Highlights:

• You’re responsible for your personal growth and development - your future is in your hands
• Your three motives and how they lead to a CEO path
• An organisation doesn’t have physical boundaries anymore
• Organisations typically have 100’s of cyber tools - but SaaS means you need to be a promise maker and a promise keeper
• How do you capture and sell the parity wedge?
• Security incidents were up 400% during the pandemic - how does Continuous Controls Monitoring (CCM) help manage the threat?

Setting The Scene

Jonathan ‘Jono’ Gill has been a student of personal growth and development ever since he held down four simultaneous jobs whilst still at university. It was great to sit down and chat with Jono as he talked about how his early career prepared him for the world of sales and how this, combined with the rise of the cyber industry, set him up for his latest challenge as CEO of Panaseer. The pandemic challenged many leaders on how to manage in the new remote world, and Jono talks about what lessons he used in leading a company where he had not even met many of the leadership team or company!

The world of cyber is growing fast, but it’s also crowded and noisy with many conflicting messages and tools vying for attention. Here, we unpick why the new category of CCM (Continuous Controls Monitoring) as pioneered by Panaseer, lifts them out of the noise and delivers demonstrable value. It’s fascinating to listen to a CEO plot the course of a rocketship company, delving into not just the sales and product direction, but also how effective leadership has the biggest impact.

‍

The world of cyber is growing fast, but it’s also crowded and noisy with many conflicting messages and tools vying for attention. Here, we unpick why the new category of CCM (Continuous Controls Monitoring) as pioneered by Panaseer, lifts them out of the noise and delivers demonstrable value. It’s fascinating to listen to a CEO plot the course of a rocketship company, delving into not just the sales and product direction, but also how effective leadership has the biggest impact.

The early days...

I feel very lucky doing what I do, and I've loved every job I've had. Going back to university, I did a placement year, and back home I had four jobs. One of them was in a local hospital, Day Case, doing a project for them. Then, I would go home in the evenings, eat, then get out of the house in 30 minutes, get into town and work with a local newspaper. We went door-to-door selling the delivery service of the newspaper. I learnt how important Predictable Revenue was to an organisation and commission sales at a young age. Then on the weekends, I went back to the same hospital I worked in during the week and worked for the company that cleaned the hospital, cleaning the wards and the theatres. Then, when I couldn't do my placement job during the holidays, I worked in a factory assembly line, where we would put Christmas cards and envelopes that came from two different factories together.

Out of these four jobs, it was really the newspaper delivery service that resonated with me because I was a shy introverted kid. I learnt about persuading people, business models and objection handling. Reflecting back on university, I had two life changing events. I met my wife Nicola in my final year, but my friends told me I was crazy to be distracted. But they were right- I was crazy about her and still am! The other thing I learnt about was this world of personal development, and learning from people who've walked ahead of you on the road, people like, Brian Tracy, Earl Nightingale, Dale Carnegie and Tony Robbins. I discovered this opportunity to take power in your future with expectation setting and goal setting. So, I decided to try the world of sales. I probably applied for hundreds of jobs in newspaper adverts, but I got my first job at a company called Wick Hill. It was inside sales now looking after distributors, and I absolutely loved it! Then they promoted me into field sales and I got a company car.

One of my customers was Intergralis, who then went on to become Articon Integralis now NTT, and they hired me to be a field sales person, then promoted me to be a sales manager. At 24-25, I was managing a team of 14 people, and I really loved the value of people management, selling, making customers into heroes and keeping promises.

Then I left the reseller to go and join a vendor, and I gave up my management role to get better at what I was doing to sharpen my skills as a seller. Over the last 26 years, I think I've had 13 jobs in nine companies, and eight of those jobs have been different. Today, I'm four months into my first CEO role, and this is the eighth time I've done a job for the first time. It’s usually almost always cybersecurity, but it wasn't called cybersecurity then.

