Don’t Try to Win with Technical Expertise. Win by Partnering.

In security leadership, being right on a technical level only goes so far. How can we shift our mindset to embrace building consensus rather than winning arguments?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Jerich Beason, CISO, WM. Joining us is Pam Lindemoen, CSO, Retail & Hospitality ISAC.

Huge thanks to our sponsor, Alteryx

Alteryx is a leading AI and data analytics company that powers actionable insights that help organizations drive smarter, faster decisions. Alteryx One helps security, risk, and operations leaders cut hours of manual work to minutes, generate trusted insights at scale, and turn raw data into action faster than ever. Learn more at Alteryx.com

Full Transcript

Intro

0:00.000

[David Spark] In security leadership, being right on a technical level only goes so far. How can we shift our mindset to embrace building consensus rather than just winning arguments?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as my guest co-host, a regular appearance here on Defense in Depth, none other than Jerich Beason, CISO over at WM. Jerich, thanks so much for joining us.

[Jerich Beason] Thanks for having me. I think this might be the first time we’re talking about something I wrote as the main topic.

[David Spark] First of all, first time we’ve had you on talking about it, and then I’m shocked because we have quoted your posts many times on this show. So, I’m surprised it’s the first time I’ve actually brought you on to actually talk about it. So, that’s a shock to me.

All right. Well, we’re going to get to that in a second. I do want to mention our sponsor, and that would be Alteryx, where analytics, automation, and AI all come together, and we’re going to talk about that a little bit later in the show.

But first, Jerich, I want to mention that you recently shared a story on LinkedIn about a mentor who pulled you aside after a tense executive exchange, basically telling you all you did in winning a technical debate was create adversaries, not allies.

Now, as a security professional, when do we need to start making the shift to build consensus? The idea of, well, maybe the goal is not to win the argument, but to win the whole war, not the specific battle. So, from the responses, many people had a very similar eye-opening moment in their sort of career development.

This is, I think, key to you, and correct me if I’m wrong, in becoming a security leader, sort of change your mindset of sort of how you approach the business. Yes?

[Jerich Beason] Yeah, absolutely. There’s a turning point in any career for a security leader, and it’s when you realize that you’re not hired to be the smartest person in the room. You’re hired to make everyone else around you smarter about risk. And early in my career, I thought it was all about being the expert because that’s what got me to the level of leadership, until my mentor said what he said.

And that advice stuck because what I realized is I didn’t know I needed to make a shift. If you’re winning an argument but losing influence, people may nod, but nothing actually changes. And then what happens, there’s an attack, and all you can say is, “I told them that this needed to be done.” You’re not actually operating in a strategic way that builds the credibility to actually get things done, and that only happens when you’re focusing on bringing everybody along for the ride instead of showing that you’re the one that should be driving.

[David Spark] This is such a great discussion here. I love this because, honestly, nobody likes hearing the phrase, “I told you so.” No one goes, “You know, you’re right. You did tell me so, and I am an idiot.” [Laughter] Like, it’s just not the relationship that everybody wants.

But that’s a really, really interesting point. Anyways, the person who’s going to join us in this very conversation, thrilled to have her on, first time ever on any CISO Series program, and we’re lucky to have her, the CSO and VP of Strategy over at RH-ISAC, that’d be Retail and Hospitality, the ISAC, it’s none other than Pam Lindemoen.

Pam, thank you so much for joining us.

[Pam Lindemoen] Happy to be here. Thanks for having me.

What must a security leader be able to do?

3:17.198

[David Spark] Grant Sewell, CSO over at AHEAD, said, “Early on, I thought being the smartest voice in the room,” like what you said, Jerich, “meant being the loudest. Turns out trust travels faster than facts, and people remember how you made them feel far more than the cleverness of your argument.” And Mike Wilkes, who’s an enterprise CISO over at Aikido Security, said, “There are habits and instincts that we need to shed and others that we need to adopt in order to bring the soft skills required for executive presence. To be able to ‘bring the gravitas’ without fighting or shouting and to cajole, influence, and otherwise guide our colleagues on the path to building real security programs.”

