Why More Security Tools = Less Security with Jonathan Poon, Zoom

Aaron Morin [0:00:01]: This is Patch Me If You Can™.

Aaron Morin [0:00:02]: A show about IT and security leaders rewriting the rules.

Aaron Morin [0:00:06]: Not just patching with broken, but building what's next.

Aaron Morin [0:00:10]: Every episode we explore replacing outdated ways of working with simpler, smarter and more strategic approaches.

Aaron Morin [0:00:17]: I'm your host, Aaron Morin.

Aaron Morin [0:00:20]: Today's guest is Jonathan Poon, Head of threat and Vulnerability Management at Zoom.

Aaron Morin [0:00:31]: Jonathan has spent his career deep in the world of security, but what sets his perspective apart is his focus on what happens beyond the tools.

Aaron Morin [0:00:39]: He believes that in today's environment, success and security isn't just about what you know It's about how well you can align teams, communicate risk and turn complexity into clarity.

Aaron Morin [0:00:50]: In this episode we impact why more tooling isn't always the answer how to simplify and without losing visibility and what it takes to make security actually work across the business.

Aaron Morin [0:01:00]: Jonathan, Welcome Patch Me If You Can™.

Jonathan Poon [0:01:03]: Thank you, Aaron.

Jonathan Poon [0:01:03]: Thanks for having me on the podcast.

Aaron Morin [0:01:06]: So, you, you know, you came into this conversation with kind of a provocation on paper, security has never looked stronger, more tools, more telemetry, more Ai powered automation.

Aaron Morin [0:01:17]: But you believe that complexity is actually out pacing our ability to understand and control what teams are responsible for, especially

Jonathan Poon [0:01:26]: with the...

Aaron Morin [0:01:28]: Well where are you seeing that gap show up the clearest right now from where you're sitting there?

Jonathan Poon [0:01:33]: I think one of the biggest signals the secretary, we are getting so much data points.

Jonathan Poon [0:01:37]: We for wafer for Ai being able to filter the, love the noise out.

Jonathan Poon [0:01:42]: That's just wait too many signals for humans to actually react to.

Jonathan Poon [0:01:46]: So as the whether there's a introduction of late...

Jonathan Poon [0:01:51]: Additional layers of cooling, they can have further ref refine and reduce noise, is also a challenge.

Jonathan Poon [0:01:58]: Right?

Jonathan Poon [0:01:59]: In that...

Jonathan Poon [0:01:59]: It also further as complexities.

Jonathan Poon [0:02:01]: Right?

Jonathan Poon [0:02:02]: And it just creates a lot of operational text for the the front engineers and the Tier two engineers to be able to really focus on their work.

Jonathan Poon [0:02:12]: Forced to drive things.

Jonathan Poon [0:02:13]: An example recently were that that my team was trying to do was to enhance our threat and intel information with our vulnerability information to say, hey, if something is now being discussed on social media, let's just get a quick signal where we have.

Jonathan Poon [0:02:29]: And then we we started to add more and more data points into it.

Jonathan Poon [0:02:33]: And then we're, like, we're just replicating what we already have.

Jonathan Poon [0:02:36]: No...

Jonathan Poon [0:02:36]: There's not the outcome that we want is just too much noise, and then we decided to just feel the it that back to that initial intent to give us a year on, and then we can then kick off our workflows.

Jonathan Poon [0:02:47]: So that that was a a very good realization for myself personally as well on my peers.

Jonathan Poon [0:02:53]: Go hey.

Jonathan Poon [0:02:53]: Instead of going way too deep.

Jonathan Poon [0:02:55]: That's just step back and figure go what's truly needed and get the right signals to then called drive directory?

Aaron Morin [0:03:04]: Yeah.

Aaron Morin [0:03:04]: Who would you say there's kind of a law diminishing returns when it comes to adding additional data points and and tooling into your team's workflow?

Aaron Morin [0:03:13]: Like, you know, what's the methodology that you use when it comes to figuring out if it make sense to introduce a new tool or new data feed

Jonathan Poon [0:03:25]: in my experience, we trying leveraging multiple tools of the the baseline tools sets that we have.

