TDL 024 | From Crisis to Prevention: Rethinking Cybersecurity Leadership | Philippe Johnston
In this episode of The Defender’s Log, host David Redekop sits down with Philippe (Phil) Johnston, a seasoned Canadian CIO/CTO and military veteran, to discuss the shifting paradigm of modern cybersecurity. Drawing from his extensive background, Johnston shares how navigating a major cyber crisis firsthand fundamentally changed his approach to leadership.
Surviving the Chaos of a Cyber Incident
Johnston emphasizes that a cyber attack instantly becomes deeply personal for executives, creating an atmosphere of fear that requires a swift pivot to calm, operational leadership. To survive an incident, he underscores the urgent need for highly specific, scenario-based playbooks. Crucially, these playbooks must include pre-approved executive decisions—such as the authority to cut the internet connection immediately—to eliminate costly delays when a live crisis hits.
Why Cybersecurity is a Core Business Problem
A central theme of the conversation is that cybersecurity must be treated as a core business challenge rather than an isolated IT problem. Johnston advises CEOs and board members that an organization’s brand reputation, financial health, and intellectual property are all at risk. This is especially true today, as the widespread adoption of AI and low-code applications expands data access and administrative permissions across modern workforces.
Shifting Focus From Detection to Prevention
To protect these assets, Johnston argues that the industry must shift its historical obsession away from simple threat detection and toward robust prevention, containment, and Zero Trust models. By disrupting the attack chain at its very beginning, organizations can successfully stop threats from spreading while dramatically reducing the heavy burden of false alerts on Security Operations Centers.
A New Chapter with ADAMnetworks
The episode concludes with the exciting announcement that Johnston has joined the ADAMnetworks team as Field CIO. Driven by a proud desire to safeguard Canadian businesses, he expresses his enthusiasm for the platform’s agentless simplicity and practical, network-level approach. This model allows organizations to secure their critical data while saving money that can be reinvested back into true business innovation.
TL;DR
- Business, Not IT Problem: Cybersecurity directly impacts brand trust, finances, and intellectual property, making it a critical board-level business issue.
- Prioritize Prevention: The industry must shift from merely detecting threats to actively preventing and containing them at the network level.
- Granular Playbooks: High-level plans fail; organizations need scenario-specific playbooks with pre-approved decisions to prevent critical delays during a crisis.
- Reduce SOC Burden: Emphasizing prevention drastically cuts down on false positives/negatives, freeing up overwhelmed security teams.
- Target the Attack Chain: Disrupting the very beginning or end of a multi-step attack chain effectively neutralizes the complex threats in the middle.
- New Role Announcement: Veteran CIO/CTO Phil Johnston joins ADAM Networks as Field CIO, endorsing their simple, agentless, and preventative approach.
Links
View it on YouTube: https://www.youtube.com/watch?v=GLTOM3cZ4B8
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/0CQkYhRjcJHxkheQGxqMEP
ADAMnetworks
https://adamnet.works
Full Transcript – The Defender’s Log Episode 024
Introduction
Announcer: Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cybersecurity warriors guards the line between chaos and order. Their epic battles, rarely spoken of until today. Welcome to the Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and architects who’ve faced the abyss and won. Here’s your host, David Redekop.
David Redekop: Well, hello, and welcome to another episode of The Defender’s Log. And I have with me today someone that fits the requirement of having been there, done that, and still doing it, meaning that this is a lot of work being in cyberspace. So I’m glad to have you here today. Phil Johnston, welcome.
Philippe Johnston: Thanks, David. Very happy to be here with you today as well.
The Journey into Cybersecurity Leadership
David Redekop: Phil, you have quite a background as a CIO/CTO, leading organizations within Canada. What originally drew you into cybersecurity at a strategic level to begin with?
Philippe Johnston: Very good question. I think my background being in the military. Back in 2001, if you can imagine this, I started the first deployment of Entrust PKI at the National Defense in securing our communications for Canada.
