Soulful CXO Podcast

Career Moves: Vetting Your Next Leadership Role | A Conversation with Jack Leidecker | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this episode, Dr. Rebecca Wynn welcomes Jack Leidecker, Chief Information Security Officer at Gong. Jack shares practical advice on how to evaluate leadership roles, align security projects with business goals, and avoid burnout. Listeners will learn key strategies for making smart career moves in cybersecurity leadership.

Episode Notes

Guest: Jack Leidecker, CISO, Gong

Website: https://www.gong.io/

LinkedIn: https://www.linkedin.com/in/jackleidecker/

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

In this episode of Soulful CXO, Dr. Rebecca Wynn sits down with Jack Leidecker, Chief Information Security Officer at Gong, a leading revenue intelligence platform. Jack discusses the challenges CISOs face in communicating cybersecurity needs to business leaders and how to select projects that deliver real business value. They dive into how to write effective business cases, navigate misaligned security strategies, and identify red flags when vetting leadership roles. Jack emphasizes the importance of understanding company priorities, managing expectations, and tracking progress to prevent burnout. This episode offers valuable insights for cybersecurity leaders looking to align their career moves with long-term success and business impact.

________________________________

Resources

Adapting Without Compromising Integrity: A Leadership Lesson in Security & Politics

https://www.linkedin.com/pulse/adapting-without-compromising-integrity-leadership-wynn-soulful-cxo-pgpmc/

Sustaining a Feedback Culture: Advanced Techniques and Real-Life Examples

https://medium.com/@soulfulcxo/sustaining-a-feedback-culture-advanced-techniques-and-real-life-examples-d5030c3e2c8e

How to Be Successful in Navigating a New Organization

https://www.linkedin.com/pulse/how-successful-navigating-new-organization-dr-rebecca-qgquc/
________________________________

Support:

Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo

________________________________

For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Episode Transcription

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Jack Leidecker. Jack is the chief information security officer at Gong, a leading revenue intelligence platform, where he oversees security and compliance initiatives.

He's a highly sought-after speaker at prominent cybersecurity conferences, where he shares expertise and insights on advancing cybersecurity practices. Jack, welcome to the show.

It's great seeing you again. 

Jack Leidecker: I appreciate that intro. It's great to be here and looking forward to the conversation. 

Dr. Rebecca Wynn: It's always a challenge for us to try to align with executives, try to get sponsorship for our projects and really get it out of cybersecurity technobabble so they can understand that. What words of wisdom can you share with us on how to try and do that successfully and how to pick projects that can be really beneficial to the business and not just something that we think is cool. [00:01:00]

Jack Leidecker: Yeah, so, I think this has been a challenge for a long time, but it's obviously still a challenge. We even hear the business sometimes complain about it. Back in the day, I went to get my MBA mainly because I wanted to be more strategic. So I did that to focus more on strategy and I wanted to talk to the business because I was having a hard time, especially early on in my career.

I'm like, we know exactly what we need to do. We explain it. But it's kind of technical, so it didn't really mean much, but it was like, why is there this just like, why aren't they jumping the, yeah, of course we need to upgrade our firewalls and we need to throw this new IDS in, right? Like it felt like it should be self-explanatory, but I think in being able to understand that, like, honestly, in some cases, we're not speaking the same language. Of course, that doesn't mean anything to them, right? Like, what does that mean? Is it reducing my risk? Is it helping me get new business? What's going on there?

So, I think that was a good basis for me, but I also think whatever company you're at, as silly as this seems, you need to understand how you make money, [00:02:00] right? Companies are driven. We're a very capitalist society. Unless you're working for a nonprofit, you usually have a way of how does a company make money? And the reason why I say that is you want to understand how you make revenue and then how do your projects contribute or protect that revenue?

Right? Because if they don't, then there's a question of how much of a priority should it be or shouldn't be. I will say for me personally, this is where I would say I shifted more from retail into more B2B. I want customers to want us to have a robust security program, because then I think that's actually something where we can directly provide value.

Can't do that necessarily in the BC as well. Just don't get impacted with credit cards. Um, from my perspective and being in that industry. So it's hard to have that same type of ROI, find minds a bit easier where I'm like, Hey, look, when my team is involved, our SAO win rate is 2x, right? That's something that a CRO can actually understand, right?

Oh, okay. Hey, why is that? To some extent, some people are a little skeptical of role. Of course, we know that we have to go through security because of this, but I will say when I started, that wasn't the [00:03:00] case, right? When I started, it was security is the number one thing stopping us from being able to get new revenue right now.

Security is the thing that's helping them close. So even just shifting that mentality was extremely helpful. But more importantly, when you're looking at different places, you want to understand: what does your company do and what can I do to align with it? Cause that just makes your discussions a lot better.

Because if I try and push, again, this new software, this new thing that I need to do, hell, even a new certification, if I can't tie that back into the so what, it's a much more difficult sell, and this is why I think you also see a lot of CISOs, quite frankly, burn out pretty quickly, right? Because if you can't get that alignment where they're able to understand you and you understand them, it's a really, uh, unfulfilling time.