Jonathan Poon [0:03:30]: And I guess, the biggest challenge has always been about...

Jonathan Poon [0:03:34]: During the sales pitch and demos everything is easy to integrate, and, you know, all the data is all seem to be cleaner and and things like that.

Jonathan Poon [0:03:42]: But we are know in reality, C in the world is never clean.

Jonathan Poon [0:03:45]: Right?

Jonathan Poon [0:03:46]: It's always outdated in to varying degrees.

Jonathan Poon [0:03:50]: So a lot of the two sets, the assumption of quality of data that isn't there it actually just cost even more friction.

Jonathan Poon [0:03:58]: Right?

Jonathan Poon [0:03:58]: Where it's like, I can do we fix it in Seventy or if it's in the two or the we fix it in our baseline scanning too.

Jonathan Poon [0:04:04]: So that is one of those things where, like, We find that sometimes it's easier, and we have done that in my last couple of teams where we ended up just building a tool by ourselves, because we know the problem statement.

Jonathan Poon [0:04:18]: We understand the quality or the data that we have or do not have and we're able to work with the right teams to get it versus trying to fit a square pack into a round hole.

Jonathan Poon [0:04:30]: Like, it just couldn't get it to work.

Jonathan Poon [0:04:31]: And and having a couple of lessons left, and I wasted the investments on those.

Jonathan Poon [0:04:37]: Yeah.

Jonathan Poon [0:04:37]: That's kind of where we ended up up with

Aaron Morin [0:04:40]: Yeah.

Aaron Morin [0:04:40]: I think from my experience, it can be really hard to implement a tool to fold it into a stack that is already running pretty smoothly because there's there's always sharp edges during the implementation phase.

Aaron Morin [0:04:55]: Yeah.

Aaron Morin [0:04:55]: I think a lot of leaders that are maybe less mature?

Aaron Morin [0:05:00]: They always go to tooling as the answer.

Aaron Morin [0:05:03]: Why can't you do this today?

Aaron Morin [0:05:05]: Why don't you have this capability?

Aaron Morin [0:05:06]: Well, we need to get this tool in that tool.

Aaron Morin [0:05:09]: Anything?

Aaron Morin [0:05:09]: Not always the case.

Aaron Morin [0:05:12]: In fact, typically, it's not the case.

Aaron Morin [0:05:13]: You know, outside of the question of tooling and what the right tools are and the right tools to fold into your your stack, what components of a strong security program that, you know, you think about kind of the bigger picture?

Aaron Morin [0:05:27]: What are some of the components of a strong security program that leadership overlook or or commonly kind of under invested in?

Jonathan Poon [0:05:36]: I think the...

Jonathan Poon [0:05:36]: Well, there's there's two...

Jonathan Poon [0:05:38]: I I can't tell Alice two angles one is really about actually understanding what your current stack provides.

Jonathan Poon [0:05:44]: Oftentimes and in my experience even in talking to my peers across the industry.

Jonathan Poon [0:05:51]: We have tools in our control that are probably having, like, thirty to seventy percent overlap of capabilities and detection and data points.

Jonathan Poon [0:06:01]: None of us are even aware of it because a lot of the security teams are very silo in what they are focusing on.

Jonathan Poon [0:06:08]: So I think that's one of the biggest get where there's no...

Jonathan Poon [0:06:12]: I guess, maybe, like, a data over over oversight committee or whatever.

Jonathan Poon [0:06:16]: It's probably someone's gonna just be me that they hang up on the cards now.

Jonathan Poon [0:06:20]: But having a a team that can look across all the tooling, what other data that we have and being able to to to help support whatever security or engineering scenarios.

Jonathan Poon [0:06:33]: It's probably an exercise that a lot of companies to not put investment in.

Jonathan Poon [0:06:39]: The other thing is also with all the information that we have.

Jonathan Poon [0:06:43]: And again, that's kind of like, my sub box topic is we have all the data with all information.

