What help do CISOs need in 2024?

Chris Sienko: 0:00

Hey, today on Cyberwork we're talking to Alicia Olson, vp of Communications at Optif. Alicia came to cybersecurity from the oil and gas sector and she tells us how she got interested in communications for security professionals. She explains how she turned Optif's distributed workforce into a cohesive unit and gives CSOs some crucial advice and ideas for dealing with that moment that no one wants to have to explain the inevitable security breach. All that and the best piece of career advice Alicia has ever received today on Cyberwork. Hello and welcome to this week's episode of the Cyberwork with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, alicia Olson, is a global communications executive with two decades of experience and strategic communication that drives business outcomes, engage stakeholders and build brand. As vice president of communication for Optif, the cyber advisor and solutions leader, she oversees all aspects of global corporate communications, including executive and crisis communications, employee communications, media relations, analyst relations, social media, corporate marketing, content and reputation and change management. Olson is a founding member and chair of the Optif Women's Network and Optif's Diversity, equity and Inclusion Steering Committee. She is also a member of the Arthur Page Society and the Women in Technology Council in Colorado. So today we're going to be talking to Alicia about the work of communications within a cybersecurity business. So, alicia, thank you for joining me today and welcome to Cyberwork.

Alicia Olson: 1:37

Thank you so much for having me. I'm really happy to be here.

Chris Sienko: 1:39

My pleasure. So, alicia, I want to start out by asking you a bit about your job. Obviously, our podcast is all about people who are considering entering the cybersecurity industry for the first time. Maybe they're a student or young person or someone who's transitioning over from another career later in life, and maybe in a completely different field, and so I wanted to start by talking about your career in communication. So, for those in the audience unfamiliar with your specific job role, what does a VP of communications do for a company?

Alicia Olson: 2:10

Sure, Think of me as the voice of Optif. I'm ultimately responsible for the company's brand and reputation, and that is played out by the roles you just mentioned. I oversee public relations, industry analyst relations, corporate comms, social media and marketing content.

Chris Sienko: 2:27

Okay, so who and like what aspects of the org chart do you manage or oversee and how do you steer messaging and your company's intent through these various campaigns?

Alicia Olson: 2:36

Sure you bet. So we really set, we own the company's brand and how we talk about Optif and are setting those key messages around Optif story and whether that is played out within marketing campaigns or amplified through our CEO's voice or other thought leaders when they're out telling Optif story in the news media or various thought leadership pieces.

Chris Sienko: 3:01

Okay, so, yeah, so you're, are you doing most of the writing yourself? Do you have sort of like departments that cover different aspects of this? Are you sort of doing final overseeing? Are you sort of sending out the directives? We need to do this or this or this.

Alicia Olson: 3:15

Yes, it's all of the above. So communications is really kind of a creative, problem solving type function. It's predominantly a lot of writing, but there's also a lot of counseling that comes in connecting the dots across functions, because we're one of the few functions that interacts and works across the enterprise with every business, and so that could be working with sales or services or legal. It really runs the gamut. So no, two days are the same.

Chris Sienko: 3:44

Okay, well, I want to use you mentioned. No, two days are the same, but I'm going to still put you on the spot here. I want to know what is an average workday in the life of a V of communications that Optif. So, like you know, I know I worked in media relations, you know, 20 years ago, and so I know a little bit that. You know your day can get out of hand real quickly. But what are some of the tasks and projects that are large parts of your job most days and what are some of the surprise tasks and opportunities that tend to require your attention?

Alicia Olson: 4:13

Yeah, you bet. So I'm gonna start internal first. So I often think about my job within internal brand or internal communications, and external. So the best brands are really built from the inside out, right, and so that is all about activating our workforce and our employees so that they feel connected, and so one way that we do that is through a brand ambassador program. So think of that from everything, from like the company newsletter, you know that you get that has company news and information all the way to almost like our own internal social media application that allows people to stay up to date on all the news and happenings of the company but also shares with them thought leaders so that they can share externally with their own social media networks. And so it's almost gamifying communications a little bit, because, if you think about it, the attention span of people today is really that of a goldfish I think it's less than a goldfish, so you have about eight seconds to get someone's attention, and so that communications and that message has to be really concise and compelling, and so it's kind of getting creative. And how do you capture your workforce's attention, especially since most workforces today are very distributed, as we know?

