The Strategy Layer Live

The Next-Gen CISO: Leading Beyond Risk and Certs with Jimmy Sanders

Steve Tout Season 1 Episode 4


In this episode of The Strategy Layer Live, we sit down with one of the most respected and candid voices in cybersecurity today — Jimmy Sanders.

Jimmy is the CISO of Save Mart overseeing more than 200 stores across the West Coast, the former CISO of Netflix DVD, and the current President of ISSA International — giving him a rare, global vantage point on how the role of CISO is being redefined in real time.

But this conversation isn’t just about job titles. It’s about transformation.

Together, Steve and Jimmy dive into how the CISO role is shifting from technician to strategist, why governance frameworks often crumble under real-world politics, and what it takes to lead when budgets are flat, expectations are exponential, and trust is the only currency that matters.

What we cover in this episode:

  • Why automation must come before AI — and how to prepare your team for agents
  • The hidden costs of being “just the technician” instead of the strategic partner
  • The politics of governance and why frameworks often fail without enforcement
  • How to measure human-centered risk: burnout, fatigue, and decision friction
  • Why trust and presence — not titles — determine whether you get heard at the board level
  • The future of the CISO: from risk manager to Chief Trust Officer, or even CIO

Whether you’re leading your first security team or steering global strategy, this episode will challenge you to rethink what leadership looks like when the CISO’s true mandate is to create resilience, not just reduce risk.

Visit www.strategylayer.com for more episodes like this. 

Steve

Welcome back to the Strategy Layer Live, where we cut through the noise to get real about the future of cybersecurity leadership. Today's episode brings you a conversation with someone who embodies the evolution of the CISO role, Jimmy Sanders. He's run security for Netflix DVD. He's the current CISO at SaveMart, overseeing more than 200 stores across the West Coast. And he's the president of ISSA International, giving him a rare global vantage point on where this profession is heading. So here's the question that we tackle. What happens to the CISO role when technical mastery is no longer enough? Jimmy and I dig into the hidden costs of treating CISOs like technicians instead of strategic leaders. We break down why automation and AI are no longer optional, but also why you can't layer AI on top of a shaky foundation. And Jimmy brings the kind of straight talk you would expect. If you want to lead, you can't just follow orders. You need to be the architect of solutions, not the executor of someone else's plan. We also go into the realities that no framework ever prepares you for: the politics of governance, what happens when board members push their favorite vendor, how to handle burnout and fatigue in your teams, and why trust is the currency that separates leaders from scapegoats. And throughout, I'll introduce the Spire Leadership Model, a system designed to move us beyond the people, process, technology into a new era of signals, performance intelligence, reframing, and execution. So if you're a CISO, an aspiring security leader, or just want to understand what it takes to thrive in this high-stakes role, this is an hour you won't want to miss. Thanks for listening in. And thanks for suiting up for the occasion. I appreciate it.

Jimmy

My new role is I wear a suit almost every day now.

Steve

Oh, congratulations. You did just get a new role. What is the new role?

Jimmy

Yeah, so I run the security for SaveMart, which is for Lucky, SaveMart, FoodMax, and Roth's and Chuck's. We have over 200 stores throughout the West Coast.

Steve

Very cool. So, you're no stranger to my podcast series. You know that I have the Candid CISO as well, and you were the last guest on the Candid CISO in 2024, and it was just, you know, given your background as the CISO of Netflix DVD. And of course, you were the director for the San Francisco chapter of the ISSA and more recently president now of the ISSA Worldwide, which I think gives you a very interesting background and a purview into the topic today that we're going to talk about, which I believe is going to be around the evolution of the CISO role and leadership beyond what I'm calling it, beyond the certifications. With that background and that context to me, let's get things kicked off. I think the framing today is in conjunction with the announcement of a leadership model that I'm referring to, Spire, that I've shared with you and I've also put a link out to the chat for folks who are interested in reviewing it. And what I am seeing, and hopefully we can discuss a little bit, is that the people process technology pattern is outdated. And it's a model that looks good on paper, but it's difficult to execute. And what I'm hoping is that given all things AI and intelligence, that we can begin thinking and talking about leadership practices and patterns today for this AI era or this intelligence era. And I hope to get to that with you during this hour. But let's start off here, the leadership evolution of the CISO and talk about how the role is changing and what's being asked of CISOs now. And no doubt you're in this role. You talk to a lot of CISOs through your work with the ISSA and CISOs are being told to get more out of their people. And that's actually a quote.

