve true velocity, minimizing internal friction and inefficiencies along the way. Effective leadership, according to Jones, plays a pivotal role in this alignment. He argues that leaders need to create a culture where collaboration and conflict resolution are normalized practices. “Not every leader has to be charismatic, but every leader has to lead and set the tone,” Jones notes, adding that consistent and principled leadership is more impactful than charisma alone. Jones also touches on the real-world repercussions of failing to balance velocity with cultural alignment.

Drawing from his extensive career, he shares that misalignment often leads to burnout and inefficiencies. He underscores the importance of leaders making time for their peers and team members, noting, “Inaction is as reckless as acting without thought.” Jones advises that prioritizing responses and maintaining open communication channels can significantly enhance team effectiveness. For organizations aiming to boost their cybersecurity operations, Jones' insights offer a valuable roadmap. By focusing on cultural alignment, setting clear priorities, and encouraging effective leadership, businesses can achieve the velocity needed to thrive. Jones' approach underscores that achieving velocity isn't about making things move faster in disarray but rather about coordinated and purposeful acceleration toward shared goals.

Top Questions Addressed

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Inspiring Resource: https://www.linkedin.com/posts/kimjones-cism_velocity-simplified-activity-7201763704848175104-sprZ/

Velocity, Simplified (Blog Post): https://www.security2cents.com/post/velocity-simplified

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Achieving Cybersecurity Velocity: The Role of Culture and Leadership for Operational Excellence | A Conversation with Kim Jones | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody, you're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine. This is Sean Martin, your host, where I get to talk to all kinds of cool people about cool topics. And my ultimate goal is to help organizations operationalize a security security program that not just reduces risk but actually helps build and protect the revenue that they generate. 
 

Not an easy task for those that sit in the CISO you. Seat and the teams that support them in that role But I I think we have an opportunity to do some good stuff and I'm thrilled to have Kim Jones on again Kim How are you? I'm doing well. It's good to talk to you again, Sean likewise likewise my friend and That the topic is velocity and I saw this post on LinkedIn and then you wrote wrote a nice piece on security to sense And, uh, and it's like, let's, let's chat about this, Kim, let's, let's, let's understand a little bit about what you mean by a [00:01:00] velocity and, uh, how it can help teams, uh, do, do a better job of what they do. 
 

Um, before we get into the topic though, a refresher for folks who, who don't know who Kim Jones is.  
 

Kim Jones: Oh, Uh, Q Jones is an old security guy is probably the best explanation, but a little bit of detail, uh, security. Uh, yes, I hope this is my 30, just started my 38th year in intelligence, security and risk. Cut my teeth in the military, West Point grad spent 11 years as an army Intel officer, spent five years consulting, spent 13 years in the CISO chair in various organizations, most of which are in financial services. 
 

Spent a couple of years building a cyber degree program at Arizona state, went back in house on CISO staff at Intuit. The TurboTax, QuickBooks, Credit Karma, MailChimp company. And that's where I've been [00:02:00] for just shy of six years and into it. I've done various roles. My latest is called Performance Acceleration, which deals with how we attract, integrate, train, and retain some of the best cyber talent that the world has to offer. 
 

So that's me in a nutshell. 
 

Sean Martin: I love it, Kim. And, uh, Yeah, I do so many amazing things that this current role sounds fun, actually.  
 

Kim Jones: Yeah, this is a passion point of mine. I, uh, going down the tree branch just a little, uh, I believe that we as a profession have struggled as to whether we are an industry, a trade or a business. 
 

Or a profession. And many of us who came up hard scrabble, when we didn't know what this thing called cyber was, are struggling to figure out how we replicate within the environment, how we improve ourselves and how we create a method to [00:03:00] truly bring new people into the profession and raise the level of excellence. 
 

And that's been. A passion topic of mine for the better part of a decade. So I'm blessed that my day job and my passion have linked up so well together that I get to not only figure out how to do it better for into it, but then to use those methodologies to figure out how we improve the profession as a whole. 
 

