Growing the number of women in cybersecurity

Chris Sienko: Hello and welcome to another episode of Cyber Speak with InfoSec Institute. Today's guest is Olivia Rose, Director of Global Executive Risk Solutions at Kudelski Security. A veteran security consultant, Olivia is going to tell us today about her career journey in security and give some tips and advice to women who are considering entering the security industry.

Olivia Rose has more than 16 years of security consulting and experience, with particular expertise in providing cybersecurity risk strategies, developing compliance programs, and building and training consulting teams. She currently serves as Director, Global Executive Risk Solutions at Kudelski Security, where she is responsible for the operational execution of designing innovative solutions to help executive clients reduce and manage risk. She serves as the liaison between the sales team and the company's advisory services.

Olivia started at Kudelski Security as Principal Advisor, Global Strategy and Governance, where she developed risk-based roadmaps to improve security infrastructures. Prior to joining Kudelski Security, Olivia held multiple security consulting and sales positions, including at ControlScan and IBM Internet Security Systems. She also founded Qloud Secure, which helped companies like Costco and Google find and close their security gaps. Olivia holds numerous IT and security certifications, including CISSP, CISM, and CCSK, the Certificate of Cloud Security Knowledge, among others.

Olivia is also the founder of the Girls STEM club, an Atlanta-based group that aims to boost girls' interest and confidence in the STEM fields. Olivia, thank you for joining us.

Olivia Rose: Thank you.

Chris: We started by documenting your long and impressive list of career moves and job duties and accomplishments. Let's start at the very beginning. Where did you first get interested in computers and security?

Olivia: Not until pretty late, very late twenties. Grew up not really knowing what I wanted to do. I was steered towards liberal arts, because I didn't know what I was going to do, so go major in English. I ended up majoring in Women's Studies. Had a little trouble finding a job after that. I went into [inaudible 00:02:13]. Then I landed at ISS Internet Security Systems, which was later bought out by IBM, in their marketing group. I was supporting the Consultant Services Team at the time, and I realized, "I really like what they do!" I got lucky. I got fortunate. Whatever you want to call it. I made that jump.

Chris: What was it about security and that aspect of it that appealed to you?

Olivia: I really liked the idea of going onto customer sites and helping customers. I liked the whole concept of good versus bad and the Star Wars thought process. I realized gradually that I think like a hacker. Of course, we all know there are good and there are not-so-good hackers out there. I like to think I'm one of the good ones. I started to realize I think like a hacker and I can go into an environment and list five things right off the bat as to how I would cause damage within the company.

I began to realize not a lot of people think like that. I really like that aspect of it. It's very challenging. It's exciting. Meet a lot of people, see a lot of great things. It's new and different every day. Lots of innovation.

Chris: You said that you had a strong sense of sort of the good and evil aspect of it early on. I ask this of a lot of security folks, but you never ... I assume you never sort of thought like, "Ooh, I could really like turn this into something lucrative or something?" You've always thought, "This was something I can use for good?"

Olivia: Yeah, I'm too scared of jail.

Chris: Yeah, totally.

Olivia: Don't want to get caught.

Chris: Yeah, it seems like it is. It's really sort of ingrained from the beginning. I'm both interested in hacking but also the good side of it.

Olivia: Right.

Chris: Since you started in the trade, how has the cybersecurity landscape procedurally or directionally changed since you first got involved?

Olivia: It's changed a lot. This was about 16 years ago. It was very much technology based. It's very technology driven. I remember there were five kinds of hackers. One of them was a kitty hacker, a strip tagger, skript kiddie. It could be put into these little boxes. It wasn't these worldwide forces that we have nowadays that, that you're faced with. It was very technology driven where you would just throw technology at the problems and help them go away. Throw a firewall at it, make sure that the rule sets are configured accurately.

There wasn't really the conversation about risks. We saw the appearance of all the compliance regulations, industry standards such as the PCI, payment card industry standard come out and HIPAA and many, many more, GLBA. It became more compliance driven. As we all know, compliance is not necessarily equal security.

I think we in the security world veered off on a path to meet the market demand. Then it started coming back onto the path of, "Oh wait a minute, you can still meet the BPCI compliant but you're not necessarily going to stop [crosstalk 00:05:38] the tech." Right?

Chris: Right.

Olivia: We went back to throwing technology at it, tried to solve the problems. Then we started realizing that's just not really working that well. I think the biggest change I've observed is what I call the softer side of security. That is the more policy driven, risk based conversationalist, holistic enterprise approach to "Let's all work on this together." I fixed the problem, let's just not throw technology at it anymore. Technology is one piece of it. We all have to work together and solve it, holistically.