Dr. Rebecca Wynn: How do you write that business case? Do we just write it from our perspective on we need it? Do you try and do customer service? What kind of bottom line do you put up front and how do you write through that? Can you walk us through at least on a high level, how to do that more [00:04:00] effectively? Cause I think a lot of people out there struggle with that.

Jack Leidecker: Yeah. So I think some of it's going to vary a little bit by industry, but it's kind of the same concept, right? So for me, one of the things that I always love doing when I start in a new place, and I know we need to build up a program because it's something I've done a lot of my career. And what I learned is rather than me coming with a framework that I have to get alignment on, why don't I start with what we've already agreed to? Simplistic as that is, it's actually super powerful. And it usually actually identifies where you already have gaps anyhow.

Right? So I can look at my contracts. What did we agree to whatever our customers expect? How are we doing? A lot of times, especially if they're a newer company, there's going to be some gaps, right? So being able to focus on that first, that's usually a pretty easy alignment where there's not a lot of debate, right?

I'm not having to go back and forth a lot. It's like, oh, shoot, we didn't realize that. If that's what we want to do, we want to do it. Then I would say the second part, if you can, and again, not every industry is the same, um, sales. Sales is the one that honestly is the best one because they can help really [00:05:00] quantify it.

Right? So, for example, um, one of the things, and this was at a different company, they really wanted cloud providers, but it's like, what are we missing to be able to do that? So I'm like, Hey, this is what we're missing. This is what I need from a program perspective. This is what it costs. And then they're like, great.

Now I can give you a dollar figure that was really, really high for what they think they can actually get from a revenue perspective. And when those two actually go together and it shows that it works, it becomes a much easier discussion to move things ahead. So the more that you're aligned to what your key company initiatives are, the easier it is to kind of have those discussions and be able to make progress. 

Dr. Rebecca Wynn: How do you dig through and find out really what that true security strategy is?

A lot of times you might follow a CISO and they say this is our security initiatives, or you might have that in interviews, but once you get there, you find out that, no, that's not how they're really rolling. How do you navigate that, especially for people who are either being new CISOs because the company has never had a CISO before, or they're coming into new jobs.

I think [00:06:00] that's the reason when you talked initially about burnout, I think that's the reason a lot of burnout is you're coming in thinking that they're really set to be this one direction because you got that from all those interviews. And then you get there and you find out that it is, it's, you're not even on the same playing field at all.

Jack Leidecker: Yeah. Um, I think bringing reality back to the situation is the first step. Um, I would say maybe because I've always been skeptical, and again, kind of maybe starting on the other side where I feel like we usually were able to break something, I've never gone into a place expecting it to be perfect.

One, I think it was perfect. I'd probably be bored anyhow, quite frankly. Um, but I think a lot of it is just being able to understand where are we actually at? We said we're here. But we're actually here. Do we need to be there? Do we need to be higher? Do we need to be lower? Right? And lower may sound a bit crazy, but in some cases, hey, some of these controls may not be providing a lot of value.

It may not mitigate risk. You want to reevaluate what you're doing overall. But then again, I would still tie it back into what do we [00:07:00] have to do? Right? Because I would say, if you look at good security programs, a lot of the basics, quite frankly, sadly, are still the same things that actually prevent a lot of the risk, right?

How am I patching? Am I doing MFA and managing my users well? How well can I protect email? How well do I develop code? Like, these aren't really new concepts. So I think from that standpoint, it's being able to understand where do we think we are? Where are we actually? Where do we want to go? And how do I build a plan to be able to do that and be able to include what some of those benefits are?

And again, looking at what do I have to do? Hey, if I'm a regulated entity, all right, I'm supposed to be FedRAMP or FISMA, but I'm really not even close, but half my contracts are, well, shoot, that's a pretty high risk for us that we need to be able to fix, right? Or we're in healthcare and we need to go to HITRUST, right?

So you can use, I would say some of the compliance aspects to help a little bit. Uh, my only caution with that is I've also been at a lot of places where we have a lot of [00:08:00] certifications and we don't necessarily have the best security. So it's a good baseline to start, but you don't want that to be your destination.

Right. And I think that's the part that where people get tripped up a little bit where it's like, Hey, we have to do those. And if we do good security, they come really easily, but we want to make sure that we kind of know what our end point is. And what do we want our goal to be? And be realistic about it too.

Even though it may be painful and you'll get pushed really hard of like, no, I want everything good in a month. Awesome. It gets into like writing a really good book. I can throw a thousand people at a book. It's still not going to come together really quickly in a week. Right? So there's only so much manpower you can shift in an organization and so much change at once.

So you want to see what makes the most sense. And then I would say the most important thing is how do you track it? Because I think that's the part that makes it where it becomes real. We agree. This is what it is. We track progress every month, every quarter, whatever you want to do with it. And as long as you're doing better, that's really what you want to be able to focus on.