Jonathan Poon [0:06:48]: If we kind of convince someone to could do something, that again, it's kinda of pointers.

Jonathan Poon [0:06:53]: So being able to find the right tooling, and and again, I I think more more tooling this is are getting better because again, leveraging Ai to translate vulnerability to a risk do a dollar amount to a asset impact that makes it easier for security, traditional like be in the right.

Jonathan Poon [0:07:14]: Frequency to direct people.

Aaron Morin [0:07:16]: I'd love to go back to something that you just said, what was it you referred to?

Aaron Morin [0:07:21]: It as the the data oversight committee?

Aaron Morin [0:07:23]: Is that

Jonathan Poon [0:07:24]: equal??

Jonathan Poon [0:07:24]: Yeah.

Jonathan Poon [0:07:25]: Yeah.

Jonathan Poon [0:07:25]: You

Aaron Morin [0:07:26]: know, I think typically, you made the joke, folks are probably hanging up now as we speak, because they hear committee and and this this one, Yep.

Aaron Morin [0:07:35]: Less thing that they wanna have to do, it's not sexy.

Aaron Morin [0:07:40]: Right?

Aaron Morin [0:07:40]: But, yeah the reality is that aligning people within the business is sometimes the biggest missing piece.

Aaron Morin [0:07:47]: Know for folks that are listing that are maybe saying, yes, like, we know that the data probably exists in organization.

Aaron Morin [0:07:54]: We don't know where it lives.

Aaron Morin [0:07:56]: We don't know who owns it.

Aaron Morin [0:07:57]: You don't know a lot of things.

Aaron Morin [0:07:58]: You don't know you don't know.

Aaron Morin [0:08:00]: You know, what's maybe a starting point that they can start from to build out this committee?

Aaron Morin [0:08:06]: What's the makeup of a committee like this typically look like?

Aaron Morin [0:08:09]: You know, how can someone be successful and in knowing what they don't know.

Jonathan Poon [0:08:13]: I think one of the best ways is to start from what you know, right, for each team.

Jonathan Poon [0:08:17]: Right?

Jonathan Poon [0:08:18]: We all know what our top to twenty use cases of data that that we need to to do our job.

Jonathan Poon [0:08:25]: Right?

Jonathan Poon [0:08:26]: Being able to do...

Jonathan Poon [0:08:27]: Also from those scenarios call out what are the key datasets sets that we need.

Jonathan Poon [0:08:31]: Right Share it across the security team And I, hey.

Jonathan Poon [0:08:35]: I have this twenty scenarios, fifteen of them them, I know I have hundred percent of data that I need.

Jonathan Poon [0:08:41]: I have five scenarios that I need certain data that I do not know where to get.

Jonathan Poon [0:08:45]: Right?

Jonathan Poon [0:08:45]: And being able to share every one another is a great way to start the conversation.

Jonathan Poon [0:08:49]: Oh, hey.

Jonathan Poon [0:08:50]: I have this in Blank, or, I this in elastic search.

Jonathan Poon [0:08:53]: Through another tool that someone's send this data into...

Jonathan Poon [0:08:57]: You can...

Jonathan Poon [0:08:58]: You can grab this and correlate with your data.

Jonathan Poon [0:09:00]: Right.

Jonathan Poon [0:09:01]: There we can have those conversations to go off.

Jonathan Poon [0:09:03]: Someone's looking for, installation, patches of, know, for of a certain utility.

Jonathan Poon [0:09:10]: And if the tooling is not installed in a proper manner how do we are able to find it end.

Jonathan Poon [0:09:16]: So again, we have creative ways to go get it from various teams.

Jonathan Poon [0:09:19]: So being able to go, okay, Are these your key scenarios, let's work together.

Jonathan Poon [0:09:23]: Let's get the data, and ideally make data automated fit in the future.

Jonathan Poon [0:09:28]: So those has been ways that we alice least table up the starting conversation, and then we can see like, okay, where are the absolute gaps that none of our teams are aware we have the data for, and is that truly something that we want to consider to get another tooling to gather the data or it's something that we want to just build on our own.

