Approachable Empathetic People Leaders with Andrew Alaniz

AJ 00:15
Welcome to another episode of the To Comply or Not to Comply podcast. I am your host AJ Yawn, Founder and CEO of ByteChek, a cybersecurity compliance automation company, the only all-in-one solution in the industry. Super excited about today's episode with Andrew Alaniz, someone that I've known for a little bit here virtually. We've had some good exchanges and messages, and we finally had a chance to get together on a pod. Andrew is the Director of Technology and Risk at Freddie Mac. Andrew, thanks for coming on the pod.
Andrew 00:45
Thanks for having me, AJ.
AJ 00:46
Awesome. Andrew, obviously, we know each other, and I know about your background, but for the folks out there that are meeting you for the first time, give us a quick overview of who you are, your career, and what you're up to now.
Andrew 00:56
Sure, so, I'm a technologist at my core. I've been messing with technology since I was probably seven or eight years old. I have done everything from getting a computer science degree, managed servers, installed servers, to managing teams of engineers. In my previous role to where I am now, I lead a cloud security engineering, cloud governance, security architecture, and a couple of product teams for Global Bank. I basically took this job to kind of transform risk in a way that lets us think about how we can apply risk to modern technology and cloud because there's a lot of differences in the way cloud is implemented, versus the way a lot of traditional systems are. We've got both, so we got to think about both of them at the same time, but we've got to think about them in different ways. And so, that's a big deal for me. Probably one of the biggest things I learned over the last year in kind of transitioning to this job is my biggest passion in technology is actually not the technology, it's people and programs. It's building teams and building programs that have an awesome culture and are well-oiled. That's really what I love doing.
AJ 02:01
I find that that's a fun thing that I've seen with a lot of cyber professionals is, as we grow, as we continue to evolve in this industry, we start to care less about the technology. It starts to become less important, and it becomes more about the humans behind the technology, the humans we interact with on a day-to-day basis. What's that journey been like for you? You're a technologist, at your core, you have a CS degree. So, obviously, you started with hands on your keyboard, but now, you've transition to this phase where you're really focused on humans and the human aspect behind it. How has that journey been for you as a leader?
Andrew 02:37
I think it's because as I made my way through my career, I realized that there's people that are really good at the technology, there's people that are really good with interacting with people, there's people that are really good with process, architecture, all the different aspects of a business, right? One of the things that I've seen missing in companies, but I've also seen done really well, is people and leaders knowing not only where to place those people, because a lot of times, you have all the concepts of being promoted to failure, of putting people in places that they're not excelling, all of those concepts. But you also have just the culture that's created by people, leaders, and managers, that often transcends the culture of a company, right? You can have an awesome company culture, but those small teams, what that culture is created like, and that's not just from the top down, but also within the team, absolutely impacts the customer service and the quality of work from those teams, maybe bar none.
AJ 03:42
Yeah, absolutely. I read something recently, they were like, "Your manager will impact your life way more than your parents, at the end of your life." It's the people that you work for, if you think about how much time we spend at work over the course of our lives. A lot of us have had bad managers in our life and that impacts you, it impacts every aspect of your day to day, it impacts how you feel. It's just not a good environment. I think if more leaders took that responsibility on and realized how impactful they are on people, what happens is naturally, where you're at now, where you really care, you're leading with empathy and starting there. I want to talk a little bit about something that I've been kind of championing for a while and you've been in the position that you're in and just your career, you obviously have seen
compliance and the importance of compliance across companies all over the world. I personally think that GRC is a great entry point for people to break into cybersecurity. I love GRC, naturally, I think it's a cool field. I think that because I think there's a lot of transferable skills that make you very useful in the GRC and compliance space. If you're coming from somewhere else, if you're a person that's really helpful with collaborating or you're good written communicator, there's a lot of things that you can do that are important in GRC. I'd love to get your take on it because there's a lot of people out there that disagree with me, that don't feel like GRC is a good entry point, or really any aspect of cybersecurity is a good entry point. What do you think about GRC? Is that a place where people should start their career? Or, is that not necessarily a place where you think people can get going?