Applying skills from others that you learn along the way

The biggest thing for me was as I read about all of these authors who walked down the road ahead, I'm the only person responsible for my personal growth and development, and that my future was in my hands; I was steering the boat and driving the bus. I was entirely responsible for what happened to me and I remember a friend of mine saying, “if you don't like what you see in the social mirror, don't blame the mirror. It’s down to you, you're responsible, you're accountable”- that is both terrifying and empowering! Terrifying, because it means you have to take responsibility and there's nobody else to blame. If you fail, you have just got to look at yourself and see what you can learn, pick yourself up and move on. But, it’s also empowering because it's down to you to define your own outcomes, your decisions, thoughts, goals, dreams, both conscious and unconscious, and determine where you get to. To me that was liberating, because no longer did I feel the need to impress or be invested in how effective I was today; it was all about what I could learn today, so I could be more effective tomorrow.

I've been blessed by a lot of people on my journey, who've helped me learn. But, I suppose it's within the frame that it's down to me to learn from them and not for them to teach me. It's my responsibility to go get it. If I go back to my grandfather, who was a carpenter, I learnt to measure twice and cut once- it is an important theme in carpentry and I think in life and decision making. My mum was a nurse, and from them both I learnt about the importance of values, which has had a lasting impact on me personally and professionally. Then I've been blessed with some people who have placed a bet on me, invested in me and probably taught me the most, who are the people I've worked for. I remember when Simon Attfield hired me at Wick Hill in that first sales role, I learnt about strategic selling from somebody who was a master at it. I was then hired by Paul Golden, who's still a really good friend of mine and a wonderful leader of people. These people challenged me, gave me feedback, questioned me on what I was doing, whether my behaviour was getting the results I wanted and they gave me ideas about how I could do things differently.

I remember when I joined Arcot, Ram Varadarajan, a serial entrepreneur who was the CEO of Supersmart, had this infectious energy and persuasiveness, and was always on as a mentor. Bob Brennan, who ran Iron Mountain, and then was the CEO of Veracode. It's now worth $1B as a company and a $250 million revenue company, but at the time I joined I think it was around $30 million. One of the reasons I moved to the US was to be mentored by Bob, he truly is a great human being, a great leader of people, a friend and a mentor.

Another person who comes to mind is Susan, who is a coach, a friend and a gifted teacher. She knows more about human behaviour than anybody else I've ever met, and I've worked with Susan for years to turn the lights on to why people do what they do and why we behave in the way we do. There's an even longer list of people I've worked alongside and who've worked for me that I've learnt from over the years.

I just realise how blessed I am to have worked with some incredible people who've given me gifts I've learnt along the way. If you put those together you can't become the superset of all the people you've worked with, but if you can gather, like an arcade game where you pick up tokens along the way, you can gather those skills and apply them. I think early in my career, that's what I was interested in doing. I think at this point in my career now, and probably going back the last five or ten years, I felt a different compulsion, which is to give back and teach other people the things I've learnt along the way.

The psychological path to being a CEO

The path I expected was different. I remember sitting next to Steve, who in the first role I had at Wick Hill said to me, “within a few months of being there, you're going to be a CEO”. But I thought, ‘okay, you’re just pulling my leg here’. Early in my career, I actually thought I'd do my own thing, but never outside of opening up a reseller integrator, this entity was a great model for doing that. Outside of doing that I just didn't have the inventive idea myself.

A guy called David McClelland did some great work on motives, and highlighted that all humans have three motives to one degree or another:

• A motive for achievement: getting stuff done, outperforming other people
• A motive for affiliation: warm, friendly relationships
• A motive for power: a healthy power motive and a leader is influenced and doing work through others.

As I got to understand that work on motives, I understood why some people want to continue being an individual contributor, and some people become leaders. We're driven by our motives; they're like psychological needs in the same way we have physical needs for food and water. If you are driven by achievement, you're probably going to spend more time being an individual contributor because you can fill your bucket and you can meet your needs every day. I have a really high achievement need. I get out in the morning, I'll do my exercise, I'll bike ride, I'll learn and I'll work in the gym. I'll fill my achievement needs by doing things in work and outside of work, but my influence needs are really high. I get a buzz, I fill my bucket by influencing and affecting change and helping people become the best version of themselves. If you're more on the achievement side and less on the power and the influence, you can meet your needs by doing your own thing as you've got no people to manage and you're in control of your life- that's great!

