In this next episode, I was joined by Jim McConnell. You’ll recognize his name if you follow topics on LinkedIn, such as supply chain security, infosec, physical security, and many more. Jim brings tremendous experience to us from his 30+ years of leading and supporting broad security initiatives in the telecom space. He also contributes to the Technical Committee and Working Group of the Board of Executive Protection Professionals, developing the first-ever ANSI EP standard. (Thank you for your support, Jim!)
What I love about Jim is his commitment to learning and educating the communities around him, of course online but also in his community, where he helps faith-based organizations, military and law enforcement transitioning to private security, and so much more.
I hope you enjoy this conversation where we touch on every topic, from why you need a resume bucket list to what skills make a security director successful, how security interviewing skills can help you in your career, and so much more!
Highlights from This Episode
- Career Progression in Security: Jim’s journey from a technology intern to a security director and founding his own company showcases the diverse paths one can take in the security field.
- Importance of Mentoring and Networking: Emphasizing the value of mentors and networking in the industry, Jim highlights how relationships have played a pivotal role in his career.
- Adapting Security Solutions for Scale: Discussing the challenge of adapting large-scale security solutions to smaller settings, like a church, and the importance of being versatile.
- Writing and Sharing Knowledge: Jim’s commitment to writing books on security topics, sharing his expertise and contributing to the industry’s knowledge base.
- Pro Bono Work and Community Service: His dedication to providing pro bono security work for faith-based communities demonstrates the value of giving back.
- Continuous Learning and Education: The emphasis on constantly updating one’s knowledge and skills in the ever-evolving security field, including obtaining certifications and attending courses.
- The Importance of Definitions in Security: Jim stresses the significance of understanding and aligning with the definitions of key terms in the security industry to ensure effective communication and alignment within an organization.
- Metrics and Measurement in Security: The need for robust metrics and analytics in security to assess effectiveness and make data-driven decisions.
- The Concept of Honoring and Gratitude: Jim’s focus on the importance of honoring and expressing gratitude towards those who have contributed to one’s career and personal growth.
Videos and Training Related
- Clifford Stoll: The call to learn | TED Talk
- The Reid Technique of Interviewing
- The WZ Method for interviewing
- “The Butterfly Effect” by Andy Andrews
- “Honor’s Reward” by John Bevere
- “The Tribute” by Dennis Rainey
- “Fire in the Valley: The Making of The Personal Computer” by Paul Freiberger
- “IT Ethics” by Stephen Northcutt
- “The Computer Industry Almanac” by Egil Juliussen
- “Kiss, Bow, Or Shake Hands: The Bestselling Guide to Doing Business in More Than 60 Countries” by Terri Morrison
Use CONTROL + F to search the transcript below if you want to learn more!
Transcript from this episode
*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.
Travis 0:00 Jim McConnell, I am filled with gratitude that you're able to join me to talk today. I've seen that you work on a ton of really cool projects. Of course, you've had a long career working in many different roles and leading, but then also you do mass mcconnell.com. You do training for people in your community. I've heard you talk about doing CPTED training courses, about go bag courses. So I know you have a lot of really cool experience plus contributing to many industry organizations. So Jim, I am super grateful that you're able to join me today.
Jim 2:17 Hey, Travis, honored, honored, honored we've I'll call it work together in our industry and the way of networking should work for many years, probably can't figure out where that started. But obviously the power of LinkedIn and professional conferences, etc. so honored to be here and honored to serve you, you and your audience and help some others. Absolutely.
Travis 2:39 And we're continuing that here. So to kick things off, I wanted to ask you if you could share a little bit about the projects you're working on today. And then what? And then a little bit about your security career path as well. So So tell us about some of the projects you're doing today. Sure. So
Jim 2:59 earlier in our mid year of this year, I left V and started my own company asked McConnell, LLC for the lawyers in the world, and converged security. So that's obviously the part of revenue generating but love the projects that I'm working on. Outside of that. I have for over 30 years now been doing pro bono work for the faith based community around America support about 300 or so churches, get to do an Ask Me Anything, office hours type of call once a month with that community. So it's great because it takes it really challenges me when I've worked in a very large scale environment, where solutions are modeled after that large scale. And how do I adapt those solutions into a smaller scale? Like, say, a cowboy church in West Texas.
And so it's, it's a great opportunity to be able to humble myself and challenge myself and both of those extremes, wrote my first book on converged security metrics, and working on my second book now, which is going to be on converged supply chain security. So that is probably a third of the way through my first draft. So I'm excited about getting that draft out to my editor this month.
Travis 4:37 Congratulations. That's really cool. Ya know,
Jim 4:39 I'm passionate about passionate about it. Anybody that hasn't written a book, go read a book, mentoring, the mentoring the law enforcement, military transition folks around our great nation and have a class around that that I do around them wanting to get into corporate security that is so so humbling to do that for those heroes. And then finally, do a local, local as of right now, a family go bag class. So I'm a first responder on the side. And I've taken kind of my corporate security experience and my first responder experience over the last five years of being a first responder, and I take a go bag model. And I kind of grow that into about an hour long class that I've done to rotary clubs and, and citizens academies and really anybody that kind of wants it in the in the DFW area. So that's been a blast, too. Again, just everything I could do to give back. I've been blessed with so much wisdom and knowledge from so many others. I can't not give back. Yeah.
