Interview: Kimberly Johnson and Christopher Porter on Leadership
Kimberly H. Johnson
Executive Vice President and Chief Operating Officer, Fannie Mae
SVP and CISO, Fannie Mae
Founder and Author, IT Revolution
One of my favorite presentations from last year was from Fannie Mae, a fortune 25 company kicking it off was Kimberly Johnson, Fannie Mae's, EVP and chief operating officer who spoke about bringing business and technology leaders together to achieve their mission. It was such a great and clever presentation. She talked about how technology was critical for achieving their short-term objectives, such as responding to the COVID-19 pandemic and also in the longterm, helping them manage the risks of a nearly $4 trillion balance sheet, which is often comprised of 30 year mortgages. She also presented with a longtime friend of mine, Chris Porter, their chief information security officer, and among other things, he talked about how his team were helping create paved roads to help thousands of Fannie Mae developers get to production quickly, safely and securely. So Kimberly and Chris, I am so delighted and honored that you were able to come back and discuss some themes that I thought were so remarkable, uh, from last year.
Great. Thank you for having this gene. It's terrific to be back.
Wonderful, wonderful. Uh, Kimberly. So I learned something in every interaction that we have. Uh, so before we begin, could you just talk briefly about the mission of Fannie Mae, uh, your role and the importance of the Fanny mission?
Excellent. Thank you so much for asking Jean. I think mission is essential and for us, the mission of Fannie Mae is really about facilitating equitable and sustainable home ownership and making affordable rental housing available all across America. I personally think it's really important because having a safe, reliable place to live is kind of the cornerstone for quality of life. So I think about our day-to-day job is making sure that people actually have a high quality of life enemies role. Again, just because you're asking specifically about us and what we do to be able to make a difference in that world. It's, it's really a simple one. As most people know, Fannie Mae is in the housing industry. We don't make loans to people who, who want to buy houses, but we do purchase those loans from banks and mortgage lenders, and that frees them up to have more capital to make more loans. We take all those loans when we package up those, the payments, and we turned those into securities. We securitize them and sell them out into the capital markets. So we're kind of a middleman that helps the cash flowing from the capital markets, into the homeowners who need that to pay their mortgages.
Awesome. And what is your role in the, uh, the giant machine that is Fannie Mae?
I'm our chief operating officer. So I have a pretty broad set of responsibilities, but primarily around operations, technology, innovation, strategy, resiliency, information security, a little bit of everything.
So Chris, you and I have known each other for over a decade. And I've told you that the presentation that you gave with Kimberly and team is one of my favorite presentations. I mentioned it in almost every presentation I give these days. Um, and you've shared with me how Kimberly Johnson is an incredible person to work for, uh, partly because of her authentic and empathic leadership style. So can you talk about why those characteristics are so important and beneficial to you as leader of the InfoSec organization? Oh, and can you also introduce, uh, yourself and your role?
Yeah, certainly. So, uh, as you mentioned, Jean, uh, Chris Porter, I'm the chief information security officer here at Fannie Mae and I'm in charge of all things cybersecurity end to end from access management to architecture, vulnerability management, et cetera. So I've got the full, full piece. I also in our first-line risk organization. Uh, so get, get a little bit more technical or resiliency risk. Uh that's where will come in at some point as well. So, uh, so, you know, I've, I've worked with, uh, for Kimberly now for about five years and I've got to be careful here so that I don't embarrass her, um, on, on the line here, but, uh, you know, she was our chief risk officer before she became our COO. So I had a chance to work with her in my sort of dotted line capacity. And then, uh, my full line reporting directly to her.
You know, I think when you have a leader, that's going through a digital transformation that, uh, and the company going through a digital transformation, like there's, there's certain characteristics I think are super important. One is you gotta be humble. Uh, and, and she is very humble, a lot of humility, uh, around what she knows what she doesn't. And that kind of leads into the second factor, I think, is super important. Like she's such a voracious learner. Uh, there are times where I'll be bringing something to our team and say, Hey, I just heard this awesome podcast from Adam Grant last week on psychological safety. And it's so important to us, Hey, I want to share this with everyone. And Kimberly's like, yeah, I was listening to that too. And so like, just constantly, like if there's books that I've read, she's, she's been reading them. And so I think that voracious learning, um, is super important, especially for someone who, you know, came from our business side and didn't necessarily have the technology experience, but she's picked it up really fast.
Uh, let me tell you, um, and you know, I think the other thing is, uh, she's very team focused and, you know, I got a chance to see that when she was leading our risk organization, but she's also brought that same sort of, uh, uh, visibility to our current team, making sure that we have complimentary pieces, always looking at how we as a team can get better and how we compliment one another. And I think that's really important. I mean, uh, sometime asking me about, um, uh, laughter yoga and we can, we can talk a little bit further about that.
So then the se and our conversations, you mentioned how, um, sometimes you are the bearer of a surprising, uh, uh, maybe bad news and so it's even more important, right? Uh, uh, it makes it possible to do your job. Uh, did I interpret that correctly, Chris?
