It is pretty alarming that many businesses do not pay that much attention to cybersecurity attacks. They do not take risk management seriously, putting their assets, employees, and profits in harm’s way. Diving deep into this topic with John Riley and George Usi is Jonathan Addington, President at J.M. Addington Technology Solutions and Founder of Cyber Secure RIA. Using car safety and driving analogies, they discuss how business teams can make their operations fully equipped and prepared in the face of many cybersecurity risks. Jonathan explains why security awareness training is not the sole answer to these threats, why accountability must come down from the compliance chain, and how cyber laws should evolve alongside such digital risks. Jonathan also explains how he applies risk management lessons in his own home, being a father of eight children.
Watch the episode here
Listen to the podcast here
The Best Approach To Cybersecurity Risk Management With Jonathan Addington
In this episode, we got Jonathan Addington. He is the President at JM Addington Technology Solutions and the Founder and President of Cyber Secure RIA. He is a father of eight children and an avid runner. Welcome, Jonathan.
Let’s start with our leading question here. If the cyber risk was a pizza, what is the riskiest topping you have seen, and what topping would you equate it to on a pizza? That is assuming you don’t like pineapple, anchovies, or anything like that on a pizza.
I love pineapples on pizza. I’m going to flip this around a little bit. The riskiest part about it is most people think they have ordered a plain cheese pizza, but instead, they got meat lovers plus all the veggies, anchovies, pineapples, and maybe a side of rat tails. If you had any idea what all the toppings were on that pizza, you would think twice about taking a bite, but you think you got a plain cheese pizza in front of you.
The biggest risk is people not understanding the amount of risk they have in cybersecurity and how that translates into business. Maybe I’m jumping ahead, but a cybersecurity attack can affect your retirement, the value of your business, jobs, employees’ livelihoods, and the local economy. The risk is a lot higher than when people think about it.
We understand that when we see the frameworks as the crust and the additional toppings or every pizza has to have some sauce, usually cheese, unless you are lactose intolerant, you get to make each framework your own by adding your own toppings. Our goal here is to understand those topics and where people make some of those mistakes. Without understanding those frameworks and the crust, how can they understand what the rest of the pizza should look like?
Your rat tail example stood out. It makes me think about what happens in many C-Suites when the topic of cyber risk is addressed. Generally speaking, because of what is happening, we see the cyber risk discussion evolve before CEOs would always say, “Cybersecurity.” Their attorneys and cyber laws are a no. There is another component to it, and you are accountable. What is interesting is, your average CEO, when they see a pizza, see rat tails and tarantulas on the pizza. Your technical teams see pepperoni. They were like, “I love this stuff.”
The common CEO wants to toss it over the fence and be, “I’m not eating that pizza. I’m going to delegate somebody else to eat that pizza.” They don’t roll up their sleeves, get in there, and go, “That doesn’t taste bad.” That is a good way to understand that not all people see pizzas the same. There are a lot of challenges when it comes to these CXO-related, so anybody in the C-Suite.
It makes me think of the marketing lead and perhaps the leads in charge of operations. They haven’t been around it enough in traditional brick and mortar. They are going to see rat tails and tarantulas. They are not going to want to bite at all. They are going to be like, “I don’t understand tech.” They use that as, “I don’t need that.”
What you see in risk management is these cyber regulations are both statutory and regulatory, not just regulatory. Statutory requirements are saying, “We know you don’t want to eat the rat tail and the tarantula, but it is pepperoni. You are seeing it wrong. If you don’t, we are going to hold you accountable.” Somebody in the C-Suite was like, “That is not in our team.”
I love that you brought it up that way. They think they are getting a cheese pizza. They dig in, and they realize there are some things on that pizza. There is no appetite for them to eat it at all and delegate. “It got a blinking light. I’m afraid of it.” That is fairly common in most late-adopter traditional brick and mortar businesses that are all of a sudden thrust into some regulatory or statutory requirement. They don’t know how to deal.
It is the awareness that drives behavior. If you are not aware of the risks, you are not going to change your behavior. Another way I think about it a little bit is seat belts. A few decades ago, cars didn’t have seat belts. People didn’t wear them. People weren’t aware of the risks you would die if you got in a car crash. It took an entire generation to get people to start wearing seat belts.