Andrew 05:22
Yeah, it's a great question. I think, at its core, there's no right answer. Or, there's no one right answers what I mean. But I think that two things that I have to consider is one, what is GRC? I think depending on the industry you work in, and the organization that you're in, that has a different answer, right? A lot of times, the way I look at it, there's big C compliance, and there's little c compliance, especially in financial services. Little c compliance is really what I think most of us in the security industry refer to as GRC, among some other things, right? The other thing that not all industries understand is in the financial world, there's a three lines of defense concept, where you have first lines, the technologist in those risk functions, second line is oversight of that, and third line is audit. Not all industries work that way as well. I think the second aspect that we need to clarify is that entry into cybersecurity doesn't necessarily mean entry into a career. I think there are two aspects to that, and I think both are worth
talking about, but one of the challenges that I have found is someone who's entering their career into GRC is going to lack a lot of context and people skills that are required to have the tough conversations, to challenge technologists and executives both, that's required in that role. However, as an entry into the security space, I do think that it's a good stepping stone, depending on your experience, because you don't have to be a technologist You don't have to be from any specific background because one of the things that really sets the teams that I build apart is that we don't just know the technology as the implementers and the technologists, we also know the business. That means that there's a place for someone from the business, who has no technology or little technology background, to have a role in GRC, which then is a bastion into security. I think those are two important pieces. Security in general is a tough place to start a career because I think there's a lot of contexts that is extremely valuable to be effective there, but there is absolutely a good place to be at entry level into security.
AJ 07:37
Yeah, I love that viewpoint. Actually, I have never thought about it like that, and I do think that aspect of compliance is overlooked, that you're gonna have to go and tell an engineer that they're doing something wrong and that they need to fix it. That's a tough conversation to have if you have zero clue of what exactly they're doing wrong. You don't know what they're talking about, or why it matters, and all this other stuff. I definitely see the piece that you talked about of it being a good entry point into cyber is really where my head that is because the technical barrier to entry is a lot lower. You don't have to go out and learn how to program, you don't have to be an expert. However, I say that with a grain of salt that one of the things that bothered me the most before starting ByteChek, when I was doing manual audits, is people used to call me a technical auditor. And I'd be like, "What does that mean?" Like, we're evaluating technical environment, what's the alternative to this? What else should I be at this point?" And they only said that because I knew a little bit about the cloud. And I'm like, "Well, I
decided to go learn AWS because 80% of our customers are hosted on AWS. I figured I should know the words that they're saying. If they say EC2, I should know what that means." That's what it was all about. I would say, yes. I think what you're getting that as well is not to convince people or trick people into thinking that you can just jump into GRC and be good without learning anything technical. The best compliance professionals do exactly what you said. They understand technology, then they tie it back to the business. What I would say is you actually are at an advantage if you are one of the rare compliance people that actually care about learning about technology and understanding technology, because you will now speak the language of the people that you're talking to.
Andrew 09:21
Yeah, and I think that's a big piece that's helped me be successful is because my entire career, except for the last year, has been on the implementation and engineering side. It helped me start this role and immediately build rapport with the technology teams, right? My knowledge wasn't based on certifications and spreadsheets, right? There's a place for that and it's valuable, but I had a little bit more rapport. I was able to build those bridges more quickly, without having to come up to speed on the technology before I could do that.
AJ 09:57
Yeah, I think that's huge. I think, on the flipside, I tell investors that the thing that I'm really grateful for, that's helping me now as a startup founder, is that I started my career in the army, as an army officer, which forced me to learn about leadership very quickly. I had to figure out how to lead and what my leadership style was as a young 23 -year-old, when I was responsible for 18 soldiers in the deployed environment. I'm grateful that I started there and learned about how to lead people very early on, because it's helping me out in what I do for a living. So, that's a very good point. One of the things you said earlier was about knowing the business. I think that's just such an overlooked aspect of cyber, where most people try to put cyber as an aspect of their business and unfortunately, most companies are not in the business of cybersecurity. They are in the business of something else, they are trying to do something else to grow, and cyber is not the thing that they're gonna get excited about. But if you understand what the business is doing and how they make money, and how you fit cyber into that, you become a more powerful person and part of the team. Talk to me a little bit about what you mean there when you talk about knowing the business and how it's important in cybersecurity.