And it started there, and then ended up being at the Communication Security Establishment, where, you know, I had some very interesting and very rewarding roles to protect government of Canada infrastructure through cyber. And then evolving as a CIO/CTO, always having the cyber portfolio underneath me, and seeing it evolve, seeing the methods that attackers are evolving with, and then trying to come up with ways to stay abreast and on top of what they’re trying to do.
I just really enjoyed it. And, obviously, being in the government of Canada for a long time, I saw the impact of our adversaries or those people who wanted to get into our networks to gain advantages either in economics, negotiating positions, blah, et cetera, whatever, the importance of securing your information and your intelligence, and that has been something that I’ve been very much kind of like my personal goal.
Because the things that are digital, if they get out there to the wrong people, they’re gonna make us and Canada less of a competitive country around the world.
Surviving a Cyber Crisis
David Redekop: Right. Right. Now, Phil, you actually spoke at one of our events that we had in Ottawa called The First Movers Advantage, and you shared a little bit there about having lived through a major cyber incident in your lifetime, and what changes in your mindset happened after it becomes such a reality?
Philippe Johnston: Yes. I’m lucky it was only one. I’m happy it was only one. I had another minor one. But no matter what happens, if you’re the leader of an organization on the digital side and you’re responsible for cybersecurity, you instantly make the situation very personal. And what I mean by that is, what could I have done?
How could I have prevented it? What other tools could I have deployed in order to make this a non-issue for the organization? And, many people, you know, that are working in your organization in the IT department, they all go through this instant, you know, “What could we have done to prevent this?”
And feeling sort of scared and fearful once the situation kind of arises. Now, that’s normal, and most organizations, I think, and people feel that way. But really, you have to switch to an operational nature very, very quickly. And you, as a leader, then need to switch to getting things done, thinking about your employees, how to support them in this situation.
The IT employees in terms of, like, they not only need to deal with the fact that this happened, but now they need to solve it, address it, neutralize it. As the CIO/CTO, you need to work with the comms people in order to deal with your clients or your partners, and even internally to the organization. Very important to make sure you’re curating the message appropriately for the people within your organization so that it doesn’t appear like the whole world is falling and that you as a CIO/CTO are getting the team together, you’re addressing the situation, you’re creating a plan, and you’re addressing it. So anyhow, I just wanna say that being prepared in advance though, I mean, we might get that, get to another one of those, in terms of a question moving forward, but making sure you have a plan, a big plan, and you’re confident with the plan, you know, that also helps in ensuring that you could deal with the situation in a less stressful way than if you had no plan.
David Redekop: So, it would be fair to summarize that you’re going from wearing two or three hats to wearing 20 or 30 hats within a very brief moment, and you don’t wanna return to that.
Philippe Johnston: Yeah, definitely. And in a way, though, you know, whenever there’s a crisis, and there’s been a few crises in my life, I found that the organization and the humans and the people around you, they get together.
Like, they are now focused; it’s a goal, we’re on the same page, we’re leveraging everybody’s strengths in terms of where they play on the baseball field. For example, you know, the first base got their job, the outfielders got their job, etc. And so everyone within your organization, from marketing, comms, business development, sales, etc.
Actually, it’s the moment that brings them together. I won’t say that you need a cyber incident to do that, but the point is whenever you have stressful situations in an organization, the ability for a CIO/CTO to lead you through a cyber event with, I would say, the most ease possible, being calm, relaxed, but being organized and determined, and also not showing any pieces of, like, I’m falling apart, that really does help an organization be stronger in the future.
Cybersecurity as a Business Strategy
David Redekop: Right. Now, Phil, I have a number of CEOs and board members that reach out to me privately, that listen to The Defender’s Log, and what would you suggest that some of them might consider that they might still be misunderstanding about cybersecurity today?