You might say, “It is GM’s responsibility to make a safe car.” After decades, he realized, “It is also my responsibility to flick that seatbelt.” It started with an awareness of there is protection and risks. Similarly, the stuff started coming down on the regulatory and statutory levels. That is a simplistic example. That is also part of what drilled the behavior change. You can get pulled over and fine if you are not wearing your seatbelts.
[bctt tweet=”Awareness drives behavior. If you are not aware of the risks, you will not change your behavior.” via=”no”]
We have tied into that analogy ourselves before. The interesting thing, after a lot of thought, is we are lucky there is a good analogy and relatable analogy there to explain risk management with the seatbelt. The challenge is, when it comes to cybersecurity, it is 126 point harness. Clients are buckling every 126 buckles. For somebody to put one seatbelt on and turn that into a habit is hard enough.
The reality is that you build the car safer, but what is happening with cyber risk and cyber laws is you need a cyber airbag that deploys for the executive suite. When we explain it that way, it is more relatable, and it has been a constant struggle to help executives and even boards understand what is happening here that the regulatory train has arrived. You are all part of the train tracks as executive leaders. If you don’t have an airbag installed, you are going to have an issue.
It is not going to guarantee you are not going to die, but it is sure going to offer a ton more protection in case one of those 127 harnessed seatbelt points isn’t put on by your users. What compliance is is the seat belts. Somebody is going to forget to put one on, or somebody is going to take one off for whatever reason. You are going to get in a crash, and something is going to happen.
I love the feed there. I wonder what challenges might be in getting people to put 127 seat belts on.
The first thing I see is on both the technical side and the business side, a lot of the regulatory requirements don’t specify which seat belts you need to put on. They will say something like, “You need 126 seat belts to be safe, and you don’t know if you have arrived.” This was especially true of what we talked about earlier. It is getting better. Much of the NIST framework is flexible, but to the point that it is hard to say, “Have you reached compliance?”
Fortunately, that has gotten better, especially as you see CMMC coming in when the SEC’s proposed cybersecurity rule where they are starting to get somewhat prescriptive and say, “If you are not doing these things, you are not compliant. That is not the end all be all. There is still this flexibility that changes based on your risk profile, size, and environment, but here are some things you need to be doing. Here are some of the seat belts that you need to put on now.” It makes it a lot more relatable. I don’t know if you have ever tried to explain to somebody the NIST framework at a high level. Eyes glaze over after about 30 seconds versus being able to say, “You need this type of tool to solve this compliance issue.”
Do you see that with your clients as you are implementing some of these security things? There are lots of different frameworks, including NIST, SISA, and CIS frameworks. Are the executives paying more attention to it? Are you getting that message across to them?
They are all paying more attention because they all know someone that was attacked. I have been invited a few times to speak in front of groups of CEOs. You don’t see a lot of these attacks in the news except for the big ones like Colonial, Twitter, and LastPass. How many of you know someone like a friend, acquaintance, business owner, or some random person that had a cybersecurity incident that didn’t make the news? Every time, every hand goes up.
There is a lot more interest. They know there is a problem, and they need a solution. Going to the framework is still difficult for most of them as a first step other than to say, “There is this regulatory framework that you need. Let’s start by explaining some of the tools and how they satisfy some of the more basic parts.” It is an educational journey, where after you have taken that first step of awareness and implementation, you can start saying, “Here is the broader framework in which you are operating and why it matters.”
Isn’t that the swan song of the CEO that does end up carnage on the side of the road? A hacker crashes into their business as it is heading down the road. Part of the issue is that everyone is driving down the road and they see a lot of car wrecks. The interesting part of this is the framework discussion. Is it 127 point harness? It is not as simple as a single seatbelt. The idea behind the framework, I’m wondering if your perspective has something to do with building the exact right seatbelt for the users when they start driving your business down the road.
That is generally reliant on the tech teams. They say, “You are the smart guy. Go figure it out.” The reality is the behavior of the driver is almost always the problem because there is no such thing as guaranteed survival of a car going down the road at 100 miles an hour, no matter how many airbags or seatbelts you put on. What are your thoughts on the behavior of individuals that is the biggest struggle, especially from the top down?