Selling is really about:

1. Problem solving
2. Finding the root cause and seeking clarity
3. Understanding why someone's got a problem
4. Asking why it's important, why it's important now and who is important to them
5. Seeking that clarity and then understanding if you can bring some value to solve that problem
6. Then, seeking clarity around that and mapping those two things together

This is what you do in leadership all the time; you find the root cause of a problem, you look for clarity:

• Why is it happening? Is it important?
• Do I need to find out why that really happened, so I can stop it happening again?
• How do we learn lessons? And then how do you find a solution?
• How do you anticipate failure in the same way you might anticipate risk with assigning a deal? What might go wrong?
• If you're implementing a change and organisational change, structural change or programme technology change?
• If you're introducing leadership behaviours, introducing a sales methodology into a sales team?
• Or go to market strategy? What might go wrong? Where do people struggle? What's the resistance to change?

The more I read about becoming a CEO and becoming a leader, the better I got at selling.

The themes and trends in cybersecurity

We call it cybersecurity now, but when I was at Integralis, I remember when somebody came to see me at a trade show and asked me about  Firewall-1. I didn't know what a Firewall was, this was not a thing yet. Check Point invented the Firewall, and Integralis really launched that into the UK market. But, you didn't need all your fingers to count the number of security products that were being sold. It's gone from being relatively simple to being almost overwhelmingly complex. I think the cost of cyber breaches was 6 trillion in the last year, and they’re huge numbers.

It was just stuff you had to buy to run the place. Now, companies spend probably 10% of their IT budget on security, and it's gone from being a really small number of vendors through to 1000s and 1000s of products. From a customer point of view, I remember we'd have diagrams of fortresses and locks and the threat surface was servers and laptops, and there was a boundary. It was all internal and controllable, there is no obvious physical boundary anymore. I remember when everything was about avoiding a breach and stopping it happening. Now, there's a ‘minimise the damage, anticipate it and accept it’. Most organisations are not trying to entirely prevent a breach, they are accepting that it might happen and if it does are preparing to minimise the damage, minimise the loss and recover quickly. It's gone from being either the business being disinterested, almost insecurity to being business critical, and in some organisations a potential extinction event if there is a severe breach, because if you disrupt a service in a business that's cashflow intensive, and they can't trade, that business might not exist in a low margin, high volume population.

My daughter is just doing A Levels and there was a careers day and somebody came from the UK Government and from one of the big banks in the UK to talk to the students. They really made my daughter understand that the consequence of cybersecurity is not just loss of money or personally identifiable information, it's the cybercrime and the fuel that is fueling political blackmail and funding guns and drugs and people trafficking. So, it's not just losing intellectual property and data. Some of the bad stuff that happened in the world is partly funded by cybersecurity crime and reaches, so that is just a completely different world. When I joined security, who knew that that's where this thing was going, and it's great being part of the industry, but you almost regret that you need one, because it's such a harmful thing when organisations have attacked successfully. I enjoy playing my part on this side of the fence to try and minimise that damage and help customers be successful.

It almost feels to me that for each vendor to be heard above the noise, almost like with social media, you have to compete in a way that it becomes more and more claims. If you go to a trade show, you look at the words and all the standards of the trade show that are very similar. It's hard, I think, for customers to get through the ‘blah, blah, blah’, if everyone sounds the same with so many vendors. I get frustrated with this laziness sometimes when vendors describe the world as ‘insecure’, and say that they have a product, you should buy it, and link causes and effects together in a way where they're often not linked. Then, the customer is expected to take a leap of faith that you have the silver bullet that solves all the problems of cybersecurity. As vendors, we have a responsibility to be very precise about the problems we solve, what we can and what we can't do, and to be clear with customers when setting them up for success. It's one of the reasons I love the move from on-prem to SaaS. I love being a promise maker and a promise keeper, and when you're on a subscription service, you have got to keep your promises. I love that the customer is not paying up front based on the promise somebody made, and then that sales person is never seen. Again, I love the ongoing accountability. I feel as though the values I talked about earlier have really helped me build trusting relationships with customers over the years, and are even more suited to the world we live in now- keep your promises!