Chris: Well to that end, I'm very curious, could you walk me through your common everyday, workday with Kudelski Security? What are some of the job duties that you perform every day to this end to help people sort of strengthen their ... from a risk based perspective?

Olivia: On a daily basis, I talk with prospects and customers and go on customer sites. I meet with several people within their organization, anywhere from the SISA, the board of director members down to, I don't mean down to, but including the folks in the SOC, right? What I call the folks doing the hands on work. I get their feedback, their opinions about what to be working together.

I look at innovative ways to improve their overall security level as well as their program and thus reduce their overall level of risks. As well and in addition to that, help them achieve those pesky regulatory standards that they need to comply with. Then part of my other side of my job is to help the sales people present, "What is risk" to a prospect. Sometimes the prospect doesn't know themselves. We have a fantastic, SAS offering closer to a blueprint that actually automates business justifications for security, your investiture, prioritizes your investor shares. It translates it for the board and other [inaudible 00:07:46] stakeholders [inaudible 00:07:49] since the last time you were assessed. That's in a roundabout way, that's what I do.

Chris: You sort of told us a little bit about what some of the solutions and services that Kudelski provides. Could you sort of walk me through, what are some of the more common issues that you see when you're sort of assessing someone's risk posture and so forth? What is something that you ... You said that, for instance, that people are getting PCI compliant but they're not necessarily strengthening the actual security. What's one of the more common problems that you've had to sort of talk people through?

Olivia: Really the whole process of detection. Visibility is another way of putting it. What is actually there and what's hidden on your network, your environment, your databases, third party vendors. Each one of those carries risks. In the past it's always been more about defending yourself. What I'm seeing nowadays are a lot of companies focusing less on the discovery and the response and they'll cover a part. The identification of of the vulnerabilities and risks in your environment is key. Because a hacker or an attacker is going to get through if they have multiple [inaudible 00:09:09] and multiple amounts of time, they're going to get through, they're going to get through those defenses you put up.

The key is to identify when someone has managed to get through as quickly as possible, stop the bleeding, stop it from spreading and kick them out as fast as possible. To do so, you really do need to have advanced threat intelligence in place for hunting capabilities, managed services in place and full time staff or a third party to manage it for you. Several companies, because there's a lot of costs involved there and effort don't typically do so well in that entire area.

Chris: You feel that there's sort of a cost cutting. They're cutting costs in the wrong place?

Olivia: I wouldn't necessarily say cost cutting. I would just say not putting enough money aside for budget. Whenever the discussion comes up and they say, "We understand the importance of identification and recovery and response." Then someone in management says, "Well, how much is that going to cost?" The number comes back and either they say, "Well let's take baby steps towards that goal or let's push it up till next year." It's not really cost cutting. It's really more ... It's not seen as a common purchase quite yet. I think that is going to change within a couple of years. I think companies are going to be more open to including it in the budget.

Chris: Here's hoping. Tell me about security consulting as a career. We have sort of a career series here where we sort of walk people through, who are maybe much lower on the security or tech or IT totem pole and sort of walk them up the steps, up the way here. You've done this kind of work for several different organizations. What set of skills or experiences or professional recognition should our listeners be considering if they want to move towards security consultancy as a career?

Olivia: I think the biggest misunderstanding is that you need to be highly technical. That keeps many people away who otherwise would be very, very good consultants. You have to learn how to learn quickly. You have to find what you're good at. You have to know who to ask for the areas that you are weaker in, such as encryption. I'm not that strong in encryption, but I have two people, three people I know I can ask who will help me. You have to know how to listen to people.

I think a common mistake that several consultants make is that they come in and they expect to know the answers right off the bat. But every single customer is completely different, has completely different pressures, different players, different stakeholders from the previous company. You have to just listen and then react. It's a fantastic field to be in. Don't let the technology side of it scare you, just find what you're good at. If it's policy, is it governance, risk and compliance? Are they the technical fields? Focusing on that and become really, really, really good at it. Then couple that with listening and just being ready to learn. You literally are a sponge. Just sit there, listen, learn from some really smart people. It's a fantastic field to be in. I just absolutely love ... I love my consulting days. I still do it.

Chris: Oh, that's awesome. Yeah. It's a lot more collaborative than a lot of people realize. You're not sort of handing the sort of gospel down from the mountain or whatever.

Olivia: Yeah. Yes. They do not need you to come in and beat your chest and have all the answers right away. They tell you what their issues are and then you figure out how to fix them.