Travis 5:54 And I think stuff like that is so important. I was listening to an interview just the other day with a gentleman named Tim Kennedy. So he's a, I believe Army Special Forces guy he has like several, he started several businesses around, essentially giving people giving people emergency preparedness and tactical skills if they ever encounter difficult situations. And he was talking about how today he sees so much uncertainty in the world, you have wars, you have political drama, you have economic challenges.
And he was really just said he was talking about how important it is that we educate our fellow everyday citizens so that they're able to overcome, you know, some of these challenges that challenges that they're going to see day to day, whether it's the pandemic, which so many people did not expect, or whether it's other things that happen, whether that could be weather, it could be any number of scenarios. So I do think that role teaching the average citizen who really doesn't have a security background, and maybe not maybe might not think about emergency preparedness, getting them on board so that they could at least have like a minimum level of preparedness. If they ever encounter one of these challenges. I think that's awesome. What you're doing.
Jim 7:09 Yeah, when you go to a class, and you see the 10 year old kid all the way up to a senior citizen and everything in between. It's yeah, I couldn't ask for a better audience. And it's gives them all the tools some, some will take it to the extreme. Typically the outdoors Dad, Dad guy, but other ones where the kid was a little kid says, Hey, can I get mommy daddy? Can I get a backpack? But and they want it pink? I tell Mom and Dad, I don't care. Their emergency bag can be pink if they're involved.
Travis 7:44 Yeah, better to have the pink bag than no bag at all. Absolutely. And, Jim, I was curious, what got you down the path to working in security was Was there any particular I don't know, situation or person that might have inspired you to get started down that path when you were younger?
Jim 8:04 Absolutely. It's a it's a amazing story. It I won't use the person's full name just because I haven't got approval from him. But basically back, I started in what we would call the technology industry. In 1982, working for a store called the software store. Funny story there. We used to get calls about clothing thinking that it was soft, w e AR, so a lot of redirects on those phone calls.
But it was back when we had a lot of kind of boutique software and hardware, retail stores, mom and pop shops. And a couple of years into that we all hit the the famous 1984 with WarGames movie came out. And the company that my dad worked for, at the time was called ZTE. What we would know is V today, had an employee television show, little 30 minute show, every payday of all things called focus. And in there, they called up my dad and said, Hey, can we know your son's in technology and we've got this investigator fraud investigator, telecommunications fraud investigator over here, and we're going to kind of do the yin and yang. And so you had you had him his name was I'll call his name was Tom. And he had Tom over on that side. And I was kind of the kind of typical teenager kind of concept. And they interviewed he and I for a period of time, obviously edited down. And honestly, it was I remember getting off that call and I just said, Dad, I want to be I want to do what Tom does. I want to be like Tom And so that that didn't happen overnight. So over the next probably, let's see up until probably 92. just stuck in the IT world and odd jobs, I was an industrial cleaner for a Kmart, I did technology work. My dad had the first Mac Macintosh in the state of Florida in 1984. And so became a an Apple repair technician. So lots and just try to experience as much as much as I could around the technology world. And then and started doing what we would call today is identity and access management, and kind of the cyber world. And around 1992 ish, I think it was, and eventually they came over and knocked on my door and said, Hey, Jim, this that was a temp, we have literally a week by week, temp. And 1994, they walked across the hallway and said, Jimmy, I heard you want to get into security, did that ask me twice, and signed up, got my first security job there. In the what we call the corporate world, I actually did a security guard role at a church and start in 92.
It's a different story. But so that was September of 94. And as typical, you get rewards, and they immediately announced a reorg. And oh my goodness, you know, I'm the lowest man on the totem pole. And January 1995, they came knocking on the door saying we're going to introduce you to your new boss and reorg, etc. And so yeah, this is the backhoe this is about 11 years later. And the person that took over as my boss was the guy Tom from the video. I was set I was I was I was hooked. And and, you know, he he and everything that I did back then was in what we would call in the industry as a converged security model. There was no separation of physical and cyber and personnel, you know, kind of governance wise and organization. So, I've lived at a converged security model for 30 years. So I guess I don't know much difference.
Travis 12:32 Yeah. And that makes me think so you started with doing identity and access management in 1992. And you're still heavily involved in the technology side until recently. So I guess one question I have is, like, what are what are some of your practices, routines philosophy around continuing education? Because there's, because there had to be an incredible amount of technology change between then and now. So could you share a little bit about, I guess, just your general approach to professional development?
Jim 13:09 Yeah. So I tell this story to every mentor is, first thing we want you to do is build what I've termed as a resume bucket list. Look at your resume, where do you want it to be in two years, I just pick two years of random two years and build you a bit resume bucket list, do you want to improve in physical security, you want to improve in a specific area of executive protection and you want to get better at cybersecurity, whatever that is, build that bucket list. And here's the key.
