Cybersecurity professionals are often technically right but strategically ignored, and the gap between security knowledge and business impact comes down to how the story is told. In this conversation, Josh Mason draws on his Air Force background, MBA training, and new book to explore how security teams can reframe their message, align with business priorities, and move from being sidelined to being heard.
⬥EPISODE NOTES⬥
What happens when a cybersecurity professional knows exactly what's wrong but can't get anyone to act on it? It's a problem that affects security teams across every industry, and it's the central question driving Josh Mason's new book, Speaks Security with a Business Accent. In this conversation, Josh Mason joins Sean Martin to unpack why technical accuracy alone doesn't move the needle and what it takes to communicate security in terms the business actually understands.
Josh Mason brings a perspective shaped by years as an Air Force pilot and cyber warfare officer, where mission-first thinking wasn't optional, it was survival. As a safety officer, he studied aircraft mishaps, analyzed black box recordings, and learned that risk awareness doesn't mean risk paralysis. The same philosophy, he argues, applies to cybersecurity: teams can acknowledge risk without letting fear of failure prevent them from supporting the mission. Drawing from books like Dale Carnegie's How to Win Friends and Influence People, The Phoenix Project, and The Goal, Josh Mason structured his own book as a narrative, telling the story of a CIO who transforms a disconnected security team into one that communicates effectively with colleagues, leadership, the board, and eventually beyond the organization.
A recurring theme in this conversation is the danger of perfection as the enemy of progress. Josh Mason uses the Iron Man analogy of building an imperfect prototype, flying it, learning from the failure, and iterating, to argue that security teams need to embrace a similar mindset. DevOps teams have already adopted this approach, and security can learn from it. Inaction for perfection's sake, he warns, isn't going to get anyone anywhere.
The conversation also examines whether the cybersecurity industry does enough to learn from its own incidents. Unlike aviation, where the FAA and NTSB mandate rigorous post-incident analysis, cybersecurity lacks a centralized authority enforcing that same discipline. Organizations like MITRE, Verizon, and Mandiant publish valuable trend reports, and the data is there for those willing to use it, but it ultimately comes down to individual responsibility and leadership within each organization.
For anyone who has ever felt technically right but strategically sidelined, this conversation offers a practical lens on bridging the gap between what security teams know and what the business needs to hear.
⬥GUEST⬥
Josh Mason, Author of Speaks Security with a Business Accent | Air Force Veteran, Cybersecurity Professional, and Founder of Noob Village | Website: https://www.mason-sc.com | On LinkedIn: https://www.linkedin.com/in/joshuacmason/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/
⬥RESOURCES⬥
Speaks Security with a Business Accent by Josh Mason | https://www.mason-sc.com
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact
⬥KEYWORDS⬥
josh mason, sean martin, speaks security with a business accent, cybersecurity communication, business alignment, penetration testing, risk management, air force cybersecurity, security leadership, mission-driven security, stakeholder communication, security storytelling, noob village, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
Speaking Security with a Business Accent | A Redefining CyberSecurity Podcast Conversation with Josh Mason
[00:00:00] Sean Martin:
And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine. I'm Sean Martin, your host, and if you listen to the show, you know, I get to talk to all kinds of cool people about cool topics and never a dull moment in cyber, of course. And to me it always seems, it boils down to telling a story.
whether you're telling a story to your team as a CISO, trying to inspire them and empower them and to enable them, or you're telling a story upwards, uh, as a SOC analyst to, uh, the CISO or the CISO up to executive leadership team. It's, about telling that story with and without numbers, with and without data, with and without pictures.
But in a way that connects and hopefully, the idea that I believe is, to drive some action, right? Gimme budget, change how you look for, how you threat hunt, change how we build products and deliver services to our customers. Always, always about taking action. And as the show is inspired to do by me, hopefully it is to do it in a way that the business does it safely and protects the revenue and, and market growth that it generates.
[00:01:16] Josh Mason:
Hey Sean. I'm doing great.
[00:01:19] Sean Martin:
It's good. Good to see you, my friend. Yeah. And it was a nice treat catching you in, in New York City at BSides and,
[00:01:27] Josh Mason:
Oh yeah.