Chris: Okay. So prior to Kudelski, you founded Qloud Secure spelled with Q-L-O-U-D Secure where you helped Costco, Google and other mega corporations close their security gaps. What are some of the biggest challenges in dealing with security and risk issues with companies of that size? What are some security measures that you implemented at this global level that are still applicable to smaller and locally focused companies and organizations?

Olivia: The primary issue that I see with those larger scale companies is that they tend to have people doing the same thing. Working on the same thing but in different silos and not collaborating and not even being aware that [inaudible 00:13:42] working on the same exact issue or initiative. Where I have always been strong at, as I learned over the years, is bringing people together so they collaborate and look at the problem holistically. There's always that element of surprise with these large companies saying, "What, we're already working on it or so and so has budgeted to do that." I go, "Yes, we can work together."

Chris: Maybe even save some money and make your boss happy.

Olivia: Exactly. That really is the biggest issues I see with large companies. As smaller companies you don't see that as much. You see people more driven. They tend to be more busy. They tend to have a lot of things on their plate, not enough time to focus on those issues. I think the common theme across the board is, all companies can communicate better. All companies can look at security as holistically and at an enterprise level.

Look, you have to be able to get out of your security group and you need to meet with representatives from different areas, finance, HR, sales, third party vendor, risk management, all these different areas. You've got to collaborate, find out what's important to them and how they can help you and it becomes a much more successful initiative to improve your security and reduce your risk.

Chris: In your bio, we noted that you hold a number of high level certifications including the CISSP and the CISM and many others, both of which are offered by InfoSec Institute. What do you feel is the role that professional certifications play in the enhancement of a security career? Now you said that you don't feel particularly technical in some ways and you have problem solving skills that work in other ways. Do you feel that it's important for people who are going to get into this field to do the education side as well?

Olivia: Look, there's got to be some that disagree with me. Say this, but I've always found you've got to get the CISSP.

Chris: Yeah.

Olivia: It's just what you got to do. It's a hard certificate to get and it takes a long time to get it and you might fail a couple of times. There's no shame in that. But you have to get CISSP. I always recommend that one as the first one. If that one is too ... If you don't have the work experience for that one, I recommend other ones such as Security+ or CIS-SAM. Which is more about management or CICSA, which is about auditing and assessing because you have to have certifications in this industry. I've only met a few people who don't need them and these people are very, very advanced skilled penetration testers, who need them. I think the rest of us do.

Chris: Yeah.

Olivia: You don't have them. I think the first question that comes out of somebody interviewing you is, when are you going to get your CISSP?

Chris: Right. Do you think that there are any particular certifications beyond the sort of foundational CISSP that are going to be more important than any sort of up and coming ones in 2019?

Olivia: The one that's been around for a little while is that CCSK, the cloud knowledge. One that has to do with the cloud would be a very, very good one to get. As you decide on your career path, if you want to go down the more technical side of security versus the more procedural side of security management side, there's different certifications for both. The CISSP, you need to get that one regardless. But if you go towards the more management side, you've got the CISM, you got the CISA. I've mentioned before, the auditing. Security+ is just a good general basic one to get. If you're going down a more technical side, you've got the penetration testing ones and also of course the network device ones, from Cisco and so on. All good, none of them are bad. They're all good to have. It's just a matter of which path are you going down and then find and get those certifications.

Chris: Tell me a little more about the Girls STEM Club in Atlanta, which you founded. What does the club do to get girls more involved in science, technology, engineering and math?

Olivia: Well, it's a great endeavor. It started as Girls Lego Club two and a half years ago, because one of my daughters is, well she's seven now, but at this age they don't necessarily want to be in a room with boys. It's a different learning curve. I was looking around trying to find a Lego club for her and it was all boys. It was all older boys. There was nothing that was geared towards girls.

I started it and got a really good following. Every month it's a club that's just held at a local church, donating some room, which is really very nice. Kids from all over Atlanta come out. We have a great time. That has now grown recently, into Girls STEM Club, because the same girls started coming and they wanted to progress.

I think it's important that you make science, technology, engineering, math, you make it fun. Not only fun, but you make it associative with other girls. You're not the only girl who likes science. You're not the only girl who likes robotics? There are other girls just like you out there, even though sometimes it doesn't feel like it. I feel that way a lot in this industry. There are women in security.

Chris: Yeah. Yeah. The the ones I've I've spoken to have said similar things. Understandably, it's definitely a male slanted field at this point. What would you say are some of the more common roadblocks that hinder girls and women from entering science and tech fields, other than feeling sort of very alone within it? Are there certain sort of established issues that need to be sort of dealt with?

