Fail Forward: Lessons in Leadership and Innovation with Jacob Valdez

0:00

Manish:

Hello, and welcome to the Ontic Connected Intelligence Podcast. I’m Manish Mehta, Ontic’s Chief Product Officer. Join us as we delve into valuable insights and practical advice that will empower you to navigate the complexities of modern corporate security and risk. We’re here to share knowledge from experienced leaders and innovators in the field. All right, get settled and let’s dive in. Welcome to today’s episode of the Ontic Connected Intelligence Podcast. We’re excited to have Jacob Valdez with us, a seasoned expert in global security and operations. Jacob currently serves as the director of global security and operations at Applied Materials, where he leads efforts to safeguard the company’s employees, assets, and information worldwide. With a distinguished career spanning leadership roles across Dell Technologies and the U.S. State Department, Jacob brings a wealth of experience in security, operations, crisis management, and global risk assessment. His unique perspectives on the evolving challenges of cybersecurity and the operational resilience promises to be an enlightening conversation. So let’s dive in and hear from Jacob about his career journey and the critical work he’s doing to protect organizations in an increasingly complex world. Jacob, welcome to the podcast.

Jacob:

Hey, thanks for having me. Appreciate the time.

Manish:

Well, why don’t we actually jump into that part of your career, right? You had spent almost nine years at the State Department. How did you make that transition, particularly to a company like Dell Technologies?

Jacob:

Yeah, that’s a great question. I get asked that a lot. A lot of it has to do with luck, but also hard work and just understanding what the corporate environment was at the time. So for me, it was a lot of job searching, a lot of soul searching, a lot of what do I have experience wise in the government sector that really relates to corporate? And I’ll be honest, I failed miserably at that at first. I had a resume that was like 12 pages long. You fell asleep after 10 seconds. It just, didn’t make sense. So it took me a while with the help of some friends to really get that together. But once I found that edge of really translating, I guess, what we do in the government sector, especially when it comes to physical security and safety, over to the corporate side, it was an eye-opener. It was a great experience. It really helped me jump right in to at least get that foot in the door to understand how the corporate machine works when it comes to security.

2:39

Manish:

I love that. And you and I have had a number of conversations about your transition and your journey at Dell. What were some of the learnings? And for our listeners, as they think about making a similar journey, what are tips that you learned along the way, especially navigating a complex global structure like Dell?

Jacob:

That’s probably the number one question I get asked a lot. I love to share my failures because I think it really sets you up to fail forward in a sense. So I would say hands down, number one is that not everybody has the same ideas that you do, right? You may come in thinking you’ve got the answer to the puzzle and you may. But I really had to navigate what that meant in the corporate environment, especially when you don’t have all your supporting business partners in the same wheelhouse, right? You go to someone else’s house and say, I’ve got a better way of doing things, depending on how you present it can really be a problem. So I had to step into that very carefully and understand the right way of approaching the idea, especially to a non-partner or partner that’s not in your wheelhouse. But still, even then you meet challenges, right? Especially if you’re coming to an industry or a company that’s been doing the same thing for 20 years, I would be a millionaire if I had, you know, Hey, we’ve always done it this way. Kind of answer and full disclosure. I’ve said that myself before too. So I get it So yeah, I would say the biggest challenge is really just navigating how you approach Problems and then how you approach the solution is the biggest thing because you don’t want to come off of obviously is hey, I’m invading your space

Manish:

And I think the most exciting moment for me was watching you elevate yourself in that organization and ultimately receive a well-deserved promotion. So maybe just talk for a minute or so about that.

Jacob:

Yeah. First off, thanks. Mentorship, right? Really looking outside the box is huge. But you gave me some advice. I really think that I’ve given other people, I’ve stolen it from you a hundred percent, but it’s great, is really thinking how do you present your solutions on an enterprise-wide format, right? Because you don’t want to solve just RECs, you want to solve for the larger problem. And really, how can that be functional and, you know, collaborative across different business sectors, right? You want your business unit, whatever it is, regardless if it’s just GuardForce or if it’s just GSOC or Fusion or Investigations, you want that to be a company-wide solution and not just a standalone, hey, I only do this, and this is the only thing I can do. So really opening my horizons to enterprise-wide solutions, not only solving for the problem at hand, but how do I solve that similar problem in different spaces three months, six months, 12 months down the road. And that ultimately led to, you know, help your mentorship. And quite a few from Dell, you know, really helped me kind of move forward in that different way of thinking.