Chris Sienko: 5:30

Oh, yeah, yeah, and you know, almost certainly you're getting input from a lot of different places at once. So it's like you know you might spend the whole day, just, you know, putting off the fires in your inbox and then Slack is blowing up, and then this is blowing up, and then Teams wants this thing from you, so, yeah, so you have to find a way to sort of float above all of that, and so is it mostly internal communication, or do you deal with, like the press and sort of external sort of things as well?

Alicia Olson: 5:56

It's an happen have. Honestly, my passion is internal and employee communications. But, I would say a large part of the day is very external facing and so, whether that is helping the team with public relations and kind of supporting, you know what are the pitches of the day and what are the perspectives that we really want to push out to creating the content that's aligned with marketing campaigns. So think of that as like that could be field guides or one pagers, white papers you know our own LinkedIn lives, that sort of thing, all the way to prepping executives who might be speaking at external conferences and helping with their speeches and presentations. Of course, to our organic social media as well.

Chris Sienko: 6:43

Okay, so I know that from previous communication that you basically built this communication function at Optif from the ground up and also did something similar with your previous job, which we'll address in a moment here. But like what are some cybersecurity industry specific challenges around communication and implementation of the same that you addressed and solved in your time at Optif?

Alicia Olson: 7:05

I think the distributed workforce is a big one. So, coming from the oil and gas industry, it was largely people were in the office and so it was easy to have an in-person town hall right With everyone there and cascade the communications that way. With cybersecurity, it's a much faster pace, it's much more dynamic, and so with that distributed workforce you have people who you know may not even want to come on camera for calls and are kind of going out about their day, and so problem solving for that has been interesting, and one of the ways that we do that is by trying to make the communications more of like what you would see in your social media feeds, and so when you're kind of looking and consuming news outside of work and inside of work, it's fast, it's dynamic, it's short and it's really two-way communications. It's easy to like something or comment on something, and so we're connecting employees digitally. Now, is that something?

Chris Sienko: 8:03

that you basically were kind of given a blank check to do. Do you have to sort of run it past people? Because you know, I know this all sounds very new and I imagine you know folks up in the top floor might be a little nervous about making you know, making your own communication function into a Facebook like entity. You know, yes, there is a lot of security around all of this.

Alicia Olson: 8:27

Obviously, as a cybersecurity company, that is first and foremost in ensuring that all of our information and that of our clients and partners and people stay secure. Yeah, there was an element to bringing in this platform where we have to show that it can be a profit center as well. So there's not just doing what's right for employees but activating that base. So if they're sharing Opt-in News on their own social media channels, we're getting all of this free advertising. So it's free advertising equivalent. So last year, as an example, our employees generated the equivalent of about $8.4 million in free social media advertising.

Chris Sienko: 9:09

How does that work? They were acting as your branded ambassadors. Do you give them messages to put out in the world, or whatever?

Alicia Olson: 9:18

Exactly. That's what this internal social feed let's say that there's a news release and there's a quick button where they can literally, with a click of a button, share it with their LinkedIn profile, facebook, and then the equivalent of that is how we track it.

Chris Sienko: 9:34

Interesting. That's good. Before joining Opt-in, you were, as I say, communication director for an oil and gas company in Kana, I believe.

Alicia Olson: 9:42

Is it pronounced or In Kana and then we branded to OVENTVE I think a couple of years ago. Oventve Okay.

Chris Sienko: 9:49

What drew you to work for Opt-in in your role as communication director? Was there a specific draw to the security field? Had you interacted with the security aspects of the oil and gas industry in the previous role.

Alicia Olson: 10:00

Yeah, I did so. When I worked in oil and gas, I was predominantly internal communications focused and. IT was one of the functions that I supported, so I had line of sight to cybersecurity through that, although at the time it was much more focused on insider threat and physical security, interestingly enough. But oil and gas is also a very cyclical industry and it is conservative in many ways, and so I was really drawn to the very fast pace and fast evolving landscape of cybersecurity. Not to mention it's a booming industry with just an incredible amount of job opportunity and, of course, the ever increasing importance of cybersecurity to the business. I like to say that cyber risk is business risk.