Philippe Johnston: You know, the organizations that might not be able to deal with cybersecurity properly are the CEOs that think it’s just an IT problem.
It’s definitely not just an IT problem. Yes, implementing the appropriate safeguards and mitigating the risks through, you know, proper technologies and a proper architecture is definitely important, but in terms of the breaches that I’ve seen, a lot of the breaches occur not because it was an IT problem, but it was a human problem.
It was a process problem. It was a business continuity problem. These are business decisions. So what I would tell most CEOs today is you need to be involved in this particular problem because it can be very costly from a brand, from a money perspective. You need to be involved in terms of understanding how prepared your organization is to react to a cyber incident or a cyber attack.
And making sure you’re involved in supporting the CISO, CIO is what’s important, but also making sure that the rest of the organization understands how important it is to be better cyber hygiene, I would say, but also, involved as well in all of the recovery operations. So I view it as a business problem, not as an IT problem, so that’s what would be my advice to CEOs who might still misunderstand cybersecurity today.
The Anatomy of Recovery
David Redekop: Right. And I’m wondering too that given that we have such a wide range of recovery methods and successes and failures, what would you say are key differentiators between those that recover well and those that don’t?
Philippe Johnston: That’s a great question, David. So from my experience, having dealt with a few of these, strong playbooks that have been executed and practiced with the entire organization helps definitely, like, 100% in terms of if it does actually happen to you.
People are not feeling like this is something they don’t know what to do. You know, it helps reduce the amount of panic. It lets people get organized. Executive alignment at all levels across the business is critical. You also wanna have clear communications, clear communications protocols during one of these events.
Make sure you’ve put those in place, and you understand who’s talking to who about what, when, and where. Those, again, will make it so much easier when you’re dealing with the situation to make sure that you’re controlling the information. Not hiding it, but controlling it and making sure it’s being shared at the right time to the right people.
One of the things that I wanted to share with your listeners, David, that we learned at one of our big incidents we had is, we had all of these things that I just spoke to you about. That being said, when we drilled down a little deeper, we felt that our playbooks, comms, and responses were too high level.
In fact, they were not specific enough because, as you can imagine, there can be so many different variants of a cyber incident or attack. And so what we ended up doing is losing a lot of time reacting to the incident because I had to go and ask different people to make a decision. You know, “We need to turn off the internet now.”
Well, the CEO was in meetings, the business people were in meetings. I know it took me two, I wasted two to three hours trying to get that decision, and they said, “Yeah, why didn’t you make the decision without us?” I go, “Well, because turning off the internet is a big deal.” I wanted to make sure that I had that.
So the point I’m making is for those playbooks to be really useful to people, go down into various scenarios of what ifs. If this happens, then this is our response. If this happens, then this is our response. And having those pre-approved decisions, for example, if your internet, you find out that your Active Directory has been compromised, well then CIO has the decision right away to turn off the internet.
You know, like, go down to those specific detailed scenarios so that you can react as fast as you can during that time of crisis. Although we had the playbooks and we knew what we had to do, we coulda saved a lot of time had we gotten scenarios pre-approved and decisions pre-approved prior to the incident happening.
Prevention vs. Detection
David Redekop: Right. So I’m gonna put you on the spot then, Phil, because I know that playbooks have a tremendous amount of effort and detail into the scenarios that you talk about. Is there enough in the area of prevention and containment today? Or are we still focused too much on detection instead of prevention?
Or where detection carries inordinate amount of attention, whereas prevention gets insufficient attention. Where do you sit on that?
Philippe Johnston: You know, yeah, I’ll answer it this way, David. You know, prior to my retiring as CIO/CTO last year, in all previous 10 years as a CIO/CTO, I put a lot of energy into detection.
Detection’s important, but it doesn’t stop attacks from spreading, and it doesn’t allow me to say with confidence as a, I mean, in fact, I couldn’t say it. I couldn’t say, “I’m guaranteeing you that we will be protected from ransomware or command and control or data exfiltration.” My best response was, “I’ll detect it, I’ll react to it, and I’ll minimize the impact.”