5:36

Manish:

This is a fantastic podcast because of your experience and all of the companies that you have given tours to when you were at Dell and you’ve applied those learnings now at Applied. But as you reflect on all of those GSOC or Fusion Center leaders that you’ve met along the way, especially over the last three to five years, What are some consistent themes and challenges that you’re hearing the industry is faced with and what have you then applied from those learnings and even you might be applying today at Applied?

Jacob:

Great question again. I would say hands down the consistent theme I heard from half of the group was, well, it’s just not something we do right now. We’ve just never done that before. And that’s not a bad problem set, right? But when we briefed a lot of customers and partners and we talked about new connections, especially when you’re bridging physical and cyber, physical and other business partners are not nontraditional partners of security. There was a lot of eye-opens like, well, you know, we just, that’s not how things work at our company. And again, it’s not a bad problem. So for that group, to me, it was really, I think eye-opening for them mostly to see it is possible. It can be done, but it takes time and it takes leadership. It takes buy-in and you have to believe in what you’re doing. So that was the other one. The other half of that, um, was a lot of good things, right? Just sharing those failures that we had. A lot of companies are eager to do the same thing that everyone’s doing, right? You want to converge your resources, you want to converge your talent, and it’s totally possible. And I think they walked away understanding that, OK, here’s a different ways of approaching to kind of get to that point. And I just love sharing those stories because, again, it’s not always about the wins. It’s how you got to that win after you failed five, six, seven times. And when you finally get that, it’s great to share that.

7:35

Manish:

Absolutely. And you talked about learnings. You’ve talked about being in unique houses. You’re at Applied Materials now. What are you experiencing? What are you learning there that others can benefit from?

Jacob:

Yep. So definitely, Applied is a great company. They’ve got a lot of great resources. The majority of folks I work with have been here for 5, 10, 15 years, have so much knowledge. And so far, everyone’s been great. Everyone’s sharing that knowledge. But again, it kind of comes down to they’ve been doing certain things a certain way. It’s worked for them. But we’re trying to evolve. And I say we as a global security team are trying to evolve to the next level to make sure we have the right level of support for this company. So I wouldn’t say roadblocks, but just kind of circulating these new ideas of transitioning to enterprise-wide solutions and really like, hey, we’re not trying to take anything from you. We’re just enhancing what you’re doing. We want to become a really good resource for you. You know, we’re that one group you call when you can’t figure it out. You just need that help. Like, I got to call the GSOC. And that’s really what we’re trying to get to is that point.

8:43

Manish:

Yeah. I got to ask you a question. You had mentioned cybersecurity before at Dell. What you ran was referred to as the Fusion Center. So the notion of cyber and physical converging. And I’ll tell you from my frame, it’s been more myth than a reality. I haven’t seen many GSOCs that have truly converged cyber and physical. Obviously Dell was at the tip of the spear, but how do you think about that convergence and where have you seen it successful and what’s left to do for the industry to truly converge?

Jacob:

Yeah, I think it’s a multi-stage process. I don’t think you’re going to flip a switch. Anybody isn’t like, hey, now we’re a SOC and a GSOC or a SOC and a Fusion. What I learned again through failures was you got to take a bite at a time. You can’t overcommit. Not everyone’s a cyber expert in your team. And even if you have cyber experts, a couple of SMEs, if you will, you’ve got to step into it to make sure that you can maintain that level of service. You’re not interrupting service. A great example would be just baseline monitoring. Can you enhance monitoring as step one? Maybe step two is you begin with alerts, right? Cyber related alerts. And I’ll say, I’ll stop there because that’s one piece I think is a great, easy way to converge those two groups is monitoring, right? There’s a million tools out there that will monitor cyber impacts, right? And if you already have a cyber team that’s doing that, outstanding. But if you can work with them to say, hey, What else can I take off your plate? Or what can I enhance in monitoring with my available resources? I think it’s a big win. I’ve had some great partners here at Applied that are helping me do that in the cyber team. We’re already seeing benefits of just sharing information. And regardless if they already know it, the feedback I’ve had here is outstanding with, hey, we got this. Thanks. Or no, we didn’t see it. So again, to answer your question, I guess baby steps into it. And you’re right, a lot of times you can say you have a converged house, but you don’t. What does that mean? This means I call the cyber 24-7 number and pass a customer over to them. That’s not a converged, you know, cyber GSOC or Fusion Center. So in my mind, it really is converged. You have cyber partners physically in your Fusion Center or your GSOC or virtually, and you’re embedded in those processes and response. Because you don’t want to be the last person to know what’s going on. You don’t want your GSOC to be behind the power curve when there’s a company-wide impacting event. You need to be part of that process. And I think once you become part of that process for a cyber reaction or an incident, I think that’s where you have the win, right? You’re no longer a second thought. You’re now a partner for response.