And that's a nice place to be when you're pushing 60 and looking at retirement eventually.  
 

Sean Martin: Taking a, taking a step back and, uh, and helping the next generation. Amen. You, you, uh, I'm going to, I'm going to point this out. So you received an award for, uh, champion and security for collaboration.  
 

Kim Jones: Yeah. Uh,  
 

portal  
 

26. 
 

Um, this is apparently their second year offering, or, you know, putting forth the champions and security award, and they have. Different [00:04:00] categories, uh, you know, for recipients and a, uh, a friend of mine named Carolyn Wong, who is the chief operating officer at Cobalt. I think, you know, Carolyn as well, uh, much to my surprise nominated me and, uh, I was selected in one and it was, you know, The, the criteria there are the recognition and championing the idea that security is a team sport and that the objective is to lift all boats and to make it better for everyone, rather than being parochial or territorial regarding how we do this. 
 

So it was, it was an honor to be nominated. It was an honor to be recognized and it was, it was humbling. And, uh, I just, yeah, that's it. I don't like to talk about myself. So that's it.  
 

Sean Martin: No, it's quite the honor and I can see that and hats off to, uh, Carolyn for, for, uh, putting you forward for that. Well deserved my friend. 
 

Thank you. Um, [00:05:00] so let's talk about this topic. Um, and I don't know, maybe you can kind of get into how it, how it came up, but yeah, the title, the title of this piece you wrote is velocity. Simplified. And, um, so I want to get into it, but what was the catalyst behind you putting this together?  
 

Kim Jones: Yeah, it's funny. 
 

Uh, there's about a third of that post that is a rehash of something that I had written 15 years ago. Uh, what brought it back to the forefront, uh, was a couple of things in general, since chat, GPT came out, everybody, at least in Silicon Valley, and if not a lot of other businesses and verticals, et cetera, have been trying to figure out how to move faster and how, because they're anticipating rightfully so that the pace of change with the innovations of generative AI are going [00:06:00] to move faster. 
 

This is a particular concern among security teams, because as you are well aware, we are traditionally looked at as an obstacle or a roadblock or something that slows down the ability to innovate and achieve. In an environment where there is collective pressure to move faster. So in response to generative AI, coupled with an environment where CSOs have been and are being prosecuted, you know, for potential missteps in organizations. 
 

How do we move, not, not, not necessarily their missteps. I'm not, uh, Playing claim anywhere or doing anything like that, but the fact that CISOs are being prosecuted within the environment is part of the reality is how do we enable the business and enable the [00:07:00] environment to move faster while providing appropriate levels of. 
 

Control for lack of a better term within the environment that protects the organization and yeah, protects the individual sitting in the chair. So on one of the nights that I was at RSA, I actually left early to go teach sans course. Uh, I was sitting around at one of the many unofficial advances and five or six of us had gotten together and we found a quiet spot in a bar and we were doing work. 
 

Normally happens at RSA, Sean, we were catching up, commiserating, et cetera, and the topic of velocity came up. And one of the quotes I think I put in the blog post was, you know, we're expected to help people move faster yet. There's now additional risk in the environment as well as risk to us and us, and we were going back and forth. 
 

And I [00:08:00] was the only former, former CISO sitting in the group. So I was. Keeping quiet and listening. And one of my dear friends called me out because as you're well aware, I have an opinion about most things and my opinion forth. So that led to the conversation I had. And I recognized that I had been having variations of this conversation for several months and that it reflected back on conversations I had had years ago. 
 

So I said, maybe it's time to dust off that old writing, put something together and throw it on paper. So. That's what led to the post that you're referring to that I put online.  
 

Sean Martin: Yeah. And, and you, I guess maybe to start a definition of velocity. I mean, you say in quotes here, it's speed in a given direction. 
 

Um, from a business perspective, is it that?  
 

Kim Jones: I, I [00:09:00] think so. And we have a tendency within different businesses as well as particularly in cyber to try and invent new terms for things that have been around for a while. You know, velocity is physics, physics by definition says velocity is speed. In a direction, and I used to use the term motion versus movement, where, you know, I could sit in one place and just vibrate back and forth and jump up and down and be in motion and not get anywhere. 
 