Andrew 11:09
Yep. I think that's a pretty dynamic question based on the company and the industry you work for, for sure. But I think you can probably sum it up in the idiom of: Don't miss the forest for the trees. I think it's easy for engineers and auditors and risk folks to be focused on "but this is what the standard says." Well, the reality is, risk management isn't only about reducing risk, to quote Phil Venables. There are other aspects to risk management, right? It's really important to understand that there are risks that aren't even related to cyber, there's technology risks, right? There's information risk, there's privacy risks, there are resiliency risks, there's other business risk, financial risks. The business cares about all of those, cyber is just a piece of that. And if we forget about that, and we're only looking at one scope, then we may be elevating something much higher than it should be in the grand scheme of things. That
understanding of the business, of the operations, of the broader picture, really helps us provide more value because we can provide a more relative risk management approach, as opposed to the absolute just within my little bubble.
AJ 12:22
Man, that's that is huge right there. Risk is just such a thing that I think people just check the box on, and it causes issues down the line, because you find out that there's actually a threat your organization's facing that you didn't even consider because you were just going yes, no, yes, no, down this risk register, instead of actually talking to people and understanding the why behind the business, the why behind the risk and focusing on people, processes, and technology. It's one of the reasons why I love the NIST cybersecurity framework, because it does a really good job of making companies at the early stages think about all of those different aspects of risk, where it's not just about your technical environment, your cloud environment. You need to go talk to finance, you need to go talk to legal, you need to talk to all these other people in the organization that have risks that will impact you from a cyber perspective and could have bad things from a cyber perspective, but you may be just too locked in on the cyber stuff. I was on a webinar recently in with my Director of Compliance at ByteChek, and she said something that was so profound, where she was like, "We have to remember that GRC is a three-letter word. There's governance, there's risk, and there's compliance, and that they're all different things." I think oftentimes, I'm guilty of it, I lump them all together, and say, "Oh, it's just GRC." But as you were talking about risk, I was like, "Man, that's so true." Risk is such an important aspect in understanding truly what are the risk facing the business. You have to start there. You start there, and then from there, you can go out and do all the cyber things. But if you're just trying to throw cyber at a company without considering the risks, you're gonna fail.
Andrew 14:06
A good way to think about GRC as well is each letter kind of represents a phase of risk management, right? Governance is: How does it work? Understanding what's supposed to happen. Risk is: what happens if it doesn't work the way I expect it to? Compliance is: How do I know if it's not working? Those are really the three questions that we should be asking, and that applies across any department or program, not just cyber.
AJ 14:35
Exactly. 100%. And I want to go back a little bit. As we started, we were talking about leadership and talking about the importance of empathy. I can't remember when, but I recently talked about when people are becoming a new leader and they ask me: What's the most important quality I have to have? Is it consistency? Is it showing up early? Do I have to be the hardest worker or the smartest or all these other things? I always say the most important thing as a leader is empathy, in my opinion. It's being able to serve and be an empathetic leader. I know you have similar thoughts, I'd love to just get your thoughts on the importance of empathy in leadership and how you have seen it benefit you as a leader as well.
Andrew 14:36
To be perfectly honest, I think that empathy is maybe the utmost requirement for an effective leader. To be effective, a leader has to have respect, they have to have people willing to follow them. Trust is something that you can take trust, you can buy trust, and you can earn trust. The only way that is sustainable is if it's earned, and empathy is really essential to that. There's plenty of books and quotes that you can talk about, but the reality is, if people you're leading, and I want to delineate between managing and leading, right? Because many people can be a manager, you can be a leader without actually having people report to you. In any way, or anywhere that you lead, people have got to know that you're a safe place. It's slightly different than empathy, but it all goes hand in hand. You've got to be approachable, you've got to be able to listen, and you've got to understand what they're going through. We can't expect people to leave their lives at the door to come to work. Like, they're all intertwined and if one's out of sync, the other is going to be out of sync. I've got to care as much about people's lives and well-being as I do the effectiveness of their work, or I'm never gonna get what is needed from the team.