[00:01:28] Sean Martin:
Yeah, it was, it was a good, a good event. We spent quite a bit of time hanging out together and, meeting people and chatting with people and, and Huxley puts on a Huxley, Barbie puts on a good, good event there for sure.
[00:01:40] Josh Mason:
Oh yeah. Agreed. Thanks for letting me basically take every, your whole day in. That was fun.
[00:01:46] Sean Martin:
You didn't, you didn't take my whole day. we, we enjoyed the day together and, yeah, it was fun cruising around and saying hi to folks and, and hearing what was going on. And, it was the, the inspiration to, have a chat and connected to storytelling. Yeah, one of the, one of the things we gotta talk about is speaking security with a business accent.
how you spin that there. We, we talk about language of, security to the business or language, business language and security and, and trying to make that connection. But I like the accent 'cause it's the same thing. It's just connecting and, and, and, yeah. I don't know. I, I wanna get your perspective.
before we get into it though, Josh, maybe a few words about, what you've been up to, what you're working on these days.
[00:02:32] Josh Mason:
Yeah. So, right now my, my day job is, I do federal sales at, Synack, where we sell pen testing. and I'm on the federal sales team, so to the federal government pen testing at scale, supplementing in-house penetration test teams, but, I'm always busy doing a lot of other things. as folks like you have pointed out.
I run a non-profit Noob Village where it's, I call it the tutorial version of DEF CON or the on-ramp of DEF CON. and we had our, our first year, this past August, and that went swimmingly. And had a meeting last night. We're already prepping for the submission, which we won't be submitting until February, but we already have our ideas put together of what we wanna do for this next year, and, yeah.
an Air Force, pilot in cyber warfare background and grabbing an MBA along the way, and then finally got into cyber. And so I, I look at things and think about things a lot different than, a lot of other folks that I work with. That's what I've learned.
[00:03:45] Sean Martin:
Yeah. Yep. Which is, which is really cool. And, I mean, you're, you're a busy guy. I know you're, you're at a lot of conferences. You have a lot of conversations with folks. And, you, you give back tremendously to the community, which I'm sure people appreciate to, who are the beneficiaries of, of the work that you do.
[00:04:04] Sean Martin:
yeah. So all the good stuff you do for, for the, the community. Tell me, tell me Josh, what, you have a book that, that you put together.
Kind of tell us what that's about and kind of the catalyst for, why you decided to write the book.
[00:04:20] Josh Mason:
Yeah. I was giving some talks this past, spring and kind of things that I've learned from translating my, what I've learned in from being a pilot to. Some takeaways that I think a lot of cybersecurity folks can, can utilize, upwards communication, things along those lines. And, I, I've recently identified that I'm autistic.
a book like Dale Carnegie's How to Win Friends and Influence People. And then books like The Phoenix Project and The Goal, which show how do we tie in the work that we're doing in one department, with The Phoenix Project in IT, and then cybersecurity.
it didn't matter where you went on base, if you knew it was a, a base where you've got planes that fly in the end, everyone knows that they're part of that mission of moving things or, you know, plans getting off the ground even if, they're a guard at the gate.
do, but part of their job is getting things off the ground. So I had been giving talks along those lines of if you want to have your penetration test, results your, your report have some impact. knowing that I was going to a conference with a bunch of penetration testers, I decided to Dale Carnegie Principle speak in terms of the other person's interests.
prioritized? Are they going to get budgeted? Are those things going to matter and how we write the report?
for those talks. Kind of was the catalyst because in at the end of the talk I presented a lot of these books, a lot of these ideas, a lot of the concepts of how do we frame things and put them in those terms.
[00:07:59] Sean Martin:
Just like that. It's when
[00:08:01] Josh Mason:
Well, I have the
[00:08:02] Sean Martin:
which is, yeah, we have the notes. Well, I guess that, that, it's an interesting, good, good point. in that, You have the knowledge, right? It's not just going and digging up a bunch of stuff and pulling it together. You have, you have the knowledge and the experience and, and I've had these conversations done, these presentations, I'm sure speaking with folks after you present, they validate some of your thinking.
an organization's program. So. Tell me, so you, in, when you were giving the example of pen testers and pen testing and, and that is, is the book, it's not specific to pen test, right?