I’m going to go back to awareness to start. Even though I’m saying the CEO is someone that was attacked, they don’t understand how pervasive the issue is and how high the risk is. Until they understand that, it is hard to change their behavior. Most of the time, I find out it is worse than anybody thinks, and they wouldn’t believe me if I pulled them down. Sometimes I like to post on LinkedIn and say, “Here are some recent attacks.” You might think, “I don’t know. John is doing some research.”
Before we got on this show, I looked up some of the recent ones. There is Twitter, LastPass, SugarCRM, and Siemens PLC, which is a big deal, especially if you are in manufacturing and other critical industries, multiple issues with internet-connected vehicles, 20% of passwords were cracked in a Federal IT audit, and a messenger which is used even by European governments for secure messaging, CircleCI, and WordPress. Do you know what matters about that? Is there a connection that you can guess between all of those? It is not going to be the obvious one.
None of them have made the news.
They made the news. That is the headline from one tech website I visited. I didn’t do any research. I didn’t subscribe to the headlines, and those were all on there. There are ten times more attacks that you can find if you talk to security people. There are another ten times attacks that don’t get reported by anyone. That is the first step towards changing behavior.
The other thing at first that you see is every framework that has been seen has some level of user education in it. This is a big part of why. We need everyone to understand what the risks are, and you need people to understand that they got a personal responsibility from the janitor up to the C-Suite to protect the organization. It is not the same behavior. It is not the same thing that every level has to do. Ironically, often the C-Suite has access to less information than a couple of levels down, but they all need to be aware of it and know what to do or maybe as important as what to not do.
I don’t think there is any right or wrong answer when it comes to behavior because using the car analogy, why are we still having accidents if we have all these seatbelt laws and on-the-road logs? There is a degree of acceptance that I wonder why that measure is, what is right, what is wrong, and perhaps the regulations of the answer. What are your thoughts on that? What is enough before you disconnect completely because that is the only way to be 100% secure?
I’m going to start by tarring and feathering people that aren’t doing enough. That would raise some awareness.
Part of the point is that whether you like it or not, if you eat pizza, there is going to be indigestion. The question is, what have you done to make sure that you prepared for that? As far as the organization is concerned, like a household, there is going to be a degree of the things that we see already in the market, like security awareness training. You can drive as much security awareness training as you like, but that is not the only answer.
That goes back to the fundamental question of what are all those different treatments you are using in terms of what could possibly go wrong while you are on the road. Awareness is the king of the castle and has reached lawmakers. They are doing something about it. I still have relatives who don’t wear seat belts on the East Coast. It is about acceptance of risk, which is an executive discussion. Going back to awareness always makes the most sense. Perhaps the best way to improve that is the real discussion. What do you think is the best way? We now know awareness matters. Where does it need to happen besides cyber laws?
Can I get you to expound on that question a little bit so that I can answer more specifically?
Yes, the business culture within the producing set. You have producers that work for a large organization. You send them through security awareness training, thinking that is the treatment, yet they see the CEO or somebody else in the C-Suite asking IT to come over and disable this antivirus because they can’t work.
I will give you an example. In healthcare, we have seen, in some situations, you disable this right now, or somebody is going to die. It gets disabled. They move on to the next fire. It is not allowed to be re-enabled. All of a sudden, there is an issue. It is that balance of risk. Arguably, anybody who is like, “I don’t want that patient to die in healthcare. I’m going to do it. I’m going to disable that antivirus, but we will get come back to that.”
When that happens over with every single in a large scale in a clinical facility, you are logging everything. There is going to be evidence there, and somebody needs to address that. Is that hiring more people? Is it doing more awareness training for doctors? What is the answer? It is what is the balance rather than awareness. I don’t think you can completely eliminate the risk.
You can never eliminate the risk. I would change the tents of balance to balancing. You never achieve balance. You are always in this act. With the situation you described, part of every framework is going through auditing. You might look at what are the things that we know. Is the riskiest change the most often, like turning off antivirus all the time, especially software developers seem to be some of the worst?