AJ 15:33
Yep, 100%. In the army, I learned that a leader’s job is to provide purpose, direction, and motivation. I feel like it's very, very difficult for you to do that if you don't know your people, if you don't understand who they are, what their beliefs are, because not everybody is motivated by the same thing. Not everybody cares about the same purpose. Not everybody has all the same things. A lot of times, the leadership books you read tell you, "You gotta be this type of leader, you got to do this." Leadership is like security, in my opinion, it requires context. It requires you having the understanding, the discernment to know what leadership style is needed at certain times, and with certain people, the type of leader that you have to be towards them. That all comes back to empathy, right? It all comes back to that. One of the things you mentioned there that I'd love to get your opinion on, you talked about work life balance a little bit, and I'm a believer that there shouldn't be any such thing as work-life balance. The reason I say that is because if you kind of think about what we're saying there, we have work in one bucket and then we think about our life. Our life is who we are as an individual. Maybe we're married, we got a partner that we're with, so we have the relationship. We have to eat, that's another aspect of life, you're trying to be healthy, if you're trying to work out, you got bills, you got your health. Life is 10 different things, and you might be a dad, whatever it may be, and then work is one thing. We say we got to balance 10 things with one thing, and I think that's where the conflict comes because that's an uneven thing to balance against. To your point, people are so much more than what they do for a living, but I'd love to get your thoughts on work-life balance. What does that mean? When people think about work-life balance, especially in cyber, what does that mean?
Andrew 18:24
So, I want to respond to one thing you mentioned before that, and then I'll answer that question. So, to use a military analogy. I don't have a military background, but I have family that was in the military, so I am a little connected. One thing that I think is important that the military clearly shows us is that leadership is a role, not a position, because depending on the situation, there may be different people in the leadership role, right? I think that's a big thing for leaders to understand is that to be a leader, sometimes it means not leading, and empowering other people. And so, I thought that was a big piece to say, and that goes back to understanding those people and what their strengths are, and lifting people up at the right times.
Andrew 19:06
To switch back to the work-life balance concept, I think one thing I'd like to focus on is your perspective is going to be different than mine, because you're leading a company and you have a lot more control to affect that than I do in a large corporation and most other people do in the places they work. The way I look at is it's extremely important to me to understand a couple of things about the people that work for me. The first is, I don't think people should set an expectation for themselves that they have to know everything about every person and be able to recall it. I keep a note in my in OneNote with people and their kids names and birthdays, because I'm never going to remember that, but I want to know it. I've got to keep track of information like that about people so that I can keep up with it. There's just too much to remember. So, I think that's a practical way that we can start to show empathy, if that's
something that we're learning with people.
Andrew 19:58
I think another way is being cognizant of relevant events. Not to derail the conversation into the news that came out today from the Supreme Court, but just letting people know that, "Hey, look, this is a big deal. I can't solve this, and I can't fix everything, but I'm here for you. If you need a place for somebody to listen, if you need time." This is a life altering situation and as leaders, we need to understand that. It is going to impact people differently. And then, the other piece is that just like, for those of us that have kids, I know you have couple of kids, we don't parent kids the same way, just like we can't lead people the same way. Some people need to be led in different ways, and as people leaders, it's important to understand that for people.
Andrew 20:40
So, I think that knowing those things, lets us help empower our teams to feel safe about that balance. I think that's important. There's a lot of places where there's a fear of, "I've got to keep life separate." But the reality is, you can't. I think the other piece that's really important for me, for other leaders, is I spent a lot of time and effort as a manager and a leader, but this is kind of the manager role of understanding capacity and prioritization and work management of my teams, implementing tools and processes for that, so that I can have transparency. Not in the sense of micromanagement, but in the sense of when I've got people working too many hours, because they don't have the right prioritization, or they're not empowered to properly manage their work, or I can see where people are blocked so that I can free them. I think that's one of the biggest components or pieces of a manager to help improve that work-life balance, because if we're not doing that, then people are constantly thinking about what they didn't do
at work, or they're spending all of their life hours trying to finish it when they shouldn't be.