Manish:

I love that. Love that. And I think the word or the term embedded is so crucial in all the ways. Absolutely.

Jacob:

Because, you know, physical events lead quite frequently to cyber related instances or there’s a piece of that. So absolutely having that embed there and having those resources available to he or she regardless of it’s cyber, insider risk or supply chains, a big piece.

12:26

Manish:

Another thing you’ve personally experienced is success can beget success, but it can also become a challenge if you’re not resourced or prepared. So an example is your remit, and this could be for anyone listening, in running a GSOC could be X. And then if you’re successful, you’re asked to take on more and more and more. What are some guidelines or maybe ways for a leader to think about when to say no, or when to make that case for more resources?

Jacob:

Yeah, it’s definitely known to probably most everybody listening to this, right, is you do get that when you want to keep pulling that thread, but to your point, you get to the point where you’re out of resources, you can’t make those timelines, and you’ve overcommitted, and your staff has overworked, or we just don’t have the resources. So I think, again, bite by bite, right? You don’t want to throw your line out there too far. You want to just a little bit at a time and adjust, a little bit and adjust. Regardless of that’s maybe helping insider risk and you’re going to help with some additional background checks, you’re doing more OSINT checks or you’re helping with cyber. You can’t take on the role at once. You’ve got to really line it out and do it piece by piece. Because I have been in situations where I’ve overcommitted. Things are going great and the floodgates open all of a sudden. To your point, I have too many customers I can no longer provide a result for, which is not where you want to be. So I’ve kind of learned that and kind of step into it very, very slowly and methodically without just saying, yep, the floodgates are open, send me everything you got.

Manish:

So what’s the trick to get those additional resources or get that budget?

Jacob:

Absolutely. I can tell the listeners to what’s worked for me in the past is showing that return on investment, right? Yeah. You know, everybody’s great at accounting. This is one thing that our CSO Dell was great at pointing out was, hey, counting is great. You’ve got to do that number one, right? You have to learn to count correctly. But what do you do with those numbers? And if you can’t show the return on investment, the value, or what that means, the impact to that company, you’re not going to get resources. But if you can do that, if you can show you’ve now reduced costs, you can do it better, faster, cheaper, in a sense, for certain things. You really are in a position where you can say, hey, I can continue to do this, but I’m going to need some additional resources because we’re expanding these services. So, but to answer your question and go back to it, really having tangible results, results that you can back up that are validated that says we have done X, Y, Z. We’ve saved the company this much. We’ve improved the process this percentage. We reduced loss by this percentage. Having that actual number of percentages is a very hard thing to do. especially when you come from a physical security background, right? It’s super hard to show that this percentage equates to this dollar. But if you can do that, I think you’re holding the golden egg to say, all right, I need more resources now.

15:26

Manish:

Excellent. Let’s talk about companies that are multinational and then GSOCs or fusion centers that have a global charter remit. There’s so many models to this, right? There’s the centralized GSOC that manages the globe, there are regional GSOCs that you have to coordinate, and then there’s even insourcing and outsourcing. How do you think about those models and maybe talk a little bit about each in your experience and what works and what pitfalls to watch out for?

Jacob:

Yeah, I’ll tell you again from lessons learned, pitfall number one is know what you have out there. Do those surveys, make sure you truly understand what services are being provided at those smaller SOCs or your regional SOCs. Because if you don’t understand what services they provide, and you remove or take away something or modify, you’re not going to understand that ripple effect that may be very specific to that region. So, pitfall number one is really doing a proper survey to understand what services are doing, what’s out there. And when you don’t want to inadvertently affect the business.

Manish:

And when you say survey, maybe describe that a little bit more.

Jacob:

Sure. So survey, I mean, can be an actual survey. It can be a physical for me. Maybe you have, you have the operators fill out your regional security team, but also going there if you can, or sending someone or being physical present to see how all that works. Everything looks great on paper, right? But really being able to understand it, if you have that luxury or ability to travel or to have someone from your staff there, to just observe the day-to-day to understand and make sure that makes sense. That’s the other piece of the survey.

Manish:

Love that. Okay. Other challenges?