[00:08:58] Josh Mason:
Yeah. I really liked the way The Goal and The Phoenix Project and The Unicorn Project were written in that they share principles without being boring. They are not textbooks. They're fiction, they're literature. There's a story and a plot and a character. And, I went. I, that is not my strength, but I do have my undergrad in humanities, and it's 2025, so with a, you know, $20 a month, editor to, to help me out with this dialogue stinks.
page by page, by page, actually made a pretty decent story of a CIO at a company who realizes that their team is ineffective in communicating with one another. Is ineffective with communicating upwards and outwards and, shares, principles with, both the team, with colleagues with the board, and then eventually outward.
as ironically, I don't want to give up the plot, as, as their career grows and they face new challenges. Taking it beyond, their organization, realizing that they get to grow as a leader as well. So multiple learning points there. if you've read Dale Carnegie, a lot of the PO and you've. Put those things into practice.
studied for an MBA, a lot of the things are gonna look very familiar. but the context for it might seem obvious. And yet everyone that I've spoken to at, in a leadership position that I've presented it to, they go, wow, this. I wanna make my organization look like this, and that's one of those things that really makes me smile to hear.
[00:10:59] Sean Martin:
I love that. And with, without giving away too much, are there. Attributes or actions or other elements of, of a security operations, program, let's say, that you, you highlight changes? so don't, I don't wanna give away the secrets, but are, are there, are there things that, that you help say. Yeah.
you highlight as areas for, for potential improvement?
[00:11:40] Josh Mason:
There's a little bit of tactical level, presenting some tactical ideas for. Options. But, nothing is, you should do it this way. It's, we could do it this way, this way, this way, or this way. And we should choose it based off of what are we trying to achieve as an organization, both as our security organization, but the security organization isn't an end in itself.
[00:12:16] Sean Martin:
Perfect.
[00:12:17] Josh Mason:
Because that's my, my minor from undergrad.
[00:12:20] Sean Martin:
That's your jab. I know.
[00:12:22] Josh Mason:
yeah. so I was a safety officer as my first additional duty as a copilot. Once they were cool, you can land the plane. You can take off the plane, you can do all the things that you're supposed to do as a copilot.
now you need a job to do in the office. Because everyone's gotta have a job, job to do when they're not flying, which actually makes up 90% of your week. So, I went to safety school and I studied aircraft crashes, mishaps. It was, a bit of crying. A lot of listening to black box tapes and, seeing recreations of the crashes and knowing, actually some of the.
people involved and then going out to sites and seeing how an investigation would occur and knowing how to manage a, the whole process from, soup to nuts and, then going back and being in charge of a safety program for our unit. And anything from, A guy riding his motorcycle home from work one day, takes a curve wide and, shatters his ankle and has a ground mishap that I have to file, because that counts under safety, to bird strikes, which happened way too often.
eagle over Arizona that goes into an engine, and now we have to. It was a mess. then you gotta somehow get a new engine to some random airfield in Arizona. and you don't think that that's gonna be a big issue. But, birds into engines is not a good thing.
the Hudson. And so, with that, while your mindset is on the worst case scenarios, that's not what you focus on all the time. You do the work so that then everyone can focus on the mission. So it was never oh, hey, don't forget. Don't, don't hit any birds. Instead, it was we all know that there is a bird migration season and birds fly often at dusk and dawn and at these altitudes, and there's a lot of mission mitigation to take into it.
risk for the mission, but, you're aware of it and then you make the mission happen and,
it is the safest form of mass transportation and in the Air Force it is fairly safe in the big scheme of things. So in that same sense, now take that to security. There is the mindset of. Don't get breached. Don't, don't let your someone get your passwords.
the mission. And that's, if we can frame things in those mindset and then now understand.
if, market share, if this quarter we're, we're coming up on Thanksgiving and Christmas, if it were a retailer. I'm pretty sure the big focus is going to be, making sure that the website stays up, that shipping goes out, that payment information is able to go through.
number one, 'cause I know that's what their focus is. And so how can we, as security in the organization, make sure that those are available for the rest of the organization?
don't get breached, but where's our biggest risk and what are we most concerned about right now?