Jimmy

Get more out of your people through automation. First, and this is what I tell my team, first we do automation, then we do artificial intelligence. Because if you're doing things on a repetitive basis, we want to ensure that you find some way of automating that. I don't care if you're using PowerShell, Python, Bash, figure out your language of choice, figure out how to automate that. Because until you can put it and understand the cycle of automation, it's hard to actually... integrate an agent, an AI agent, or some form of AI into the circle. So I want them to understand that aspect of it. Because obviously you want to crawl before you walk and run. And for us, I want us to go towards an AI agent model, but we're, you know, first you need to understand the full things about automation.

Steve

I like the model, you know, crawl, walk, run. I think that is, tends to be rudimentary and basic, but getting back to basics, especially in an environment where there are new roles, new technologies, and then absolutely that need.

Jimmy

And the thing is that even the AI models themselves are so new and they're so evolving that things will change on you so fast if you don't have a good foundation. So first establish a good security foundation, based on sound security practices, and then work on layering and making it as complex as you can handle.

Steve

Given the technology and the role is transforming equally, what are you seeing in terms of what are the potential unintended consequences or the hidden costs of treating the, and you briefly discussed this in the, I was reviewing my notes of what you talked about in the candid CISO, and especially in terms of your own being proactive about your own professional development. So I'm wondering, like, what do you see the hidden costs of treating the CISO role as primarily a technical role instead of strategic? And how do we move this conversation beyond controls and compliance and certification? Yeah.

Jimmy

It's almost like you're the dog being led by the collar by the executives. If you're only the technician, they're telling you what to do. They're telling you in what direction to go. You're being dictated to and you're not being a partner of. And so hopefully we as the leader and if you want to be a leader, you have to actually lead and not just follow direction, because hopefully we are a risk and security expert. It's not that we don't take other people's input. Obviously, the business is going to move in the direction of the business. But hopefully, when it comes to your core competencies, that should be risk and security and compliance. You get outside of just being told what to do and you get in front of being able to do it. And the only way to do that is to show you're competent, is to show that you're not just a technician who can take risks, what's being told to them, and do it, because that's the role of a high price engineer. Hopefully we will actually architect our own solutions, present our solutions to the executives, to the CIOs, to the CFOs and show them various solutions and let them choose from you instead of them telling you what that solution is.

Steve

When you're talking with CISOs through the ISSA and in your own experience, what level of preparedness do you see organizations really have to treat CISOs as a strategic multiplier or a leader at the boardroom level or in the C-suite? Or are we just still stuck in a technician-first mindset?

Jimmy

No, I've seen a wide range of it. And to me, it depends on your reputation, how you actually got hired, and how you present yourself in terms of your posture. You know, it's called like executive presence, if you want to call it that. But, and I've seen people who always wear t-shirts and jeans who had a great presence because are you able to articulate your vision or do you have a champion in your corner? Once I've seen those people, you know, it's the people who don't have the vision who don't want the spotlight, and that's great for them. You can be a CISO who's an engineer, but if you want to evolve your role, you need to. What I've seen from the winners is they've even been able to restructure their budget so that they had an R&D budget. And I thought that was amazing, the fact that you could have security as an R&D instead of a call center.

Steve

I see that. And I see having them being more embedded as a CTO or into product. And a lot of it may be that either A, the role itself isn't consistent or well-defined across sectors or industries. So this could be a role definition problem. Or this could be CISOs themselves not evolving beyond their own technical background and choosing to stay within the technical domain, or it could be they're getting resistance and pressure from the C-suite or the board that they're just not invited. And I've seen a range of those as well. Like, how do you, you know, through your work at the ISSA, I'm really curious what perspectives you're seeing there. How frequently does this topic come up relative to the traditional protect, detect and mitigate types of...

Jimmy

Every CISO meeting I go to, every executive meeting I go to, the question is, how do I get... Because for people who don't talk to the board, they think that they want to talk to the board more. Whereas some people who talk to the board, they want to talk to the board a little less. To me, it's not about talking to the board or not talking to the board. It's, can you push your agenda forward, whether it means you get board approval or you get board acknowledgement, as long as you can push your agenda for the company is that's what to me, because you could be going to the board and talking to them as much as you want. But if you present a proposal and you get knocked down and it doesn't get approved, then what's the point in consistently talking to the board when they're not listening to you? And so for me, it's not being heard, it's being listened to and actually being able to influence what's happening in that direction. And the other thing that I've seen is a lot of great leaders who understand the political situation, they not only become the CISO, they also become a CTO, CIO, or something of that nature.

Steve

That raises the question, this next generation CISO, where do you see this next generation CISO coming from? Do they come from a financial background? Do they continue to come from the CISO legacy role? Or do CTOs move into the CISO role? I was talking with Andy Ellis in the last episode of this, and he actually came out and said the next-gen CISO is the CIO. So I wonder your take on this.