Chris Sienko: 10:48

Yeah, yeah, totally. Now I mean, can you speak a little bit more on the quote unquote conservative nature of oil and gas versus the sort of flexible, fluid version of cybersecurity? What were some of the resistance points that you would have before that you don't have now? You know almost industry.

Alicia Olson: 11:06

you know specifically yeah, I think part of it is just the time right 10 years ago. It's almost like pre-pandemic, post-pandemic, right. Like I mentioned, people would come into the office. You know you would have desktop computers that you know you would only, could only work in the office, and so it was more like printed communications. You would get people together and have a town hall, and so I would say you were a little more limited at the time in some of the opportunities that you had to kind of galvanize that workforce. And so I think with cybersecurity it's moving so quickly. People are open to new ideas and being a little bit more creative and having, you know, being a little more informal and having a bit of fun.

Chris Sienko: 11:53

Yeah, now you mentioned that you know obviously you know natural resource industry is very, very high bound and very building bound and it has a lot of, you know, physical security. But that cybersecurity is very sort of distributed, remote for you know realized. Do you think that has that been a big change since 2020 or has you know Optiv already had that sort of fluid you know, in terms of where you're getting your employees from and stuff like that? Is that a big change within the last four years or has that just been their MO for a long time?

Alicia Olson: 12:30

Yeah, it's always been the MO, so I've been an Optiv for over eight years now, and when, I joined and still today we're about 80% of the distributed workforce outside of our two main offices. And even those, the people who are in either Denver or Kansas City, would still work remotely a couple days a week even before the pandemic. So we were all. We were already kind of a step ahead when the pandemic hit to operate and, you know, operations just continued without a hitch.

Chris Sienko: 12:58

Yeah, yeah, it makes sense. Yeah, that's sort of how it was for us as well, but so, at the risk of repeating myself, you came to the cybersecurity field from a comparatively non-tech background. It sounds like you were sort of involved in the cybersecurity aspects of your previous job. But do you have any advice for people who are attempting to enter this field whether it be communication or other similar field, where interpersonal and message crafting skills are more important than hands-on tech? Like, how do you get up to speed quickly on all the sort of cybersecurity lingo, jargon, all that kind of stuff? Because I know for myself, I was frantically looking up Wikipedia entries and trying to figure out what all the alphabet soup looked like and so forth. But did you have someone that was sort of giving you like an explainer? Were you doing outside research for yourself?

Alicia Olson: 13:51

Yeah, you bet, and I would like to answer this in two different ways, if you don't mind. The first one is life is rarely a straight line, right? So I would say, just get your foot in the door and, whether you are in a field like mine, that where communication skills is transferable across industries, or not, there is a shortage of three million cyber jobs out there.

Chris Sienko: 14:13

I think you know that very well, Chris, in the US alone right.

Alicia Olson: 14:18

And so, regardless of where you start, I know so many people at Optiv who are teachers or who were law enforcement officers or who even started working with the company as just being a front desk receptionist or maybe an admin, and they worked in that role for a year or so and then transitioned over to our services organization and got on the job training, and there's a lot of opportunity that way. So I would say the first thing is just get your foot in the door and from there the sky's the limit.

Chris Sienko: 14:48

Yeah, the second. Oh, okay, sorry, sorry sorry, you know you were saying it. I stepped in your answer. I apologize.

Alicia Olson: 14:57

No, worries, I was just moving to answer the second part of your question and that is, yes, coming up to speed. So I've been in the industry for over eight years and sometimes I think there is still a new acronym or term I learn every single week, especially at Optiv. I like to joke around that we love our acronyms and our pets those two things specifically at the company. And there are two really great resources that I would recommend. If you go to optivcom and search cybersecurity dictionary or just dictionary, it's a huge revolving like dial of all of these acronyms and terms. That's very, very helpful, and the other one we call the CISO periodic table and it's kind of like a chemistry elements that we switch it out with cybersecurity terms, and that is a really great high level snapshot to at least understand what the terms are, and then from there, of course, it's as much reading and talking to people as possible.

