Interview: Jim Gordon, Security Strategy Leader, Intel

Jim Gordon is the General Manager, Ecosystem Strategy & Business Development - Platform Security Division for Intel. He joined Intel in 1998, as a product manager and currently leads teams focused on security customer and industry engagement to improve the company’s core product market share. He was recently nominated for Cybersecurity Women Supporter of the Year, and is an advocate for more diversity in the industry.

He shared his trajectory with Cyber Security Hub, his thoughts on the state of cyber security industry, and how D&I can help organizations to be more agile and innovative.

CSH: The journey for Cyber Security Leaders seems to have many origins. What’s your story? And how did you end up where you are now?

JG: I most recently was a leader in security strategy at Intel, specifically in the area of preparing the security market (software companies / solution providers) to consume Intel technology innovations, companies that in turn enable CISOs around the world to produce better security outcomes for their companies. That said, my journey to this point involved many different stops in my 23 years at Intel.

Past leadership roles in product development, software industry enabling, marketing and business development – and even a meaningful stint as Chief of Staff to Intel’s then President Renee James (now CEO of Ampere Computing). All of those prepared me with a broad range of skills and experiences to meet the security role head on and deliver, I think, some unique value.

I believe the security industry, not unlike others, require a mix of long-time veterans in the discipline along with infusions of innovative individuals from other fields that bring new ideas, new approaches, new mindsets. That combination is powerful and frequently leads to new breakthroughs that could not be as easily (or ever) produced without that diversity of thought. It’s a great example of how diversity and inclusion can yield better results.

See Related: The Need For Diversity In A Cyber Security Workforce

CSH: What is the biggest myth about the enterprise CISO?

JG: The biggest myth is both that they have it all figured out, and are ahead of the curve – and that they are hopelessly behind it. The truth is that they are human, struggling to stay ahead, concerned that tomorrow will be the day that something happens requiring them to dust off their resumes. They are trying to balance efficacy, risk, cost and time to arrive at the best possible outcome. And I feel so sorry for them. It’s a role that requires an individual who “believes” – one that understands the greater good they deliver in protecting their organization (and its customers or constituents).

I know it sounds cliché but it’s not. Why else would someone want a job that involves such persistent pressure, a constant need to stay ahead, one that can end as the result of a single bad outcome which was never reasonably under their control? You have to want this role because you believe in its purpose. I feel sorry for them because they do all this with tools and solutions, from all manner of vendors, that all purport to be the best, be THE solution…but we all know they are not. How do you separate technology promises from reality, truth from fiction, truth from hope? I think it’s the toughest challenge in technology.

CSH: What motivates you to keep pushing ahead every day in the security field?

JG: This is a perfect follow-on to the previous question. It speaks to the reason CISOs specifically, and security leaders in general, persist with what can be viewed as a thankless, winless role. Deep down, you / they know they have a chance to make a real difference in the lives of people.

I could be wrong, but I’ve always viewed the role to be filled with one of two types of people. Sometimes a little of both types. The first type I will call the “cop” – the person obsessed with finding and defeating the bad out there in the world. Like police officers, clergy, doctors, soldiers – they are all after eliminating bad things and are intrinsically motivated to do so. They want to protect, cure, prevent, all in their own ways. The other half or type I refer to as the “competitor”. Deep down this is a game, one with the highest stakes possible, some might argue the highest stakes, period.

But, regardless, it’s a game in many respects – you are competing like an athlete every day, like a video gamer every day, to “win” by any means possible. Some are addicted to that feeling. Every time you think you have it figured out, a new challenge presents itself – you’ve “leveled-up” but know that you’re about to face something even more daunting. Anyway, CISOs are a mix of cops and competitors, each with their own unique composition of those two elements. I bet no one has described it that way before.

See Related: Cyber Security Is A Team Sport

CSH: Conversely, what concerns do you have about the state of cyber security today?