Jimmy

Yes, I agree. I agree. Or I see you either come from a CIO or you show you that you're a technician and then you get an MBA or something that shows your business acumen. Going back to you think about certificates, not necessarily using your MBA as a certificate, but by either your body of work or by something showing you do have a business acumen, that you can talk, you know, quarterly results and revenue and, you know, capital expense, you know, and things of that nature. You know, being able to talk to finance in the financial language and business language, whether that's a CIO, whether they want to call you, maybe they just want to lump it together and call you the CRO, you know, chief risk officer, you know, because you do, or another thing that I see a lot of powerful CISOs become is chief trust officer, where you just have no trust overall.

Steve

The trend is, you know, I think it's an important one for CISOs to recognize the, you know, the one about the MBA to, you know, Jimmy, that I'm not a CISO, but I did pick up the training manual for the certified chief information security officer program and started reading through it. And there's a good amount on financial literacy within there. But what I'm seeing is that the training for this program is like, 32 hours or 16 hours. It requires a lot of on-the-job training and self-paced training. And having gone through an MBA program myself and knowing how many weeks and months and years I spent just understanding the financial aspects of the business, I don't think it's just something that you can take up over a weekend or go to a workshop and then become financially literate.

Jimmy

Yeah, I mean, I agree with you, but that's the same thing as the CISSP, same as other degrees. It's meant to show your interest and your acumen, but nothing beats you being in the seat, actually doing the role because every environment is different, right? Like you may go to a company that has a high risk tolerance, that has an amazing amount of financial risk tolerance, where you have a crazy budget that you don't really have to mind too much. Or you can be at a cost-conscious company where they monitor every single cent and you're having to fill out a PO for every single line item. And so you definitely have to, you know, so one CISO at one environment may be successful and not successful at another typical environment. So the one thing that I would always recommend for people is either do your homework in terms of talk to people who maybe had that role before, talk to other executives at the company and, um, dig in and, and just embrace what's happening because not every company is going to be the same. You know, you're not going to, you know, have a, be the most powerful CISO at every role you happen to be at. Right. Like sometimes humble pie is good.

Steve

I like the way you put it. Um, so, um, You know, like, like, let me ask you, like, do you, in terms of evolving into the leadership role have, you know, how have your values evolved and stepping into a new role now? I'm going a little off script here. This one wasn't in the notes, but like, what is your vision now for your, your role, your, your, your career and how you're sharing and teaching within your capacity in the ISSA world?

Jimmy

Being less nice, but more understanding. And what I mean by that is that I used to be nice and empathetic and people would provide me with certain reasons for things and I would accept it. But now I accept a lot less excuses. I do accept reasons for why something is the case. And I hate ambiguity. I extremely hate it, and so now, if you tell me something's gonna be done soon, you're gonna get a strong retort back from me, because I hate the word soon, I hate the word, you know, maybe whatever. Like, I need a date, because I can't build priorities off of, you know, vaporware. I need, and so as I'm working with ISSA, especially from an ISSA perspective, because almost everything we do, we schedule it ourselves. So if we're running behind, that means we did a very bad job of scheduling our own project. So I need strong dates because I can't prioritize if I don't understand that.

Steve

I tried to make it a point of not using the A word a lot in writing more accountability. I almost feel like there are many in leadership who want to avoid accountability.

Jimmy

I see it all the time. But that's the whole point about you being the leader is that other people in your team and other people around you may try to avoid it, but you hold their feet to the fire, the same way you hold your own feet to the fire. We set dates as a team, and when something's falling behind, it's up to the leader to either pull it up to make it come in line or readjust the schedule, readjust the project so that things do fall in sync.

Steve

And people follow your lead, right? As a leader, you're looked at for being the role model. And I have been in orgs where the leaders aren't especially the kind of role model that I would want to be now. And we could go much further down that, and it's not to really… dig up the skeletons in the closet or re-excavate our history, but it does provide some really rich lessons.

Jimmy

No, because one of the things that I tell people is that not every company can be la-di-da, not every company you can do these amazing outings and things. But if you're the leader of your unit, you can do those things. So if your company culture isn't amazing, you can make your team's culture amazing. And it's up to you to try to work towards that. Because if you're not going to be the leader and lead by example and do that, then who will?