So velocity implies taking that motion in a given appropriate direction. I think I used a dog sled analogy about 15 dogs going off in 17 different directions versus all pulling and mushing in the same direction. Um, At its core, that's a fairly straightforward concept. And I believe that any enterprise wants to create that level of velocity. 
 

If I can [00:10:00] mobilize the totality of my resources towards the North star of the enterprise, I can create not only success, but I can do it. So if I can actually pick the direction, mobilize folks in that direction, and you know, just take the brakes off and move that's velocity. I don't see a need. I, I, I guess the answer to your question, Sean is yeah, the concept is really that simple. 
 

It's the execution that gets problematic. Yeah.  
 

Sean Martin: Yeah. And I can, I can harken back to my days of, uh, where John Thompson came on as a, uh, As a CEO of Symantec and, and, uh, he rallied us all behind all the wood behind the arrow. Um, basic, basic, same concept where everybody is part of pushing that arrowhead to the target that we're all aiming for as an [00:11:00] organization that I remember, I remember that to be a very positive. 
 

Powerful time for the organization. I have comments for the later stuff, but I'll save it for another time. But, but that was, that was a moment, uh, when I felt there was momentum and velocity led by the executive leadership team and, uh, It trickled down into the execution throughout the, throughout the organization as well. 
 

Um, all the meetings were speaking to it and everything. So I guess the, use the word culture, your article as well. Uh, so speak to me about, it's one thing to say, to say a slogan, maybe put it on a poster. It's another to actually. Have a charismatic leader and executive team that supports that person. And they'd all come together in a meaningful way. 
 

Kim Jones: So I'm going to push, I'm going to answer your question to talk about that, but I'm also going to [00:12:00] push back on one of the phrases that you just used. You use the phrase charismatic leader. Um, a charismatic leader is a type. And. In some cases, maybe a luxury, you know, you think charismatic leader, you think Steve jobs. 
 

I think he's the classic example that's out there. Not every leader has to be charismatic, but every leader has to lead and every leader sets the tone and the direction for the organization. And what I think happens a lot, Sean, is we set direction Yet we don't focus on tone. You know, I, I think many companies will tell you, and they've gotten better over the years in terms of what their North star is, their guiding light is, you know, within the environment, et cetera, but understand that the tone necessary to create movement [00:13:00] in a direction at speed requires a culture that bluntly. 
 

Isn't stabbing each other in the back has methods where it has methods where you are not criticized, more fearful of conflict where you're not fearful to raise conflict where negotiating and working and truly collaborating with your peers, wherever. Is considered the norm and that that level of clarity is such that if doing what's better for the company is not necessarily the best thing for me right now, right this second, I'm going to do what's better for the company. 
 

Because it's the right thing to do. And I genuinely and sincerely believe that there are a lot of organizations that have [00:14:00] decoupled velocity from the need to establish a culture where it's not only okay, but expected to collaborate. And it's not only okay, but expected to do the harder, right. And it's not only okay, but expected to raise. 
 

Tactical conflict to the appropriate level quickly, where it's not viewed as a weakness in order to succeed. And that bluntly it's okay and expected to truly operate as a cohesive team. And many organizations looking for velocity. Because they've decoupled that culture piece and that need for teaming. 
 

They're tactically solving for symptoms without getting to root cause. And I think more leaders, particularly within the cyber arena, where we are often accused of being a roadblock or a 50 foot high speed bump, need to be better about [00:15:00] this.  
 

Sean Martin: Yeah. And I think, um, to this point, you also mentioned the, the Yeah, I'm trying to think here back back to some of my own experiences because as a program manager, bringing a product to market product manager, bringing a product to market, there's a lot of ambiguity of how do you get from A to Z success on time on budget and all that stuff. 
 

It's no different for the bigger business. And. When there's a lack of information, whereas there's conflicting information, when there's a not easy path and an easier path, the short term, long term site, all this stuff, you start to come up with decisions that are hard, might take a long time to solve, or you can make a quick one, but then to your point in the article, you end up making That's a good point. 
 

