From Scotland to Silicon Valley: Den Jones' Journey

On this episode of the No Trust Podcast, hosts Jaye Tillson and John Spiegel are joined by Den Jones, founder of 909 Cyber and former head of enterprise security at both Adobe and Cisco. What unfolds is a conversation that feels less like a theory session and more like a masterclass in real-world Zero Trust execution — one grounded in lessons learned, leadership scars, and a bit of Scottish humor.

John Spiegel

11/7/2025

“If you’re not brave enough to take a risk, nothing changes.” – Den Jones

From Postman to CISO

Den’s story begins on the streets of Scotland — literally. At sixteen, he was delivering mail, playing music, and volunteering at his old high school when a former teacher mentioned a friend who worked in IT at Sun Microsystems. One conversation later, Den had a roadmap: study, get certified, and get into tech.

That single connection led to a job in manufacturing, a move into infrastructure operations, and ultimately a role at Adobe Edinburgh in 1999. Within two years, Adobe moved him to California. Twenty years later, he had held nearly every IT and security leadership role inside the company — from infrastructure and operations to enterprise security and identity.

By 2017, Den’s team had deployed Adobe’s first iteration of Zero Trust. When the pandemic hit, he joined Cisco as Senior Director of Enterprise Security and repeated the feat — rolling out Zero Trust to 110,000 employees in just five months. Today he runs 909 Cyber, advising organizations on strategy, execution, and leadership.

The CISO’s Expanding Risk

When Jaye asked if he ever imagined the kind of pressure CISOs now face — regulatory exposure, personal liability, even the threat of jail time — Den didn’t hesitate. “Not in a million years,” he said.

CISOs, he explained, are now about five years behind CIOs on the maturity curve. But unlike CIOs, they carry an entirely new level of personal risk. The line between negligence and accountability is thin — and the fallout is real.

“I talk to a lot of fractional CISOs,” Den said. “They’ve been in the chair for years, but they don’t want that same risk anymore. So they consult instead. They still help companies, but as contractors, the legal liability isn’t on them.”

For Den, this isn’t just a legal issue — it’s cultural. “We keep talking about CISO accountability,” he said, “but where’s the same accountability for the CEO? If there’s a breach, was the CISO negligent, or did the CEO fail to empower the CISO to do their job?”

Skills Gap or Expectation Gap?

Den also challenged the common narrative about the “cyber skills gap.” He sees it as an expectation gap — employers searching for “unicorns” who can do everything, for less money and more risk.

“There’s plenty of great CISOs out there,” he said. “But when they interview, they start realizing the job is a liability minefield. So they walk away. It’s not a skills gap. It’s an empowerment and compensation problem.”

CIO, CISO — Or Both?

As the conversation turned to organizational structure, Den predicted a coming convergence between CIO and CISO roles, especially in smaller companies. “If you’re responsible for both security and services,” he said, “then you’re security-first, services-next.”

He and Jaye agreed that the wall between IT and security is finally coming down. Teams that once clashed over priorities are aligning under a shared mission: protect the business. The result? More hybrid leaders who understand security, networking, and applications — and maybe even share the same budget.

“The reality,” Den added, “is that breaches are happening through identity, through endpoints, through the network. Those things used to live in IT. Now they’re security’s responsibility.”

Securing the Sins of the Past

Jaye raised a point that resonated across the conversation: most security teams today aren’t building for the future; they’re securing the sins of the past. They’re replacing legacy VPNs, re-architecting flat networks, untangling decades of tech debt.

Den laughed in recognition. “Legacy never dies,” he said. “At startups, the legacy is a five-year-old laptop in a cupboard. At enterprises, it’s 40 years of accumulated decisions. But if you’re not brave enough to take a risk, nothing changes.”

That bravery, he explained, means being willing to swap out foundational systems while the business is running — “doing heart surgery on IT while the patient’s sprinting.” And when mistakes happen, leaders must take accountability without hanging their teams out to dry.

A Zero Trust Lesson in Humility

Den shared one of his most memorable “leadership through disaster” moments from Adobe’s first Zero Trust rollout. His team was testing a new NAC policy that segmented internal networks to behave more like guest networks — a key step in limiting lateral movement. A single misconfigured rule accidentally disconnected the entire company.

