The technology sector evolves at a relentless pace, and that forces all connected industries to scramble to keep up. For many companies, this scramble looks like prioritizing the adoption of new tools, systems, and software, which makes sense on the surface—integrate new technology as it comes out, and the company will never fall behind, right? The downside of this approach to innovation and technological development is that the people using those tools, the team that makes the company function, are never able to properly learn the tools in time to optimize their usage. In cybersecurity, this problem can be even more significant, with the potential strengths of new tech offset by their potential security weaknesses, and the complexity of resulting problems compounding out of control.
There may be a better approach, and it has seen success through history. Cybersecurity expert and the Chief Information Security Officer (CISO) for the Analysis and Resilience Center for Systemic Risk (ARC), Douglas Lemott Jr., has seen it all in his years of experience, and much of his success has come from a simple paradigm: “people, processes, then tools.” Even in times of rapid change and progress, the best result, in Lemott’s eyes, comes from focusing on empowering the people first, analyzing processes second, and putting the new innovations and tools last.
“In my leadership roles, I’ve found that the key is embedding innovation into the operational lifecycle—not as a bolt-on, but as a natural part of how we improve,” explains Lemott. “Cultivating a culture of experimentation and creative problem-solving within highly structured environments starts with acknowledging that defined processes and creativity are not mutually exclusive—they’re complementary when properly aligned.”
Empowering People With Experimentation
Given his leadership experience in both the United States Marine Corps and the private sector, it’s no surprise that Douglas Lemott Jr. takes a people-first mentality to effective work and innovation. At the core of any initiative, whether it be the creation of new technology, the development of a new process, or solving a problem, is trust. If the people on a team don’t feel safe to challenge assumptions, propose novel new ideas, or merely ask questions, then they aren’t going to be able to do their best work.
“I make it clear to my teams that processes are there to support outcomes, not stifle initiative,” Lemott says. “I encourage them to challenge assumptions safely and constructively. That means creating psychological safety where someone at any level can ask, ‘What if we tried it this way?’ without fear of being dismissed or penalized.”
Douglas Lemott Jr. understands the value of experimentation, especially in the agile and creative environment of cybersecurity, and thus empowers his team to experiment in safe sandbox environments, red-team/blue-team exercises, and internal ‘innovation sprints’. Security must be disciplined, but it must also be flexible and creative; by providing these opportunities and encouraging his team to engage in these controlled experiments, Lemott’s team can produce insights that improve or even rewrite existing processes. This efficiently creative environment creates solutions focused on the mission, without wasting any time or energy.
“Every creative solution is aligned to the mission—whether that’s reducing risk, improving resilience, or enhancing efficiency,” Lemott explains. “I teach teams to ask: ‘How does this help us serve the mission better, faster, or more securely?’ That question becomes the bridge between structured processes and creative thinking.”
Bottom-Up Trust And Communication
The other critical step in empowering the team is the simplest one: listening to them. Trust is critical for any enterprise, but is especially so for an industry charged with protecting the systems and data of hundreds of thousands of people. Lemott builds trust by building an environment where psychological safety and accountability coexist; the alternative is a workplace context where people have ideas but no venue, no permission, and no confidence that they’d be heard if they spoke up.
Douglas Lemott Jr. experienced this firsthand, stepping into a cybersecurity leadership role at a company reliant on legacy systems and rigid policies. The current processes weren’t working, and team morale was strained at best. The solution wasn’t to leap on new tools or immediately overhauling processes, it was to start by talking to the team. Lemott proposed a bottom-up audit of the tools and workflows, and asked the ground-level team one question: “If you could redesign this from scratch, what would you do differently?”
“Within weeks, we uncovered manual processes that could be automated, unnecessary redundancies, and even risk exposures that had gone unnoticed because ‘that’s how it’s always been done,’” Lemott recalls. “One analyst’s idea alone cut false positive alerts by over 30%, simply by rethinking how logs were parsed and prioritized.”
The technical changes weren’t the revolutionary part of this process. Trusting the collective intelligence of the team was. These were experts who had been reacting to threats back to back and working hard with inferior processes and workflow systems—they knew what they were doing. Defaulting to formal procedures is not always the best option, and the path to progress isn’t paved with new tools or stricter policies. Success and progress are found by a willingness to challenge assumptions, listen to the team, and deviate from the script in service to the mission.
“In both military and corporate settings, I’ve found that if you build a culture where people are clear on the mission and empowered to take initiative within well-understood guardrails, creativity flourishes,” says Lemott.
Breaking Down Process Frameworks
As much as being able to challenge processes to find new creative solutions is important, there is still a great deal of value in rigorous, repeatable processes. Balancing discipline and creativity has been a consistent part of Douglas Lemott Jr.’s success in the cybersecurity space. Part of this comes with the territory; cybersecurity is very much a game of documentation, repeatable solutions, and standard operating procedures. In Lemott’s words, “Before you can innovate, you need discipline: clear documentation, repeatable processes, and a shared operational picture.” It’s more effective to innovate and produce creative solutions when the team is working from an established foundation.
“The key is showing your team that creativity isn’t chaos—it’s a disciplined pursuit of better,” Lemott says. “When that’s clear, even the most structured environments become catalysts for meaningful change.”
Cybersecurity is a demanding field, and the cost of failure is simply too high to treat problem-solving as creative trial and error. Operational reliability, compliance, and risk thresholds are non-negotiable when failure could mean millions of dollars in damages. The trick is to incorporate creative experimentation into the rigorous and disciplined processes to get the best of both worlds. Douglas Lemott Jr. does this by building a structured continuous improvement loop into the operations rhythm, working in opportunities for retrospective analysis and innovation after every incident or execution.
“Ultimately, adaptability doesn’t mean recklessness,” Lemott explains. “It means knowing when to explore and when to execute. And that’s only possible when your team is grounded in process, aligned on mission, and empowered to think critically within a well-defined risk framework.”