Thank you. The decision over and over and over repeating something that is not best for the organization over and over and [00:16:00] over.  
 

Kim Jones: Yeah, I, I, I agree. And I also agree that, uh, a lot of the decisions that we're making obviously are hard remembering that I'm an XGI and I, what I used to tell my teams is nobody's living or dying based upon decisions I make now. 
 

And that wasn't true when I was 24. So, you know, I, I have a slightly different perspective on, you know, the impact of hard decisions without downplaying the, you know, the fact that they are hard, a good leader is going to push the organization 5 percent at least beyond what it thinks it can do. And is going to push his or her direct reports at least 5 percent beyond what they think they can do. 
 

Um, I'm. I tend to push my teams that way until they say uncle, and occasionally that creates conflict because I've said to you, person A, do these 15 things in this order, [00:17:00] and I've said to you, person B, do these 22 things in these order, not fully realizing that the things that I'm asking A to do and the things I'm asking B to prioritize are conflicting for the same resources. 
 

That's okay, that's where you can create levels of innovation. It's where you can create opportunities for unique solutions, but it doesn't happen if a couple of things haven't occurred. One, that those team members aren't comfortable talking to one another versus, well, if I don't do exactly what Kim says, my goals and objectives are going to be messed up. 
 

Therefore, I'm going to hoard this resource and focus here and the same thing for person B over here and that, okay. This is in conflict, I'm not necessarily going to raise the fact that there is a conflict here within the environment, and I'm not going to talk to my teammate to attempt to innovate, or as I used to tell people, and if any of my old teams are [00:18:00] listening to this, they'll recognize this. 
 

Look, the job is to make lemonade out of two apples, a grapefruit and a kumquat and make it look easy. So I'm looking to you guys to figure out how to deal with that within the environment, or it gets to the point where you've talked to one another and it's truly just, look, you just can't get there from here, being comfortable raising it to the leader. 
 

Who's put you in that position so that the leader can make the decision and that leader has to be comfortable making the decision and saying, okay, person a, I get it, I've listened to you guys. You've talked to one another. You're right. We can't get there from here. Okay. A. Your requirement is more important to me right now than yours be will prioritize a B. 
 

That's going to slip your requirement by this long and be comfortable standing on the fact that I'm going to adjust that time frame and that it will be impactful and that. That's okay, because we've looked at all the pieces and parts and [00:19:00] culturally lately, what I've been hearing a lot of speed and direction, we gotta go faster, speed and direction, we gotta go faster. 
 

How are we creating those cultural characteristics other than giving him lip service that says, I want you to talk to one another, I want you to be tactically innovative regarding how to solve the problems, and I want you to know that it's okay when you hit. That wall to raise it to the leader so that the leader can de conflict. 
 

And Oh, by the way, leader, I need you to lead, make a decision and de conflict because there are a lot of so called leaders there that are trying to manage instead of lead and won't make that call. And we've got to get better at that, particularly in cyber when we're the ones being perceived as speed bump. 
 

So, yeah. So  
 

Sean Martin: I'm hoping you can. Um, share some stories because I'm, I'm, uh, I'm looking back at [00:20:00] MBOs managed by objective and I can picture different categories of things that I'd be measured on personally for the team, for growth, for business and, and, um, and you're telling your story about the culture has to. 
 

Support, collaboration, communication and escalation when there's conflict. And all the stuff that I remember experiencing was how do I succeed? Cause there's going to be a bonus and 10 percent of people aren't going to get the bonus. I don't want to be one of the 10 that does it.  
 

Kim Jones: And what I would also make the statement is what you've just, what you've just hit the nail on is leaders having to set the culture that look, you know, Yeah, if I set the culture that says, Sean, you hit your objective and you hit your objective because I adjusted your timeframe and I adjusted your timeframe because I said this [00:21:00] thing over here that Kevin is doing right now is more important. 
 