When you're, if you if you know following good practices in your personal life, when you're working on that budget in January for the new year, put a line item for continuing education. And so you're going to ask it of your of your employer. That's that's not a bad thing. And you may have tuition reimbursement, a lot of things that are out there, obviously, there's a lot of classes that are free. But put a budget line item into your budget for continuing education. I'm a huge fan of certifications and licensing. As one of my mentors said years ago, the reason I like them is not just because letters after the name pretty resume, but it forces me to be continuing education. So I do about 100 hours of continuing education that I record with my certification bodies over the last 25 plus years, so about 100 hours a year that I really tried to do. And a lot of that is good free. But I'd make it a purpose at the beginning of the year. What of what's my resume bucket list? Yeah,
Travis 14:51 I love that approach. I think I may do something a little similar. Don't necessarily call it a bucket list. But yeah, it's sitting down and reflecting and thinking, okay, which areas? Do I know I'm weak in, that I need to start developing, at least like a foundation level of expertise? And yeah, it's typically, typically I have that conversation probably every six months and be like, Alright, what's the status on this? Where am I? And what else do I need to do? For example, I'm starting a CISSP study group at the end of the year. And, and I saw your your comments on your comments and your recommendations as far as studying goes. So doing small projects like that, where I could hopefully engage others, and then also get some of their advice. So that's also led to a couple of good conversations where people recommended, hey, if you're going to do CISSP, you should probably just do Security+, first build that into what you're doing.
So you could have, you know, the most comprehensive or the most fount you could understand all of the foundational topics. So yeah, in my own small way, I'm trying to follow your bucket list, Jim. Yeah,
Jim 16:04 well, I was honored to be able to help build, create what you know, as Security+, so even the opportunity to build for the next generation of programmers like that, is was was just an honor for me to be able to do that. And then, of course, the CISSP took very early on in my career. I didn't have my concept of a resume bucket list at the beginning. And that's, I still honestly transparently struggle with that. But I said, You know what, I'm not going to make that mistake and educating others to not make the same mistakes that I did. And the resume bucket list concept. In fact, last week, you mentioned for the show CPTED, I've done lots of physical security assessments around the world. But I didn't have the concepts around the structure of CPTED and so my my wonderful adjunct employer, Texas A&M TEEX had a CPTED class and went through that last week as a student. And it was awesome. I understand the similarities to what I've done. But I also understand the structure. So always learning.
Travis 17:18 Yeah, and CPTED is one of those topics, I feel like we see it mentioned in a lot of security books, but only for the first time I took a CPTED course just a year or so ago. And I was blown away by how much how many useful ideas are included in CPTED curriculums that I could have been applying really my entire career like in all day to day design type thinking situation. So that's one. That's one area that I'm really interested in. Absolutely. And you talk about being contributing as a instructor for Texas A&M. Could you tell me a little bit more about the projects that you're dealing with them?
Jim 18:00 Yeah, I've been a student of them for many years as a first responder and took many of their classes.
They've got some great classes across a wide range, not just not just security. And so I reached out to them about two months ago, and said, looking for an instructor. And they were so applied and see it was last last Monday. It was my first day as an adjunct instructor and so going to be getting on the road and giving back to during classes and stuff like that going forward. So pretty excited to learn more about their world from the other side. But just being a student and one of their classes last week, I was actually double listening, listening not only as learning CPTED, but watching the great instructors and kind of their style and you know, how do you how do you become a better instructor, you know, watch better instructors. So it was just a blessing them an opportunity last week and so yeah, going forward, trying to figure out where I can help them out and expand their world.
Travis 19:10 Awesome. Yeah, there's definitely an art to instructing, facilitating. So yeah, I think the same thing when I attend some of these courses. Sometimes you're just blown away with the way that the instructor is able to control the room to get people engaged and to make the material stick because we've all been through, you know, some less interesting PowerPoints maybe it's like our annual employee training or or any of those. So, yeah, I could really admire a great instructor. Yeah,
Jim 19:41 my CISSP bootcamp was over 900 slides. So yeah, I had lots more caffeine when I took that back two years ago, so they've improved it since it Oh,
Travis 19:52 I totally agree. And also they have some really cool curriculums. I haven't done any courses with them but I've browsed the curriculum and some of the topics and subtopics that they teach on. That's one program that seems like it's probably one of the leaders in the US. So I encourage people to check them out. Absolutely.
And next, Jim, could you tell us a little bit about your career progression, starting as an engineer, and then going all the way up to being director, what were some challenges that you might have faced along the way that other young people might see as they progress in their careers, especially if they're in the corporate side? Sure.
Jim 20:34 started really as a, as a talked about a contractor with them, you know, contracting, interning, those volunteering, those are great way to get experience where you can and so encourage folks to do that. And, and so yeah, I started out as that IAM analyst, I think, was the official title, worked my way through into director and then left, left the company in June of this year as a fellow. So that culminated a an amazing 28 plus years with them. But, you know, I think that what what if I, you know, the old look back, if you could write a letter to yourself kind of concept. I, you know, it was what one was kind of, I think the most important of all of it was what I call based on Andy Andrews' book called The Butterfly Effect was really around your understanding who can help me and honoring, honoring those folks in so call them mentors call them, even folks that I didn't like, can I learn from them? And so I had to understand who can I learn from? Who can I learn from whether they're, whether whatever side they are, are good or bad at, and then learn to honor them. It just it's so so amazing to go back and look at all the people that I have had past cross, countless stories. And my fifth book that I'm planning will be all about honoring those folks. I was a Travis I was a rule follower. Not that I was perfect. But I was I learned early on. Maybe it was my dad, generational culture or whatever. That was a rule follower. I wanted to read all the policies, and I wanted to follow him on and, you know, learned a lot about what the term policy really is and what its realities are.
