GitLab’s CISO Josh Lemos on the pros and cons of making security practices public

Written by Thomas Kinsella, Co-founder and CCO, Tines

Published on April 28, 2025

In this week’s episode of The Future of Security Operations podcast, I'm joined by Josh Lemos, CISO at GitLab.

Throughout his 15-year career in security, Josh has led teams at ServiceNow, Cylance, and Square. Known for his expertise in AI-driven security strategies, Josh is also a board member with HiddenLayer. He drives innovation at GitLab with a relentless focus on offensive security, identity management, and automation.

Josh and I discuss:

  • Leading an extremely transparent security function — and the challenges it brings

  • How he keeps a remote, global security team aligned

  • The evolving AI security landscape — and the threats he's most concerned about

  • Why building a culture of real connection and trust matters more than ever

  • His top advice for networking, hiring, and mentoring future security leaders

In this episode:

[02:05] His early career path from mechanic to electrical engineer to security leader

[03:35] Josh’s philosophy on hiring and mentoring, plus his tips for creating networking opportunities

[05:30] How he applies technical foundations from his practitioner days to his work as CISO

[07:40] Building product security at ServiceNow from the ground up

[10:40] “Down and in” versus “up and out” - adopting a new leadership style as CISO at Square

[12:17] Josh’s experience as an early AI and security researcher at Cylance

[16:15] What’s surprised Josh most about the evolution of AI

[18:50] Why Josh calls today’s models “AI version 1.0” - and what he thinks it will take to upgrade to version 2.0

[22:45] The LLM security threats Josh is most worried about, as a board member with HiddenLayer

[26:30] “Expressing exponential value” - what excited Josh most about becoming CISO at GitLab

[27:45] Why GitLab prioritizes “intentional transparency”

[32:45] How GitLab automates and orchestrates its Tier 1 and Tier 2 security processes

[34:10] How GitLab’s security team uses GitLab internally

[37:35] The secret to recruiting, hiring, and managing a remote, global team

[39:45] The importance of in-person collaboration for building trust and connection

[41:45] Downsizing, bootstrapping, and problem-solving: Josh’s predictions for the future of SecOps

[46:10] Connect with Josh

TL;DL? Read Josh’s take on:

Connecting and collaborating effectively across a fully remote, international team

“We’re intentionally hiring in ways that cluster people together in time zones or regions so they have opportunities to meet in person. If nothing else, when they're working, someone else is working - they don’t have to manage their entire working life through asynchronous messages. We’re also really intentional about communication. Every week, I send a list of all of my activities that are non-confidential and also call out contributions from team members. People know what I'm working on, what their peers and other teams are working on. It creates an environment where people can do their best work.”

“We focus on coffee chats. A coffee chat is not a meeting - it’s literally jumping on Zoom and talking about everything except work. That builds the human connection that's often missing from an all-remote team.”

What surprised him most about the evolution and adoption of AI

“If I'm gonna be a bit cheeky about it - wrapping a good UI over an LLM. In the earlier models, NLP was a laggard in the ML space. Once BERT came out from Google, tokenization improved, and we started moving much more towards modern LLMs. Right now, AI is still version 1.0 - it’s very much human plus bot. Most software developers and security people use AI for tasks they already have knowledge in. The momentum of that underlying technology has improved, but not quite as much as the appreciation for the technologies.”

“If you can make me 10 times faster at reading issues in Jira, if you can make me 10 times faster at fixing my build pipeline, the speed and the value in aggregate is much greater than any one single task. AI is the next evolution of cheap, easy automation for a lot of folks.”

Automation and orchestration at GitLab

“Obviously, we try and automate all the Tier 1 functions that were historically a manual, repeatable effort. We use LLMs to digest incident reports so the necessary context makes it into the issue. Tier 2 functions are where you can really start to orchestrate. Tines is one of the tools in our stack that we use to wire in between GitLab and our messaging platforms. But we also write our own code. Our GUARD Framework really simplifies detection creation, alert routing, and metrics collection. We talk about all this stuff publicly because we want others to benefit.”

“We couldn't do anything if we did not focus on automation. Our SecOps functions include engineering of tools, glue code, and the use of platforms like Tines. We also write our own code to wire into our messaging platforms. When we instantiate an incident, all of that is shipped through issues. We use LLMs to digest what the reporter of a security incident is saying, so that all of that information makes it into the issue. When everyone arrives for incident response, they do so with full context from all the inputs available at that point in time. This has been a massive efficiency gain for our SecOps function — but it’s certainly not limited to that.”

GitLab’s commitment to “intentional transparency”

“Operating in the open is not for the faint of heart. All our roadmaps and meetings are public, so we have to be thoughtful about our information disclosure. Our objective is not radical transparency - it's intentional transparency. Honestly, it's one of the most difficult aspects for our business to manage, but it builds a lot of trust with customers and other security teams. Every time I go to a conference, someone will come up to me and say, ‘Hey, I read this in your handbook. We’re doing this, thanks to you guys making this public.’”

“Our Head of SecOps is fond of saying, ‘Attackers are talking to each other all the time, but defenders are not.’ We're trying to change that by being really open with the defender community, from threat information to how we operate our team.”

His hopes for the future of SecOps

“We’ve seen a lot of security tools not deliver on the promises they've made, and that's been propped up by venture capital in many ways. We have conceded a lot of our value creation to a larger financial ecosystem. I want to see much more of a focus on risk management, automation, and governance. For CISOs who want to move towards that vision, I might be wrong to give advice on it, but I recommend listening to folks like Haroon Meer who have set a good model for approaching it.”

“I’m definitely wish-casting at this point, but I hope we see more bootstrapped, self-funded security companies working on problems that can't necessarily be solved by IT, ops, and engineering teams.”

Listen to more episodes of the Future of Security Operations podcast.