AJ 21:52
Man, so many gems there and things I want to follow up on. You had some quotable moments in there that we'll have to make sure we pull out, but I want to talk a little bit about that last piece, because I think that's so important. We talk so much about burnout in this industry, and how much people burn out all the time, and we always talk about: What do employees need to do to prevent burnout? What are the things that you have to do as a person? But you're taking the approach that I think is a revolutionary approach of it's your responsibility to check on those things, to see what's going on. Why is your workload so high? How can we help you? Talk to me about that. Do you think it's on the leaders to have that visibility into their employees and to help manage burnout? Where does that responsibility lie? When thinking about Cloud-shared responsibility model, let's think about cyber-shared responsibility model. Who's responsible for what there?
Andrew 22:49
So, I think it's twofold. There are components of it that we can't control, and that's based on the broader culture of the place we work. That broader culture dictates certain expectations, certain requirements, certain deliverables, but for them, I would say somewhere in the 80-20 balance. That's 20% of the problem. I think somewhere more in the 80% range is my responsibility. I've even said that specifically this week to a number of people in a couple of different contexts, that if you're working, I ended the night, that's my fault. I need to understand why I'm not removing a blocker for you, or I'm not prioritizing something, or I haven't set clear expectations, or I'm not backing you up when you have a problem to get that moved. There's a lot of times, and as a side note, because of cybersecurity, let's take incident
management off the table there, there are aspects of incident management that are completely outside of the scope of this conversation. But for most work, especially in the GRC space, there's not many things that can't wait a business day. I think a big aspect of my job is setting expectations and empowering people to know that, one, we're not going to be a culture of "No," right? Customer service is one of my top priorities. Quality is my second priority, but we're going to be a culture of "Yes, but." "Yes, but," is I can absolutely get to that, but right now it's going to take me two weeks to get to it, or whatever that may be. Let's just say that that my boss or the powers that be say, "No, I need to right now," then my job as a people manager to say, "Okay, we can do that, but if I do that, what do you want to drop? A or b? We can't do it all, you got to pick one." And that's the conversation that is empowering the people because I'm not expecting you to do everything we can't, right? We've got to pick those things that we can within our capacity.
AJ 24:44
Yeah, that's funny that you say that. I was just talking with someone recently, and I was telling them that as a leader, our responsibility sometimes, is to give our teams the ability and give them such clear direction of what that North star is that we're going towards, that they feel comfortable not taking on certain things, that they feel comfortable pushing back and saying, like you said, "Yes, but. That's a great idea, but this is what we're working on today, this is where we're focused, this is where we're headed. I have to stay there." And that's not on that employee, that's on the organization, that's on the leadership, that's on everybody else to make sure that we've set up this environment of, like we talk about in security and CICD, you want to put these guardrails. You want to allow the engineers to move as fast as possible, deployed and releasing changes as much as you can, in true startup fashion, but you want them to do it securely. You want them to do it in a secure manner, it's the same way with
people in their lives. You want them to be able to achieve all of the things because it does feel good for people to accomplish stuff. It feels good for them to be able to get stuff done, and you want them to be able to do that, but you want them to do it in a manner that is safe for them just as a human. So, I love that, man. I love the examples that you shared there on that. One of the things I would love to get your thoughts on, when we're thinking about leadership and thinking about empathy, we're operating in somewhat of a new world that has occurred over the last two and a half, three years. Now, we're starting to see this battle, where companies had to go fully remote very quickly to figure out how to operate in a remote environment. Then, now, as we're kind of coming out of this thing, or maybe not, people are being forced to go back to the offices. They're being sent back to the offices and some
leaders are like, "You cannot be a good leader unless you're in the office. You cannot be effective unless you're in the office." Other people are like, I'm in this bucket with ByteChek, that it doesn't matter. I don't really care where people work, I don't care the hours they work, or where they live, or any of that. I think remote work is amazing, because it allows you to do so much more. I love to get your thoughts both on just remote work, versus returning to the office. Where do you sit there in that debate? But also from a leadership perspective, for people that are managing remote teams, what's the way that they can be effective leaders and do all the things we've talked about?