Aaron Morin [0:09:49]: You said before you came on that you've seen situations where someone has had extreme strength in the technical knowledge department, but that they've may been weaker in the relationship management, slash alignment department.

Aaron Morin [0:10:07]: When you think about someone who's really technically brilliant, but they need to go, build this kind of alignment in the business, they needed to have, you know, these go out on these conversations with other folks in the business.

Aaron Morin [0:10:18]: You know, what are the kind of skills that they need to work on to make the difference and to go from someone who's technically brilliant to also someone you who is able to develop a human side and build relationships in the business to make sure that works able to actually get done.

Jonathan Poon [0:10:37]: I think it's really important to build empathy skills to firstly to understand from the recipients perspective, how you see something to make them care about it.

Jonathan Poon [0:10:48]: Right?

Jonathan Poon [0:10:48]: If if you're just screaming zero days and remote exploit vulnerabilities abilities and to them, they are, like you are just talking random characters above my head.

Jonathan Poon [0:10:59]: I do not understand what that means.

Jonathan Poon [0:11:01]: Versus, hey, you know, this is gonna cause your product revenue to get impacted, your product reputation to get impacted.

Jonathan Poon [0:11:08]: Coming out with ways that will make their feel the hey.

Jonathan Poon [0:11:12]: This is important for them to to go focus on.

Jonathan Poon [0:11:14]: As far as being able to explain to build a a muscle that allows one to actually be able to speak at different frequencies to different levels or different segments of the company.

Jonathan Poon [0:11:27]: Right, speaking to a Pm on engineering we're gonna be different where might just speaking to the the sales and marketing leads.

Jonathan Poon [0:11:34]: Right?

Jonathan Poon [0:11:35]: But, again, chances are...

Jonathan Poon [0:11:37]: Those are the kind of teams that we typically have to work with, you know, they do their work as well.

Jonathan Poon [0:11:42]: I think it's important to build up communication skills.

Jonathan Poon [0:11:46]: The empathy skills as well as also being able to actually recognize that just having a technical good skills itself is not enough.

Jonathan Poon [0:11:55]: Right?

Jonathan Poon [0:11:55]: Like, yes, you can be on your Soft and your screaming and shouting thing.

Jonathan Poon [0:11:59]: But if no one else is listening stunning at all, the, which is the worst case scenario, what's the work of the skills.

Jonathan Poon [0:12:06]: Right?

Jonathan Poon [0:12:06]: So and I've seen that myself, early in the courier, so I've gone through that journey that learning journey, the painful learning journey, and I've seen really talented engineers on sub boxer, and I I'll always be like.

Jonathan Poon [0:12:20]: Can I have a chat with you after this call?

Aaron Morin [0:12:26]: What and what do you tell?

Jonathan Poon [0:12:27]: I'll share with them my experience.

Jonathan Poon [0:12:28]: Like, hey, No, I used to be the one that I was, like, knocking my head against the wall.

Jonathan Poon [0:12:33]: Trying to help protect.

Jonathan Poon [0:12:35]: Kind of like the put that the supply chain security when that phrase wasn't even might invented that yet, but wasn't able to communicate in the right way.

Jonathan Poon [0:12:44]: And for my own experience, it was a a very experience, program manager that that again, talk me to one side.

Jonathan Poon [0:12:52]: They say, hey, I I see that you are really struggling to communicate.

Jonathan Poon [0:12:57]: Why don't you, share me for a couple of weeks?

Jonathan Poon [0:13:00]: See how I'm communicating all issues and concerns and see whether you can learn from it, and I did.

Jonathan Poon [0:13:06]: And since then, I no longer have to, like, jam models of box.

Jonathan Poon [0:13:10]: I will try to say things as relaxed as I can, try to sure people can understand it.

Jonathan Poon [0:13:16]: As soon as verifying that they do understand it before we, you know, we move forward.

Jonathan Poon [0:13:21]: So sharing those pointers with other the newer engineers that that get work with, true throughout the years.