All right, here’s what I want to know. After you got guided by your mentor after that one specific incident, how did you handle the next sort of similar incident, Jerich?

[Jerich Beason] I realized that number one, organizational psychology’s important, and the more you understand how people think and how they operate, the more you have an opportunity to influence them. And this is going to sound completely cliche, but security isn’t a solo act, it’s a team sport.

When you realize you need finance to fund your controls, engineering to build them, and you need other people in leadership to champion them, and quite frankly, employees to embrace them, you realize that you need to find a way to get them to want to do [Laughter] what you need them to do and not feel like they’re forced into doing it because they’re going to try to circumvent it every single time or just flat out not support it.

And if you approach it that way, something really powerful happens. Security stops being the roadblock, stops being the people that get invited to meetings because they have to, and they get invited to meetings because people want you to. And that’s when you can truly be an enabler.

And once you’ve reached the status of enabler, you’ve reached the status of influence. And once you reach the status of influence, you can lead people wherever you need them to go.

[David Spark] That is some really, really good points. Pam, did you have an eye-opening moment like Jerich, or did you get schooled like Jerich did as well at one point?

[Pam Lindemoen] Well, it’s going to be a little boring because I completely agree with what Jerich’s saying, and I think that building consensus, it means listening first, understanding stakeholder concerns, and framing security as an enabler rather than a barrier.

And my experience in IT, not just security, really showed me that it’s about trust and influence, not dominance. And so, I was sitting in infrastructure at the time, and one of the reasons that the transition from infrastructure to security worked so well for me is I had built all of these really strong relationships throughout the organization.

And I understood their processes, and that allowed me to influence my new friends in security to help them patch, reconfigure systems with less friction. This helped both departments that typically ignored each other [Laughter] start working together.

And so, these connections, they created the foundation for all the collaboration and trust, which helped me drive all the alignment and the progress that we made together.

What would a successful engagement look like?

6:27.868

[David Spark] Chris Beckman of TaxBit said, “A great CISO I worked for once told me, ‘Put your ideas out there, create and foster a forum with stakeholders for discussion, and understand that if your idea loses, it loses.’ This was a reaction to my approach, which had been similar to yours, acting like every security decision was a battle to be won.” And by the way, just that line is a good line. Not every security decision is a battle to be won.

And Peter Dohm of Black Mesa said, “I said for over 20 years now, and it still rings just as true, if you’re into a nuanced technology and you don’t feel imposter syndrome every single day when trying to integrate this technology into a real business in the real world with people who rightly only care about the technology’s benefit to them, then I posit you’re doing something wrong. You’re definitely not growing.”

So, Pam, I got to assume there’s more cases of security professionals essentially not doing this, essentially trying to win every battle because, heck, how do you think we got the moniker of Department of No? So, what we’re talking about is sadly the outlier in security. Yes?

[Pam Lindemoen] Yes, absolutely. You can frame it a different way. Stakeholders have to leave a security discussion understanding that they’ve made that decision and that they feel accountable for it. Not like they were teched to death, [Laughter] so to speak, right?

And if you’re interested in another story, I can tell you an experience that was really compelling. We had a colleague, they uncovered that our policy exception approvals were happening way low level at the analyst layer, and they were effectively making multi-million dollar conversations and decisions.

And when we went back and went through the data, we aligned dollar values to those choices, and it became crystal clear that the process was being mishandled and it was misaligned.

So, we put governance around it. We brought in the VPs that had to explain the process and their department needs on their side so that we could make sure that the risk was being discussed, not the technology. And so, I feel like that’s what drives trust and sustainability throughout the organizations that we serve.