If you have identified this as a risk, what do you have in place to go through and make sure it is still in the state that it is supposed to be, that is a core part of compliance, and this is how it’s supposed to be. There are going to be gaps. We need to save somebody’s life by disabling antivirus. You need to look for those gaps and either close them or document why you are not going to close this gap and have a mitigation plan in place.
Practice is part of that. You have to be able to practice those as a team. You have to understand what the goals are when you are under attack. How do you react? What are the plans? How can you move those forward? Part of that awareness is understanding you will be under attack and being ready for that. You don’t want to do your practice sessions under pressure. It is much better to practice those and understand it beforehand. You don’t want to go out and start playing the Super Bowl as your first game.
I feel almost like maybe we are diving too far down into the weeds here. There are another couple of ways you could think about this. One is any sports team has a set playbook. None of them are going to operate exactly how that play is written down because there is an opposing team that they have to adapt to. None of them make up the plays when they get on the field either. They have plans for most of the plays that are going to be against them or for what they want to do to move the ball down the field. These are plays they have written down. Hopefully, they have practiced, and they know which one to apply in which situation.
There is watching game tapes both ahead of time of what your opposition is doing and how do we do. That is built into a lot of these compliance frameworks. A lot of it is common sense. What do we think is going to come up against us? What can we do to mitigate the risks? What is our next play if something comes against us? Can we see what else is happening in the environment and what is likely to come against us? Assuming we get hit, going sooner or later, how do we execute the playbook that said, “This is how we recover?” What can we do better next?
It seems to go back to, at least in terms of risk management, that challenge of what the technology teams have to do versus the departmental business behavior and executive behaviors around the topic. If there is any, as proven by the seatbelt laws, it took years for people to do one click and believe in it.
Part of the journey is the journey that people are on already, especially executives driving down the road and seeing their competitors, suppliers, or even their customers in the carnage of a wreck on the side of the road. Call it natural evolution to some degree. The concept of anything in life does have a journey and lessons learned doing about it and not hitting the repeat button. It is a lot less likely if it has happened to you, but it has been proven that you need to see a couple of accidents on this side of the road before you take notice.
There are plenty of accidents on the side of the road. You have to open your eyes. From a leadership perspective, there is no question that anybody in tech has been jumping up and down on the table for years, saying, “I need you to do these 27 things.” The counter says, “I will give you three because that is all the budget can handle at the moment.”
There is also acceptance of ownership and responsibility. I’m going to return to the sports analogy for a second and move back to the framework. If you are the head coach of the team, you are not throwing the playbook to your linebacker. You can say, “Come up with it.” You own that book. You own that responsibility. It is your job to be winning games. There is no question about that.
CEOs understand this in most areas of their business, and most of the things that come with Cs understand they are over finance, HR, or operations. They understand that the CEO ultimately owns all of those things, except somehow IT got thrown way down to the side like janitorial services. That is not the case anymore. They got to own the entire organization even if the risk is there or not.
As we are talking about compliance, regulatory and statutory frameworks, you are starting to see them being held responsible legally for what happened. We saw in California that a CISO was convicted for not following all the proper steps in the course of a cyber-attempt. Regardless of how you look at that particular case, I’m a big believer that holding people up to the top responsible for what happened is important because as long as you don’t, you are removing some of the motivation and incentive for them to act responsibly. There are some of the other things and risks you talked about, but having the responsibility of coming down this compliance chain is important as well.
It is easy to reflect and look back at some of the different analogies that make cyber risk management that make awareness relatable, like the crashed vehicle on the side of the road and eating pizza giving you indigestion. There has to be somebody integrating, and that generally becomes an accountability factor. When I hear stories about lawmakers writing laws to potentially jail executives, there was a representative in Oregon who wrote a law but didn’t make it.
For years, we have had a two-party model. You are the company. You are doing business with a customer, and it is a one-to-one relationship. Anytime you have regulations coming in, you have to add this judicial branch, almost like the executive branch and the congressional branch. Here is this judicial branch and all these regulations coming in. It doesn’t take a genius to figure out that there are a lot of different analogies out there of, “Check with your doctor before you eat the pizza. Get the smog inspection before you get the license.”
