Seven Questions for Critical Start’s New CISO

George Jones, Critical Start’s new CISO (Chief Information Security Officer), wears Hawaiian shirts on Thursdays. He cheers for the Red Sox, hits the gym every day at 5:30am, and was originally born in Germany when his dad served with the United States Army. 

Most importantly, George Jones has broad and deep experience in infrastructure, security and compliance roles, with a history of building sustainable processes and growing organizations. In his role as CISO at Critical Start, George drives the strategic direction of corporate IT, information security and compliance initiatives.

He was most recently the Head of Information Security and Infrastructure at Catalyst Health Group, where he was responsible for all compliance efforts (NIST, PCI, HITRUST, SOC2), as well as vendor management for security-based programs.  

George has more than 20 years of experience with technology, infrastructure, compliance and assessment in multiple roles across different business verticals. We wanted to share more about his philosophy as a leader, and what CISOs should be focused on in 2023.

We sat down with George Jones and asked him more about his leadership style, pervasive security threats and why he chose to be a part of Critical Start.

A Q&A with Critical Start’s New CISO 

What drew you to Critical Start?   

At Critical Start, I am surrounded by intelligent people. I love walking into a room filled with people who have diverse thought processes and can bring 100 different ways to solve a problem to the table. The opportunity to work for an industry leader with forward-thinking leadership and a strong culture is important to me. I have been in security and technology for most of my career, and I now want to work with companies that include employees and community impact in their decision-making process. Critical Start and my peers on the executive leadership team do that, and I am proud to be a part of it.

Critical Start is also different from other Managed Detection and Response (MDR) providers in our ability to support the customer while avoiding the heavy lift that other vendors have. After implementing other MDR platforms in the past, there is usually a lot of machine learning that must take place, along with repetitive, heavy processes. Historically, a majority of this was done by the organization  implementing the platform. Critical Start already has playbooks built that allow new organizations to come in and start seeing a return on their investment right away, which eliminates the heavy responsibility for the customer. 

What advice do you have for CISOs trying to create a culture of security in their organizations?  

The best advice I can offer is to get out in front of the organization as a leader. Everyone in the company should feel empowered and encouraged to participate in the security process.   

I always like to point out that, while I am the CISO, we are all security officers. Our team participates in regular security training, including phishing exercises and a huge emphasis on the importance of cybersecurity awareness. It’s essential to teach employees about risky behaviors and how to avoid them, to encourage less risky behavior during day-to-day operations, and help all staff learn to recognize and respond to cybersecurity events. 

As a CISO looking ahead to the trends that will shape the cybersecurity industry next year, what are you most concerned about?

Things that concern me most include threats to mobile devices, targeted ransomware, data breaches, phishing, and insider threats. No one is ever immune from these threats. I’m the CISO, and even I receive phishing emails. 

  • Mobile device targeting is on the rise and mobile computing is integrated into every part of our lives and work. This is an area of exposure that is often overlooked. 
  • Targeted ransomware is becoming more focused and sophisticated, and the bad actors are getting better every day, requiring organizations to be even more vigilant in protecting systems and endpoints against malicious code. 
  • Safeguarding data is every company’s primary goal. Minor flaws or bugs in software can create a potential vulnerability for hackers to access information. Stricter measures in both the US and abroad (CCPA, GDPR, etc.) offer protections to safeguard individual rights. 
  • Human error is still a primary cause of data breaches. A lack of attention to detail or intentional omission can lead to millions of records being exposed and result in irrecoverable impact to an organization. Creating awareness across the company is critical to successfully safeguarding your data. 

It’s worth noting that phishing isn’t going away, and is often the path that bad actors use to get into platforms and move horizontally. Once a threat has made it in, organizations often don’t know it for an extended period of time because the threat actors are moving sideways across your network, looking for opportunities to expand their footprint. Training your workforce to recognize and understand phishing emails, SMS phishing, and targeted social engineering, and to understand what those look like, is critical.

Remember that you’re only as strong as your weakest link, and training your workforce to recognize and understand how to react to phishing emails is crucial. At Critical Start, we block every phishing email and sender. But making sure your frontline employees know how to recognize phishing and react is the first essential step. 

How did you become a CISO and why?  

Funnily enough, I never started my career with the intent to focus on security. When I began, my focus was on technology and efficiency. I started dipping my toe into security and compliance with my first exposure to SOX (Sarbanes-Oxley Act), which then went to PCI-DSS, SOC 2, HITRUST, and on from there, including an interest in ethical hacking. Actually, my journey first started when I walked into a data center at the beginning of my career, and decided to fix the air conditioning unit because it was hot. Then the next thing I knew, fixing things became my responsibility.  

Also, not a lot of people will say this, but I enjoy the “compliance” aspect of my job. I came to realize that I like the problem-solving and building associated with SecOps, and working with every part of the organization to integrate a security mindset into everyday tasks. Security is part of the foundation of an organization, and one that impacts every transaction that occurs in your daily life.   

Although my path to becoming a CISO was unconventional, many future CISOs start as security analysts or security administrators. They’ll branch further into security, setting up systems within a company and managing who has access to those systems. That is really where security starts – determining who has access to what.  

Any advice for others who aspire to work in the cybersecurity industry?  

Never stop learning and pursuing the concept of “servant leadership.” One of the first mentors I ever had taught me about servant leadership, and it’s a message I have taken to heart. I tell my team that I work for them more than I work for me. If I don’t set them up with the ability and opportunity to succeed, then I won’t succeed. By offering myself, my time and my efforts to serve them, then we all grow and succeed together. While serving and supporting them, I continue to grow as a person and professionally. It makes us all better and keeps us more secure.

The world of cybersecurity is ever evolving, and the other side is always looking for new ways to exploit vulnerabilities.  You must accept that there is always an inherent level of risk and be able to accept that, while you can’t solve everything, you can protect everything. I’d recommend developing a love for solving puzzles and to always be hungry to learn and grow, and you can be successful in this field. 

Who do you look to for mentorship and education? 

I am definitely a reader, and I am constantly doing research on new platforms, threats, and vulnerabilities to understand the latest threat vectors that are being used. My mentorship these days focuses more on leadership and service than technology. I strive to be a better leader and to better serve my team, my organization, and society. I find that I am my best self when I can help others learn, grow, and succeed. 

I closely follow Simon Sinek and Bill George’s work as continued learning. Bill George wrote a book with Peter Eagle Sims called True North: Discover Your Authentic Leadership. He talks about discovering your leadership style and being true to yourself as a leader, which allows you to have authentic relationships. I ultimately see my role as developing relationships with people to drive positive influence throughout the organization and create an atmosphere of trust. 

What are you most excited about for 2023? 

I am happy to be a part of the Critical Start team, and I want organizations to know that we use our Zero Trust Analytics Platform™ (ZTAP®) to protect our own environment, the same playbooks as our customers, and the same SOC team. We’re constantly pushing boundaries and going on a journey that we can take to customers, because you never reach the finish line with security. Our experiences help us to protect our customers even better. 