Steve

Well said. And I'll take your lead on talking about accountability and others leads who want to use the word because from an outsider looking in, it's maybe easier said than done. But I'm glad that you embody that value, Jimmy. I believe that happens to be so important, to be able to say and that what you say and what you do are the same thing. So also through in my perusal of the CISO study guide, I've also figured out that there's a lot of talk about the right philosophy and it emphasizes that CISOs should define a security charter that evolves with the organization that demonstrates clear alignment with business goals and shows measurable progress. It even calls for measuring governance ROI and performance, not just controls and compliance. That comes straight out of the study guide for certified CISO. So I think that we don't give as much time and airtime and priority or focus to this, that there is governance as a consideration, but the way the certification reads, it's like it should be a living document. And a lot of times it just seems like a document that sits, you know, quote unquote on a shelf somewhere. So you've seen the governance framework slide. The NIST CSF 2.0 now has a governance component to it. And, you know, what's missing from the, you know, the current models when it comes to the day-to-day leadership and execution that you see?

Jimmy

I don't think it's what's missing. It's understanding that every environment has very political ramifications because security is never doing anything in isolation. So the governance frameworks like the NIST are in a utopian world where budget constraints, where you don't have to do horse trading of certain things and understand that because, and the prioritization of attacks because you may think that your greatest attack is ransomware, and you can spend most of your budget doing ransomware, and all of a sudden they do an email compromise campaign against you. It's not necessarily that you did security bad, you happen to be focused on the wrong thing. And the other thing is you can't boil the ocean. And so these frameworks cover your entire security stack of an organization, including governance, but you may have a limited budget. You have limited resources and limited funds. So you have to pick what you're willing to take a hit at is what I would say. And so it's not that the frameworks are missing. It's just that in the real world, compromise has to happen somewhere.

Steve

So you have to pick, and I think you refer to it as horse trading. Those could just be like trade-offs, and there's a bit more of a science behind the decision, data-driven decision-making. I hope it evolves beyond simply horse trading over time.

Jimmy

It is, but one of the other crazy things that I've seen a lot of executives experience, and unfortunately it happens, is that if you have a board, we were talking about the board of directors, if you have Microsoft on your board of directors, guess what products they want to see you use a lot of. If you have Google on your board of directors, Cisco, just name the company. And so even if they're not best in breed, you have to justify to the board why you don't use that product.

Steve

How does that make you feel as a CISO? Like where does the leadership model fit into that versus just being orders?

Jimmy

It's to me part of, being in leadership is that you realize that once again, there's no utopia, there's no making every, it's only, to me, you fail when you can't, when you try to stick to your guns on every single thing. Like there are certain things worth fighting for, there are certain things worth dying on your torch for, right? Like if something's gonna compromise the end user, something's gonna compromise, but if something isn't the best of breed, you're not going to die on your sword because you got something that was A instead of A+. And so it depends on what type of leader you want to be and the realities of your environment.

Steve

I agree with that. And when I decompose a lot of the data breaches that occur, oftentimes they tie right back down to human error, not technology error. It's not like, oh, if I had the… the latest version of the product, although sometimes that could be a root part of the root cause. But then it's, you know, where do you place blame on not having the latest version of the product, or to the leader or the CISO for not having upgraded to the latest version? And I see this tension, right? It's like, what are, you know, where are the intentions, where's the shortcoming, and, you know, maybe this comes back to governance, right, as living doctrine. I wonder, Jimmy, like in an environment that doesn't prioritize it as much, but now that you see governance as a major component of this CSF. How do you structure governance in a limited capacity in an environment that doesn't want or need a real formal governance structure?

Jimmy

You have to get formal buy-in from the other stakeholders because you can have all the policy documents, all the governance documents, but if they keep blowing past all the deadlines and all the regulations without any repercussions, then governance is just a slogan that's on some paper or a screen somewhere. So governance has to be enforceable and it has to be adhered to. Because that's my issue when I come to a lot of companies is that you may have a policy on patching. And the policy may say we'll patch in 30 days, for instance. And then you see patches that haven't been patched in six months. And they'll come up with some excuse and there's no repercussion for it. So governance has to be enforceable and there has to be some meat, something that actually hurts people. Maybe it's tight bonuses to governance enforcement or something like that. But it has to be something.

Steve

And a lot of times there's... in areas where there aren't transparency, you know, those, you know, if those consequences that occur due to lack of enforced standards can often reflect on the CISO's effectiveness. And I wonder, you know, what do you see, like, maybe this is something that you knew and didn't report on, or a CISO knew, I'm not saying, Jimmy, that it was you. Like, how does a CISO balance that level of transparency, like there's a known gap or a known vulnerability, and I personally don't want to take the responsibility if something happens as a result of this. I don't want to be the chief scapegoat officer. How do you balance that? Balancing the visibility, the transparency, and the risk amongst your peers?