Aaron Morin [0:13:28]: That's awesome.

Jonathan Poon [0:13:29]: And that allows them to also grow, and and what really energized me is also oftentimes, they will connect with me whether on Linkedin, or, just send me a text.

Jonathan Poon [0:13:39]: Like, hey.

Jonathan Poon [0:13:39]: I'm doing really well.

Jonathan Poon [0:13:40]: Know, your your pointers Still doing it day by day.

Jonathan Poon [0:13:44]: And this is getting me access to even more and more challenging work, which is all we...

Jonathan Poon [0:13:49]: We want to do.

Jonathan Poon [0:13:50]: Right?

Jonathan Poon [0:13:50]: We just want to know hector, hector bigger challenges to to fulfill out this.

Aaron Morin [0:13:55]: That's awesome.

Aaron Morin [0:13:55]: No.

Aaron Morin [0:13:56]: I I love stories like that where someone that was more experience and had wisdom that someone else didn't came in and and takes them under their wing and helps mentor them even if just for a couple weeks, and then you change that person's trajectory exponentially.

Aaron Morin [0:14:15]: That's that's.

Aaron Morin [0:14:16]: Right.

Aaron Morin [0:14:17]: One of the things that you...

Aaron Morin [0:14:20]: Had also mentioned was curiosity and the importance of curiosity.

Aaron Morin [0:14:24]: Mh.

Aaron Morin [0:14:25]: In many ways, it's more valuable than depth in a single tool or tool set?

Aaron Morin [0:14:32]: How do you instill that in your team?

Aaron Morin [0:14:34]: What are some of the ways you encourage folks to be curious, without tipping into trends chasing because that can be really easy to...

Aaron Morin [0:14:45]: Yeah.

Aaron Morin [0:14:45]: To mistake curiosity for just following the

Jonathan Poon [0:14:49]: following trend.

Aaron Morin [0:14:51]: And miss the thing that no looking at, you know, Have do you you folks on your team exploration focused.

Jonathan Poon [0:14:57]: So I do share how I'm keeping myself at pace all the industry developments and startups and whatnot.

Jonathan Poon [0:15:06]: So I do share all my information sources with them, and I do share with them in terms of I'm actually reading all this, and here's my takeaways.

Jonathan Poon [0:15:15]: And, now.

Jonathan Poon [0:15:17]: Here's the things that we're put on a radar.

Jonathan Poon [0:15:18]: We're not gonna work on it, but it's put on a radar.

Jonathan Poon [0:15:21]: It's something that we should start to think about.

Jonathan Poon [0:15:22]: Or, you know, here here are the hottest issues right now.

Jonathan Poon [0:15:26]: And it's gonna be significantly easier to do it these days with Ai.

Jonathan Poon [0:15:29]: Right, a noble error am, you just grab a bunch of papers and and stuff and let that is summarize for you.

Jonathan Poon [0:15:35]: But prior to that, I was already doing that, reading a lot of papers, a, a lot of white papers, customer success stories, checking with peers as well.

Jonathan Poon [0:15:44]: Right?

Jonathan Poon [0:15:45]: Is that, hey.

Jonathan Poon [0:15:45]: What are you guys using?

Jonathan Poon [0:15:47]: How how's the happiness level on your side?

Jonathan Poon [0:15:50]: Is something we're thinking of, and, you know, like, harry, whatever this is, like multiple times better than whatever the sales phone like gonna tell us.

Jonathan Poon [0:15:58]: The other thing is also like, the technology space is so big where security whereas it's Ai.

Jonathan Poon [0:16:04]: Right?

Jonathan Poon [0:16:05]: Friday a couple of niches and feeling comfortable to just focus on it.

Jonathan Poon [0:16:08]: And maybe letting the rest of the team go focus on other niches.

Jonathan Poon [0:16:12]: Right?

Jonathan Poon [0:16:12]: So, like, for me, really into, management Ai, especially around security, whether is also around risk based, product prioritization.

Jonathan Poon [0:16:24]: So I was trying to build my own understanding.