I've really noticed that the industry is so big and organisations are overwhelmed by the number of security tools and all the data that these tools produce. You see reports that there are on average 50, some say over 100 tools, in an organisation. They're adding at least five tools every single year, there's this conveyor belt of new technology coming through, and people can't keep up to speed with it. These tools don't talk to each other and they're all different ways of looking at the world. Some look at IP addresses, some look at applications, some look at domain names, and then there's a shortage of skills. I think there are 4 million open positions in cybersecurity. You've got a shortage of people being overwhelmed by all these tools and you do so in a glass house because the stakes get higher and higher every single day. There's this spiral of ‘you buy more tools, people make more mistakes, there's more errors, breaches, regulatory scrutiny, more audit scrutiny, there's more internal risk and compliance scrutiny’. So, you buy more tools and then people are more overwhelmed and you make more mistakes. There's this really difficult position. Many organisations find themselves struggling with the overwhelming nature of the cybersecurity problem, but also the complexity of the solution. It's one of the reasons I joined Panaseer; we've got a way of helping take care of some of that and I've seen that need grow in the 20 years I've been doing this.

Understanding and learning from your customers is vital in a CEO role

I feel as though my career to date has just been practising for this. Whether that's GTM and scaling organisations, or leading people, I feel as though I've come to a junction where those two things have come together. I looked for an organisation where there was a Jonathan sized hole, to see whether I can bring some value. The first thing was to understand what we did and how we could serve our customers. I spoke with almost all of our customers as quickly as I possibly could, I wanted to see through their eyes and I wanted to understand. When I spoke with customers, they were describing this paradigm they lived in, which didn't match the way we talked about our product in a product company.

I want clarity to understand what their problem was, and what the world was like when they were living in that problem statement that before, if you like, compared with the after. To try and really understand why it was important and who suffered and what did it mean, and what did it lead to. Some of those things are business cases, things you can put into a spreadsheet around cost, and some of them are just around having credibility and having trust and collaboration with people.

There's a company called Corporate Visions, and they've done some great work around behavioural science, around messaging and why people don't buy, and understanding that from a behavioural point of view. A lot of vendors talk about what they do, and it's overwhelming about all the features and the capabilities they've got. There was a piece of work done by two economists, it was called Prospect theory by Amos Tversky and Daniel Kahneman. It's such a simple concept, which is we associate more perceived value with something we lose, compared with something of the same value that we gain. So, if you've got £1000 and you've already got it, and you've got ideas about what you might do with it, and there's a risk of you losing that, you'll behave differently to defend the £1000 that you've already got. Versus, somebody giving you £1000 that you don't have, and you lived without yesterday and life was okay, because you're not attached to it. Even though it's the same monetary value, you associate two to three times more value personally with something that you've already got that you might lose. Therefore, when I asked customers about the world they lived in before I was asking them, ‘why did you change? What are you risking losing?’ Because the benefits are great, but you didn't have the benefits on Monday, so you can live without them on Tuesday. There has to be something you're going to lose. You might fail an audit, or there's some reason behind why you're making a change beyond just the benefits often. Vendors tend to talk about the benefits, but if you understand what they might be losing, as well as what they might be gaining, you've now got the one time on what they might gain and the two to three times on what they might lose. You can contrast between those two spots.

I want to be very clear here that this is about advisory, consultancy and learning from customers, who've done it, why they've done it and sharing that knowledge with people who are further behind on the road. Stephen Covey taught me about a lot of lessons and his seven habits. He taught me things that I didn't know and made me aware of things I might struggle with. This is a data driven argument with customer testimonials to be able to explain to people who are on this side, in the ‘before’, how life might change and why these customers have moved. In terms of benefits, we've spent quite a bit of time synthesising these messages from customers and learning their observations and asking them:

• What value did you get that you expected?
• What value did you expect that you didn't get, that you thought that maybe we promised you or was implied?
• What did you find that you never even expected?

That last question often reveals things to a vendor. I think this word credibility and our customers talking about having a low resting heart rate and the ability to talk in the language of the business around security metrics, collaborate in a way they couldn't before. We know the product can do that, but what oozed out of them was just that human benefit of cybersecurity teams and CSOs being able to have a really credible conversation with the business in the language of the business. That brought an extra dimension to that beyond the feature itself, because it gave them a seat at the table and gave them the ability to contribute to the speed of change of the business, and be part of that. Not just the team that spends all the money and is at risk of a breach and can't explain what they do. Now, they can explain what they do, they can justify changes, they can show progress over time, they can have one set of data that everybody in the organisation can use who needs to access security data and the regulator and the audit, and they can give those regulatory attestations with confidence. We knew technology could do that, but just the level of human benefit to that. The benefit they got walking around the organisation with their heads high, and being able to contribute to it and not just be a cost, I don't think I would have got from just understanding the product. That's one of many things I learnt from our customers.