It’s not about compromising for our own sake. It’s about creating clarity, shared ownership, confidence in the process. And when security leaders focus on enabling the business rather than winning, we build influence that lasts, and it really does this ripple effect throughout the organization, and your organization starts bringing conversations to you.

So, it really makes it an interesting situation once you get that trust.

[David Spark] Jerich, I’m assuming now that you are in a leadership position yourself, you’re seeing others make exactly the same mistakes that you made. But let me ask this, is this behavior required of all security professionals? Meaning, and I’m just going to throw out some scenarios, is it okay for security professionals to argue with each other and one be right?

Within security professionals, not with the business? And then is it required for any security professional talking to anyone outside your bubble of just your community, is it okay for them to behave like this? Or no, they should never behave like this?

Just my question also ultimately is, is this required at all levels or only when you’re trying to build consensus with leadership within the business?

[Jerich Beason] I think that’s a really good question, David, because what happens is security professionals do argue amongst ourselves and technical accuracy is important, but then eventually when we leave the realm of dealing with other propeller heads like ourselves, and we’re dealing with people that bring briefcases instead of laptops everywhere they go, it’s a different type of conversation.

And you’re no longer judged on the technical accuracy, but you’re more so judged on the influence of your presence. In my career, I always wanted everyone to know every single detail, but what I missed in that was you’re not trying to prove something.

You’re trying to change something and you’re trying to change behavior, and behavior doesn’t get changed with those minute details. That type of energy creates tension, not clarity.

I would say that Mike made a good point in his, he was really spot on. The higher you go in leadership, it’s less about stacking skills and more about letting the things go that are no longer going to serve you in your role. The instinct to defend and correct and show expertise is great for practitioners amongst ourselves, as you’re asking, but at the executive level, it drags on influence and the real growth only happens when you replace instinct with intention.

I would say this – technical mastery, it gets you attention, but the emotional discipline earns the influence. And at the end of the day, that’s all leadership is.

[David Spark] I’m going to kind of fire back at you, Pam, in that do you allow this behavior to operate in certain bubbles, like within the security team, but then as it bubbles up, it has to essentially fade away? And when I say behavior, like the “I got to be right” kind of a thing?

[Pam Lindemoen] I know this is going to sound a little bit off-putting to some people, but I think both sides of the argument can be right. And so, I think technical debates are necessary, but they absolutely have to be managed and controlled with clarity and definition about what the true outcomes are because we just get stuck in our own heads and we lose where we’re headed and why we’re serving the organization.

And there’s a lot of compromise. There’s a lot of mitigation to risk, not complete control of it. We have to make very hard decisions, and sometimes that comes with influence coming at you with these technical debates, and you have to make a call who’s right, and maybe for this situation.

So, absolutely, I think technical debates are necessary in certain forums, but just like Jerich says, is to level up the conversation and know who your audience is, tailor it to them.

[Jerich Beason] Can I add one thing, David, just to that? When it comes to the SOC and operations, technical accuracy is 100% the imperative because you’re not dealing with the business. But GRC, architecture strategy, that’s when you have to have that area of gray, and that area of gray requires nuance, and that’s a skill set that most technical people don’t have.

Sponsor – Alteryx

13:07.014

[David Spark] Now, we all know the business landscape is shifting faster than ever. I mean, with AI disruption, regulatory pressure, and geopolitical uncertainty, they’re all redefining how organizations operate. And to stay ahead, companies need agility, driven by data, analytics, AI, and automation working together, not in silos.

And I set that all up, stuff you already know, because that’s exactly where Alteryx One comes in. They’re our sponsor.

Alteryx One is the only unified platform that lets any team connect to data anywhere, prepare and transform it for analytics or AI, and automate processes end-to-end, all in a governed, secure environment that IT can trust. And simple enough for any analyst, yet powerful enough for the enterprise.

Alteryx One helps security, risk, and operations leaders cut hours of manual work to minutes, generate trusted insights at scale, and turn raw data into action faster than ever. With low-code, drag-and-drop workflows, organizations can deploy governed automation across finance, IT, HR, and supply chain without overburdening technical teams.