Andrew 27:02
Yeah, it's a great topic and I don't think it's going away anytime soon. I think American culture, as I've seen, loves dichotomies, and I think the problem is most things are not dichotomies. In this case, I think this is one of those, there's not a "we should be remote, or we should not," decision. There are situations where it makes sense and is absolutely effective, and there's situations where it may not My previous job at a global bank, I drove to an office every day and worked in an office, but I interacted with Spain and Mexico and Central and South America on a regular basis. So, I was effectively working remotely in an office, right?
Andrew 27:43
I think that it's challenging when a lot of organizations set the a dichotomy at the top where it's either we're not or we are, there's not a whole lot you can do with that. I think that it depends on the teams, and I think that it depends on the on the leader. So, there's a couple of aspects that that I think we need to define as a technology industry. There's a difference between remote work and remote collaboration. A lot of companies have remote work down, you've got Teams or Zoom, or whatever it may be. I can join a virtual call, right? But remote collaboration is completely different. people who, I would say, accidentally collaborated in the office. In other words, they kind of collaborated because other people brought them into it, people happen to walk up next to their chair, and so they jumped into the conversation. Managers and leaders of teams that were naturally collaborative didn't understand what it
takes to create that environment from nothing. I think that the requirement on people leaders in a remote environment is creating remote collaboration. So, what that means is, you've got to have a camera on. If we're just chatting all day, you don't get a human interaction. There's so much more context to communication than what is the words that are said. Understanding people's facial expressions and body language and the tone of their voice is essential. But even still, let's say you have audio and no video, just tone of voice still can't convey it because I can be firm, but my face can say that I'm not angry and that's hard to distinguish if you're only listening to audio. So, I think that's a big piece. A couple of other things that I've put in place as I try to, I'll just say, I try to force chat. Just like we would have water cooler chats and turn to somebody in the chair and chat with them. I tried to force those. And so, I found that the more that we can chat and communicate that way, the more connected our teams become and the more we end up collaborating.
AJ 29:49
Yeah. 100% That's funny you say that. At ByteChek, we have this channel called the Question of the Day channel and we just asked a random question. It could be like: Who's the most inspiring person in your life? Or, what do you like: Chick fil A or Raising Canes? It's a wild place, and sometimes, the most off the wall questions get the most off the wall answers and you learn something about people that you never knew. But the whole point of that channel is to encourage the random conversations that happen when you work in an office. That's the thing that I think remote cultures don't get right is people don't always want to talk about work. In a real world, in the real office, they don't. They do not talk about work, they talk about the game, they talk about something that happened in the news, they talk about other things, but when you live in these environments where the only channels you exist in, the only chats you exist in are work chats, and you're never actually talking about stuff that involves your life, you start to separate the two. You have the work persona, and then the outside persona. Chances are,
your outside of work persona is who you really want to be and who the person that you feel comfortable being. So, if you have to put that person away eight hours a day, 40 hours a week, that's tough, that's going to put some anxiety and stress on you.
Andrew 31:05
You know, I think something you just hit on there is an intangible component of empathy. As leaders, especially new leaders, I'm going to go on a tangent for a second, but it's easy to forget, there's a concept called the the burden of knowledge, it's easy to forget what it was like on the other side of the table. If you're not a human to other people, then it creates a more authoritarian environment, right? People look at you as the Great and Powerful Oz behind the curtain, you're unapproachable and things like that. And so, it's really important to be human with people, and that means admitting when you're wrong, being transparent when you don't know things, things like that. But being human goes a long way to creating a safe environment and letting your team know that you are empathetic.