And, you know, actually, I was surprised many board members and organization accepted that as a response. In my life, it just doesn’t appear to be the right response. So, wouldn’t it be better if you could prevent the communications that allow the establishment of those attacks I just mentioned to actually occur?
And the ability then to isolate the infected system so that it doesn’t spread to three, four, five, 100 servers or computers, and so that can help you dramatically reduce the impact of whether you’re doing that. So to me, that would be a much, much better answer, the prevention piece. And I think the boards and organization businesses, of course, why wouldn’t you want that?
A cyber incident or a cyber attack can have so many negative impacts on your organization, from, you know, having to pay, like the average payout, I think is in the millions of dollars for ransomware. Your data being exfilled and then losing your business because no one trusts you to hold their personal information or their private information.
And just generally, your brand, you know, somebody you trust. If you’ve gotten attacked and you didn’t handle it well as well, there’s obviously some organizations that showed how they tried to hide it and didn’t handle it well, and then all of a sudden their businesses went under ’cause no one had trust in their business anymore.
So from a brand perspective, it can definitely kill you. So prevention, to me, is the far easier solution than spending lots of time and effort to find different ways you can detect it, only to then, if you did detect it might be too late, and you then have to start investing in those recovery efforts that I mentioned earlier in the conversation.
The Attack Chain Advantage
David Redekop: Right. And, it’s not like we get a lot of NIMDAs and CodeReds one-shot attacks anymore, where it’s because you had a specific vulnerability in a public-facing service that was attackable. Almost all attacks today are in an attack chain that numbers any number of steps, right? And so one of the cool things about the industry in 2026 is that you have cybersecurity companies that are actually using the display of understanding the attack chain as marketing material.
And so what we see as a result of that is that so many of the attacks have such a long attack chain. So the idea of prevention is actually now becoming favorable for us as defenders, where attacking it in just one spot is all you need. You know, the longer the attack chain, the more advantages the defender has, and you could also argue the less secure the network has been where it was successfully able to execute, so.
Philippe Johnston: And as the CIO/CTO, or, you know, individual, in order to do the detection right or to deploy, you know, the right virus protections or the malware-stopping, the executable malware-stopping tools, et cetera, this is true for life, period, not just cyber. You’re only as good as your weakest link, and your weakest link can happen everywhere, anywhere, anytime. And it’s just either a lack of attention, you know, we forgot to patch this device, or we, you know, for some reason this device got in the network, we didn’t even know it existed.
There are so many opportunities to, I would say, not be 100% deployed in all of your, you know, detection or mitigation responses, that, you know, the attackers are just looking for that one weak point, and they will exploit it once they’re in. So, you know, that scares me, and that’s why prevention, you know, would make a lot more sense to a lot of people.
David Redekop: Yeah, absolutely. I had a chance to speak to BSides this past weekend in London, and one of the topics that came up in conversation was the MITRE ATT&CK framework, which is, you know, too much print to even fit on one slide on a big screen, right? But I said, “Okay, let’s look at this like an actuary,” because that’s my background.
Let’s look at it like the beginning of a life and the end of life are the two key elements. Why don’t we focus on the beginning and the end? So, it turns out that if you focus on those two areas, a lot of the issues in the middle become non-issues. A lot of them. So I find it really interesting that no matter how we slice and dice the industry today, that there is value in shifting our paradigm a little bit to say, “How can we take on a defender’s advantage where the offender used to have the advantage?”
Joining ADAM Networks
David Redekop: So in that vein, what made you interested in ADAM Networks, specifically after such a long career as an executive?
Philippe Johnston: I think, you know, I’m going to say two words. What got my attention with ADAM Networks was, A, the simplicity, and B, the practicality of the approach. I’ve seen many complex cybersecurity deployments over the years that cost a lot of money. They taxed our operations teams immensely, networking, server, whatever.