Jonathan Poon [0:16:28]: On how different tooling and providers are are doing their solutions.

Jonathan Poon [0:16:32]: And also no discussion with my principal engineers about it.

Jonathan Poon [0:16:36]: And again, assessing web, our gaps are, do we need to start look at things or do we not and just on Again, it's more of a.

Jonathan Poon [0:16:44]: I continue to share that every week, I'm learning in things.

Jonathan Poon [0:16:47]: Recently, we have...

Jonathan Poon [0:16:49]: Our team has been showing off to one another what we're doing with Ai, whether it's our internal Ai or or all the other ai provider So Like, hey, No.

Jonathan Poon [0:16:58]: That's this funky cool stuff that we can do.

Jonathan Poon [0:17:00]: That save us like this used to take us few weeks to prepare that.

Jonathan Poon [0:17:03]: Now it's done.

Jonathan Poon [0:17:05]: That's talking.

Jonathan Poon [0:17:06]: And, I know, it it helps people to go ahead.

Jonathan Poon [0:17:09]: You know, that's really a lot more things that we can learn.

Jonathan Poon [0:17:11]: And it also facilitates the different ways people length.

Jonathan Poon [0:17:16]: For me is I like to read and I like to see visual demos because those two ends will allow me to just pick it exam very very quickly.

Jonathan Poon [0:17:25]: While others might really need to sit down, try hands on and try things I I I'd rarely have to do hands on.

Jonathan Poon [0:17:33]: But, yeah, it's it's just the curious nature of, you know, Asking Steve, but...

Jonathan Poon [0:17:39]: Even if Fox slash, sharing links and what whatnot, I would also love to go through it.

Jonathan Poon [0:17:44]: Hey.

Jonathan Poon [0:17:45]: Well, no.

Jonathan Poon [0:17:45]: This is interesting.

Jonathan Poon [0:17:46]: Who can I talk to?

Jonathan Poon [0:17:48]: So it allows me to also view my network.

Jonathan Poon [0:17:50]: And also to to actually better understand why people feel certain things are important out there now.

Aaron Morin [0:17:58]: And we we just went through a hack here internally.

Aaron Morin [0:18:02]: And Mh.

Aaron Morin [0:18:03]: And were thirty projects in total.

Aaron Morin [0:18:06]: Most of them, Ai projects that individuals or teams worked on.

Aaron Morin [0:18:12]: And it's amazing when people get hands on, and you create the time for them to focus even just for two days Yeah on building something.

Aaron Morin [0:18:23]: Yeah and pushing the limits on what they think is possible and going and researching, it's a it's a total game changer.

Aaron Morin [0:18:30]: That's really where a lot of the unlocks come from, which is exactly what you're saying right, Encouraging folks to not just go and learn, but to come back and share, that's where you really get those compounding effects when you have folks sharing with the team.

Aaron Morin [0:18:44]: That's good.

Jonathan Poon [0:18:45]: As as leaders well, Things I shared for fellow leaders this is we also need to give our team members, the room to fail.

Jonathan Poon [0:18:52]: Right?

Jonathan Poon [0:18:52]: Because again, right now, this is like another brand in Huawei west, They try some new algorithm.

Jonathan Poon [0:18:57]: They try some new chrome and things work for a while, and they breaks...

Jonathan Poon [0:19:01]: That's fine.

Jonathan Poon [0:19:02]: We learn and we move forward.

Jonathan Poon [0:19:03]: But, no, don't have to feel of trying new things or learning new things.

Jonathan Poon [0:19:08]: That.

Jonathan Poon [0:19:10]: One of

Aaron Morin [0:19:11]: the big themes of this show is that the patch is just the star.

Aaron Morin [0:19:15]: Once you move from a tool heavy model like we've talked about, Tools aren't always necessarily an answer.

Aaron Morin [0:19:22]: Once you move from that to a reality that's more built around alignment and clarity and focusing on the human side of of the work that we do.

Aaron Morin [0:19:32]: And what does that actually unlock?