So you hit your objective. It's not that you slipped your objective. You hit it. You hit the adjusted objective so that the cycle works continuously to say you're not being penalized because we collectively as a team made the decision that I need this done first versus this. Now, if you just come to me and saying. 
 

Well, Kevin is taking the resource. So I'm going to be late. Yeah, that's going to be a problem. And the story that I gave you in the blog is the second time I've had to do something like that regarding as virtual CISO. The first time was my last CISO gig. I had two direct reports walk into, this is. Weeks into the gig, walk into my staff meeting and one person say, well, I can't get this done because Michael won't give me the resource. 
 

I stopped the staff meeting and threw my pencil on the desk and said, the next time any two of [00:22:00] my direct reports come into my office and throw one another under the bus, I'm firing both of you. You know, your job is to talk to one another and make it better. And I'm going to keep pushing you. And occasionally that's going to cause conflict. 
 

If you guys can't figure out a way to make lemonade out of two apples, a grapefruit and a kumquat, then you come to me and I will de conflict. And it took them a while to believe that, but they understood it after a very short while that I was very serious about it. I expected them to talk. I expected them to be creative and innovative. 
 

And where creation and innovation was not going to solve the problem. They knew that their job was to let me know so that I could reprioritize. And there was one case. Um, during that timeframe where that reprioritization would have come into direct conflict with what my boss, the COO, the chief operating officer wanted, and I said, okay, this is the right thing to do. 
 

And I got, but the COO said, and I said, no, no, you worry [00:23:00] about what I said. I'll go deal with the COO. We need to slip this objective. And they needed to know that. I was going to do that and that it was okay to do that. And the COO had overruled me then. Okay. I'd go back and say, change number 917. We're going to flip the objectives from what I said we were going to do. 
 

Leaders do that. Leaders create that level of cultural safety regarding conflict, execution. And innovation. I'll give you one more from a cultural safety standpoint that relates to this, uh, had a, uh, young engineer. I'll just give you his first name. His name was Sean. Wonderful, wonderful human being. He'd been on the job for about a month. 
 

It was making a change in one of my environments. And inadvertently, Caused an outage within my environment when we realized that the outage was caused by security, you know, it's [00:24:00] near the end of the day. It's a Friday. I just put my head back on my desk and say, okay, I'll let the CIO know, buy pizza for all the guys and we just, we'll fight it through, you know, Stuff happens when I'm wandering away, his boss comes back to me and says, Hey, Kim, can you go talk to Sean? 
 

So yeah, why he is sitting there shaking like a leaf in his cube, thinking you're going to fire him. Now he'd been on the job for maybe two weeks when this happened. And I just looked at Steve. He says, look, I know he doesn't know any better. It's okay. So I wandered over and said, look. You were trying to make right, do right for the company. 
 

You were trying to do the right thing. So your weekend is shot because you're going to be the engineer who's going to be in here all week and fixing this. But as long as you're trying to do the right thing, you don't make the same stupid mistake twice. You'll always have a job here. And he became one of my best engineers because he operated not recklessly, but fearlessly because he knew [00:25:00] that the job was to make it better, creating that culture. 
 

Is a leadership challenge and leaders have to set the tone. We have to set the tone. So if I want my guys to go faster and innovate, I need to set a tone that says that's okay, and it's okay. When you hit the wall and say, boss, we don't know what to do. And it's okay to say, well, excuse my language. Well, crap, I screwed up and you know, it's let's reset and do it again. 
 

And we collectively talk about doing that. But my question to leaders, not just in cyber, but anywhere, is what have you done lately to set that tone? And I would contend that if you look hard, the answer is probably not as much as you think.  
 

Sean Martin: Now I want to touch on another point related to this. Now, Granny, you told the story, it was a Friday afternoon, evening, um, had to be dealt with over the [00:26:00] weekend. 
 

But you make a point here, it's a question of how many leaders make certain they don't go to bed at night without answering a peer's email or Slack message. Oh my goodness gracious, yeah. To me, to me, inaction is reckless. Just as reckless as it is reckless. Acting without, without  
 

a  
 

doubt.  
 