And then the amount of time it takes to keep it up to date, to make sure it’s doing what it should be doing in the first place, you know, having to hire more people to manage cybersecurity, you know, that’s not where I think organizations wanna go, even though cybersecurity is very important.
Businesses and organizations view that as a cost. And there’s not much value or return on that type of a model. So from a simplicity perspective, you know, ADAM Networks focuses on prevention, containment in a way that is at the network level that stops the major attacks, and the major attacks that I’ve seen over my years, is always the same way.
Somebody outside your organization needs to establish a connection somehow, some way to spread the attack or access your systems or your data. And the simplicity of it is that back in 2001 when I was, you know, in IT at that time as well, when we sorta were starting to try to figure out how to defend ourselves, the idea of whitelists, and I remember that even at DND, we were trying to figure out like how to keep our whitelists up to date.
And it became impossible, like, very, very quickly. We just had no way of doing this at scale and in real time. So the simplicity of what ADAM Networks has put in place at the DNS level to use machine language or AI, or however you wanna say it, to do this at speed and prevent the attackers from establishing those communication paths, I thought was just very simple and easy, and exactly what I was gonna, you know, be looking for.
And then second of all, the practicality of the approach. Practicality meaning, the fact that ADAM Networks has set up policies that are, you know, general enough to support most organizations, meaning the deployment is easy from the perspective of a, you know, deploying whichever policies that we work with our customers on in terms of then adjusting, doing a break-in period and adjusting.
And then the fact that these are updated by the system, not by users and operators, and very rarely do networking or firewall people need to go in and redo all their whitelist or whitelists for certain users, etc. So that practicality of the deployment from an operations perspective, you know, just definitely as a past CIO/CTO, that would be, like, a winner for me in terms of a deployment approach that would make sense to me.
David Redekop: Yeah, it’s not that DNS filtering is new, right? It’s the approach that we take to tie it to a network firewall, where the two are one and the same that’s our differentiator. And this is not a vendor presentation here or anything like that, but I really enjoyed meeting you the first time and seeing your enthusiasm.
You know how it is if you ever develop something, that’s your baby, and then you find someone else that lights up with the same kinda smile as you feel. You’re like, “Okay, this person gets it.” So, you’ve seen many tools over your career. What specifically really stood out about our approach?
Philippe Johnston: Well, look, I said simplicity and practicality. I also felt that an agentless, although I know we do have a product that can go on end-user devices. Just like as I was saying before, whenever an organization came to see me, a cybersecurity organization that is, to say, “Hey, I’ve got this great product.
Oh, and by the way, I have to deploy it on every single workstation and server.” And I go, “Oh my God. How do I manage that? How do I stop, you know, a rogue workstation from plugging into my network, and then that’s my weakest spot?” So the agentless piece I was interested in. I really also, you know, just to talk a little bit more, I love the way, you know, the architecture of the solution with sort of the brain, you know, and the muscle aspect allowing you to, you know, even if you’re offline or your brain is offline, your muscle can still do the work and protect you from potential attacks happening.
And I’ve seen those attacks happen where something’s offline, so you just allow everything through, and then all of a sudden you’re getting attacked. So, I guess I’ll reiterate the simplicity and the operational effectiveness of the solution. There’s also flexibility as well, I mean, in terms of the architecture, in adapting to whatever the network architecture is for an organization.
I think the flexibility is key in order to accommodate any organization or private sector organization.
Looking Forward: The Future of Cybersecurity
David Redekop: Right. Right. You know, I’m pretty sure your experience in security is going to mirror this, where sometimes it seems like the best we can do is make decisions by driving and looking very carefully through the rear view mirror.