Aaron Morin [0:19:35]: What are the kinds of work that become possible that wasn't before?

Aaron Morin [0:19:39]: I'm guessing one of the things that unlocks is more time for curiosity and creativity in discovery.

Aaron Morin [0:19:46]: But what are the the some of the things internally to that unlocks?

Jonathan Poon [0:19:50]: Well, it builds stronger alignment.

Jonathan Poon [0:19:52]: Right?

Jonathan Poon [0:19:53]: Because again, it's like, hey if a security is not hammering on engineering.

Jonathan Poon [0:19:57]: Go, hey, Go patch go cash bill fix bill fix, but it's like, hey, we notice you have this class of problems or this class of vulnerabilities abilities that we believe comes through from a gap in your processes.

Jonathan Poon [0:20:08]: Why don't you go fix the process one time so that you...

Jonathan Poon [0:20:13]: We don't have to hound you for the rest of your life?

Jonathan Poon [0:20:15]: Every single week every single month, and you showing them the trade off because again, devops engineering cycles are expensive product the engineering cycles are expensive.

Jonathan Poon [0:20:25]: Right?

Jonathan Poon [0:20:25]: So it's, hey, we wanna help you save your time, and we believe this is one of the causes of why we're nagging at you every week.

Jonathan Poon [0:20:35]: Right?

Jonathan Poon [0:20:35]: And being able to it at that level, making their understand.

Jonathan Poon [0:20:40]: And and once they do try those things out and fix it and go, hey.

Jonathan Poon [0:20:44]: Yeah.

Jonathan Poon [0:20:44]: You you guys are right.

Jonathan Poon [0:20:45]: You route really no longer harassing singers out of monthly basis.

Jonathan Poon [0:20:48]: And, yeah, our factories now looks cleaner as well, which is a great thing for for all those organizations to.

Jonathan Poon [0:20:55]: So it helps build that positive cycle, where, again, it builds a trust.

Jonathan Poon [0:21:00]: It builds alignment.

Jonathan Poon [0:21:01]: We are helping, the company get more bandwidth to do more important stuff than just, you know, reporting machines and whatnot.

Jonathan Poon [0:21:08]: And it again, frees up that space for us to even align even longer.

Jonathan Poon [0:21:13]: And so one of the things that we often will also talk about is also about finding more signals that we have at the tail, I always consider Tv and to be at the tailwind and almost like a a soccer Teams go.

Jonathan Poon [0:21:26]: Right?

Jonathan Poon [0:21:27]: If you...

Jonathan Poon [0:21:28]: Everyone expects the go to prevent and go from Being Scott, your coach is bad.

Jonathan Poon [0:21:32]: Yeah theory is bad.

Jonathan Poon [0:21:33]: Right?

Jonathan Poon [0:21:34]: But it's the head, left rank done all the rows on on the pitch and make sure that everyone has a strong role to play and note ish of their rose, why it matters.

Jonathan Poon [0:21:43]: And us being able to find the right data points again just to add callback and share that information, maybe not...

Jonathan Poon [0:21:52]: It could also just be on our own security engineering processes that might have some gaps.

Jonathan Poon [0:21:57]: Right?

Jonathan Poon [0:21:57]: Being able to showcase that to help one another team to also improve has always it's been a a massive improvement too.

Jonathan Poon [0:22:03]: We're not pointing out that they feel.

Jonathan Poon [0:22:05]: But, hey, you know, this help us reduced noise for everyone.

Jonathan Poon [0:22:09]: Let's find a way to get this done together.

Jonathan Poon [0:22:11]: And I all always like to...

Jonathan Poon [0:22:13]: Offer our software engineers resources to help facilitate that as well.

Jonathan Poon [0:22:18]: So it's like, hey, we find this problem.

Jonathan Poon [0:22:19]: We can also offer, you know, part of the solution as well.

Jonathan Poon [0:22:23]: So it's not just point finger because Say you you guys go fix fit,

Aaron Morin [0:22:29]: Yep.

Aaron Morin [0:22:29]: That'll make so much sense.