Kim Jones: Yeah. But that point, Sean, for me is less that it's more of the, and I referenced Lansione's first team principles, et cetera. 
 

It's more of the, my peers are my first team. We tend to as leaders, particularly intent to say, okay, my team are the people working for me. And they are, and I care about them. I support them. I edify them wherever possible, but my first team are the ones around me. They are my brothers in arms. They are the ones at the same position in the failings that I am right now. 
 

And I used to have a habit, still have a habit. I do it on Slack now instead of emails. The first thing that I used to do in emails is I'd sort by name. And the first people I would answer are my direct reports. Why? Because they probably have the information that everybody else is asking [00:27:00] me for. The second people that I answer. 
 

Are my peers, because they can't do their job better or as well as they need to, unless I answer their questions. And the third person's my boss because collectively we, as a first team, we're trying to do right by the company and do right by our collective boss. So these are my brothers in arms. These are the people in the phalanx next to me. 
 

And. I'm going to just going to put it plainly. Most teams suck at that. Okay. Most teams in cyber suck at that. Most teams in tech suck at that. It's that let's look out for my need right now. You know, I have been bringing my inbox of a hundred, excuse me, of 850 emails or more when I was a CISO to net zero, at least once every two weeks, because if someone has something in my inbox, they're looking for me to action, I never. 
 

Let a slack or an [00:28:00] email from my peers go more than a day, because in order, they're asking me something that they need to succeed. Part of my job is to support them to succeed. And I genuinely believe that if we. Better enhance those teaming principles. It'd be easier to go faster because I wouldn't get surprised by what's happening with, by my peer over an X. 
 

And if my peer had a question regarding something that was happening, they would know they could ask and get an answer. But when your own teammates, when you say, Hey, I need you to do X and can you get X done and either a, you blow it off because it's not as important to what you're doing today, or. B, you just don't answer, and then C, when you do answer, say sorry, didn't have time to get to you, and don't prioritize making that time next. 
 

You're saying that your team doesn't matter. You're saying that your team is unimportant. And if we're going to go [00:29:00] faster, we have to make sure that not, am I just not, I'm not just meeting my own parochial needs, but I'm, Meeting the important needs and things that my teammates need so that we can collectively go farther and faster together, because that is the only way we can do it. 
 

And got to tell you, I'm really sick and tired of hearing about lots of folks talk about how important velocity is, and then decoupling that from. What are you doing about your culture to truly inspire that ability to move faster? And Oh, by the way, that translates to what are you doing to build stronger, more capable teams with stronger, more capable leaders. 
 

And as I told the CISO's wrapping back to, um, Where, where we started when I think I put a list in the blog, you know, how many of you, you know, let your peers, you know, messages go unanswered. How many of you [00:30:00] have a backlog of emails? That's more than a week old. How many of you just ran down the list? How many of you double book your calendars and fart off your peers? 
 

When the time comes, how many of you have taskings from your peers, even little things like, please do this for the staff meeting that the chief of staff is asking you to do that you don't. Do in time for the staff meeting and try and hobble together remotely, you know, just before the topic comes up, that's not operating like a first team. 
 

You asked me to do this. That's my priority to make sure it's done on time. And if you want to move faster, think about if everybody did that. If every first team did that, I guarantee you, you know, and this is a made up statistic, but I believe it to be minimally accurate, the minimal piece of it. You get 10 percent more velocity out of what you're doing if everybody did that. 
 

I, I, I believe that wholeheartedly, I proved that back when I was a CISO and did that for my peers and had my [00:31:00] directs do that for one another, we were demonstrably immeasurably coming up with better solutions faster to support the businesses. So I believe it works.  
 

Sean Martin: Yeah, I can, I can see it. I can see it working and I believe you and the thing that comes to mind, um, is prioritization. 
 

So there's, uh, my experience has always been the list never shrinks. It always grows. Right. Yep. And, uh, the stuff that was important yesterday either becomes. Double important today or, or it's no longer an issue because the team, the first team figured out another way through it, right? Without, without your response. 
 