One of the other analogies we have used in the past is that hackers are not thieves. They are also arsonists. They set these little backdrafts. They wait and distract your team after they have absconded with your data and extort you. We have no cyber fire department, but fire inspectors are coming and all these inspections.
The analogies are clear. We are getting better as an industry in helping awareness happen through relatable comparisons. We are always seeking ways to get new ideas from others in the industry because, through communication, you get better results. That is the biggest challenge most of us have, especially if you are a tech head. Head down, get out there, and communicate. As you evolve, and especially some of the younger folks evolve, they network better. Perhaps that is part of the answer. I’m sure that the recipe for success still boils down to lessons learned. That seems to be the case in the US specifically.
In terms of getting the CEO’s attention and not putting them understand the consequences of not following through with these things.
Call it cyber stability, cyber risk, or cyber security. There are many components to it. It is almost like a technical religion. It depends on what you believe, whether you are in the trenches producing, a leader, or a CISO who has the technical skills as well as the leadership skills to interact at the C-Suite level.
What I always come back to is that aged old problem of tech and security professionals doing everything they can, but they don’t have the authority to tell the CMO or the COO. That continues to be a struggle. Perhaps regulatory changes will abound because we are living in an internet-delivered world whether we like it or not. That is where we are going.
It is an interesting thing to chew on because I know the answer is not static. As much as we like to say, “Follow ISO 27001 or NIST 80171 because you are CMMC,” that only gets you part of the way there. Awareness and behavior are probably the biggest factors. We often say that when it comes to laws, and even some of the data privacy laws that are more common these days, there is a long journey before enforcement gets down into the weeds. I do wonder how that’s going to evolve because we are a country of arguing and less prescription.
In a lot of the things comparatively, like a GDPR where it is prescriptive, you get here. It can be a gray area sometimes when you get to the courtroom because what we are talking about here is that you have to tell the CEO, “You have to do this. We are going to audit you.” Holding the board accountable and not the CEO is the only way to get that done, and that seems to be what is happening now, at least in statutory requirements.
Jonathan, you got a whole security team at the house. How do you do security awareness for your own family with eight children and a wife? Tell us about your home life and not the cybersecurity part of it, but tell us about yourself.
I got eight kids. Five made at home, and three are chosen. Our home is a little bit crazy all the time. I have a crazy life. I do this stuff at work. There is always some craziness to running a small business, and I come home and do the same thing. There is a natural continuity between those things. I got to be laid back to handle that.
Do you have your home playbooks?
You have to have playbooks once you have that many people in the house. They will look different than they do at work, but you will be surprised how much carries over. It is a change of environment.
How often would you say you have to call an audible?
For the younger ones, it is hourly. For the older ones, it is closer to daily.
The young ones are a little bit easier.
Is it true that they say once you get past three, and we got more than three, it is not as difficult because you can achieve scale? I got three. I always wanted to ask.
I don’t know if it gets harder or busier. You are doing the same things. You are just doing more of it. There are some economies of scale. Whether you are going to the grocery market to buy 1 or 4 gallons of milk, you are still going to the grocery store to buy them out. You are not buying four different things to drink now. You get systems in place, like bedtime, time to eat, and house rules. It is not like those change a lot between 3 kids and 8 kids. You are still not allowed to run out in the middle of the road because you are the eighth child and not the first.
We have our kids do their own laundry, but I wonder if you have 2 washers and 2 dryers, 3 washers and 3 dryers, or a big washer and a dryer. This is scale. There are lots of ways to attack it. There are got to be things that happen when you get to eight. You have a nineteen-year-old, and she is not at home anymore.
She has moved out and is going to college.
Growing up, there were three of us. My older sisters are twins. It was like my older sister’s twins were like one person. I was like an only child because they had each other. Every parent that I talked to it seems like the ones that have more than three have a processional for how they run the house, but at scale with that many, I can only imagine and respect what has to be done in terms of resources to keep the household going.
The biggest thing is flexibility and understanding what is not going to get done. House isn’t going to stay clean. That is the way it is, especially when you got many young kids. There is going to be less time available in the day. Make sure that your expectations are adjusted by commercial things when you can. It comes to stuff like laundry or dishes. We do dishes twice a day instead of once. I don’t know that it is that big a deal.