Jimmy

So, it once again depends on exactly where your level is in the executive board. Meaning, are you really in the C-suite? Are you a manager of what have you? Because, you know, you obviously sometimes do the CYA where you make sure that you send something in an email so that somebody formally shows that you notified them or you do something via change management. As you bubble up in your career and as the board, you first have a non-formal of conversation with different people, and you talk about the risk, you talk about that, and then you put things informal. Because for every risk, you want to have some kind of either not necessarily formal acknowledgement of it, but you don't want to show that you're being incompetent. So you need to have some trail, whether it's a ticket open or something, but... But when you start talking to the executives, the first time you send an executive of a vulnerability thing without letting them know beforehand, it's like blindsiding people. And so the last thing you ever want to do is blindside your boss or your boss's boss on any issue.

Steve

Good advice. And let's take this even further, which is the known vulnerabilities, you know, the patches, the log files, et cetera. There are also people in environment, the human-centered environment, aspects, the communication, the trust that can be roughly associated with operational risk. How can CISOs start to map and measure this human side of risk, things like alert fatigue, decision friction, unclear accountability before it turns into a breach or a business failure?

Jimmy

To me, that's where, once again, either an AI agent or some form of automated metrics come into play, meaning how soon, what's the time to report on a ticket, fix the ticket. Is that trend going up or down? Are you actually polling your own internal team about their mental wellness? Meaning ask them or have a poll. Like you can be anonymous, but ask them, how are they doing? How are they feeling? Because burnout happens. And once people start burning out, their care factor drops significantly. So they may see an issue and they may respond to it slower than if they wouldn't have been burnt out. So understanding the mental fatigue. The other thing is like, let's say you're going through a big PCI audit and you go through this big PCI audit and you'll be doing it for two months. And are you giving your team downtime or are you jumping right immediately to the next project? Understanding that doing this big audit, the response and awareness may be drawn away from other day-to-day activities. How are you compensating for that as a leader and understanding that, you know, once big projects happen, other smaller projects may take a tertiary role. How are you adapting for that? How are you planning for that? Because, you know, at the end of the day, once again, you are the leader. You are understanding your environment and you need to own that and you need to plan accordingly.

Steve

Are you, so you mentioned, you talked about polling. Are there, um, you know, like, is this just like verbal polling or do you, you said it was anonymous? Like if your team is small though, how anonymous can it truly be? And

Jimmy

So you can, you can, you know, you can easily establish, you know, the online, just easy things like how would you work today? And you can, you where it doesn't actually have people use their real username and you just establish a poll that way. You know, you can, you know, whatever polling system, whether even if it's a quick survey monkey or a Google doc, you could, you could do that if your team was big enough. But obviously if you had a small team, then if five people are doing the poll, you kind of know what's happening, but the ability to be empathetic and to let people understand that you understand that they may be running out. Give them the ability to let you know in some way without you having to grill them, maybe one-on-one. Because you may be in a one-on-one session and somebody may not feel comfortable telling you they're burning out. Or they may be, one of your managers may have a team member who's burning out, but they're scared to talk to you about it. So offer them some form of outlet to be able to show that. The other thing, without being ostracized or repercussions behind it.

Steve

You make a really good point. And here I want to just take a minute to introduce the SPIRE model, why I think this is a better way to think of a leadership system than relying on people, process, technologies. The S in the name is about signals. And we've talked about that a little bit, right? And it's about what are we actually seeing? Whether it's the poll where people type in, if they say, hey, I'm great, but you walk by their desk and they are stressed and they never leave for a break and they can't breathe. Their body language says something totally different than their lips or their survey results do. And I believe it's such an important aspect to leadership to be able to understand to see and listen about what's happening with your people and in your environment. These are things that you can't just look at your SOC dashboard and find out how things are going, right?

Jimmy

And I love the signal aspect because the other thing is that you may be a certain type of leader who can work 80 hours a week or 100 hours a week, but not everybody's geared that way. So hopefully understanding the dynamics of your team, and also not always thinking that you're going to get 100% effort every week, every hour, every day. Now, when the crush is on and you have to get it done, unfortunately, you have to get it done. But that's what I also said about being less nice is that when you need to get it done, I'm not trying to. I've been very empathetic. Previously, when you were going through your issues, but right now we have this major item. We need everybody on board. And so by showing the dynamic, a dynamic range of leadership, you can be empathetic when you need to be, but you can also be strong-willed and direct when the situation needs it as well.