Because we have to look at all of the damage that’s been done, that’s been left behind, and then say, “Okay, in order to prevent that kind of damage in the future, I should take a right turn here. I should take a left turn there,” right? So, if you could turn around and look forward, Phil, where would you say cybersecurity is headed in the next five years, not looking back, but looking forward?
Philippe Johnston: This might not even be looking forward, ’cause I remember, like, two years ago, the ability for attackers to develop sophisticated attacks with AI-driven programs or what have you is incredible. The amount of information now that even not even sophisticated attackers have at their fingertips in order to create potential attack vectors is absolutely incredible.
And that’s, you know, just driving the need for, you know, if you wanna look at, you know, AI-assisted defenses. But I was in that game when I was in the military, and it was called the electronic warfare game. In electronic warfare, one person creates a way to use electronic warfare to bypass your missile defense system.
The missile defense system then creates a countermeasure, and this keeps happening over and over. And so the game essentially is just figuring out what your attackers are doing on EW. And I see this with AI as well. This is exactly the game you get into.
I think that costs a lot of money. It’s so much time and effort to try to keep up, and most organizations don’t have the money even to keep up with that game. So the shift should be towards prevention. It should be towards containment. And what are those technologies so they’re doing that for you?
And, of course, Zero Trust has been around for a few years. Zero Trust models also, are critical moving forward. And what you’re doing with those three things: prevention, containment, Zero Trust models, is you’re reducing the attack surfaces before and preventing incidents from occurring. So that’s the future I see where you wanna spend your dollars and your time, and your effort as a CISO or a CIO.
That’s where, you know, if I was still there looking for those tools, technologies that are gonna take me in this direction.
Reducing the Load on the SOC
David Redekop: Right on. I couldn’t agree more that our focus shouldn’t be only on the detection and response side, but rather saying, “Let’s keep an eye on detecting and responding, but if we can prevent it so that the detection and response teams.”
Can you just imagine if the SOC team can be reduced in terms of load? That would be really, really nice, because a lot of them are dealing with automation of false alerts, you know, applying AI, and then they run the risk of, you know, an actual alert being pushed down to the bottom of the list or being marked as a non-issue when it really should have been.
So it will allow us to surface more signal out of even less noise by taking that preventative approach.
Philippe Johnston: Let me add to that, David, that, you know, you bring up a point that I’d forgotten, to be honest with you. When I was reporting dashboards for cybersecurity to boards or to whatever, one of the things we reported was false positives and false negatives.
And there were a lot of false negatives, and every one of those had to be investigated by my team. That was a waste. That was like, hey, like, we had to do it because that’s how we had organized ourselves and set ourselves up. So you really bring a point of high value. If you can reduce those false negatives, the false positives is the ones you want to get rid of and not take a look at those.
David Redekop: Right. Absolutely. Well, you want to reduce both. The risk profile varies when you have false positives that don’t get managed; then you end up creating user frustration, and if you have false negatives, then you create an unknown risk that might blow up, and your blast radius is unknown, how large it’s going to be.
And so paying attention to them and continuously automating that process is really part of the key. Yeah. So if you were advising someone in a CIO role today, what would you say they should focus on immediately?
Philippe Johnston: So my thought is whatever you can do to reduce the ability for attacks to spread across your organization, you should be investing in that.
So that’s either through prevention, as well, network segmentation, of course. That can definitely stop the spread, and the ability to contain quick and easy if it does happen, those are things I would, you know, definitely focus on. In terms of enhancing your operational resilience from your cyber team, your network, your infrastructure teams, those are the things I think that, you know, I would be focusing on as a CIO today.
David Redekop: Yeah. Someone, that’s an architect with a Fortune 50 company I had chatted with recently said, “If you could somehow segment without the complexities of segmentation, if you could somehow do NAC without the complexities of NAC, you know, you would basically stop every threat at the source,” right?
Or very much limit its east-west movement capability, very much limit any device being able to do that’s not already authorized. And so many red teams even, and those are ones that are trained in looking for ways that are weaknesses in environments, look for exactly east-west and lack of NAC as their, you know, attack of last resort.