Chris Sienko: 15:58

Oh, for sure. Now, these are great ideas. Are these things that you spearheaded, or were they in place when you joined?

Alicia Olson: 16:07

They are something that a counterpart of mine and I want to create a team. They're brainchild and kind of helped come through and they're just the best resources. I actually share them a lot when we're talking to like college students or high school kids, like they're just great all around. General resources.

Chris Sienko: 16:23

That's amazing. No, I think that's like one of the best ideas I've heard. That's so cool. So, talking to you about other aspects of your work here, can you tell me about founding the Optiv Women's Network? It's an organization within the company dedicated to diversity, equity and inclusion. So how did you get started creating this organization and what are some of the specific events or resources that it offers?

Alicia Olson: 16:44

Yeah, thank you. You know what? I think it's really important to find something that just fills your cup, and I love my job, but I'm really passionate about empowering girls and women to use their voice. That's what fills my cup. Whether I'm coaching middle school girls volleyball or helping create the In Canna Women's Network and then, when I moved over to Optiv, helped found the Optiv Women's Network. Really, that's all about providing meaningful networking opportunities and resources and tools to help women achieve their personal success and, more specifically, helping increase the number of women who work at Optiv and in the cybersecurity industry and the number of women leaders. We have Lean-in circles. We have a partnership with the Executive Women's Forum for mentoring. We do a lot of webinars on things like personal brands and then some fun things like book clubs too.

Chris Sienko: 17:48

Thanks. Now this would have been a straightforward question before, but I feel like I've grown and learned a little bit about. Do you have any thoughts on women mentoring, women programs and where that stands? Because I know women tend to not have these strong mentor programs, maybe because they don't have counterparts higher up in the organization, because of systemic exclusion and so forth, but then which makes it sound great. But then I've also heard other women tell me it shouldn't be all just women to women, because then it takes men out of the equation, it puts more burden on female execs to have to mentor six starter women in the industry or whatever. Is this something that you address in the Women's Network? Do you have any thoughts on where it stands?

Alicia Olson: 18:45

Yeah, absolutely. I think allyship is so important, regardless of we're talking about the Women's Network or any other employee resource group, and from a mentorship perspective specifically, I think it is beneficial for women who are younger or earlier in their careers to reach out to other women and to help just talk about those things early on in career development as you advance and you get a little bit older. I don't think it matters if it's a male or a female, as long as you have that mentor, that champion that goes along with professional development for sure. We also have I mentioned some lean-in circles that we run through the Optive Women's Network. We have a couple of male circles as well.

Chris Sienko: 19:31

Okay, can you speak on a larger scale to what companies can do to really support and encourage diversity, equity, inclusion in their own companies, and not just for the month or two a year when everybody's watching them?

Alicia Olson: 19:43

Yeah, you bet. I want to mention the allyship Again. I think being an ally is really important. All that means is that you are advocating for other people. The next time that you're in a meeting and you may hear someone speaking and then someone else speaks over them or interrupts them or says oh, I have a great idea, and it was an idea that someone had just shared previously. Speak up, say something, be proactive. There's something that everyone can do to advocate for other people on their team.

Chris Sienko: 20:18

Yeah, I agree. Now you mentioned it briefly, Can you talk about the Women's Security Council in Colorado and tell us a little about that organization and your role in it?

Alicia Olson: 20:29

Sure Women in technology, or WIT, is also I think, a national.

Chris Sienko: 20:35

Thing.

Alicia Olson: 20:36

This one, the Colorado. Chapter yeah yeah, the Colorado Chapter has run through the Colorado Technology Association, of course, and same thing that aims to advance women in technology from the classroom to the boardroom. I participate more from some of the networking events that they have and just trying to connect with other women in this field in Colorado.