Steve

Yes. Yes. That dedicated resource or not, it's still important as a leader to learn how to function reading the tea leaves and looking at the signals. If you're in an environment, and I did see this occur in a workshop I did earlier in the month where a CISO had just joined the company and changed his title on the LinkedIn and the CEO of the company reached out to his boss and said, why is he changing his title? Why is he the CISO? And that got back to him, right? Because it's like, on one hand, he might have thought that this is a director of cybersecurity, not a CISO. So it comes to this idea of CISO in name only, but not in responsibility or resources or endowment. But you have to be able to read those signals. That's such an important part of...

Jimmy

And that's what I was saying earlier, though, is right. You're new to a company. You're a little young to be having an understanding of what the executives are actually like, not what you think they're like, but what they're actually like. How is the CEO? Are they a hands-on CEO who wants to know, does she want to know every single thing that's happening with her executives and their staff? Are they hands-off? Is the CIO, who are you reporting to? Because for me... you know, do you have a senior in your title? Do you have a director in your title? What was your really higher title? So, understanding that, because my other thing is, right, is that who even cares when you change your title on LinkedIn? You know, from whatever title to this title, because that still hopefully doesn't change what you're going to do on a day-to-day basis at your job. Now, it may be, you know, flexing and bragging to your peers, which sounds good, but at the end of the day, all I ever ask people when they tell me the title, my easy ask is, what do you actually do? Because your title may not convey what you actually do.

Steve

There are some who have the title and don't do the actual role of a CISO. They're risk managers with a CISO title.

Jimmy

Or some of them, we call them B CISOs, where their whole job is to, they have the title of CISO, but their whole job is to talk to customers. And they don't do any of the internal security or technical security. And I've seen those roles and people flourish in those. And so just because you have a title, that's not necessarily explaining what you do.

Steve

And I guess I feel a bit more for those who do the role of the CISO but don't have the title. And I've seen those too. Oh, yes. I think that's where trust comes in. Actually, trust comes in a lot, right? Which is, do your peers, does your hiring manager, does your board trust you with the responsibility and the title?

Jimmy

I know. I love it because I tell people the story of, like, the person, you know this person, almost everybody knows this person. You will say something and they'll look it up on Google and say, oh yeah, you're right. And then you say something else. The next time you see them, they look it up on Google and say, oh, you're right. Well, if you tell somebody you trust, I mean, who trusts you, you know they wouldn't do that. Right. You already have the trust. They say, OK, Jimmy said it, it is true. And the same thing with the business unit. Right. You tell them something. They go and check their own facts. They go and check their own data. What I work on, and what I tell other business leaders, is that in the beginning, you won't really trust me. You'll do your own Google meeting. You'll do your own research on something. But after the fifth time I'm right, you're going to be like, okay, okay, we get it. I don't always have to keep doing that. And so that's where the trust comes in: trust, you kind of have to prove, and then you have to verify. But once you build that momentum and you build that trust, you try your best to keep that winning streak alive so you don't erode it.

Steve

Jimmy, I wrote the book recently and I sent you a copy, The CISO on the Razor's Edge, and I talk about the trust paradox. And in a nutshell, what that is, is you believe in zero trust, right? It's a great concept for architecture. Even the NIST guidelines have some insight about how organizations and CISOs should be implementing zero trust architectures, or ZTA. But in this context of the CISO-to-board-level interface, what happens when you bring zero trust to the boardroom? You get what I'm saying, right? Like there is a paradox here and I'm not just imagining it.

Jimmy

You can't bring zero trust to the boardroom because these are all VIPs. And to me, what zero trust never accounts for in the real world, when the rubber meets the road, is the VIP. Because if the CEO says he wants to go and do something, they get to do it. If the CIO, CFO, so you have, to me, zero trust is for regular interactions of a regular environment, not for, like, boards of directors. If a board director comes and says something, that's a different story. But also in terms of the trust, you can't have zero trust. To me, zero trust was created because you don't know that entity. Right. It's based on, you know, you don't know that. I don't know you. You don't know me. And to me, zero trust came because our environments got too big for me to be like, oh, hey, Steve, how you doing? Well, I didn't know everybody's name. I didn't know everybody's personality. And so I have to build these security solutions based on things that I don't know. But when you're dealing with the board of directors, hopefully everybody on the board of directors and the executive management team know each other. They know the interactions. They know your personalities. They know your goods and your bads. You know, and so.

Steve

But coming back to your earlier point and, you know, just for illustration, like, if I walked by Satya Nadella on the street, I would be a perfect stranger to him. Like, he doesn't know me, and I don't know him, even though I recognize his face. But if Microsoft's on your board of directors and Satya shows up in the boardroom conversation, you can't act like you don't know who he is. You have, right? Yes. Yeah. Yeah, so interesting paradox.