Yeah, certainly. I mean, you know, CSOs in general, it's rare that we get to bring good news to folks. We're always highlighting some sort of risk. We're usually highlighting how we're the constraint in the organization from getting any work done. Um, and so there there's oftentimes where we have to have really tough conversations around work that we need to get done or work somebody needs to do for us. And, and those are always, uh, conversations that are a little tougher and, you know, I think she always comes to them with a, you know, tough but fair, uh, kind of thing, and, and is really looking at it from the broad perspective of how do we continue to protect family may, how do we make the right trade-offs in the organization? Um, and, and she's, you know, always looking to do the right thing, which I think is super important.
Oh, that's awesome. I'm going to, um, uh, put those words tough and fair in a box because I'll bring it up a little bit later. So Kimberly, as you can tell, I loved your presentation that you did with the team so much from last year, because, uh, among many other things that you seems like you model so well, how we'd want all of our business leaders, uh, to behave and, and adjust world. Uh, Chris mentioned to me that among other things you value a very highly learning and psychological safety. Uh, I'm wonder if you can put that into context for all of us. Can you talk about your leadership philosophy and how you tried to model it in your own daily work?
Um, thank you, Gina and I am a little embarrassed. I think Chris only gave all the good attributes. Do I have to get them on another secret recording for the other ones he hasn't told you about yet? The, um, I, as for my own leadership experience and style, I definitely believe that psychological safety has to underpin everything right. And it does come from the business perspective that having a business responsibility means you have to be dedicated to winning. And in order to win, you have to have a unique offering, something that differentiates you from your competitors. And if you're going to differentiate yourself and have something unique, it can't be easy, right? Like you have to do something hard, either coming up with a complex and complicated answer or stringing together a series of simple things in a way that nobody else has, has figured out yet, but you have to do something new and innovative in order to come up with something unique. And again, D do something unique and innovative. You actually have to learn something beyond what you do today. That too, it would just be the same old, same old, if you weren't learning. And in order to learn new things, you have to be able to put yourself out there, take some risks, not be afraid to fail. And so I think that's what, for me, psychological safety underpins everything I want my teams to do when they come together, because I don't think you can win without it.
And so when someone hears someone like you, uh, in a position of authority say is psychological safety is important. Um, I think some people might hear, oh, uh, Kimberly is just trying to be nice. Can you help connect the dots on how those virtues ended up with a more effective team that actually better enables things that you talked about? Like a winning, which I think people are far more familiar for people in leadership positions to talk about
That's right. Well, again, in order to be able to do any of those things, to put your team in a position to win, I think you have to create a space for your team to work without judgment and without fear of humiliation. And I'll give you a really simple example. We all go through, you know, times when, when things go wrong and we go back and we do all kinds of, you know, debriefs, and we do all kinds of root cause analysis. And we come back and we try to talk about like, what went wrong. And we did that for years and years and years, and it never felt like we were really getting to the heart of what was going wrong in a way that allowed us to prevent things like that from ever happening again. And so we, we took a big step back and we said, how do we make these retros a little more blameless? And we totally changed the structure. Now we don't have people standing up in front of everybody else answering about what went, not according to plan. We really extracted the data and the stories. And we deliver this to everybody in a way that we can ask hard questions and get to the bottom of things without blaming anybody. So now there's no humiliation or shame and making mistakes. And I think that's the kind of thing leaders have to do to put in place the right structures and environment. So that, that psychological safety can really shine through,
Uh, wonderful. Chris, I suspected that, uh, you might've had a reaction when I suggested that, you know, somebody interpret a, Kimberly's just trying to be nice. I use the word tough, but fair. Can you help, uh, square those a few thoughts?
Yeah, certainly. I mean, you know, at the end of the day, we, we have to get our objectives met, uh, and we have to have accountability to do that. So I think what's great is, you know, Kimberly, you know, sets a, uh, a really high bar for us to meet. She was talking about these challenges. Like we don't do easy things here. Um, and we don't make things easy for ourselves either for that matter, especially when you have a lot of legacy applications like we do. And like, I love it. And the, the unicorn project, the complexity debt, we're, we're paying down complexity debt at scale right now. It's, uh, it's a lot. And, you know, and ultimately we have to have that level of accountability. Um, so not only do you have to have psychological safety so that you have the transparency that you need in order to make good decisions, you can't make good decisions. If you don't have good information and you can't have good information, if people are afraid to share it with you. And so I think it's really important that we get that out there because we can make better decisions. We can lead better. We can move the ball down the field faster, um, as, as we can. And, but, but all the while we have to be accountable to ourselves as well. Hmm.
Awesome. Uh, currently, can you talk about, uh, what you look for in your leadership team? How do you build and develop these capabilities that you talk about in other words, uh, are these, uh, things that you are born with, uh, and if you don't have them, you'll never get them or can they be learned and if it can be learned, uh, how,
Yeah, no, I think that's a terrific question. Gina. I don't know if there's one magic answer, but I can say that I think as a leader, you kind of have three important jobs, but one is to build a good team. Second thing is to actually bring out the best in every person on your team. And the third thing is really about creating the right environment, where everybody can work together and the sort of, some of the parts is worth more than old, right? Like, so, so that's the three things that leader has to do. And when it comes to building a team, I always look for a variety of different attributes, right? And you can't have everybody in your team thinking the same way, approaching things the same way. I love building diverse teams. And I don't mean just like people of different races or genders.
