Josh Lemos - CISO

Why I’m at GitLab

GitLab builds a platform with the potential to improve security assurance at internet scale. Having spent a decade leading teams that engineered security solutions into homegrown CI/CD systems, I saw an opportunity to move beyond single-company solutions that served thousands of developers to work on a platform that could secure millions. At GitLab, we have the opportunity to improve software security globally. What keeps me at GitLab is the wealth of smart, dedicated team members committed to the same mission.

Throughout my life and career, I have sought out difficult challenges. Leading a security division at the most public public company is one of the most challenging CISO roles in the world. It is a great privilege to help lead this company on our security journey as a DevSecOps company.

Leadership Philosophy

People are the foundation of organizational success and the most fascinating aspect of any enterprise. This is particularly true in information security, where securing human behavior has been an ongoing challenge for decades. My mission is to create environments where exceptional individuals can thrive and drive remarkable outcomes while fostering a culture of meaningful contribution.

Personal Values

  • Candor: High-fidelity information drives decision-making. I encourage open dialogue and positive intent, believing that even difficult issues become solvable when discussed openly.
  • Integrity: Maintain rigorous accountability standards and act in good faith, regardless of circumstances or audience. Reputation and trust are currency in the security community.
  • Ownership: Success multiplies when people feel true ownership of objectives. I believe in pushing decisions to those closest to the problems.

My Super Powers

  • Accountability: I deliver on commitments and maintain high performance standards, communicating proactively when plans need adjustment.
  • Building High-Performing Teams: Complex systems require collaborative effort. I value acknowledging both strengths and growth areas in building high-performing teams. I create environments where team members can do their best work, a place where they make their career highlight reel.
  • Persistence & Grit: My achievements come through determination and resilience rather than natural talent. I’m willing to fail and learn repeatedly on the path to success.
  • Humor: While I take our security mission seriously, I believe in maintaining perspective through appropriate levity, especially following high-pressure situations once threats are mitigated.

My Weaknesses

  • Malcontent: My drive for improvement can sometimes overshadow celebrating progress. Please remind me to acknowledge wins.
  • Impatience: When biasing for action, I may at times move too quickly to solutions in areas of expertise. Feel free to encourage more discussion time.
  • Complacency: I have limited patience for learned helplessness; I expect others to share my drive for seeking better solutions. Don’t stay blocked.

Working Together

Expectations

  • Problem Solving: Expect first-principles thinking and data-driven approaches
  • Ownership: Clear DRIs (Directly Responsible Individuals) for all initiatives
  • Growth Mindset: Continuous learning through active coaching and feedback
  • Customer Focus: Alignment between business objectives, OKRs, and security strategy
  • Healthy Conflict: Embracing diverse perspectives and data-grounded discussions

Communication Preferences

  • Primary: Slack is my default communication channel
  • Documentation: Comments in shared documents (tag me directly). I prefer to write and communicate in long-form, content-rich documents
  • Meetings: Reserved for discussions that can’t be resolved asynchronously
  • Email: Long-form, non-urgent communications
  • Phone/Signal: Emergency and off-hours communication

My Role as CISO

Secure GitLab’s platform, customers, and company against cyber threats.

Key Performance Indicators

  • Incident SLA compliance
  • Asset inventory coverage
  • Time to containment
  • Internally identified vulnerabilities

Expectations for leadership - What I need from you. What you will get from me

  • Be Proactive: Push information rather than waiting to be asked
  • Challenge Norms: Take principled risks and question the status quo
  • Show Integrity: Own failures, celebrate team successes
  • Embrace Divergent Perspectives: Seek out and value different perspectives
  • Communicate Clearly: Default to transparency and structured communication

Remember: I value direct feedback. If you see areas where I can improve or better support you, please let me know.

Last modified December 13, 2024: Remove trailing spaces (a4c83fb3)