A lot of families I know have laundry days. Mom and dad be will do their laundry on Monday, the kids on Wednesday, and these kids on Thursday. We got one for every day of the week now. A lot of it isn’t that different. I got a little bit of a bias here because I like to encourage people to be looking into the adoption and foster care communities in particular and to realize that it is not as scary as you think.
Unlike the other topics we are talking about here, it is a lot easier, and you are more prepared for it in most cases than you think. You can bring another child or two into your home. It is not going to blow your stuff up. It is not like, “I can’t handle another kid’s worth of laundry.” You can do that. There are dynamics and some stuff that is going to change. I’m not saying it is nothing, but if you wait until you think you are ready, you are never going to get there. It also applies to both discussions. You need to be ready, but you are never going to be 100% ready, but that is life.
[bctt tweet=”If you wait until you think you are ready, you will not get there. You will never be 100% ready, but that is life.” via=”no”]
Tell us a little more about yourself. How did you end up in the field? Where did you come from?
How did you get started?
My mom got a great picture of me sitting in front of some IBM computer at four years old, making pictures out of the letters. I don’t even think I could read at that point. I remember we got our first computer in third grade. I still know the dial of sound in my head. I’m sure you guys do too. No offense, but I can tell you that you are at the age where you remember what that sounds like.
I’m starting to program a little bit in fourth grade, mostly some DOS batch files. QBasic and Visual Basic came in middle school. I’m learning how to hack my district’s network. I didn’t do anything nefarious, but I found out that there wasn’t much in the way of protection. I’m continuing to do code in high school and starting to get paid for some of the more basic computer support.
I got to spend a year living in China between high school and college. That was a great opportunity to apply the cybersecurity things I had learned on my own in the real world. Even though this was many years ago, the Chinese still were going to watch all your internet traffic and look at your electronic devices. A nineteen-year-old protect your gadgets. Fortunately, I was relatively well prepared for that.
How do I get started doing this? My major was in Finance and Economics. It is the geeky side of the business. That is the number side. I graduated in ’08. It is a horrible time to come out with a degree in Finance. I found myself pushing carts instead of having a job in finance. I started doing this computer work on the side. A friend, Mike Turner, urged me to start a business. He is telling me regularly. Finally, I said, “Mike, what do I do?” He helped me. Without that, there would be no JM Addington Technology Solutions now.
That evolved a lot. It started with me. The biggest light bulb moment was when I started talking to other IT people and IT business owners, I realized that the stuff that I was doing that I thought was basic security was what other people were doing as high-end security solutions, especially for the SMB market implementing zero trust architecture. I had no idea what zero trust was when I started doing it. I thought this was the only smart way to do it. Why would you let traffic out of a firewall on port 3389 if you are not using RDP? Why do you let any traffic go somewhere where there is not a legitimate reason for it to be going in around?
Risk Management: Talking to other IT people will make you realize that the basic security you are doing is considered as a high-end security solution by other people.
There are a whole bunch of SOPs that we were doing that I later learned most people were not doing. It was an ingrained cybersecurity culture that went back all the way to grade school when I both learned what it was. I was self-taught and learned how to get by this stuff. We are able to apply those lessons later on. I’m bringing together a team that has the same culture of valuing security and understanding that it is the small things than the big things that are often more important.
Thanks for sharing your story and how you got started. We all have our stories, whys, and purpose. How has that changed up until now? What is your purpose and why? What you are doing is sometimes tied to something that happens in life. That might change. What is that now for you?
There are two things we are about. I don’t have this up on a wall, a mission statement, or anything like that. It is just to provide a good working place for employees, a place where they want to come to work. I don’t think there are enough jobs out there that people want to do, enjoy, and feel like there’s a healthy culture.
There is a personal mission to the company. At a broader level, it is securing the community. Security is our thing. If we could only do one thing, it would be security. Part of it is because it is a passion and we look great at it. It is important, which John and George, you guys notice because you see it. It is the ability of small business owners to retire. It is employee jobs and livelihood. It is impacting the local economy.