“The 30 test users were fine,” Den recalled, “but the rest of Adobe couldn’t connect to anything. Call centers went dark. I was on sabbatical and got the call.”

It took four hours to recover. When Den briefed the CIO and CSO the next week, he opened with a grin: “For the first time in Adobe’s history, I can guarantee there were no bad actors on the network.”

Everyone laughed — then got serious. They did a full post-mortem, learned, and moved forward. “If you’re going to ask your team to run fast,” Den said, “you have to expect hiccups. You don’t blame them for it. You own it.”

How to Sell Zero Trust

When asked what advice he’d give leaders starting their own Zero Trust journey, Den didn’t talk about frameworks or buzzwords. He talked about audience and empathy.

“No one ever hired me and said, ‘Go deploy some Zero Trust,’” he said. “They hired me to build a program that reduces risk.”

At Adobe, he learned to speak in outcomes, not architectures. The CIO wanted to move faster. The CSO wanted to reduce risk. So he framed his plan around three simple wins: remove passwords, remove VPNs, and make internal apps ‘cloud-like.’

Executives, he noted, don’t want to hear about 18 technical benefits. They remember three things that make their lives easier. “They hate passwords and they hate VPNs,” he laughed. “If you fix those, you’ve already got them on your side.”

When he later brought Zero Trust to Cisco — ironically a company known for selling VPNs — he set an aggressive five-month goal to deploy across 110,000 users. The program wasn’t perfect, but it worked. It was measurable. And it proved a point: progress beats perfection.

Measure Progress, Not Perfection

Den’s north star for success is simple: “Are we better this month than we were last month?”

Zero Trust, he argues, is a continuous improvement journey. “My measurement of success isn’t perfection. It’s that every month we deliver something that improves the business and reduces risk. If your project takes longer than it takes to make a baby, you’re doing it wrong.”

It’s funny — but it’s true. Long projects lose visibility, confidence, and momentum. Den prefers quarterly wins that show tangible progress and justify continued investment. “Deliver, celebrate, and ask for more budget,” he said. “That’s the rhythm.”

Reporting Up: What Not to Say

When the conversation turned to board reporting, Den was blunt: “Don’t tell them you patched 50 servers. No one cares.”

Instead, he recommends speaking in business terms — how security initiatives save money, reduce friction, or accelerate growth. At Cisco, his team supported over a hundred customer meetings that helped close deals. “When you do that,” he said, “you’re not just a cost center anymore.”

Leadership and Listening

Asked what advice he’d give his younger self, Den smiled. “Listen more and talk less,” he said.

It’s deceptively simple. But after thirty years in tech and twenty in leadership, he’s convinced the best leaders know when to pause. “I’m a storyteller,” he admitted. “But sometimes silence is what gives people space to think. And when people feel heard, they’ll follow you anywhere.”

The Sunday Roast Test

Every No Trust episode ends with something personal, and this one was no exception. For Den, a perfect Sunday dinner is a roast of lamb with cauliflower purée, crispy potatoes, and a bottle of wine. He still misses Scottish sausage rolls and a proper fish-and-chips shop — though he admits pineapple on pizza “isn’t always wrong.”

It was the perfect ending to a conversation about leadership, resilience, and the human side of Zero Trust.

Closing Thought

Zero Trust isn’t a framework or a tool. It’s a mindset — one built on courage, accountability, and constant improvement. Den Jones embodies that spirit. From postman to CISO to founder, his story is proof that security isn’t just about protecting systems. It’s about empowering people to take smart risks — and to keep moving forward, one month, one milestone at a time.

Listen Here - https://on.soundcloud.com/ofGruNInzKS21jjJDz

No Trust Podcast: Conversation with Den Jones - Edited Transcript

Jaye Tillson:
Hello everyone, and welcome to another episode of No Trust.
Today we’re joined by someone new on the show — Mr. Den Jones. Den, before we dive in, give us a bit of background. I can already tell from the accent you’re not from around here, so how did your career start, and how did you end up in the U.S.?