Olivia: It's a difficult question. I think a lot of people are trying to figure out the answer. My opinion is you have this, I think it's 90% male, 10% women, approximately, give or take 10%. There are a lot of great women out there going to school for cyber security studies. I've met some of them and they're absolutely fantastic and they're driven.

I think the problem is slowly coming around where there are more women interested in the field. The issue I believe is that it's perceived as a very technical field. It doesn't necessarily need to be a highly technical field. That's one issue. Another issue is that recruiters are looking at people who come out with certain degrees. As in my case I was a women's studies major. [crosstalk 00:21:01], but I made a really great consultant. It's not what you go to school for or what your experience has been. If you are a fast learner, if you have the drive, if you're willing to put in the hours and the time, the effort and you have the initiative. Hey, I'd rather hire somebody like that than somebody who's been in cyber security. A lot of companies, their recruiters just look at the work experience or the school or the subject. That is keeping some women out because some women aren't going into cybersecurity or engineering fields or so on.

Chris: Especially with these sort of positions that are so problem solving oriented. It seems like it would make more sense to find people with diverse backgrounds life experiences and so forth. You're more likely to get a more robust range of solutions. Especially like you said, if you don't need to be crunching the numbers every single moment, you definitely are going to be better served by having different people than the usual white dudes.

Olivia: Look at it this way. I have a six and a seven year old. Ever since I became a mother, my understanding of risk dramatically skyrocketed. I live it every day. There's some traits that come in ... You're right, you just live and learn. They're from your life experience and we shouldn't close the door on those experiences.

Chris: What can we do in the tech industry and security fields to make tech careers more accessible to women? Do you feel like that there are sort of industry wide changes that could be made to make this more accessible? You said that you're seeing more women entering the field, but are there things that we can do to kind of speed that process?

Olivia: I think the issue is more around keeping them in the field. It's a difficult field to ... I'm trying to put this diplomatically. It's a difficult field to do well in, if you're a female. You have to be extremely thick skinned. You have to know your stuff. You may have to know your stuff more than the five other guys in the room.

I've always had a long list of certifications on my business card. Because when I walk into a room, I am automatically viewed as less knowledgeable than the men I'm with, even though I may be more advanced. Until I give them my business card, then they look for certifications and they see, "Oh, she knows or probably knows what she's talking about." You have to be on your toes. You have to constantly learn. You have to know what you're talking about.

It's again, going back to the thick skin, you have to have a very thick skin. You are in an industry that is dominated by men. It's as simple as that. Just like any other field out there that is very, very male heavy, you are going to run into several things that you would not get in a field that's more 50, 50 or more female slanted. You're going to run into different issues there.

You are going to be treated differently. It tends to be not noticeable but it tends to be more on the passive side. You are going to be in meetings where it's literally 10 guys around a table and you. You are looked at to, "Why don't you have the coffee?" [inaudible 00:24:39] about a year ago. You know, I'm like, "I don't know, why don't you guys have the coffee?"

Chris: Yeah. Absolutely.

Olivia: You are seen as not a normal part of the everyday workings of the security, the function and security world. But that being said, because you are not ... You can also often surprise people. You can do extremely well in this field if you're a female. The hiring of course is fantastic. A lot of companies are looking for women to make it more even. It is a male driven industry and you have to watch how you're perceived. These events such as RSA, I'm just picking them out of thin air, when you go there are very, very few women. You'll see a woman over there and a woman over there. It's important to join forces and collaborate with other women. The misconception is that it's women against men or men against women. It doesn't need to be either of those. You just need to know who can help you and support you. You are a minority in this business.

Chris: To that end, how can we make the tech industry as a whole, apart from you said, obviously interviewing is better, but the tech industry as a whole might not necessarily understand that more women in tech ultimately makes the entire industry stronger. How do we get that message across so that it's not just more women are being hired, but all the people that are there are sort of closing ranks and getting defensive and so forth? How do we sort of change hearts and minds over the course of the next 10, 20 years?

Olivia: Again, some people might disagree with what I'm about to say. You have to look at what tends to be more feminine qualities. They tend to be, I'm generalizing of course, that they tend to be listening, organization, taking multiple concepts and joining them together to create a more succinct message, bringing people together. Some of the very best of people and consultants I've ever met in my entire career have been women, because they listen, they come up with the solution and they collaborate.