When you got money going to Russia or China, that should be staying in the local community. Even responding to these cyberattack fires, that money could be deployed so much better anywhere else in the economy or even staying in the owner’s pockets or bonuses. It is important, at a personal and local economic level, for businesses to be secured. That is what drives the business side of it.
The biggest challenge always is markets do change and life changes. Change is part of life. Maybe I’m a little bit older for this, but there was a movie with Steve Martin called Parenthood. There is a scene where the grandmother tells a story about a roller coaster ride. The whole point of that was life is a roller coaster ride. It has got its ups and downs. Where would you say you are on that rollercoaster ride? Are you up or down? Are you more of a merry-go-round guy?
You are the CEO of your business. For most CEOs and business owners, every day you walk into work, there is something exciting and something that get you up in the morning, and there is something that hits the fan. There is a lot of that in life. There are family issues that come up. You get to see kids go to college and make decisions that are going to keep them out of college. You get to see employees step up and make decisions that save a client from getting ransomware. Sometimes you see someone that needs some more training because they let that antivirus off.
[bctt tweet=”You are the CEO of your business. Every day, there is something exciting that gets you up in the morning and something that hits the fan. ” via=”no”]
It is a hard question. On a personal level, I sprained my MCL in July 2022. Even by runner standards, I’m a big runner. As soon as that started getting healed up, I got COVID in August 2022. Months later, I’m still dealing with the effects. I went from running 30 to 40 miles a week to hoping to walk a mile. The downside is I’m not running what I want to be running, but the upside is I’m finally making progress.
On the business side, I was out of it. I might as well have been in a coma. That was a downside. The huge upside there was everybody else in the company had to step up, and they did. I think it elevated everybody up to position and found out that there was way more capability in everybody individually and as an organization that I or we were aware of that is going to permanently impact us as a company and make us better. Where is that on the rollercoaster? I don’t know. This is maybe the part where it is going down, and it dips up. You are not sure if you are having fun or you are going to dribble up.
Sometimes it is easier to back that out and ask the question. Why an amusement park is a life for you right now? Some people would say, “A merry-go-round, I’m walking around.” We always know owning a business is like riding a rollercoaster. Most people want to turn it into a merry-go-round and print the money. I found out that the rollercoaster ride is invigorating. It can be scary, but the risk-reward function does sometimes come into play in the business environment.
Every business owner is doing their best to build a stable ride. The people that work for you, which we call the whole team, don’t work for you. You work for them. You have some people that want to be on a rollercoaster and some people that want to be on a merry-go-round. It depends on their personalities. That is why we have things like DISC profiles because people have a certain way about them.
There is an expectation of stability and excitement, depending upon the person. A business is a rollercoaster ride. At home, that analogy runs true. We want a merry-go-round, but you got a rollercoaster ride both in life as well as in professional environments. It is how life works to some degree. It is whether or not you enjoy it or not, that matters.
Jonathan, where can people find you?
My name is relatively unique, Jonathan Addington. You are not going to find a lot of Jonathan Addington. You stick that into Google. You will probably find me everywhere. You can find me on LinkedIn, which is where I do most of my professional postings. Find me on Facebook. It is more personal. You will see some of my photography there. I’m a little bit on Instagram. On Goodreads, not that there is a whole professional profile there, but if you want to see what I think is fun to read, you will see me there. Those are the main places I hang out. My secret is I am on Mastodon too, but I use a handle there. You are not going to find me by googling them.
I’m sure they can talk to you first, and you will share with them. That’s the way it works.
No, that is my secret persona. That is my Batman.
Jonathan, we appreciate your time. Thank you very much. It has been wonderful chatting with you. For the audience, thank you for reading. I hope you have learned something and maybe laughed, are scared, or hiding under the covers at this point. This has been another great episode, and see you next time.
About Jonathan Addington
Passion for running
Father of 6 children
From Knoxville, Tennessee
Founder and President at JM Addington Technology Solutions
*Founder & President of CyberSecureRIA
*BA in Finance and Economics and Philosophy from Bethal University
The solid business understanding helps me help clients make technology decisions that align with their business plans.
Present: Jonathan is the President of JM Addington Technology Solutions an