And we had an excellent pen tester presentation that almost sounded like he was on a Jack Rhysider podcast of Darknet Diaries, telling us some of the stories of how he was successfully breaking into networks that hired him to check their defenses. And, the good news is that all of this is possible with a lot less of the cost and complexities that we used to have.
Cyber Risks and Business Enablement
David Redekop: You made a good comment earlier, Phil, about cyber becoming a business crisis and not just a technology problem. Dive a little bit deeper into that. What did you mean by that?
Philippe Johnston: Well, definitely, I mean, I’m not sure what else I can say, Dave. I thought I did a pretty good job.
But the point is businesses exist not for cyber, right? They don’t exist for cyber. Businesses exist for whatever reason they do, you know, servicing their customers, if it’s the government of Canada, servicing Canadians, you know, whatever. They need to continue to feel like they can run their business securely, safely, efficiently, and cyber obviously is a key part of ensuring that is.
And maybe I’ll just dive down into a little bit more of an answer on that as well. With the advent of AI, now I had to develop an AI strategy where I was before. In fact, the two last organizations I was there, I had to develop an innovation strategy. And in order to enable the full power of AI, you need to give the employees access to it, and more access than just an email server to log in to do their email.
They probably wanna have access to data so they can do their own queries. In other words, the advent of AI and also, low-code, no-code has meant that more people within your business can be more efficient at delivering IMIT to, like, services or programs or whatever. And I’m just thinking why cybersecurity is so important, and the prevention, the containment, the isolation.
Imagine if you could give more people in your organization admin rights to be able to empower them to do more of the work instead of, you know, going through me as an ex-CIO, and me having a list of the 20 projects I can’t get to and prioritize. So I think businesses these days are probably looking for something better from a cybersecurity perspective to empower their employees.
So I’ve gotten into a little bit of a detail of one area where I think, you know, the future is going, and definitely those businesses that can allow their employees to leverage AI to do more, be more productive, deliver their services without the, I don’t know, the full support of, I mean, there’s still support from the CIO and the IT people. But you have more people in your organization that might need admin rights, that might need the ability to do things other than just your developers.
So, from a cybersecurity perspective, how do you deal with that? How do you limit the risk now that you have way more people who could do way more damage if their accounts were compromised? Anyhow, I just thought of that one to give you an extra level of detail. Especially for modern organizations that wanna thrive and be successful, they’re probably having to think about this.
David Redekop: Yeah, and what I also thought that you were referring to, at least what I identified with it being a business problem, is that a stakeholder of a small-medium business, say, or even enterprise, they have some key objectives, and those are really prioritized in driving up top line, right?
Driving down costs. So they’re gonna look at any cyber product. Does it help me drive top line? Well, if it’s an AI enablement, then it might, right? Will it drive down cost? Well, think about it. If you take a broad approach of doing cybersecurity in a broad-brush way that isn’t complex, that is actually practical, you can drive down cost.
So you’ve got two of the top two requirements right away of a stakeholder in a business. But if it’s not being presented that way, if it’s not being offered or being understood that way, then it’s gonna look like the opposite. You have another cyber product. No, that’s gonna cost me money instead of it helping me generate new top line, right?
And so part of that business problem is in that cyber has become complex enough of a mystery that unless it is being understood by stakeholders, they’re not gonna purchase, because a confused mind doesn’t buy. So we have to make sure that we solve that part of the business problem as well in the community.
But in that vein …
Philippe Johnston: And I wanna add one more business problem. You know, how much does it cost you if your IP is stolen? If your IP is stolen, and then all of a sudden somebody else beats you to market. You know, what is that problem? So, the only reason I say that is in Canada we have so many wonderful, innovative small businesses, and are they doing what they should be doing to protect their IP with a simple, easy way that’s also solving a business problem from an efficiency perspective and an opportunity perspective?