JG: I remain deeply concerned on several fronts. None of these are unique to me, none save maybe one. That is, the adversaries are better economically motivated, they follow no rules (whereas the good guys do), are often more innovative and in some cases work better together in a perfect black marketplace with full transparency.

Then there is the age-old cliché-but-not-really-cliché of “the white hats have to be right every time and the black hats only have to be right once.” Never in the history of societal investment – those big investment areas where industry and government stage an all-out effort to eradicate a societal negative (e.g. cancer research, fuel efficiency, anti-terror / physical security, etc.) – has there been a failure like cyber security. That is, year after year society invests more and more – yet the problem keeps getting worse. More money, worse outcomes. It’s unique in that sense.

Many might disagree, especially CISOs, but I think the data is undeniable. Here’s where I think a little differently, both on the assertion of a societal negative ROI – but also in the hope we can someday win. If big tech companies, those that control the compute stack from the lowest level transistor to the highest-level web service, can actually work together to integrate a real solution – they can do so where it would be nearly impossible for the black hats to win. If you can operate where they can’t operate, in ways they can’t operate then you CAN win. You just have to decide to do so.

CSH: You were nominated for Cybersecurity Women Supporter of the Year. What do you think senior executives can do to support women in our industry?

JG: I really don’t think it’s any different in cyber than it is in other industries. In cyber security it’s like it was in general tech during the dawn of Silicon Valley. That is, an environment of ultra-pressure, high risk, high rewards, dominated by companies who are always on the edge of success or failure. You’re talking about start-ups or…very mature companies comprised of people who were acquired from / through a start-up.

All that adds up to environments that are frequently harsh, non-inclusive and barely under control from an HR / legal standpoint. It’s better now than it has been in the past – and the future will certainly be better than today. All that said, what can executives do to support women? Do all the things they know how to do. Lead by example. Insist (in all ways) on an equitable workplace, ranging from behavior to compensation. Monitor metrics that matter, ranging from hiring to advancement. Talk about equality. Be transparent. The things they can do are so well understood that I am in no position to unveil some insight that others don’t have. People just have to do it.

We all have to insist on it. And the customers of cyber security solution providers need to play an active role in insisting on equality from their suppliers – not just on pure business metrics such as detection efficacy or cost.

CSH: Is there a shortage of female leaders in the cyber industry? What advice would you give to women looking to start a career in cyber security?

JG: There is. This is especially true at the leadership level. And, it appears to be a greater difference than in technology as a whole. The advice I would give is to network your way in via contacts that you currently may have in these companies. Each company of interest, particularly those that are more established, will certainly have formal programs through HR to diversify the workforce – so make contact there as well, either directly or through LinkedIn.

Really, this is the same advice for any person seeking opportunity in any industry. Most importantly though, my advice is this: try, persist. It’s good for you as wages are above average in technology, unemployment is lower than average, chance of advancement is greater than average (as these companies are growing vs. plateauing) and the work is interesting, worthy work. What else might someone want? And, not only is it good for you, the seeker, but it’s also good for the country and world as both really need the innovation and drive and inspiration of all genders, ethnicities and backgrounds.

CSH: What are some ways to prepare/contribute today for the next generation of security leaders?

JG: Three things come to mind. First, be honest about the failures, not just about the successes. It’s in failure that we learn the most. Second, be open about the need for new thinking. One thing is certain, none of us have it all figured out and, as I have pointed out, so far it’s been a losing battle. So we have to keep thinking of new things, thinking in new ways. Finally, be welcoming and inclusive to all manner of people because we collectively need them all.

This industry will only attract the best and the brightest, this industry will only have a hope to win if these people WANT to work here, want to stay here, want to do their best work here. That will only happen if people of all types feel wanted and listened to.

CSH: If you were able to give your younger self a piece of advice about the security industry, what would it be?

JG: Get in sooner. I waited too long.

Next: The Role Of Cyber Security In Compliance