You’ll want to see how this is done, and the way to do that is just go to their website. Go to alteryx.com. Let them know you heard about them through the CISO Series.

What are they looking for?

14:44.601

[David Spark] Jason Black of Concentric AI said, “As a technical salesperson, I often felt the need early in my career to prove I knew what I was talking about. So, I talked too much.” Oh, my God. I think a lot of people are hearing that [Laughter] right now going, “Yeah, that’s me,” raising their hands.

All right, going on to what Jason said, “The best advice I got from my boss and mentor was, ‘God gave you two ears and one mouth, use them proportionately. Listen twice as much as you talk.’” Now we’ve all heard that line before. I believe it to be true too.

“Since then, I focus on listening to understand my customers’ challenges, and then, if possible, helping solve problems together instead of trying to force my agenda on them.” That is pretty much as straightforward as you’re going to get.

And Kevin Haft at BforeAI said, “The problem you’re focused on solving isn’t the only problem you should consider.” I like that. “Bringing your audience along in their understanding is just as or more critical than the problem itself.” All right, Jerich, I’m starting with you here.

Jason’s story is one I think rings true, and Kevin brings up a good point of there’s more than one problem here. And I bet you when you go in to talk to the business, they bring up a problem you’ve never even thought of. Yes?

[Jerich Beason] Oh, consistently, consistently, and that is why we cannot walk in with a monologue and expect them to just take it all in. That’s not what they’re looking for. They’re looking for someone that has questions. I’ve learned the fastest way to lose a room is to start talking before you’ve earned the right to be heard.

So, now I spend so much of my time listening. What are they worried about? How are they measuring? What’s blocking them? And when you start asking thoughtful questions and you sit in silence long enough to hear the real answers, something shifts. People start pulling information out of you instead of you pushing it on them, and that’s when your voice starts to carry weight because they’ve invited it.

[David Spark] Same thing to you. In fact, I’ll ask the same question I asked Jerich. I’m sure you’ve walked into many a room where they brought up problems that you did not even consider. Yes, Pam?

[Pam Lindemoen] Oh, absolutely. And I’ve worked with partnerships, service providers. I’ve sat in the service provider seat as well. And what I’ve always emphasized is something that’s real super simple. Solve the problem and show how you can help them, not how smart you are.

And that lesson applies directly to security [Laughter] leadership. It’s all about creating confidence that you understand their priorities and you can help achieve them. I’m going to steal your line, Jerich, because that conversation that I have with partners today, I love, I’m going to steal it, “Cannot walk in with a monologue.” I love that because if you can’t answer questions that they have, if you can’t start that dialogue about their problems and answer them in their own language, you’re not ready.

You’re not ready to talk to them. And I would offer that you need to think through that whole listen before talk and open the dialogue and ask people what their problems are. It will blow your mind how much you have the skillset to help them. But the inner monologue, I don’t think people can get past it.

[David Spark] Let me ask because I have questions that I often ask in interviews, like what was the most unexpected outcome or what was the most unexpected benefit, or if you could look back X number of years and tell yourself something differently today, what would you advise?

Are there any, when you go into business dialogues, are there any generic questions that you’re like, “These always elicit good answers because it forces a certain kind of thinking”? Do you have some of those in your back pocket, Jerich?

[Jerich Beason] Yeah, I have a few. One of the ones that I always like to lean on is how are you measured and how is your bonus calculated? What are the things that impact your bonus? And then I immediately think of how I can immediately hurt their bonus, not help their bonus, and I point that thing out.

So, if we were to do this, that could be a problem, right? And just them hearing that builds trust because now you’re showing that you care about them more so than yourself. And at some point in time, you can start to introduce things that will not only help them, but help you, but you’ve built the trust to have that conversation.

So, always start with what matters to them and think through how you can influence that.