[00:17:06] Sean Martin:
Yep. I mean, you know, the birds are there. You gotta, you gotta, you gotta be, be prepared. So how, in telling your story of, of analyzing incidents and, funny, I just use that word. I was, I was gonna say crashes, but I use incidents 'cause it sounds like more than just crashes. how. Because not, not everybody who's flying gets to do what you did there, but you brought back that understanding in a way that helps the team understand what you saw and heard and, and watched and analyzed and, and take that to help them not think about it all the time, but be.
connecting to security teams. I know we spend a lot of time, looking at kill chains and building playbooks for response and, and running pen tests, looking for weaknesses where some of the stuff of a bird hits here, it's gonna do this.
but I don't, do, we do a good enough job. Doing the, the postpartum of, of breaches. I mean, we don't, we don't really share that information much.
[00:18:25] Josh Mason:
It,
[00:18:26] Sean Martin:
So it's really, really hard to look, look back at and say, you're, you're the most, here are the 10 most common ways companies are getting breached through phishing, ransomware, whatever it is.
[00:18:49] Josh Mason:
It's tricky. With aviation, obviously the FAA got put in charge of all of that and the NTSB, National Transportation Safety Board, and back in before, the, the biggest crash, biggest airline crash in history was in 1977, to Guci GPA in the Azores. Two 747s ran into each other on the runway because of one, couldn't see the other one and the run, air traffic control cleared one.
While another was still on their runway way crossing. And, since then a lot has gone in, to stop an incident like that from happening again. Now that was hundreds of, you know, individuals, lives. We in security, in cybersecurity, we have big issues. CrowdStrike affected a lot of people.
I'm thinking back to, some of the biggest worms and malware, that stretch across the globe affected a lot of people. However, the body count is, one of those things that overall. Governments haven't gotten to the point where they've decided, okay, we need to really strictly have something watching over this and managing it.
things along those lines. So in the end, what you end up with is we have some organizations like, MITRE, Verizon, Mandiant, who.
the incidents that they're tracking, the incidents that they manage, the incidents that they know about and put out trend reports, and those are very helpful overall to the rest of us. And then there's the, the blogs and the cyber threat intel that's available openly and then paid for, and that's also helpful.
organization is willing to open their eyes and look for it, it's there. So yeah, I think we do do a pretty decent job of it.
[00:21:07] Sean Martin:
I, I, I would agree that we have, we have a lot of data to review and analyze and ingest and, and take into our program. I'm wondering if. Are we, are we making the most of that though? And, and, yeah. I don't know. Maybe, I don't know if it's the, the creators of the content, the, the research that, I dunno, do they?
[00:21:49] Josh Mason:
Yeah, it, I think it comes down a lot to individual responsibility. In the organization and I think in the United States at least, there's going to always be that sense of
taken well.
it being a very popular motion. I mean, even things that are, are popular right now aren't popular right now, you know what I mean? facing this past month. So it's, I, I would love to see things like that seem obvious like that put in place. I just, I think it, it is going to continue to come down to the, to us helping to educate and lead, our colleagues, to understand and then educate and raise others in the industry and in the community to have that mindset.
that way, we might be able to make that change better than hoping that something happens from above.
[00:23:07] Sean Martin:
Yeah. Yep. I'm, I'm, I'm always hopeful that, that we, we find that path to, to do more and do better and make that connection. I want to. as we begin to wrap here, I saw a post the other day and I commented on it. It, it was not a cybersecurity post. I don't even think it was a technology post.
and I'll, I'll include a link to it. I'll have to dig it up again, but basically the, the author, she said. I spent so much time making sure I was extremely accurate and always right in my driving of things with my team, that I ultimately alienated my team and those around me.
How does that relate back to the book and what you're trying to say there?
[00:25:04] Josh Mason:
Yeah, that's, that's very poignant.
well, but that's not the secure thing to do. Or that doesn't fit what the model says or that isn't the best practice. And that might be true, but it also, again, comes down to that isn't necessarily our decision to make unless it's our company.
yeah, but there's, I, I recently saw a, a reel, a short at TikTok. I don't know, it probably went across several of them. it was in response to one, if, if you're paralyzed by inaction or paralyzed, in inaction. By focusing too much on trying to make the right choice, you're stuck in a fight or flight, mindset and the follow on to that was, and that was from a, psychologist or a sociologist.
and I think too often that's accurate for cybersecurity people. Say, well, what, what is the right thing to do? It's like, well, there might not be a right thing to do. There might just be a best thing to do, and the best thing to do is going to be based off of what is the mission.