I mean, people who have gone to different types of colleges or have different educational backgrounds, people who've worked in different industries and areas, and making sure you have people who are short-term problem solvers and people who are long-term dreamers, you need to have a little bit of everything to get the right balance and building teams like that makes it a little hard to get work done because when people are naturally all in, you know, complete concert with each other, it does get a little challenging to navigate through those conversations and the problem solved. But the results you get are so much better if you bring in all those different views. So I'm a huge builder. I, I believe that work as a team sport and having a good team is, is the number one thing that determines whether or not you're gonna win.
Chris, you've worked with Kimberly for five years. I trust that, uh, those things that she talks about, you've actually seen it over the last five years.
Yeah, absolutely. I I've been on, uh, two different teams that were quite different from, uh, uh, diversity of ideas. Uh, for instance, uh, when she was running the chief risk officer organization, you know, that's a completely different set of, uh, folks that come from very different backgrounds, uh, diverse from a business perspective as well. Uh, but also how they think about risk. And then you come over to the technology side and you've got a completely different group. Her, her organization is, is much broader in the sense of what she's covering when it comes to technology, cloud security data, our operations team. I mean, it's a wide variety of, of, uh, perspective, certainly. And, you know, I like to think that maybe I bring some of that awkwardness to the problem solving sessions with my differing perspectives as well.
Awesome. Chris, Hey, Jean, I wanted to go back and answer one more thing that you asked about. Cause I think it's really important. You're asking about whether or not that like good leadership is inherent and people are born with it, or whether it be taught and something Chris said really resonated with me. He said to me, you know, he said, Kimberly really holds us to a high standard. And to me, that's, that's a gift, right? Like high expectations are a true and honest gift to the people that you're giving them to. And I believe in that in a long time, I, I once read it's about a study of, so was like a social science study that happened back in the sixties. And I think it was Robert Rosenthal who had done this back with Harvard. And he had gone out to San Francisco and, and picked out a group of elementary school students.
And he gave them all IQ tests and he randomly sorted, um, a handful of those students. And he went and he told the teachers that these students had aced this IQ test and they had really high potential. And it was their job as teachers to bring out what students and these were students that did not have the highest IQ scores. They, they were randomly selected and they tracked these kids over the course of their lifetimes. And they actually did have higher and higher, a huge and better outcomes and had terrific life experiences just based on the fact that one teacher, one time in their elementary school years had focused on bringing out the best of them because they thought they had a lot of potential. And that just really struck me as, uh, an amazing insight that just believing in people can actually make them better. And so for me, again, high expectations, believing in people, understanding and knowing what makes them tick and helping them navigate the kinds of things that they can't always control really does bring a true belief in, in your team being able to achieve high things. And I've, I found it is the magic ingredient to high-performing teams.
Oh, so incredible. Well, thank you so much, Kimberly and Chris, I'm such an admirer of everything that you've achieved and thank you for taking the time to teach, uh, this community, uh, about leadership. Uh, can you tell everyone, um, what, uh, how people can best reach you and what, in particular you would want people to reach out to you about? Is there anything particular, um, in terms of help you, that you're looking for Kimberly,
Um, Jean, thank you for that opportunity. We're always looking for help. We've been on our dev sec ops journey now for about a year and a half, and we are making terrific progress. I am so thrilled with the way that our teams are going through adoption, but I'd say that the big question we have is about scale, right? Like doing this across hundreds to thousands of people is something that we are learning as we go along. So if you do have any of your, uh, your, your constituents out there who have done some of this at scale, we would love to treat some stories about that.
Yeah. Same thing. Uh, you know, anything around automated security testing, uh, we've also recently develops, uh, something called the security champions program where we're educating developers on security. Uh, we've just sort of kicked that off and I'm really excited about some of the initial results we've had. Uh, but if folks want to reach out to me, they can reach out to me on LinkedIn or they could hit me up on Twitter at a CD Porter zero, zero. Thank you. Thank you so much. Kimberly and Chris. Thank you, Jim. This has been a pleasure. Yep.
Unlimited users from organization
Gene Kim's Audit and Security Playlist
Matt Bonser, PricewaterhouseCoopers LLP; Yosef Levine, Deloitte; Jeff Roberts, Ernst&Young; Michael Wolf, KPMG; Gene Kim, IT Revolution
How Fannie Mae Uses Agility to Support Homeowners and Renters
Kimberly H. Johnson, Fannie Mae; Tim Judge, Fannie Mae; Christopher Porter, Fannie Mae; Ramon Richards, Fannie Mae
From Your Auditor Friends: What We Wish Every Technology Leader Knew
Clarissa Lucas, Nationwide Insurance; Rusty Lewis, Nationwide Insurance