The first thing I did was to understand that. Secondly, if you think of three overlapping circles in a Venn diagram:

• One circle represents the customer and what they need
• Another overlapping circle represents a competitor
• The other overlapping circle represents you

That competitor will do some things that the customer needs that you don't do when those two circles overlap and yours doesn't. That's the value wedge of that vendor's unique value that the competitor can bring to that customer. Then it’s thinking about; what's your unique value wedge? And then, where do they overlap? Where does the customer have a need that both a competitor and you do? We call that the parity wedge.

If you think what you do is important, you can try and change their mind by introducing information to them that helps them identify underappreciated, undervalued, unmet unknown needs and consult and advise them. But, if they haven't got that problem, they're not going to buy your products, and nor should they, because you don't solve the problem that they've got. Then you can decide to qualify because you understand, and doing that with the customer feedback in mind, rather than us as a company, what have you invented? It was what the customers needed that we've invented, and what does that overlap with? And, what do we do that nobody else in the world does? That is what I would refer to as becoming one of one, that you have a message that you share with customers and you share the benefits you can bring aligned with a set of circumstances. If they have those circumstances then you're a really good fit, but if you don't, you don't. Then, let's decide where to spend our time as part of the sales organisation on either changing their mind, influencing them, advising and consulting or accepting that it's not a fit and qualify out. But, it gives you a way of finding out whether you're a fit.

Then, the next thing is just to deliver outstanding value to those organisations who are customers and prospects, and to make sure that everybody in the company understands that ‘yes, we're a product company, that everything we do every day needs to lead to delivering value to customers, both personally to the people who trust us to deliver value against their projects and make them successful in their organisations’. To do that we need to be challenging customers, agitating them and disagreeing with them. We need to recognise that we are the foremost experts in the world on solving this problem with a data science approach. I don't mean, be arrogant or bullish, but don't do everything they want you to do, make sure we focus on their needs more so than their wants, and ensure we're aligned against very clear goals and success criteria, which we then hold our organisation accountable to.

For instance, I've got monthly calls with some of the CISOs who are customers going through implementations, and I tell them what our team's feedback is that we think their team can do better when we need some help. Then, they tell me, and it's a non-critical, non-judgmental, non-blame conversation. Our job is to tell you when you're tracking to the goal, what's going well and to thank the people and appreciate what they do. When we're off track, our job is to tell you we think you're off track and have a discussion about that. But, not just say yes to everything a customer asks for because we're accountable for outcomes and goals that need to be clearly defined. Usually the organisations I choose have got great intentions around customer value. But, sometimes we forget that we're the consultant and they're the patient if you like, and because customers have money that they must always be right and customers are always right.

We are accountable for their success and I want that in the DNA of the organisation. First, to do unnatural things to make them successful against the promises we made, and if customers need to beg me at the weekend, or when I'm on holiday to talk about problems, I'm available to them because we are promise keepers. But, that's not the same as doing everything that their team on the ground might ask you to do, which might actually distract from the goals that they have. I want to make sure we're accountable against clear goals and success criteria, and that requires a level of discipline to really understand what they need and why. Then, we have a call as a leadership team every week with every customer. I'm holding our organisation accountable to keeping those promises.

The team and culture at Panaseer is ...

It's a testament to the ingenuity, the hard work, the highly skilled team and the culture that has been instilled at Panaseer. It's really an honour to be able to join Panaseer and have the opportunity to help take the company and this incredible group of people to the next level- the team has come so far! Under this new category, CCM has been recognised for the first time in Gartner's risk management hype cycle in 2020. Technology is solving one of the biggest challenges in cybersecurity today. Enterprises simply do not know if their security tools and their security controls are providing full protection at any moment in time. Preventable breaches that happen because tools and controls you have simply aren't covering all your assets, or are not working in the way that you think they are. Panaseer will give you a single view of the truth across all of your security estate with that business context, and that organisational context to give automated prioritised data driven insights through what really is a decision support platform to help you make the most of all the people and all the tools that you have.

But, what we've done is synthesise down the views of the many, many customers I've spoken with. For them to describe the world before, which is overwhelmed by tools and fragmented data and silos of tools that sim