But I struggled when I didn't see people following the rules. And I struggled when I was, you know, messed up. And so that was an ongoing, both challenge but also learning experience. When I talk about security, governance, and I talk about, you know, where does this term called policies come into play, and people are generally pretty surprised. Because you know, every organization may define the definition and scope of this term called policy. But for me, I had to follow the rules I was I was almost to the stressed and fearful of it. But other than that, I security wise, I was a converged guy didn't hear the term until later on. But when I heard it, and somebody explained it to me, I went, What's that's not new. So I was talking to somebody the other day, one of my mentees, and I said, you know, think broadly think about definitions, think about the audience's view of definitions of words. So if you and I were to talk about what's the difference between safety and security, or the feeling of safe, or the word, policy versus guideline, all of those words are really, really important, but they're important for the audience you're in front of. And so I really spent, in fact, when I wrote my first book, spent a lot of time on defining what my perspective was on the definitions, that doesn't mean that you don't walk into a room and say, calm, these people's definitions of x is very different than mine. Let me adapt, I can be educated also. So that was huge to understand. I really thought broad it doesn't mean and I talked to my mentees about this a lot. It doesn't mean that you if you want to go specialize in a particular area security and be the best of the best in that area. Awesome. And I know a lot of people that are that way in particular areas. For me. My success was partly because I was able to go broad And that was just a trust and a blessing from my leadership. But when I did that, I got to sit at a lot more different types of tables. 
As we say, it's tough to get a seat at the table than I've ever thought I would. Interviewing. Every security person should go to an interviewing class. And I'm not talking about an HR interviewing class, I'm talking about a John Reid, WZ, Don Raber. And one of the interviewing classes. I can't if there was a core skill set, that man I used across the last 30 years and still to this day, was around interviewing. So there was a core skill set on what I'll call the technical side, not the leadership management side. But on the technical side, please go to an interviewing class, where you get faced with having to do that.
Travis 25:53 And Jim could ask you a question there. Yeah, I know exactly what you're talking about. Like I went to WZ, I think it was their two or three day course a few years ago. And actually, at the time that I took the course, I really wasn't, it didn't apply a ton in the work that I was doing day to day. But then as I progressed, like a couple years later, I was saying, oh, you know what some of these ideas from the interviewing course, I could see them playing out in day to day interactions, no matter what I'm doing. So for you, when it comes to those interviewing skills, how, how do you see them applying in some of the corporate roles that you've been in?
Jim 26:38 Yeah, I mean, obviously, you start to look at somebody, and don't trust people more. But I think, to me is, it's listening. It's listening better. I don't tend to talk too much. But it starts to understand compassion, about what they're going through, personally and professionally. When I'm doing auditing, I'm not going through this script of things.
I'm not going through kind of questionnaire, I want to have a conversation because we as I think human nature, and I'm not a psychologist, I think it was just human nature, just to have a conversation with folks and I countless times where I've made the mistake of going in with the scripted interview on an actual investigation, versus where I got better at and just had a conversation, semi an audit, one of my first auditing, my first major security assessment was in Caracas, Venezuela, and I had my stupid checklist and my questionnaire. Boy, if I go out there today, I walk in with a blank legal pad. It's awesome. Because I'm gonna have a conversation with folks. So really helps in those areas of listening, how to ask questions, well, open ended versus closed in, you know, where I can where I'm going to adjust for an investigation versus an audit, versus just trying to sell what I do, when you get a seat at the table, is I tell people, if you're in a corporate security role, or want to be in there, think like a vendor, you got to sell your stuff. And so interviewing skills and things like that really, really help in those areas to get a seat at that table, and that seat at that table could be one on one, or a room of Board of Directors. Yeah,
Travis 28:25 I love that idea. Because, yes, so much of what we do is all around communication, for example, working as a security consultant, I'm interviewing stakeholders all the time. And if you take the wrong approach, if you craft your direction, if you craft your questions in a sloppy way, or even just your body language, and the way that you communicate, can have all the difference in whether stakeholders want to be open and honest and helpful and contribute to the assessment or whether they think that you're an auditor who's going to give them bad marks. So they want to tell you, you know, the least amount of information possible. Yeah, those communication skills.
And then from there to when it comes to designing reports and presentations and the way that we present information. Those are incredibly crucial. And yeah, I couldn't advocate more for some of those interviewing courses you mentioned, like that, or even. There's a gentleman Chris, I think Chris Voss, he wrote a book called Never Split the Difference about negotiation. He's a former FBI hostage negotiator, really interesting book. It's books like that, that give you a different way to think about the way that we communicate the way that we use words. So yeah, I couldn't agree more about that.
Jim 29:46 Yeah. You know, as I, as I say, over and over my key word is, you know, all in every language means all which came from my pastor. And so I talked about that all the time, no pun intended. And so yeah, we're If you're a security person, you're out, you're you're all in on security. And so, you know, it's, it's if you want to get into security and want to, you know, grow in this path, I go back to when I played little league baseball, my coaches used to tell me all the time, you want to get better at Little League Baseball, as soon as you leave the field, you go home and watch a little league baseball, you read books on Little League Baseball, you do you got through the little of baseball, it is so you know, it's that always learning, you know, if I'm walking to, if I'm walking, my wife and I are at a go into the mall or something like that, you know, as a as a executive protection agent, guess what I'm learning. I'm learning Hey, what would I do differently here? How can I you know, I'm going to I'm going to open the door, I'm going to see how she responds she's, and so go to that mall, what do they have? And I'm not necessarily assessing. I'm saying, how would I react? If the ball is saying baseball? You're number one rule number one thought and baseball? Is it the ball was thrown hit to you or thrown to you? What do you do with the baseball?