Chris Sienko: 20:58

Okay, yeah, nice. Now I guess, speaking more about the communication, the outward communication, what are some of the things that Optiv is trying to put out into the world from a communication standpoint in terms of security issues, or what is Optiv thinking about in this regard? I mean, obviously you want to tell them about your goods and services and so forth, but do you do a lot of message crafting in terms of interacting, optiv, with the bigger questions that are being asked by the security industry as a whole?

Alicia Olson: 21:39

Yeah, I think so. In fact, all of the thought leadership that we put out for my team is just that it's all thought leadership, and it is nothing sales specific. Not to think we're doing a campaign, then write something may align with that. But in general, we feel that, as the cyber advisory and solutions leader, it's incumbent upon us to have an opinion and to be leading from the front as an industry, because we have some of the best minds in cyber, and so we want to be sharing the perspectives of not only things that are very timely, like generative AI, but also reaching topics all the way up to the boardroom. So we do a lot with the National Association of Corporate Directors as an example, to try to help inform board directors why cyber security is important and how that should be part of their governance and oversight. So a lot of perspectives, I'd say.

Chris Sienko: 22:36

Yeah, Now you mentioned before the CISO periodic table of the elements. Are CISOs a big target of what you do in terms of helping them steer a business of cyber practice?

Alicia Olson: 22:51

Yeah, cisos are our primary demographic and our primary partners and those people that we serve.

Chris Sienko: 22:58

Now what, in your view, are some of the big things that are giving CISOs problems right now and just the other day with another guest about how burnout CISOs are becoming, and whether it's because of the blame all going to the top or whether it's the way that the news covers these apocalyptic breaches, like the 45 billion attacks on JP Morgan and so forth? What are some of the issues that CISOs face that you are trying to address?

Alicia Olson: 23:31

Yeah, I think CISOs are in such an untenable position. They really really are, because they are expected to have oversight of thousands of technologies, as an example, and we find that most of our mid-level clients have about 60 to 90 different technologies in their environment and of those, at least about up to a quarter either aren't deployed or aren't deployed properly. And so one of the ways in which we help CISOs is trying to really come in and help understand what is a true audit of their entire technology stack and then does it need to be rationalized or consolidated just to ensure that everything, all of the platforms in their environment, actually are working together and that they have analytics and that they're working how they're supposed to, is number one, so then you can secure it, and then that leads to cost savings. That also leads to how do you justify the return on your investment as a CISO when you are CEO or the higher ups are asking like wait, you're asking for more money. Can it justify that return, justify that security? So, helping CISOs really understand and secure their environment and also helping with the cost savings and being able to have those conversations with the C-suite and the board on some of the cybersecurity issues of the day and really what they need to be thinking about, and that's just one element.

Chris Sienko: 25:03

Yeah, now, ciso is one of those positions that listeners to a lot of our listeners are literally just trying to find their footing for the first time, but that's one of those aspirational like this is what I'm working towards and I know getting there is a long and possibly arduous series of steps and job changes and career changes and skills and so forth. With the CISOs that you work with, do you see certain skills or experiences that are consistently missing that you would hope that people who are trying to get to that should be learning earlier in life? Because I know sometimes a job change just comes on you, an opportunity jumps on and, like you said, you don't think, you just jump and go for it. What are some things that you would like to see in the future that CISOs would be sort of more ready for as they step into these types of positions?

Alicia Olson: 26:01

Oh, great question. So two thoughts on that one. The first one is, I think, CISOs. I don't think a career track ends with CISO. I think, that CISOs should be looking even more to getting, like their MBAs or even executive experience, because more and more board directors are looking for positions with cybersecurity experience and there aren't enough people who are ready to fulfill these board slots. So I think looking at it from like the business literacy perspective not just the technology side, but bringing that in is a really interesting component for people who may not have it already. And I think the second component is for all CISOs out there have your friendly communications colleague on speed dial, because I think we're seeing a lot of interesting things, especially for public facing companies, when, if there is a breach, right, how that impacts brand and so a lot of seeing cybersecurity and just kind of the you know that risk tolerance and protection that is usually within more of the CIO, ciso fields, and then kind of the brand and the marketing really come together and how can they collectively protect a company's reputation and help them secure business outcomes.