Jimmy

No, it's funny because the meetings I have, and this is from an ISSA level and my current level, is that once you reach those rooms, those people do show up. If the deal is big enough, they will bring in their heavy hitters to make sure the deal is closed. So if it takes the CIO from name-the-big-company to show up, even if it's just a Zoom meeting for 10 minutes, they will do it if the numbers make sense to them.

Steve

So in the SPIRE framework, I also have performance intelligence, which to me is like the track record, right? Yes. If you're looking at this from a data analytics perspective, like you mentioned the word five, does Jimmy have a good track record? Like the last five times he came into the boardroom, what he said and what he did were in perfect sync, right? He's not losing credibility. And that can be a measure of a CISO's performance, but it could also be a measure of how your stakeholders perform. You talked at the beginning about granting exceptions to policies. How many quarters do we go granting exceptions to policies? And is that a reflection on the CISO's performance or a reflection of the culture?

Jimmy

I would say it's a reflection of leadership, of the CISO and the team themselves. Because as the CISO and as a security leader, you are not really touching systems anymore. You're not the one implementing patches. You're not the one rolling out firewalls, generally, at a big enough company. But you are the one who needs to ensure that these things are getting done. Whether by hook or by crook, you've got to figure out how to be a leader to execute your vision.

Steve

I mention and talk about, in the book that I wrote and subsequently, that I believe misalignment is the breach before the breach. And the good news is that we can diagnose this and detect it well before a breach occurs. And here, I'm not a CISO. I don't think I ever want to be one, but I would love to enable and empower the CISOs to be able to bring a data-driven story to say, hey, look, this is the mirror. This is our track record, not just mine. This is our company leaders' track record. We went three quarters without patching. Come on, guys.

Jimmy

Yeah. And to me, what you just said was spot on for what I was talking about in terms of governance and the frameworks that we have: it's not that we don't understand the frameworks. It's that we focused our priority in this direction and we were misaligned. You know, and it's understanding the gap areas. And that's where, to me, also understanding the current trends and reports is a great thing to do. Whether it's, you know, reading the latest, whatever report you have. There are so many companies out now that provide security leaders with trends. But if you're not a security leader that's actually trying to absorb external information and to try to improve your posture internally by looking at what your peers are doing and standing on the shoulders of giants to make things better...

Steve

I love that. I love that. The R in SPIRE is about reframing an organization that's maybe lagging, that needs some help with their culture, and it depends on the leader to be able to reframe the psychology from just the status quo to exceeding targets. And this next question for you, Jimmy, is about the future vision and the organizational impact, the importance of a CISO, a cybersecurity leader, having strategic foresight and long-term views. So how do you think about this responsibility to reframe, to elevate organizational performance? And what advice do you give to CISOs who are trying to evolve from playing defense to driving enterprise value and business alignment?

Jimmy

So for me, this is the reason why they actually hired you as a CISO: because they weren't happy with the status quo. They wanted something better. And so your job is to maybe not quite revolutionize, but evolutionize the company, to bring in some of the latest trends and techniques and to uplift your team so that you may not be the smartest person in the room, but you ensure that your team members become smarter than they were before you got hired. You work to empower them to be a better version of themselves through maybe automation, through artificial intelligence. Because the old notion of we're going to do two times the work of our peers has gone out the window now with the advent of AI. They want to see you doing 10 times the work of your peers or more. And so by you being the new security leader, you have to understand that is your mission now. You need to provide that value, and not through I think, I hope, but through metrics and numbers based on projects completed, based on whatever other performance data you wish to utilize.

Steve

It sounds like your role may even be evolving to become a... You know, it highlights the need for intelligence design and the need for a decision, you know, a system of action that sits on top of your systems of record. So you can track, because there are so many things, right? Like, how can you keep it all in your head?

Jimmy

I mean, to keep it in your head, right? Obviously, hopefully we don't do that. But it goes back to your thing where you're talking about going from defense to proactive, right? Before you can even go to proactive, you've got to be able to anticipate your defense, your basic items, meaning the team, the IT team, the executives will want certain basic things for you to provide. You need to be able to build those, because they're going to be telling you what they want as soon as you get in, because they have their visions. You need to be able to complete that list and to satisfy them as soon as possible so that you can start leading them off and being in front of them, so that now they come to you with some suggestions instead of with tasks. Because as long as you're just being given tasks, once again, you will never ever really evolutionize your environment because you're just constantly having to trill off of them.