Aaron Morin [0:22:30]: Jonathan, we always like to close the show by asking our guests.

Aaron Morin [0:22:36]: This one last question.

Aaron Morin [0:22:38]: If you could instantly patch something in your world, personal or work related, what would it be?

Jonathan Poon [0:22:46]: Mh, I want to patch success clarity, Yeah.

Jonathan Poon [0:22:52]: The, like, oftentimes, like, the biggest struggles has always been the success manager, the K arise, o chaos for different teams under the same.

Jonathan Poon [0:23:02]: But in reality, I think every single that no one goes to work to go hey, I'm gonna piss our security and not do all this work.

Jonathan Poon [0:23:10]: It's because they have more urgent schedules to deliver features that maybe executive will be announcing in a conference keynote, you know, things like this so.

Jonathan Poon [0:23:21]: Being able to actually understand and have easy assessed to that clarity it's important.

Jonathan Poon [0:23:27]: And that's the hard problem to solve.

Jonathan Poon [0:23:30]: You know, we can always say, oh, we assume with positive intent.

Jonathan Poon [0:23:35]: But it's also hardware.

Jonathan Poon [0:23:37]: Like, hey there is...

Jonathan Poon [0:23:39]: There's so many moving landscape right now, and again, Ai speed is just crazy.

Jonathan Poon [0:23:44]: I enjoy the energy that this whole momentum is is creating, but it's also very scary to see as well.

Jonathan Poon [0:23:51]: So it's...

Jonathan Poon [0:23:52]: Yes.

Jonathan Poon [0:23:52]: Yeah, finding a way to have that clarity and making it very...

Jonathan Poon [0:23:56]: I will say easily understandable by all organizations and all that that's probably my my dream patch.

Aaron Morin [0:24:05]: That...

Aaron Morin [0:24:05]: That's a good one.

Aaron Morin [0:24:06]: Goal alignment, you know, setting goals for a year, much less several years.

Aaron Morin [0:24:13]: Yeah.

Aaron Morin [0:24:14]: It's with Ai, and I quickly everything's moving, It feels like a daunting process.

Aaron Morin [0:24:18]: Yeah.

Aaron Morin [0:24:19]: How how do you know where we're gonna be a year from now with last a couple months from now.

Aaron Morin [0:24:24]: Right?

Aaron Morin [0:24:24]: Yeah.

Jonathan Poon [0:24:25]: Oh, yeah.

Jonathan Poon [0:24:26]: I think yeah this...

Jonathan Poon [0:24:27]: Always like...

Jonathan Poon [0:24:28]: Yeah.

Jonathan Poon [0:24:28]: It's no impossible.

Jonathan Poon [0:24:29]: Yeah.

Jonathan Poon [0:24:30]: Impossible.

Jonathan Poon [0:24:30]: What one of my friends was the recently mentioned, Hey.

Jonathan Poon [0:24:33]: It looks, reset it has been a bunch of CEOs that us, voluntary voluntarily stepping down because they can't see past the next twelve to eighteen months.

Jonathan Poon [0:24:42]: Mh.

Jonathan Poon [0:24:43]: And if folks at their level can see...

Jonathan Poon [0:24:46]: Yeah.

Jonathan Poon [0:24:46]: It's gonna be craziness as for for for us as well.

Aaron Morin [0:24:50]: Yeah, interesting times ahead.

Aaron Morin [0:24:51]: Yeah.

Aaron Morin [0:24:51]: Well, well, big thanks to you, Jonathan for joining us on this episode of Patch Me If You Can™ and for sharing what it looks like to stop reacting and start architect and in building out human teams that are, working with other teams in more effective ways.

Aaron Morin [0:25:09]: If you like this episode, hit follow and share it with someone who's ready to lead It and security from their front, and we'll see you next time.

Jonathan Poon [0:25:17]: Thank you.

Jonathan Poon [0:25:17]: Thanks for the opportunity to be on the short.

Aaron Morin [0:25:21]: Great having you.

Aaron Morin [0:25:21]: And take care.