Chris Sienko: 27:25

Yeah, and also not, you know, make themselves a target necessarily, because a lot of times, if you didn't do any of those things, they then very difficult questions start to get asked. Now can you talk a little bit about that? With regards to, like, say, you're a CISO, something just went wrong, this is big, this is bad. Like what would you, as the sort of communication arm of said company, like if they did the right thing and they went to you first? Like what are some like first sort of remediation actions that you recommend in terms of sort of getting in front of something like this?

Alicia Olson: 28:00

Yeah, the first thing is to make that call right. You're probably bringing in legal as well and you're just trying to understand what is the scope of the breach, because unfortunately, in this day and age, it's not a matter of if you're going to get breached, it really is a matter of when. Right. So, doing a lot of due diligence now so that you have a plan in place and you at least know what to do, or you have one single trusted partner, you can call leg octave right. It will really help. So, once you really understand the scope of the breach and who is impacted, is it just internal to your company or our clients impacted as well? It's kind of like a decision tree of I think. Where do you go as far as notifications, and I am definitely liking the trend of more and more companies being transparent, and this is what's happened and here's what we're doing to mediate it and here's what you should be doing in the meantime.

Chris Sienko: 28:56

Yeah, yeah, and then it becomes educational for everybody and also I think it probably destigmatizes some of the. I mean, we certainly know that a lot of big breaches go unreported and it's because they don't really know how to get in front of it and it's better just to sort of hope that no one finds out, which, of course, everyone always finds out eventually, right? So I think this has been very helpful in terms of helping people who are moving towards like a CISO position to sort of think about some of the things they need to be doing, in addition to the sort of tech and management aspects of things. So, as we wrap up today, alicia, can you tell our listeners the best piece of career advice you ever received?

Alicia Olson: 29:34

The best piece of career advice I have ever received is get comfortable with being uncomfortable, and really what that means is challenge yourself, say yes to another, to a stretch project or a goal or something that you may not really have a lot of experience in, but as long as you're consistently challenging yourself and growing, I think get comfortable with being uncomfortable is my new mantra.

Chris Sienko: 30:02

Yeah, I love that. I think it was. Ray Bradbury said jump off the cliff and build your wings on the way down. Yeah, so, yeah. So, before we go, alicia, if you'd like to tell us more about Optiv and the services your organization provides to its clients, here's the time to do so.

Alicia Olson: 30:18

Thank you so much. Yes, optiv is the Cyber Advisory and Solutions Leader and we really partner with organizations to advise, deploy and operate complete cybersecurity programs, and we manage cyber risk to help companies secure their full potential. And for more information, please check out optivcom.

Chris Sienko: 30:37

Oh, that was my other question. If you wanna learn more about Optiv, where do we look online? Now, Alicia, do you use LinkedIn? Do you like to connect with people in the industry here?

Alicia Olson: 30:48

I would love that. Yeah, I'm on LinkedIn backslash Alicia Olson.

Chris Sienko: 30:52

Okay, great. Well, Alicia, thank you so much for joining me today. This was a lot of fun.

Alicia Olson: 30:56

Thank you so much, chris, I really appreciate it.

Chris Sienko: 30:59

And, as always, I'd like to thank our 80,000 cyber work viewers and subscribers. We just passed 80,000 subscribers on YouTube. Your input and enthusiasm make this a joy to do each week, so if any of you have any topics you'd like us to cover or guests you'd like to see on the show, feel free to drop them in the comments. We started using the community function on YouTube. Feel free to go over there or join our TikTok or whatever. So before I go, I hope you'll remember to visit infosecinstitutecom, slash free. As usual, you get a whole bunch of free and exclusive stuff for cyber work listeners, including work bites, which is our awesome security awareness video series in which you learn security awareness skills with your coworkers, who happen to be pirates, vampires, aliens, zombies and fairy princesses. You can also go for your free cybersecurity talent development ebook, where you'll find in-depth training plans for the most common security roles, including sock analyst, pentester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. Once again, infosecinstitutecom, and, yes, the link's in the description below as well. One last time, thank you to Alicia Olson and Optif, and thank you all so much for watching and listening and until next week, happy learning, 肉ermancom.