Jacob:

Obviously, budget, right? Everybody wants budget. Everybody needs more money. We all do. We all try to progress our programs. That’s not always available sometimes. And you have to prepare for the worst, I would say. So if you know your budget’s tight, you know you’re not going to have budget, where else can you consolidate to maybe uplift those larger centers that make sense to your company that are strategically placed in the right country or region. So as you look at your survey, again, you can use that to your benefit to say, OK, I’ve got, this is fictitious, I’ve got 12 different mini SOCs across the globe. And maybe five of those don’t even do anything SOC related. It’s just someone sitting in a room that’s monitoring a monitor or push button alarm that you can consolidate and do more remote monitoring. What’s that cost savings that you can apply to potentially uplift those larger regional ones? And then can you also save the company some money, right? That’s ultimately what we want to do is make it so efficient that we’re saving the company money. We’re not overspending on resources we don’t need.

18:13

Manish:

And then, of course, the pendulum shifts on insourcing, outsourcing. How do you think about that? And again, pros and cons?

Jacob:

Absolutely. So pros, obviously, of sourcing to a third party provider is they typically have experienced operators, supervisors, and staff. They’re very quick to fill. The pros are you’re not dealing with that HR requirement. They are. They’re going out there and fulfilling that role. They have their own SLAs. So it’s a bit of relief, administrative-wise, I’ll be honest, of not having to manage that. So the downside to that. Let me go back to some positives. I’m so sorry. One is that they have a lot of regionally based partners. So they do have ability to really source the right people if it’s done right, who are local to you or local to your RSOC or your SOC, wherever it’s at. So that’s a huge benefit. The downside sometimes from what I’ve seen also is you are not part of the hiring process. And so your expectations of what you need, your requirements, that have that teammate may not be translated correctly to what they’re looking for on their cost spectrum, if you will. So you want to be fair to your team. You need the right hires, the right talent, the right mindset to be in there. And especially with this current workforce we have, right, it’s changed. It’s changed over five years, 10 years, two years. I mean, so you really want to make sure that you have the right resources and you’re hiring the right staff. So the pros of in-house, hiring your own FTEs, your full-time employees, is you get to choose those folks. You get to set the standards. You get to ensure that you have the right team to support you. It can also be cost effective, depending on what company and what platform you’re using, right? You can actually save the company a lot of money related to moving from a contractual team to a full-time. The third piece, or I guess the last piece, is the ability to access information. Right. We all, everybody has NDAs, that’s part of it, but really when you outsource, there are limits to what you can share. And as you progress your GSOC, your Fusion Center, you want to progress your team. You want your team to build, to learn, to get new skill sets. And you want your team to do, to be more efficient. If you don’t have the right NDAs in place or the right access levels because of legal requirements, whatnot, it can really hinder your, your movement forward.

20:42

Manish:

Very helpful. You mentioned talent. This is a good segue to talk about maybe a layer of talent that we don’t often talk about, which is you as a GSOC leader, a GSOC executive or Fusion Center executive will need a strong leadership bench. So the individuals that report to you, that leadership level, what’s been a very successful profile that you’ve seen of those leaders, and it could be promote from within, it could be hire externally, but what’s the profile that you’ve seen be most successful in that layer of leadership?

Jacob:

Absolutely. I would say beyond, we’ll get to experience in a second, but that connection, you’ve got to have that connection as best you can. And I know it’s hard, right? Three or four interviews, you spend an hour, two hours, four hours that person, but beyond some of the capabilities of understanding platforms and expertise is you have to You got to have a feeling in your stomach. This is the right person. He or she fits in. Or you click with them, right? You just know, like, this is somebody I want to work with. This is somebody I can trust. So take away that. Experience-wise, all over the board. I don’t have a set thing that I look for. I do like team members and leaders and partners to have some type of high-intensity experience, whether it’s a SOC, a GSOC. emergency management, BCP. Those are things you want people who can understand risk and deal with risk because it’s not always easy. Worst case is you don’t want somebody who doesn’t have experience necessarily working crisis and they never had a crisis in their experience. Day one, you have a workplace violence case or you have something dramatic. You don’t want that overwhelm. So I like to look for folks who have a little bit of crisis management experience and doesn’t have to be military or law enforcement, anything. Just dealing with the crisis and understanding their capabilities, knowing themselves, and then how do they project themselves in the room at the time, right? We can all practice a million times. I can, you can. But really, when there is a crisis happening, how do they truly react when they’re leading a team? They are responsible for leading your company’s response. So you have to feel comfortable with that. And not everybody knows everything. I don’t know everything. So it’s something you can build on, but you have to feel, you have to have that level of confidence that they can handle themselves in a crisis and they can lead the team under them in a crisis, if that makes sense.