And so same thing in security? If it's three o'clock in the morning, and you get a call about a cyber incident? What would you do?
Travis 31:15 Yeah, and that's the perfect way to approach so many of our security roles. Yeah, it's anticipating what might happen. And do we have a plan for handling this new scenario? If that happens? Yeah, that's a good philosophy. And, Jim, I was also curious to ask you. So can you share a bit about a bit generally about the role of a security director working in a corporate setting? Like generally, what types of projects would you work on? Yeah, just give us an overview of the types of projects that a security director is focused on?
Jim 31:53 Sure. I think that obviously, you want to understand your scope, and your roles and responsibilities, your scope, so you don't, you know, divert off of that inappropriately. And so what your authority is, and those are very important words, and get those things in writing, getting people to agree with, but you know, to me, I think the challenge and a security drill, when you get to the director level, is balancing both the business need and your passion for individual contributor stuff, you know, doing projects yourself, versus leading an organization, both in people strategy, technology, other areas, and I, again, transparent, it was a struggle on a number of occasions for me is, you know, how do I balance managing the operations as my primary with, honestly, the fun stuff of the individual contributor, you go off and find something? And so so that distraction? Is there?
The need for reporting, and I say the word reporting in a broad sense, you know, especially in this day, and age, reporting can be a text message to your boss, if you are doing and I'd say this very loudly in 2023, if you're doing reporting, PowerPoints, whatever the form is, if it doesn't fit on the size of your boss's cell phone, you know, pound sign failure, everything is kind of got to fit on that cell phone, because the higher the my peers as a director, and the higher ups we're getting so much we're you know, forget about the COVID. And, you know, working from home, our world is on that cell phone. And so it was adapting to the audience very, very regularly for what I was doing. Obviously, measuring what you do, I'm a little bit biased, because I have a book on converged security metrics, but how do you measure what you do? I love the program the there's an acronym called SIPOC, S-I-P-O-C, your audience should look it up. It's probably one of the best simple models of saying, what a Why is a director. If somebody says, What do you do? I tell them, let me go put it up on a whiteboard. SIPOC and it's a real simple process to go through. And if you can't do that as a director, and defining what your SIPOC is for your services, you know, you better do some soul searching and when I say services centric, as a director, you really start to go from the people that do it to becoming effectively the salesman or the vendor, or supplier, whatever word you want, because you're your department because If you're a vendor to the business, you're a supplier to events. Now, people don't like to do that say that, but it's kind of fact. And so learn how to be a vendor without calling yourself that but you know, connect with the business. How do you get a seat at the table? It's coffees, it's pizzas, it's ice creams. It's getting out in the field, I love love, I drove me crazy during COVID Not to be able to get out in the field.
Because when I get out in the field, I want to connect with people. And connecting with people doesn't necessarily mean within the four walls of a cubicle. So, man, and you know, managing and honoring your people, what they need, both personally and professionally. Making sure your scope of what you do and your roles and responsibilities, and how you're doing reporting, is rock solid. And all of your audiences have input into that and you adapt to that. And then balancing your desire for individual contributor type of activities with managing your core function.
Travis 36:05 I see. Yeah, this reminds me, I had a conversation a while ago with a security director with a technology company out in Austin. And I remember after talking with him and learning about his career and the work that he was doing, one of the things that really stuck out to me, he talked about how, going from being lower in the hierarchy and the organization, he was highly focused on developing super technical skills. And then he found as he moved up in leadership, it got progressively more important to focus on his soft skills and leading, communicating and those areas. So did you find it similar? Where later as you progressed, really, there was more of a focus or emphasis on people?
Jim 36:56 Yeah, well, I would say, people in a broad term, so people is my audience, is my executives, people that reported to me, people that were vendors that supported me. So it's people in a lot of ways, and so yes. Did I get, I don't know that I got less technical, I got less specific. So early on in my career, obviously, I did some firewall stuff, etc. Could I do that today? Yeah, I probably struggle with a little bit. But you know, I'm still riding the bicycle, kinda. But yeah, I think it's around relationships, the network and relationships.
And so people, kind of, it's not just people, but it's that relationships with all, and we use the term stakeholders. What I would say is expand your definition of stakeholders. People that you're learning from is a stakeholder, they're giving to you type thing, you want to give back. Travis, you and I are stakeholders in ourselves. We not only have a network relationship in the industry, but you have a capability, I have a capability, can we work together, not because we own two companies, we work with companies, etc. And we were doing our own thing kind of thing. But just, again, goes back to definition, take stakeholder and expand it significantly more than probably what you've read in a book. Because the more you expand that, the more you find out that, hey, you know what, the facilities guy that does keys for the building becomes a great stakeholder. The finance and budget people that work on new projects and business development, great stakeholders. And so really, I mean, the entire org chart of your company is a stakeholder. At a client, their entire org chart is a potential stakeholder. So yeah, it's about people, stakeholders, relationships, interrelated, and nurturing those, and much more importantly, to me, serve them and honor them.
Travis 39:15 I love that outlook. Yeah. It forces you to expand and think about how the work that you're doing influences so many other people, not just the people on your team, the people in other departments, the customer, the consumer, the person that's going to be the end user. I do really like that philosophy. And you talk about the importance of communication, of developing relationships with these stakeholders when it comes to being a security director. What other competencies or what other skill areas do you think are critical when it comes to being successful in a role like that?