Den Jones (909 Cyber):
Thanks, Jaye and John — great to be here. So, imagine being sixteen in Scotland. The weather’s terrible, you’re walking the streets as a postman, and you’re mostly interested in music.

I used to volunteer at my old high school helping with music programs, and one of my teachers introduced me to a friend who worked in IT at Sun Microsystems. I went to visit him, saw all his music gear, and asked how he could afford it. He said, “I work in IT. Go to college, get some certifications, and you can do the same.”

So that’s exactly what I did. I landed a job — one of only two students in my class of thirty-six to get one — and eventually hired a few of my classmates later on. I worked in manufacturing and infrastructure operations, went into contracting, and in 1999 joined Adobe Systems in Edinburgh.

When the Y2K panic hit, nobody wanted to change jobs, but I took a short contract that led to a full-time role. A year later, Adobe moved me to San Jose, and I’ve been in California ever since. I spent almost twenty years at Adobe, doing just about every kind of infrastructure and operations role until my last gig, which was in enterprise security.

In 2017 my team deployed what we called Zero Trust for the first time. Then in 2020 I joined Cisco as Senior Director of Enterprise Security — right as the pandemic hit — and rolled out Zero Trust there using Duo. After that I did some startup work, and a year ago I launched 909 Cyber, a consultancy focused on strategy and execution, mainly for small and midsize companies but some enterprise work too.

It’s been a journey. I still play music — that’s what keeps me sane — and these days I spend a lot of time helping CISOs and security leaders build programs that actually work. The challenges are real, but it’s a fun gig.

Jaye Tillson:
When you look back over your career and see the pressure CISOs face today — regulatory scrutiny, personal liability, even potential jail time — did you ever imagine it would come to that?

Den Jones:
Not at all. At sixteen in Scotland, I never imagined I’d even be in California, let alone here. But you’re right — the pressure has grown dramatically.

CISOs today are about five years behind CIOs in the maturity of the role, but the personal risk is much higher. Ten years ago, if something went wrong, nobody thought a CIO could go to jail. Now we’ve seen CISOs personally charged or fined.

Many experienced CISOs I talk to have shifted to fractional or advisory roles because they don’t want that liability. As contractors, the risk sits with the company, not them.

I’d also love to see the CEO held to the same standard. When there’s a breach, we always ask if the CISO was negligent — but was the CEO empowering them to succeed? That’s the real question.

Jaye Tillson:
We also keep hearing about a “cyber skills gap.” But I’m not sure that’s the whole story. What’s your take?

Den Jones:
I think it’s more of an expectation gap than a skills gap. There are plenty of talented people out there, but companies are looking for unicorns — someone who can do everything for less money and take all the risk.

When CISOs go through interviews, they quickly see the mismatch between responsibility, compensation, and empowerment. Many walk away. It’s not that we lack talent. We lack realistic expectations.

John Spiegel:
We’ve talked about how the CIO and CISO roles are changing. Where do you see that relationship heading?

Den Jones:
I think we’ll see the CISO role merge more with the CIO role, especially in smaller companies. If you’re responsible for both security and IT services, you’re “security-first, services-next.”

More organizations are cloud-based now. You’re not spending a year deploying SAP anymore. Security, infrastructure, and networking are converging. I’ve been both a CIO and CISO, and that blend makes sense — one person accountable for protecting and delivering.

It’s also a budget issue. When the two roles fight for separate budgets, things get political. A single leader with unified responsibility removes that friction.

Jaye Tillson:
Most of our teams are still securing the sins of the past — decades of legacy systems that were never built with security in mind. Maybe as companies modernize, we’ll finally break that cycle.

Den Jones:
I’d love that, but legacy never dies — it’s like The Goonies.

When I moved from big enterprises like Adobe and Cisco to a startup, I thought I’d escaped legacy. There, “legacy” meant a five-year-old laptop in a storage closet. But when the startup got acquired, we inherited the acquirer’s tech debt.