They tend to come across as less threatening in a way. It's important to recognize what makes you great as a woman in this field. Don't discount those qualities because they are very much needed in security nowadays. We need to become more collaborative. We need to join forces internally to reduce risks. We need to open up conversations between groups that weren't there before, such as finance and security and IT. One should not discount the female traits that you're good at, for example. [crosstalk 00:27:50] Use them to your benefit.

Chris: Where do you see security practices going in 2019 and in the years to come? What are some innovations and ideas you're looking forward to seeing and some of the challenges to be addressed?

Olivia: It's going to become just like everything else, more tech savvy. Of course, it's going to be more for remote. It's going to become more connected. Cloud of course, that changed the entire landscape, but then you've got AI, you've got [inaudible 00:28:21], you've got cryptocurrency. There's so many areas where security now has a hand in. That is just going to grow and no matter how fast we are with figuring out a vulnerability in a blockchain, for example, the folks overseas in another country that probably thought of it first and if they haven't, they're going to leverage it faster. We can protect it.

It's just going to grow. Such as 10 years ago did we have this worldwide phenomena of global attacks? Not as much as we have today. That's just going to get worse and worse and worse, so we need more people in this field. As you were saying earlier, hiring more women will certainly help. We're going to need all the people we can get people. Smart people who are technology savvy, who can understand the cloud, but we also need people who will look at best practices and how to reduce risk in the cloud and partner up and work together. We're going to become more connected with this whole IOT innovation. It's exciting times for someone who likes to see things like that explode and the impact on the world in general, but it's also a very scary time.

Chris: Now, as we wrap up here, if folks want to learn more about Girls STEM Club or Kudelski security, where would they go online?

Olivia: Girls STEM Club is easy. It's girlsstemclub.com. Kudelski Security is K-U-D-E-L-S-K-I Security one word.com. We are based in Switzerland. It really a fantastic innovation lab out there. Very exciting stuff coming out of there. Also a home base in multiple cities in the US, Phoenix and Atlanta, as well.

Chris: Let me wrap up. Any final tips for women entering the industry? Any advice for the coming year?

Olivia: I say go for it. It's such a great field to be in. It's tough. Yeah, it's tough, but a lot of things are tough. It's been a fantastic ride for me. It's allowed me to work from home. It's allowed me to have a more flexible schedule when I'm not traveling. It's allowed me to meet so many people at so many companies and just branch out. I would say, "Don't be afraid. Don't think that you need to have these big hacking skills or encryption skills of firewall networking skills." It's great if you have them, great, but if you don't, that is fantastic too. We need all kinds of people in this field, so don't be thrown off.

I would say one of the best ways to get into this field, people ask me this all the time, is not only get of course those certifications that we talked about earlier, but just talk to people in this field. This field has some of the friendliest people. I think it's because of how good versus evil as we were talking about earlier. This field has some of the friendliest, nicest, most helpful people. We all try to work against the bad guys, so we're all pretty cool people.

We all have egos. Sometimes we can't fit through doors. If you go and talk to folks in this industry, if you approach security people on LinkedIn the right way to say, "Hey, we're both in Atlanta, can I buy you a cup of coffee? I know you're really busy. Do you mind if I just picked your brain?" Nine times out of 10 they'll say, "Sure, where? Where do you want to meet?"

Because we always like the young talent. Some of the best way of meeting security people on mass is volunteer at events. Your local ISSA, go to that event. Volunteer SACA, RSA, I mentioned, SecureWorld. There's so many of these events that people put on in every single city. There is no reason why you cannot go. Call them up or email them and just volunteer. You will meet, not only do you get to go for free, you'll be able to attend the sessions and you will meet so many people.

Just talk to them, network, get to know them, what they're looking for and keep in touch with them. You will get a great job out of that. I've never seen anybody really do that. I always think, "That's a really great idea." Don't be afraid. Go get it. We need everybody. Just network, reach out, go to meetings, participate, find out all you can know and again, don't be intimidated.

Chris: Olivia Rose, thank you so much for joining us today. This was a great talk.

Olivia: Thank you. It was good to be here.

Chris: Okay, thanks. Talked right over you. I apologize. Thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Infosec Institute to check out the full collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday. All of our videos, including this one, are available as audio podcasts.

Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class signup podcast. Listeners can go to infosecinstitute.com/podcast to learn more about that offer. If you'd like to try our free security IQ package, which includes phishing simulators you can use to fake Phish and then educate your friends and colleagues in the ways of security awareness, visit infosecinstitute.com/securityIQ. Thanks once again to Olivia Rose and thank you all for watching and listening. We'll speak to you next week.