Jim 39:55 We've talked about it for ever since we all got in this career, around, how do we make things relatable to folks? And so it's very humbling to me when I get to work with a church or a single moms group, or senior citizens group. I love doing it because it forces me to go, how do I take a technical subject, and take it down to something that is valuable to a wide variety of audiences? Because I can get somebody that has, I don't know, a PhD in cellular communication that kind of knows what security is about, but he doesn't know the broadness of security that I might be concerned in. So how do I take that individual that has unbelievable, you know, background and going, Hey, can we kind of think about X, Y, and Z. And so the skill set to know who your audience is for the next meeting and the next call, etc. I love just researching, go on LinkedIn, look at people's review profiles and researching. One, is there a nexus that I can connect with them on, a school background? I was just talking to an individual, Travis, at the lien night here in Dallas-Fort Worth with the ASIS. And a guy walked up to me, and we were talking about executive protection and the different things, found out he worked for a company that I took a class at. And so I found that nexus. So finding a nexus, finding or having a point of relationship there, but meet them where their needs are. And, you know, you don't go into the five to 15 other things you could do. They have a problem today, can I solve it today? You know, if I'm doing search and rescue, I want to solve the problem that we have with that search and rescue, I want to solve for the victim and the family, etc. But guess what, do they have other needs after we rescue them? Or, you know, find them, etc.? Sure. You know, could it be something that we can help them with, send them to another resource within the community, etc.
But you know what, I'm not gonna go over and talk to the family and say, Hey, let me tell you about, you know, better housing or whatever. You know, they want their problem solved today. And so solving their problem to build the relationship, you know, connect, you know, nexus to relationship, relationship to solving the problem, serving them as a servant. And then, you know, other things will grow through there. I mean, there are folks in my 2500 business cards that are sitting next to me. And just countless stories of both ways. We're getting calls 20 years later and still serving each other.
Travis 42:56 Those are some awesome insights. And especially when you talk about being able to take a very technical subject, and communicate that to a layperson, or maybe even they're super educated, it's just in that topic, they just happen to be less knowledgeable. And I was talking with someone a while ago, I think they were actually also a security director, except for a software company. And they were encouraging me to take a look at, there's a number of children's books that talk about machine learning, AI, and very complex topics. And he was encouraging me to look at those for ideation when it comes to just thinking of new ways to communicate complex topics to an audience that's unfamiliar. So yeah, that was something that I thought about a while ago, and it just seems to be a really interesting idea for at least ideation and getting some inspiration.
Jim 43:58 Yeah, there's a... Most of us know who Cliff Stoll is from the book called The Cuckoo's Egg. Cliff does a TED Talk. Travis, I'd encourage you to put it in the show notes. He does a TED talk about his path of, you know, not dumbing things down, but connecting with the people where they are. And he talks about it in the context of going back and teaching elementary school, and I won't give away the story.
But it's a fascinating thing for a person that has his background, to be able to connect with the folks that he's teaching at an elementary school level. Really humbled me. I've literally watched that thing multiple times, just to re-humble myself. Because Travis, you and I have talked at conferences and things like that and we get the opportunity to speak. You know, and one thing I made a mistake on early on was that everybody in the audience is the same, and I learned very quickly out of reviews and bad reviews, etc. When you walk into an audience, and I just kind of think about the person on the front row, you know, just walked out of college and they said, I want to get into security, and they're an intern. And then you got the same person on the front row has got a PhD, you know, five certifications and two patents, and you want to connect with both of them and the topic. Boy, that's a wonderful challenge to get to where, at the end of the time, both of those people come in and say, I learned something.
Travis 45:38 Yeah, that's definitely one awesome thing to aim for when you have such a broad audience. And I will definitely include a link to that TED talk in the show notes. And I'll probably check that out today during my lunch hour. And that reminds me, I wanted to ask also, Jim, are there any books that you find yourself recommending the most, whether it's educating people in the community about security and safety topics, or even some of the people or even technical security people that you would work with day to day? Popular books?
Jim 46:15 So, say, on kind of what I call the soft side, one book is by Dennis Rainey called The Tribute. The other one is by John Bevere, called Honor's Reward, that really talks about honoring people. My favorite topic. And then on the security side, I really like anything that's kind of, so there's one called the Computer Industry Almanac. I don't know if it's still published.
I've got an older version here. That one, and then let's see. Yeah, called Fire in the Valley. So I'm an industry history buff, in some ways, to really think about, you know, people gotta think that these things are different and more technical and things like that. You know, as I tell people, hey, AI machine still needs a user ID and password. Yeah, so there's some things that gotten people make it overly technical. So I love looking at the history of our industry. I have a set of the Rainbow Series books on my shelf here. And because I keep wanting to say, when I'm in an audience, is it really that difficult? Is it really that bleeding edge? I mean, there's some things, but isn't it kind of still old-fashioned confidentiality, integrity, availability, you know, the fraud triangle, these different than those things kind of still work in 2023. And so I would encourage folks to look at some of the history of what this particular area of interest in security that you have, to just kind of check yourself on the things like that. Let's see. The only other one that I would say is Stephen Northcutt wrote a book on IT ethics. So I do a kind of "why do people do bad things" class, and I reference his book. So, yo, check yourself. In the security world, I have had the sad opportunity of investigating my own employees. So I've investigated security people that were fraudsters and criminals. So you know, let's keep checking ourselves.