Um, but the point is that especially when if there's a big team and a lot of stuff going, it can be overwhelming. And I'm just wondering, we talk about burnout in this industry as well. And [00:32:00] so I can see if you get your. Act together as you describe it, you probably operate with less chaos and less stress and things like that too. 
 

But how, how do you get to that point?  
 

Kim Jones: Um, that's a great, that's an absolutely great question. And it's not the first time I've been asked that question and I have. An advantage and a disadvantage here in terms of perspective and that advantage and disadvantage is that statement that I made nobody dies based upon the decisions I make and when I was a much younger man, that wasn't always the case. 
 

So I came into this profession with that perspective and most of my background, by the way, sitting in the chair, what I used to call a cleanup on aisle five work, uh, [00:33:00] one CISO had been let go. The second CISO had left shortly because the job was problematic and. A lot of what I got asked to do was to bring order out of chaos and move the organizations forward. 
 

So, whereas typical CISOs are moving the organization 5 percent a year, I had 15 25 percent movement a year every year for 3 4 years just to get us back on an even keel. So, in those type of environments, It's a matter of, as you say, it's a prioritization and you, General Bruce Clark, he was the first supreme ally commander of Europe. 
 

He was, uh, Patton's, um, I believe chief of staff at the time. I actually had the privilege of going to school with his grandson. So I got to meet the man, um, used to have a saying, he said, a unit does well with the commander checks or causes to be checked. So you. As the leader, get to determine what your priorities are. 
 

So my first priority in any organization that I had [00:34:00] was no burnout. And in many cases, and in many cases that meant reminding my team that you're not expected to be Atlas. And if you try to continue to work that hard, you're going to get sick and I'm going to lose you for a month as opposed to taking the day off. 
 

Or your family life is going to go to crap and I'm going to lose you completely. And I had very dedicated individuals. There was a time where, when folks took vacation after I forced them to take it, they were going to work online. So I was temporarily suspending their access to the network to force them to shut down. 
 

Now that's a good problem to have, but it's the, the world isn't going to fall apart. And oh, by the way, I can't justify getting you more resources. If the organization as a whole doesn't feel pain, if the business feels that I can do this with the two bodies I have, because they're getting the response because you're working 22 hours a day, I'm never going to get the third body. 
 

So you're actually hurting me and [00:35:00] hurting you. It's a leader willing to actually take that on and take on the pressure of the org. The second thing is for me is again, you know, not after no burnout is family. You know, when I took my first CISO gig, I made a promise, uh, to my son, who was eight. Eight, eight at the time that I wasn't, I travel for the military. 
 

I traveled as a consultant. I won't miss any band concerts or soccer games. And I traveled about 25 percent of the time on the road, about one week to 10 days out every month overseas, et cetera. I never missed a band concert. I never missed a soccer game. And my boss was supportive of that. And the. Third thing for me, and you've heard the old anecdote is big rocks philosophy is really what it gets down to, you know, the, the old consultant, you put the big rocks in the jar first, and then you put the pebbles in, and then the sand, et cetera. 
 

The lesson being is that you can't make it all fit unless you put your big rocks in first. So. My big rocks are first team. My [00:36:00] big rocks are family. My big rocks are when I was practicing martial arts to train for martial arts, my big rocks are my kids, band concerts, my big rocks, or I take, everybody takes their full vacation for the year. 
 

And that includes me. You put your big rocks in first and you stand on those. You don't move those. If you do that, everything else becomes noise. And surprisingly enough, everything else fits. So you know, it, a lot of it gets from that perspective that nobody lives or dies based upon the decisions I make today. 
 

So make the decisions that I believe are appropriate for the org, ethical, match my moral compass and stand on them. And if I'm not comfortable standing on those decisions, then I'm probably working for the wrong organization. And guess what? You know, my background's in cyber. Somebody will pay me to do something somewhere. 
 

I'm sorry.  
 

Sean Martin: I love this. And I feel [00:37:00] like I'd talk to you for, for hours, of course, him. Um, I want to close with, with this question. Maybe it's an observation. that you can elaborate on.  
 