23:12

Manish:

That’s great advice. Love that. Let’s talk for two minutes about technology and in particular, AI. Where does AI work and where does it fall apart when it comes to GSOC and Fusion Centers?

Jacob:

Yeah, I have mixed feelings on this. So part of me is like AI, bring everything, bring it all now, right? I want it all, the whole bundle. But I think there could be some pitfalls with security without validation. At the end of the day, if you can use AI to reduce or increase your efficiency, reduce your response time, that’s great. But I always think there should be that human factor at the end of it that does a final analysis. You don’t want AI, in my opinion. I would not want AI making a final decision if we need to dispatch. fire medical or alert cyber or, excuse me, notify HR. I want a human doing that last bit. But again, if we can use AI to collect that data, help with the analysis and project what AI believes this will happen, that’s great. That’s what we need. But again, the validation, the right data sets and training to make sure that not everybody just goes with what AI says because it says do X, Y, Z. You’ve got to have that human factor in there. But definitely, if you can get it and use it, I would say go for it.

24:30

Manish:

I think that’s very pragmatic. A couple of final questions. Jacob, and again, thank you for making the time today. In my time at Dell, in my career at Dell, if you couldn’t measure it, you couldn’t manage it. So everything had a metric. But not every company is designed that way. So how do you, what, again, guidance advice would you give GSOC leaders on being able to measure what are the critical KPIs and how would you present a case? However you want to take that question.

Jacob:

Yeah. Yeah. So I think I would start with, um, if you are, if you’re working for a company that doesn’t collect metrics currently, and you don’t really know where you’re at, but we, Hey, we want to collect something. That’s great. I think you got to look at what’s important to the company. What matters, those key performance indicators and those key risk indicators, right? What’s really important, if I say, hey, that door opened 2,600 times this month, and it was trending toward more open in the afternoon and evening. That’s cool. Does anybody care? Probably not. So you don’t want to waste cycle time on pulling data that really doesn’t matter to your company. So if you can find those key risk indicators and then kind of bring it down to key performance indicators, I think you can set metrics up that mean the most to your company, that you can get the most value out of, and also use, right? You want data that’s usable for trends, for analysis. And if you are collecting on something that really doesn’t matter to the company, you’re going to waste time presenting a fact or a data point that they just don’t care at the C-suite or the executive level.

Manish:

Excellent, excellent. Any final thoughts? And then I do have one last question for you. Any final thoughts for our listeners? Again, this is super helpful, great insight. Anything else you want to leave our listeners with?

Jacob:

I would say fail forward. Don’t be discouraged if you fail once, twice, three times, getting something across, the idea across, getting that new partner. Don’t expect things to happen overnight. Again, I’ve done it myself where I have a higher expectation than reality. So step into it. Plan it out and set yourself up for success with realistic expectations that you’re not going to change it overnight, but keep working on it is what I would say.

26:44

Manish:

Jacob, one final question for you. What does Connected Intelligence mean to you?

Jacob:

I think Skynet. For the listeners. No, it’s really everything we talked about in one data set that’s thinking alike. So regardless if you’re working on a workplace violence case in the GSOC or you’re supporting a medical incident or cyber or some type of threat, connected intelligence is really all those pieces in one database that you can use to articulate something. So, for example, if I’m working on a case about an employee who’s at a risk for workplace violence, and they’ve been tagged in a medical incident, several other cases over the years, and maybe there was an accident in a parking lot, that connected intelligence may be useful when you’re coming up with analysis. It can also be the physical side, right? You’re looking at threats and trends over time. So maybe it’s a supply chain risk or a threat to a logistical center. How you can connect everything from physical to cyber, name brand, and then you’re bringing up your OSINT stuff, all of that connected together to really push out faster intelligence that’s more reliable, more robust. Nobody wants a single source of intelligence. You want a single source of truth, which can be great, which is all those platforms together in connected intelligence. But really, you don’t want to make a decision on one single piece of information. You want connected intelligence to really drive that decision making, to have validation in my mind.

Manish:

That’s great. Our guest today was Jacob Valdez. Jacob, thank you for joining us on Ontic’s Connected Intelligence Podcast.

Jacob:

Appreciate it. Thank you for the time.