Right. And sometimes you have to shift based on the business, but that [00:09:00] gives you a roadmap that you can work with. Um, because without that, you kind of jump around trying to do this, trying to do that, saying, Oh, we have to do this. This new risk popped up. You jump around at a bunch of different places and then you ultimately don't usually make progress, which I think is also where you see a lot of burnout where it's like, Hey, I was there for a year.

Couldn't get anything done. This sucks. I just need to get out, um, which I've heard from some of my peers that sucks and sometimes that happens. And I would say, I think there's the other side of it. The company that you join may not always want to do what you need to do. I know even I've said some fun things in the past that some people look at me a little strange where I've told CEOs, hey, if you want checkbox compliance, that's awesome. You can actually probably do that twice as fast as I will. I am the wrong person to hire. You really should not hire me because if that's what you want, I'm not going to do it. You're not going to be happy. I'm not going to be happy. Let's just not get through that.

And I think trying to set those expectations, as difficult as they are, up front usually makes it a little bit easier down the road because you never want to find that after the fact. [00:10:00]

Dr. Rebecca Wynn: I agree. I tell people if your framework is going to be "Hope and pray that it's going to be okay," I'm not the CISO for you. And if you just want to be reactionary all the time and not think about process improvement and taking that stress off your people so they can do the mindful work you need to do, I'm not the right CISO for that situation.

How can we better do analysis of those positions so then we can better align with what's going to resonate with us as CISOs and not hopefully take that wrong position. 

Jack Leidecker: Yeah, so I can't say I've always picked everything that worked out the way I wanted and sometimes it's good and then you grow out of it.

Right? Like I would say, I've typically been a lot of growth. And then after a while, if it becomes too stable, it may not still be the right thing. So I think it's also where are they doing? How are they aligning? But also, I think sometimes people don't always push as hard as they probably should during an interview process, right?

It's going both ways. They're interviewing you. You should be [00:11:00] interviewing them just as much because simply, it's going to be disruptive if you're not going to be able to be successful and vice versa. And sometimes that's hard because it's like, hey, I need to get the job or I want to leave my previous job. You really need to take a step back, right? Like, I think being very up front of this is some of the expectations I have. Now, I would say at the same time, I never really go with a budget number, though, because I don't know enough yet. Right. But what I can say is, Hey, I have an idea that what it is, but depending on what we want to do, it's going to change.

Right. And then we should be able to have that conversation, decide, do we want to do this, not do this, et cetera. Right. There's some other people that don't like building. Right. So if you're going to a place that's more stable, maybe they're more compliance oriented, been doing it for a long time, it's more static, and they just want someone to kind of carry the torch.

That's great. Right. If that's what you want to do, then you want to kind of seek that out. Or if again, if that's not what you want to do, definitely want to make sure you understand what you're kind of walking into. And I also think what helps is what are the reasons why they're looking now, [00:12:00] right? Is it someone left, someone got fired, they had a breach, they had an incident? They're going in a growth phase because now it's like, hey, we've had all this business, but we know we need to up level our program as we're expanding industries. Those triggers are probably going to be more telling than most of the other areas.

They kind of help you understand if this is really what you want to do and whether or not that's a challenge that you like to do. Because I think for me, security is a field that obviously I love and I've been in a long time, but I could say, if this isn't something you like to do and you want to dig in details and go through stuff all the time, you'll be very, very bored and hate your life.

And that's not so fun, right? So, because I think people are jumping in going, Hey, it's this great career, which I think it definitely is, but it's also one of these because it's not so defined as some of the other ones. You have to constantly want to learn and dig, uh, otherwise you fall behind. 

Dr. Rebecca Wynn: What are some of the things that, that cause you pause when you look at a possible position?

I know for me, you end up having job description that's six and 10 pages long. There's nobody [00:13:00] on the planet who can do that. That's a warning sign for me.

The other thing is, is your first mandate is there absolutely could be no breach on your watch. I help manage risk. There's a lot that's not under my control and the other thing, I just tell people looking over the turnover rate, when they end up having a CISO that's leaving every 18 months, which means that usually that CISO was looking within four to five months.

Those are really big signs for me. What do you think people should probably pause and do, at least be a flag to do a reevaluation? 

Jack Leidecker: Yeah, I mean, I think some of the ones you mentioned are probably good. Um, I don't know. I would almost say maybe from my perspective, what I'm typically going for is I fully expect whatever job description they have not to actually be reflective of what I'm probably going to do.

So maybe I'm a bit more unique in that one, because again, over the last four or five positions, I've been either the first one or rebuilding entire teams. Right. So from that one, it's more of like, Hey, I understand you're looking for all this. Why are you really looking for it? What do we want to accomplish and then kind of [00:14:00] redefining it.

But that's not necessarily the right approach for everyone. Right? And it may not be what you're even looking to do. But I think, um, utilize your network as well. 

Dr. Rebecca Wynn: Unfortunately, our time has totally flown by. Jack, it's been a pleasure having you on the show.

Jack Leidecker: I appreciate it. Thank you so much.