Kim Jones: Sure.  
 

Sean Martin: The, everything that I've heard, I'm, I'm visualizing not as measured success for the cyber security program, which I think we talk a lot about. 
 

What is it? What does the cyber program look like? How do you measure success there? What I'm hearing is operational fitness in the cyber program with good leadership generates Benefits and measurable outcomes for the business.  
 

Kim Jones: Yeah. And I want to push on that last point because it's important. I think that's where you're going because I believe doing these things generates measurable success.[00:38:00]  
 

So instead of worrying about the measures and the metrics and the KPIs, which are the, what, Worry about the how, because if you do these things, you will not only achieve those things, you will achieve them quicker, more efficiently, and more sustainably than just focusing on the measures and metrics. You know, uh, I, I, I take pride. 
 

This is where I do take personal pride in, you know, I never set out to have diverse. Cyber teams, every team that I've ever run has been the most diverse team in the company, just because it's been, look, the standards are simple. You like hard work. You like whipping up on bad guys, come play with me. I will give you every opportunity to succeed just like everyone else, because I genuinely don't care about any of the other stuff other than those two things. 
 

And we were able to not only have very diverse [00:39:00] teams, but very cohesive teams. Very effective teams within the environment so that when we take a look at the measures, metrics, and KPIs, we were able to show that those things are actually moving better and faster than we had anticipated. And I also take pride in that. 
 

I believe now. Uh, there's one who's still in contention and I'm not going to call her out, but, uh, in 25 years in the civilian sector, uh, been pushing folks internally since 2003, I've had, now it's 15 CISOs come up under me and create that level of consistency. The one that's in contention is. She's waiting on an offer, but, um, and she should get it if the company's smart. 
 

Um, but that's what we're supposed to do. We're supposed to create [00:40:00] opportunities and create, you know, work ourselves out of a job so that we can create succession. We're supposed to create cohesive teams that will, by definition, move faster. Diverse teams tend to be more innovative and creative. So let's create environments where that happens just because we're looking for the best people that we collect. 
 

If we don't give, excuse my language, don't give a good God damn about anything else other than you like hard work. He liked whipping up on bad guys, creating environments where we're happy, uplifting and edifying and training and creating that level of momentum in the environment. You do that. 
 

Collectively and any metric that you put up, I will hit, and I will hit it faster than you think it can be hit and I'll hit it sustainably. That's what it's all about. And I think in this race to, I know we're close, so I'll be quick in this race to achieve, achieve velocity in this fear of failure. That [00:41:00] exists within the environment. 
 

We have forgotten the basics. And you know, what I also say in the article is this is simple stuff. It's not easy, but it's really simple stuff. I would really, and if you're really serious about velocity, let's do the simple stuff. Let's just do the simple stuff. It works off the soapbox  
 

Sean Martin: off the soapbox. 
 

Well, you're welcome to bring that soapbox back anytime Kim. And, uh, yeah, so many, so many powerful things that you've said and examples you've shared. Um, I'm so happy we had to have this chat. Um, it is always good to talk with you, Sean. Thank you for having me. I really appreciate it. Uh, it's my, my pleasure. 
 

Thank you for writing that. Post, uh, of course I'll be linking to that so everybody can, uh, can read that on their own and, and, uh, reference some of the things you mentioned here. And, yeah, I mean, blessed are the ones that get to work for you. I say . [00:42:00]  
 

Kim Jones: Well, thank you. Greatly appreciate that, sir.  
 

Sean Martin: Yeah. Not I, I know. 
 

I've had, I've had a couple of my time and a good leader makes all the difference, makes all the difference. And, uh, yep. Good leadership to the rescue and focus on what matters, but the big rocks first, keep yourself and your family and your team healthy or else to fall in place. Kim, thank you. So much. And thanks everybody for listening to this. 
 

I hope you're as inspired as I am. And, uh, please do stay tuned to more redefining cybersecurity here on ITSB magazine. Thank you. Thank you.