AJ 31:59
I think that's such an important part of leadership that people forget is that it's not just about what you say and what your policies are, it's about: How are you acting? Are you the type of person that's working on PTO? Because guess what your team's going to do? They're going to work on PTO? Are you sending emails out at 10 or 11pm at night? You're telling your team that you want them to work at 10 or 11pm at night. Nowadays, all of these tools have the ability for you to schedule messages and send them out later on. If you're a leader working at 10 o'clock at night, don't send that email then, let it go off in the morning so that your team doesn't feel the pressure that they have to work that much. We get it if you're in a leadership position, you have to work late sometimes, it's a part of it. But you don't have to pull in every single individual contributor on your team, and now make them think that that's the standard because that's what you're doing as a leader. You are setting and establishing a standard. If your standard is "I'm going to separate my personal life from my work life," everyone else is going to do that. They're going to just end up doing that and you're going to build the culture that you probably don't want. I think leaders have to remember that, it's not just about what you say, it's about: How are you operating as a leader? What are the things you're doing? How do you look, when you join the team calls, is your camera on? Because if it's not, other people are gonna say, "I don't have to turn my camera on." That's the type of culture that you're going to be creating. I think it's so important that you talked about that aspect of leadership of really living out the things that you want your team to live out.
Andrew 33:25
Yeah, so, I'm glad you said that because I put together a one pager about myself. I call it, Working with Andrew, and I have little tidbits about things that I expect. One of those things is eating your own dog food. And so, I think that's exactly what you're saying, I shouldn't expect from others something I'm not willing to do. And so, if I'm telling my teams, I need you to put that work in JIRA, I should be putting that work in JIRA if I need you to do it. That's something that I practice pretty well, or I'm pretty passionate about making sure that we do. There's another aspect that I think, especially for new leaders, that's important, I actually call it the CEO Comment Fallacy, it's what I've kind of dubbed it. When you don't have the self-awareness to say, "Maybe I'm thinking out loud, maybe I'm just talking about something." If I'm not constantly reiterating, "This is what I expect," people will take that and run with it. Before you know it, you've filled up everybody's capacity with some ideas you had that you never intended to be implemented. I think it's important as a leader, to constantly remind people because they're not going to believe it, "Hey, I'm just thinking out loud, don't go do this, let's talk about it," and things like that, because otherwise they're gonna be running in 20 different directions.
AJ 34:39
I'm laughing because that's so true that I've now, typical CEO Founder, randomly get these jolts of ideas and I just go into a channel and I'm just saying all the things. Then, I have to stop myself like, "Hey, as a heads up for everyone, nothing I just said is a me asking you to go do something. Nothing I just said means to change priorities. Please take all direction from your people leader, do not take this as that." I didn't know this until being a CEO that if I go and say like, "Hey, it would be nice if we did x," or I send a screenshot of something I saw like, "This is cool. I wish we did this." Somebody's gonna go do that, and they're gonna just take off and go run to do that, but I wasn't saying that, that was not my intent. That's so true, and I think it's important for all leaders, not just CEOs, but everyone that think about with the way you're communicating. What message are you getting across? And sometimes, you have to do those disclaimers to make sure that people are not taking stuff like that. But yeah, this, I mean, Andrew, this has been amazing man. It's been a really dope conversation just about leadership, about cybersecurity and compliance, and getting to know you more. I know this is gonna be extremely valuable to our listeners. Before we hop off, any last words? And then, at the end of that, tell folks where to find you if they want to reach out and learn more.
Andrew 36:00
Yeah, I would say last words, don't feel like there's this enormous set of criteria that is required to become a leader. You don't have to manage people to be a leader. You don't have to be an expert to be a leader. Honestly, if you're empathetic, you're gonna become a leader on accident. I think that's truly important. But I think that, yeah, just treat people like people, be human, and people will follow you and listen to you. As far as getting in contact with me, I'm mostly on LinkedIn, I actually don't even have a Facebook or Instagram account that I use. I do have Twitter, but I don't ever check it. So, LinkedIn is where I'm most active. I'm always happy to chat about these kinds of things.
AJ 36:47
100%. Yeah, give Andrew a follow or connect with him on LinkedIn. You're gonna learn a lot and this episode right here is just gonna be, I think, super impactful. So, thank you again, Andrew, for joining me and spending some time with me. I'm glad we finally got this done and on the book. I'm excited for it to get out. Thank you all for listening to another episode of the To Comply or Not to Comply podcast. Don't forget to give us a rating. If you liked the episode, give us a five-star rating. If you didn't like the episode, give us a five-star rating. Just go ahead and click that for us. Appreciate it, and we'll see you on the next episode.