[David Spark] I love that. Show them where the weakness in what they want is. I’m going to ask you the same exact question, Pam. Do you have any questions loaded that sort of elicit a valuable, useful response?

[Pam Lindemoen] One of the things that I start with is what does success look like with us? What can we do to enable your project smoother, faster? How are you selling this to your leadership, your stakeholders, so I can understand where you’re coming from, right?

So, really digging into the business process.

What are the best practices?

19:40.372

[David Spark] Sohil Merchant of WM – probably someone you know, Jerich, yes?

[Jerich Beason] Just a little bit, just a little bit.

[David Spark] Did I pronounce that person’s first name correctly?

[Jerich Beason] You got it right. He’ll be happy to know it.

[David Spark] Awesome, “Early in my tech career, I saw things as simply right or wrong until Jerich told me so.” No, that part isn’t in there. [Laughter] By the way, I threw that in.

[Jerich Beason] It could be, it could be.

[David Spark] Sohil goes on to say, “Over time, feedback helped me realize there are degrees of right, and the real key is finding what’s right to the organization, but more importantly, what value that ‘right’ brings to the people in the room. When decisions create meaningful impact for the teams and stakeholders, that’s when true progress happens.” Well, Jerich, obviously, I’m going to let you respond to Sohil right away.

Were you possibly one of the people that sort of opened his eyes to the degrees of right?

[Jerich Beason] You know what? I was fortunate that when Sohil joined the organization, we were simpatico [Phonetic 00:20:48] in a lot of the ways that we thought, and it’s helped us really advance the organization. And what he said really resonates with me, and I think it’s on everyone’s leadership journey.

We go to school to learn how to click buttons and connect technologies where you don’t get taught the soft, squishy stuff like this. So, naturally, we’re obsessed with finding the perfect security solution, the one that checks every box, that follows every framework, meets every compliance requirement.

But what you learn is to do that, you really hinder the business, and the best security decisions aren’t that absolute. They always have some level of context. What’s right for a startup that’s moving fast may be different for a bank, may be different for an organization that’s in the energy space.

All three of those are [Laughter] experiences that I’ve had, and I can tell you there’s not one solution that would have worked in every single place.

And the real key is really asking the questions that help create value for the people that depend on us. Does it enable the business to move faster? Can they do the thing they’re trying to do to grow the business while we’re trying to help them do it safely?

And when you shift from what’s the right answer to what’s the right answer for us right now, you start creating that meaningful impact, and that’s when stakeholders start seeing you as a strategic partner and not the technical gatekeeper. Security stops being about proving you’re right and starts being more about making the right thing possible.

[David Spark] I love that. Now, I’m going to see if I can take you back to some of your first jobs, Pam, maybe first jobs in cyber, but just you’re very young, just entering the professional career. I know myself then, I knew I felt I needed to prove myself right, and I thought that was the only way to be acknowledged and respected.

And the thing is, all three of us are talking, we’ve all gone through the wringer a few times. We’ve had our years of experience to let others see. But when you’re so green and young, you don’t have anything to show or back up. So, is this relevant for someone very young in the marketplace as a cybersecurity professional, or is it it doesn’t even apply to them?

What do you think?

[Pam Lindemoen] Oh, I definitely think it applies. I mentor quite a few young people today, and one of the things that I distinguish early on are the people that ask me questions, and do they start off with empathy? Are they learning for the sake of learning?

Are they there just to check a box [Laughter] and move on and get back to the technical depth that they want to be in? And I’m often asked, like, “Should I go the technical route or the leadership route?” And do you struggle with not having your hands on the keyboard anymore?

And it’s really what you want to define.

But I think throughout your career, even at a young age, you should understand empathy, and you should really think about these, what Jerich said, I think you called them soft skills. Sometimes people call them soft skills, right? And you have to understand that it’s all about relationships.