You know, a challenge for me wanting to see more of our country be successful around the world. I challenge those businesses to think about that, to think about what have they done to secure their IP, and is it staying in their organization? Have they deployed the right cybersecurity measures to ensure that it does not go abroad, and then all of a sudden somebody else beats you to the punch?
That’s a business problem as well for me, you know, not an IT problem.
Conclusion and Final Thoughts
David Redekop: Yeah, absolutely. Well, in that vein, it’s probably not surprising to the audience today that heard you say “we” that this is a very exciting week for us, an opportune time to announce that Phil is now part of the ADAM Networks team.
Welcome, Phil, as our field CIO. Good to have you.
Philippe Johnston: Thank you very much, David. I’m very excited to join ADAM Networks.
David Redekop: Okay. Now you have to tell me: what is it that you’re most excited about that you’re gonna be working on this year?
Philippe Johnston: I mean, obviously working with your team to improve the product and how it can be leveraged by organizations in an easy, more digestible way. So continuing to work on that, and I think that’s important.
I wanna, you know, as I think I mentioned it throughout as a theme, you know, I retired, but, you know, a lot of things shaped me and who I am in my career. I’m a very, very, very proud Canadian, and I can see for the business reasons even I listed, the ability to protect more of Canada’s small businesses, large businesses, enterprises in helping them deploy what I would think is an efficient cybersecurity solution that then can also allow them to be more secure but also save money, and then therefore focus the funding, the savings potentially somewhere else, like, you know, in more innovation or more product development or what have you, or sales.
So I’m pretty excited to be working with other Canadian companies through ADAM to support them with the growth of a really great cybersecurity product that could make our Canadian organizations thrive.
David Redekop: That’s awesome. Phil, you reminded me of a friend of mine telling me recently that as we were celebrating his birthday, and he was saying, “Yeah, I’m excited to enter my most,” I think the term was, “most rewarding decade of my life,” and he turned 60.
And I said, “Is that so? So 60 to 69 is the most rewarding decade?” I said, “What’s the second most?” He says, “You’re in that one.” So apparently, being in our 50s is the second most meaningful, rewarding decade, and the third one is being in the 70s. And so I find that interesting that the challenges and difficulties in life, you had some, I had some, we’ve all had some, actually is what shapes us being able to extract meaning, and then applying that meaning towards a way where others can benefit from it.
And I think that’s why protecting people, and organizations are made up of people, is so meaningful in my life anyway. I hope you feel the same, Phil.
Philippe Johnston: Definitely. And I have decided to help on boards, you know, organizations that, I think, are charitable organizations that help others.
And so yeah, I have to agree. I’m at a good point where I’m meeting great people, having great conversations, feeling like some of the experience I’ve gained and those hard lessons, like you mentioned, those hard lessons you had in life. You know, you can provide those to others and hopefully helping those organizations and people as well, with respect to, you know, their growth and their adjustment to situations.
David Redekop: Right. So folks, if you hear from me or Phil, and we just want you to not have to go through a ransomware incident recovery, you’ll know that it comes from a special place that we really do wanna protect people that we love. All right. Thanks for being with me today, Phil. We’ll see you in person real soon.
David Redekop: Take care.
Philippe Johnston: Thank you, David.
David Redekop: Bye-bye. Bye-bye.
Outro
Announcer: The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real-world solutions that are making a difference for everyone.
In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.
The post TDL 024 | From Crisis to Prevention: Rethinking Cybersecurity Leadership | Philippe Johnston appeared first on The ADAM Blog – ADAMnetworks.
*** This is a Security Bloggers Network syndicated blog from The ADAM Blog - ADAMnetworks authored by Carly_Engelbrecht. Read the original post at: https://support.adamnet.works/t/tdl-024-from-crisis-to-prevention-rethinking-cybersecurity-leadership-philippe-johnston/1598