Steve

I love the progression of your thought, because I haven't even said what E is yet in SPIRE. And I'm getting to that. And I hope that this makes it clear for those listening and also for this conversation: people, process, and technology is static. The E in SPIRE is execution. And so when we attach an execution model to our planning function, we can begin to systematize it and we can begin to scale ourselves to 10x without burning out. And that's why I believe we need to evolve from this people, process, technology mindset to a SPIRE mindset with intelligence design and systems of action and execution built in. And, you know, on this last question here, and we're getting close to the top of the hour: if you could design the ideal leadership system for the next generation of CISOs, one that doesn't just check boxes but builds capability and resilience, what would it look like for you?

Jimmy

It would look like I had 100 hours on my hands, because I would be constantly taking classes on the latest technology. I would constantly be taking classes on leadership. I would be mentoring my team about what I'm learning. I would be bringing in guests such as Steve and other guests to my team nonstop to let them know about the latest, greatest technologies. I would be the charismatic leader who could get the budget I needed to go buy the A-plus tools that I wanted. But to me, that's like the utopia, right? I would have the 100 hours, because one of the things that I'm seeing is that a lot of the technology that we're experiencing right now, we're going through a hyperscale of technology. The loop cycle from intention to design is almost instantaneous. Now that you have AI writing a lot of your low-level code, or your level one code, what used to take two months to do, now that cycle is 30 minutes or less. So understanding that and being able to grasp and absorb that. And the big thing is not only being able to grasp that, but also to weed out the slop. Because with all of that new code, not all of that new code is going to be elegantly designed.

Steve

I wonder, what agents do you see involved in your approach? Agents as in AI? Do you have any ideas right now about where your high-value, high-leverage opportunities for AI are? Can you share your thoughts on that?

Jimmy

Yes. So one of the best ones is, like, you have a policy. Let's say you want to formulate a company policy. Have the AI integrate with certain templates to help formulate your policy so that it's in adherence to what is seen from your company's culture and your company's previous documents. Have the AI automatically review your firewall policies and have it do automatic changes, or automatic, not commits, but change controls, to constantly update your firewall policies on the top 100 threats it's seen in the last hour, the top 1,000 threats you've seen in the last month. Automate that process using AI to read through all of those logs faster than any human could.

Steve

I've reached out to a few CISOs about a model for a system of action and how it can play a role in boardroom interactions. And so I wonder, what role do you currently leverage AI for in the boardroom for cybersecurity leadership? What are some of the constraints? We're not going to transcribe every conversation and put the board on record for what they say. I see some resistance to doing that, but what opportunities, high-value opportunities, do you see for AI facilitating improved CISO and leadership interactions at the boardroom level?

Jimmy

Being able to take large policies and large documents and to put that into an artificial intelligence that's been trained on your voice, and to have it bring that document into a concise, either PowerPoint or concise presentation that's a one-pager. Where it may take you 20 hours to do that, an AI can do it in 30 minutes. And you present it to the board, and obviously if it's a one-pager, you get to review it yourself, or you can have your team review it. Understanding that, because to me, when I'm talking to leaders, they don't want to see the numbers. They don't want to see lots and lots of data, like 20 pages of data. They want to see a page of data. But if you can have an AI that can grasp all that data and present it in a human-readable, easily consumable fashion.

Steve

I love it. I love it. I also like the, I mean, this isn't, you know, preparing the chairman and the board for the agenda and, you know, policy is one area, but, you know, preparing agendas and using AI to take dozens of priorities and distill them into the top three to create, like, recommended action plans, right? I might call it the predictive task engine, right? That's intrigued me. There are so many. We could talk probably for the next hour about other uses, but I won't. Jimmy, it's been great catching up with you. I wonder, any parting remarks as you think about the next year ahead, like your vision for how cybersecurity has to evolve and what your priorities will be in your current role?

Jimmy

The headwinds in terms of getting more personnel will continue. Mm-hmm. We keep seeing companies that are making billion-dollar profits laying off tens of thousands of workers. Once again, my advice, and this is advice I tell my team as well, is that the days of 2X are gone. Now we want 10X. I was reading about this one AI person saying how now they'll do 100x. Everybody's going to bombast and do all kinds of outlandish things, but you need to be squeezing that lemon, because right now it's going to be hard times for a lot of security teams.

Steve

Are you bringing this into your teaching and agendas for ISSA International?

Jimmy

Yes, yes, because at ISSA International, we actually have a staff that we pay as well. But because spending is down overall, our budgets are flat or down as well. So we have to work as a team to do more with less of what we may have coming in.

Steve

I always feel inspired. I can do this after I talk with you. And I feel like I've learned some stuff, which is exactly why I invited you to be here today. So Jimmy, thank you so much. I appreciate it.

Jimmy

No, thank you, Steve. It was great to be here. And, you know, I love your SPIRE model, you know, and I wish you the best.

Steve

Thank you so much.