[00:26:29] Sean Martin:
Yep. It's funny. I was just gonna say the right choice may not be the best choice, and the best choice might not be the right choice, and that that can all be true at the same time.
[00:26:39] Josh Mason:
The, the fun response to that was, reference back to the first Iron Man movie in which, Tony Stark, he's building out the Mark II in his mansion in, you know, in Malibu, the Mark I he built in the cave so he could escape. And, you know, one flight got him out of there. You know, you survived the cave, got away from the, the captors.
It is not finished. It is a prototype that he, you know, can fly. And, his systems, his AI says, okay, you, you shouldn't do this. Cool, you flew. Good job. Now you should land. And he goes, okay, excellent, great. Let's go up into the air.
58,000 feet or 85,000, something like that. He goes up into basically space and he freezes up because the suit's not made for it. And Benny finds out, okay, the suit is not made for that, and it ends up being the pivotal piece that. Sorry if I'm ruining a 20-year-old movie for you.
it ends up being the pivotal piece that that's how he wins in the end beating. You know, the other guy is because he ran before he walked, he decided I need to do this thing before I sit and figure out what would be all the perfect stuff before I get on the spreadsheet. We figure out all the specs and features, build it.
iterate. And sometimes we just need to do that. DevOps is happy to do that, but security, we're oh no. we can't possibly do that. We have to have it all figured out. Well take something from DevOps. Know that you can have a 2.0 and a 2.1. Yeah.
[00:28:38] Sean Martin:
Yeah, exactly. Yeah. Yeah. That interesting point. I, I didn't, I don't know the movie. For, sorry for those who might judge me for that. But anyway, as you're describing that, I was just thinking if you're, if you're entering that space against a foe and you figured out that the suit's the issue and the, and the foe didn't, and you can survive in that environment and the foe can't, that, I dunno if that's the story or not, but that makes me think about security.
[00:29:29] Josh Mason:
yeah. In the, in the movie, you know, he's got this suit, and he ends up fighting another guy with a very similar suit, except the other guy's suit is well engineered for battle and, beats him up pretty badly. Making a lot of mayhem all over LA and he finally realizes, you know what? I'm not gonna win this, against one-on-one.
you know, the 2.1 version, and he's going up and up and up and up and up and he finally asks, so what did you all do to deal with the icing? And the other guy says, what? Icing? And the other guy freezes up and he doesn't. That's how he wins the battle.
[00:30:12] Sean Martin:
There you
[00:30:13] Josh Mason:
And yeah. is there a perfect analog?
we can't let the, the takeaway should be that inaction for perfection's sake, isn't going to get us anywhere.
[00:30:26] Sean Martin:
I love it. Well, Josh, I mean, we can, we could take this all kinds of different ways. Kind of like we did. We were hanging out in New York, in New York at BSides, just chatting and, and shooting the breeze. And, always good to see you, my friend. We're gonna, we're gonna leave it here. The book is Speaks Security with a Business Accent: How to Communicate Cybersecurity Concepts Clearly, Ease Friction with Stakeholders and Influence Decisions.
sounds like a good book, my friend. I will say thank you for, for sending me my copy. I hope to, grab that soon when I get back to where you sent it and, and we'll have a, have a good read of it and I would encourage everybody else to, to do the same. Grab a copy. Sounds like a good team book. for teams to read together and, and maybe there's some, activities or workshops teams can do, do after, after they read certain parts of this.
I'll include links to the, the book so people can grab that. And obviously your LinkedIn so people can connect with you. So thanks again, Josh. Congratulations on the, on the book.
[00:31:25] Josh Mason:
Thanks, Sean. Thank you, Heather.
[00:31:27] Sean Martin:
And thanks everybody for listening and watching, this episode of Redefining CyberSecurity here on ITSPmagazine. Please stay tuned, subscribe, share with your friends and enemies, and, if you have a story you wanna share about, how you run your program and, how you're seeing some benefits, let me know.
we'll see everybody on the next one.