Travis 48:49 And that's a great topic in itself too, because just recently, but we see it in the news all the time where a CSO or CISO does something that they're not supposed to do, and then they become high-profile incidents.
So ethics in security, I think, incredibly important, not only at the top, but you very well could, if you're a younger person, you very well could find yourself in a situation where a security manager asks you to do X, but you know, maybe you get a gut feeling, maybe we're not supposed to do this, could this violate our employee handbook? Or maybe you just know, through your own conscience, that I probably shouldn't be involved in this. So yeah, I think ethics and security, you could find ethical dilemmas from the lowest level position to the highest level position. So definitely a great topic for people to dive into.
Jim 49:49 Yes, it's, you know, again, we check ourselves. Let's be, you know, take that word integrity. When you get out of bed, before your feet hit the ground, you know, Lord, help me have high integrity that
Travis 50:08 I couldn't agree more. And you mentioned a couple other books I was curious about. You mentioned one, I think, called Honor's Reward. Could you tell us a little bit about that one, or maybe something that was like a big takeaway that you could apply or that you see other security practitioners applying?
Jim 50:28 It's an emotional topic to me. You know, we see it in many different areas of our lives. So probably the most popular is Taps when a military passes away. I mean, she was the wrestling federation has an honoring model where they ring the bell, I think nine times or something like that. Honor is abused. There's false honor. But what I will say is, let me tell the story. So I was in the sound and lighting industry for a little while, when I was younger. I learned a lot from that. And I tell the story where I was struggling just mentally, how to wrap a cable. There's a certain way in that industry to wrap cables, typically called over-under, somebody will call it the figure eight, whatever. And so I was breaking down a small event.
And this, I don't know, seven-, eight-year-old kid comes over and he says, Excuse me, sir, excuse me, sir. He says, Is there anything I can help with? I says, I don't know. He just says, Can I wrap that cable for you? And I said, Sure, buddy, go ahead. And I didn't care how it came out. But the kid starts wrapping it perfectly in over-under. And I looked at him like, Dude, where'd you learn that from? He says, My dad has me out when we're doing the yard. He has me going out cleaning it up. And he taught me how to wrap 50 and 100 foot extension cords the right way using over-under, and it just became natural to this kid. I honor that kid to this day, because it's like, it rocked my world to say, Wait a minute. I'm not getting this. So honor, and Honor's Reward by John Bevere really talks about when we honor people, and in a high-integrity way, we're going to receive back honor. And so not that that's our purpose in seeking. But there are so many people. I do a little class on kind of where we came, our butterflies, again, part of one of my books coming up. And so you know, Travis, if I took you back to say, How did you get to the company you got from? There's multiple people you probably honor for the position you are today. If you went back from, you know, further back, back, back, both in your personal life and your professional life, how far back could you go? Again, watch Andy Andrews's video called The Butterfly Effect. How far back could you go? And how far back could you honor those folks? And just the joy, the excitement there. There's countless stories in my own life of where I have honored people. And by the way, there's countless stories where I have not honored people. And I apologize for that ahead of time. But it is the most humbling thing: go honor people.
Travis 53:35 I think you're right, it's almost, I don't know, in an unusual way, yet as you go about expressing gratitude and honoring other people.
It just brings you good karma. And like you mentioned, I could think all the way back to before my first real security role of people that had helped me along the way, that pointed me in the right direction, that said, Hey, go read this book, or do this course, or do this program, or think about this in a different way. Yeah, I could think, for every single job I've had in the security industry, a whole number of people that I have gratitude for, for ways that they've helped me. So I think that's fantastic. And then also even just thinking about day-to-day practices and projects that we're working on in the workplace. I think in security sometimes it's easy to, we go, we complete one project, do a fantastic job. And then an hour later, we're working on the next project. But we never really had time to sit back and think, how did this project go, what can we do better? Who really helped push this project across the finish line and just did an exceptional job? So yeah, I could also see that just every day, in everyday situations in the workplace, where being able to honor and to really just reward with recognition, how much of a factor that plays in just having a great culture and having a team that's inspired to work well together.
Jim 55:14 Yeah, I, writing pen letters, writing postcards with handwritten, what they call wet ink. You know, emailing the CEO of a company, to tell them how great, you know, your experience was with, you know, the lady at Chipotle. Countless opportunities there. I've traced my butterfly effects back, you know, into the 1800s now, just of the things that kind of happened, and the people that I had the opportunity to honor across that board. And so you know, if I said Hal Tipton, you know, I would honor Hal Tipton, and people, "Who's Hal Tipton?" Kind of the creator of this thing called the CISSP. Yeah, there's just, you could just draw out names.
And so yeah, I just, it is so critical to not just the progression of to a security director of fellow and now as an owner of a security company. But boy, I didn't get here without stepping back and saying, oh, wait a minute. I'm not the most important guy and girl in the world, I gotta go back and start honoring some folks, whether that's my wife of 31 years, that local law is just a countless kind of thing. It's got to be very, I mean, integrity, honor, serving, you know, there's the three words for security success.
Travis 56:39 That's a perfect tagline for security. I like that. And then continuing on. So I want to ask you, are there any other topics that you had a burning desire to talk about today? Or maybe any other insights for aspiring security professionals?