It’s all about driving influence. No matter where you go, you kind of have to understand how to communicate with people. And so, one of the things that I still struggle with is stopping, making sure that I’m asking questions, I’m translating it appropriately for my audience.

You have to practice what you preach, right? [Laughter] And so, it can be difficult sometimes because we’re moving so quickly, we’ve got a lot of priorities, the speed of technology is incredible right now. And so, that’s something that I explain to people, you’ve got to slow down, you’ve got to think through it, you’ve really got to have a business sense too these days, and relationships matter.

They absolutely matter.

[David Spark] Very good point.

Closing

24:27.235

[David Spark] Well, that brings us to the portion of the show, and I’m going to start with you, Pam, I want you to look at all these quotes that were mentioned earlier, and I want you to pick one out, your favorite. They were all good, actually, I liked them all.

But which quote was your favorite and why?

[Pam Lindemoen] Grant Sewell over at AHEAD, the CSO over there, mainly because it’s teaching people how to be good people, and I think we need more of that. I think we need to teach these soft skills along with the technical skills, and we need to help the younger generation get there.

And this just exemplifies it, in my mind, the entire discussion.

[David Spark] Very, very good point. Jerich, I want to know your favorite quote here. Which was it?

[Jerich Beason] I’m going to go with Kevin Haft. I’ll read it real quick, it was one of the short ones. “The problem you’re focused on solving isn’t the only problem you should consider. Bringing your audience along in the understanding is just as or more critical than the problem itself.” And for me, that really talks to the fact that results move faster when you win the minds of the people you’re trying to influence first, and that creates clarity.

And clarity’s a force multiplier. And that clarity will build trust, which will build influence. And end of the day, that’s all leadership is. And without that influence, you won’t have the outcomes you’re going for.

[David Spark] It’s a really good point that both Kevin brings up and you reinforce here, is that we all feel great when we sort of can figure out a tough problem together that works for everybody. To just win a battle, even when you win and the other person loses, that doesn’t make anyone feel good.

Not at all. And it’s definitely not going to help the next time, I can tell you that much. [Laughter]

[Jerich Beason] Yeah. The last thing you want to do is win something and leave some carnage in the wake.

[David Spark] All right. Well, this brings us to the very tail end of the show. I want to thank you again, Jerich, for writing this post. We will have the post up on the blog post for this very episode, so we’ll be able to link to it directly. But this is such a great and critical conversation to have.

I do want to ask you, are you hiring anyone over there at WM?

[Jerich Beason] I am hiring. If you go to our Careers page, you’ll see a few roles out there. We’re looking for a combination of junior and senior talent.

[David Spark] That is awesome to hear. Well, guess what? I believe if you reach out to Jerich and let him know that you heard him on the show, that may help. Will it help someone?

[Jerich Beason] It will. And [Inaudible 00:26:44] my LinkedIn inbox. Thank you, David.

[David Spark] Yes. We will have a link to his LinkedIn profile as well.

[Laughter]

[David Spark] I want to thank our sponsor, and that is Alteryx. Remember, go to their website, alteryx.com. That’s alteryx.com, where analytics, automation, and AI come together. And when you go to Alteryx or any of our wonderful sponsors, you let them know that you heard about them through the CISO Series.

Now, lastly, I want to thank our first time ever, definitely not our last time guest, Pam Lindemoen. Pam, thank you so much for coming. I greatly appreciate it. Let’s get a quick little plug about RH-ISAC, Retail and Hospitality ISAC. What can you tell us?

[Pam Lindemoen] We’re a retail and hospitality member organization, and we believe in collective defense. So, it’s an organization where you can come and get started. I tell people it’s like you’ve got over 350 phone-a-friends [Laughter] in any type of situation.

And so, we would love to have you and reach out to us at rhisac.org.

[David Spark] Thanks very much. We will link to just that on the post for this episode. Thank you very much, Pam. Thank you very much, Jerich. And thank you to our audience. We greatly appreciate your contributions. That’s key to Defense in Depth, and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.