If you’ve been around ten years or more, you’ve got legacy. The only way to move forward is to be brave enough to replace it — to take risks and make hard changes while the business keeps running. When I led Adobe’s service-management transformation, we swapped ITSM platforms every twelve weeks. It was like performing heart surgery on IT while the patient was sprinting. But if you’re not willing to take those risks, nothing ever changes.

Jaye Tillson:
Speaking of taking risks, what’s the biggest mistake you’ve made that ended up teaching you the most?

Den Jones:
Early in my career I became a manager way too young. I hired two guys straight out of college who were friends, and I had no idea how to lead them. I didn’t have the maturity or mentorship to handle it. The lesson was simple: ask for help. Find people with experience and learn from them.

Years later, when my bosses encouraged me to go back into leadership, I hesitated until I saw someone less qualified get promoted. That was my wake-up call. Since then, I’ve loved leading — building teams, mentoring people, creating a culture where they can thrive.

As for technical mistakes? During Adobe’s Zero Trust rollout, we were testing a new network-access control rule that segmented internal networks like guest networks. One engineer pushed a bad config and shut down the entire company — everything offline except our 30-person pilot group.

I was on sabbatical. Got the call Friday; due back Monday. We fixed it in four hours. The next week, in front of the CIO and CSO, I said, “For the first time in Adobe’s history, I can guarantee there were no bad actors on the network.” They laughed — because no one was on the network at all.

The lesson: when the stakes are high and the team messes up, you take the hit. You own it. If you want people to run fast, you have to accept a few stumbles along the way.

John Spiegel:
That ties into leadership. Zero Trust isn’t just technology; it’s vision and communication. What advice do you have for leaders driving these programs?

Den Jones:
When you’re hired, no one says “go deploy Zero Trust.” You’re hired to build a security program that reduces risk. Understand your audience. The CIO wants speed and efficiency. The CSO wants risk reduction.

At Adobe, I focused on outcomes they cared about: remove passwords, eliminate VPN, and make apps “cloud-like.” Simple ideas that solved real pain points. Executives don’t remember 18 benefits — they remember three that make their lives easier.

When I went to Cisco, I set a five-month goal to deploy Zero Trust to 110,000 people. We weren’t perfect, but we proved it worked. You don’t need 100 percent perfection — you need progress that matters to the business.

Jaye Tillson:
Exactly. We’ve talked about that with John Kindervag too — it doesn’t matter where you start, as long as you start.

Den Jones:
Right. My mantra is, “Are we better this month than last month?” Perfection isn’t the goal. Improvement is.

If your project takes longer than it takes to make a baby — nine months — it’s too long. Deliver in quarters. Show value every three to six months, then ask for more budget. Leaders who can demonstrate progress keep getting investment.

And stop reporting vanity metrics. Don’t tell the board you patched 50 servers. No one cares. Talk about how you saved money, reduced friction, or helped sales close deals. At Cisco, we supported over a hundred customer meetings that helped sell Cisco products. That changes how the business sees security — from cost center to growth enabler.

Jaye Tillson:
Great advice. So if you could go back and give your younger self one piece of leadership advice, what would it be?

Den Jones:
Listen more, talk less. I’m a storyteller by nature — I like the sound of my own Scottish accent — but real leadership starts with listening. Silence gives people space to think. When people feel heard, they’ll follow you anywhere.

John Spiegel:
We always end on something personal. Den, what’s your perfect Sunday meal?

Den Jones:
I’m a huge foodie. Growing up, we ate a lot of lamb — so a roast lamb dinner with cauliflower purée, roast potatoes, and a good bottle of wine. That’s comfort.

And I miss Scottish food — sausage rolls and a proper meat pie. The U.S. just doesn’t do them right. And yes, I’ll even defend pineapple on pizza. Sometimes sweet and savory just works.

Jaye Tillson:
We’ll agree to disagree on that one. Next time you’re back in the U.K., we’re all going for fish and chips.

Den Jones:
Deal. Thanks for having me on, guys. This was a lot of fun.

John Spiegel:
Thanks, Den — great conversation.

Jaye Tillson:
And thank you to our listeners for joining another episode of No Trust. Stay tuned for more real-world conversations about building and leading Zero Trust programs.