Jim 56:58 Kind of two things. One is definitions. If you think you know the definition of, again, let's take the word, if I had everybody listening to this say, What's the difference between safety and security? I've asked that question probably 1000 times of different professionals, vendors, etc. If you don't know what you feel those definitions of just those two words, and if that doesn't match up with your organization's definitions, and your executives' definitions, check yourself. You know, we use the word all I want him to go into the whole marketing challenges that we have in the security industry right now. But I really, really encourage folks to really, really think about scope and definitions. If I say the word audit, if I just say the word cybersecurity, versus information security, if I say special event security versus executive protection, boy, I, and I'm not here to change the industry, that is a data for middle tassa. And what their standards and lots of, how do you wake up every morning as a security professional?
How do you define those words? Stick to them. It doesn't mean that your audience has a different definition, you need to adapt to that when you're communicating, but set that solid foundation for you. And so that's, you know, on the hard technical side, definitions and scope are way more, or a whole lot more, important, I think, than some of the whole "what's our solutions" and things like that. Because if I walk around a certain security conference we may have been at recently, and I walked up to the booth people and say, Hey, you got this on the wall over there for your advertising. What do you mean by that? I can tell you, I secret shopped a few of those things. And people didn't know. I think the other thing is, I am humbly passionate about metrics. Didn't do this well when I started in this industry, when I built my first security department. But again, not here to advertise the book, but the book, I want people to go and do metrics. If you had never talked, never buy a book or never attended a class on, figure out what that is, because we're not going to improve society, security, safety, security, these types of things without measuring this stuff in hard ways and hard conversations. When I do my analytics and metrics class, one of the first things I talk about, and I'll give away this part of the class, is, is our audience ready? Sometimes we do metrics, and stats and things like that, even when our audience is not ready. If they're ready, great. If they're not ready, and they admit it, that's a different conversation. But let's just not be afraid. Say, Well, Jim, if I tell those things, I could lose my job. Like, what are we here for? What's our why? I mean, my why at a certain telecommunications company I used to work for was very clear, I figured out my why. And so my metrics and my things drove around, can I improve? Can I work towards bettering that why? And you do a metrics program?
Travis 1:00:41 Yeah, these are great ideas.
And you mentioned the importance of definitions. It's so funny, even in the security industry, like I don't know how many books I've read, or how many people I've heard speak from some of our industry organizations, where even something as simple as their definition of risk or threat, it could be, you know, any number of things depending on who you ask. So I do really like that idea of developing your definitions for you personally, as you're using them, and then even to your organization so that you're all speaking the same language. And then also the idea of metrics too, that's something that's a big interest of mine. So I think I will be checking out your book. And just a few months ago, I bought another book, I think it was How to Measure Anything in Cybersecurity or something like that. So yeah, those are going to be two that I'm using in the near future, just to think more about those. Because yeah, if you're a project manager, if you're someone managing any type of project, it's really important to figure out, okay, what's the end goal here? And what are those milestones along the way? What factors or what metrics can we track that we know are going to make us successful, and help us reach that end goal? So yeah, I really do like those ideas. I'll be diving into that. And, Jim, I really appreciate you spending your time with me today. We went over some really cool ideas, everything from SIPOC, which I will be linking to, I found, actually, while you're talking, I found some cool infographics talking about that.
But also some of these other ideas, from creating the resume bucket list where we're going to outline where we want to be in our career, what we want to be on a resume in the next couple years, from there to thinking about some of the core competencies for someone working in a director level role, whether that's going to be communication, some of the technical skills, building a nexus between yourself and the stakeholders that you're serving. And then, of course, ethics and interviewing and some other big ideas. So Jim, I'm super grateful. And I'll be sure to include lots of links to some of the ideas that you mentioned. And for those listening, if they want to learn more about the projects that you're working on, where should they go to you?
Jim 1:03:13 Sure. My little company is called Ask McConnell. So make it easy. Ask mcconnell.com is out there, humble little website, and I'm heavier on LinkedIn. And so follow me there. And I'm posting things there. And yeah, that's where I'm at. Networking is powerful. It doesn't solve all your problems. But yeah, check us out on the website and on LinkedIn.
Travis 1:03:42 Perfect, I'll definitely be sure to link to those. And you also have some really cool resources on your website, from some of the checklists to a go bag inventory. So some cool ideas on there for people to check out as well.
Jim 1:03:56 Yeah, you talked about earlier, I forgot to mention, you talked about earlier around, you know, after a project is over, one of the resources on there is what I call an after action report, a personal after action report. So I encourage folks to check that out. It's really kind of a, you go and do a project, you go do an incident, you go do something of major significance. You want to kind of like, hey, how well did I, the person in the mirror, do? And how did I treat everybody else?
And so it's a little bit guided towards kind of the protection industry and first responder industry, but something to adapt. So do an after action report on yourself, is what that checklist is, or questionnaire, whatever is out there, something that, again, self-reflection, so you can improve on the next time.
Travis 1:04:50 Yeah, another fantastic resource, so I'll be sure to link to that. And yeah, I couldn't agree more. Even when I have to go back and edit this podcast, I'm going to be figuring out, okay, me, yeah, I can use this word a little less next time. So yeah, I agree 100%. So, Jim, thank you very much. I'm super grateful to have you.
Jim 1:05:10 Travis, was an honor. And let's keep in touch and let's continue to serve our community as best we can together.
Travis 1:05:17 Absolutely. Thank you.