
CISO to CISO Webcast with Olivia Rose, CISO of The RealReal & Former CISO of Mailchimp

Webcast and Podcast | Altitude Networks, October 26th, 2020

Olivia is the Vice President of Information Security & Chief Information Security Officer (CISO) at The RealReal, with 18 years of experience delivering cybersecurity programs. Before The RealReal, she was the CISO of Mailchimp, and held senior security roles at Kudelski Security, QloudSecure, ControlScan, Solutionary, and IBM Internet Security Systems, working on security programs. Her areas of expertise include developing and executing enterprise security programs, and advising CISOs and executive leaders on how to build up and safeguard their organizations.

Michael and Olivia talk about the role of the CISO, transitioning to CISO from security consulting or a variety of other backgrounds, and success tips for leaders in InfoSec.

Read, Listen, and Subscribe to the Podcast


Michael Coates:
Welcome, Internet. My name is Michael Coates. This is our edition of CISO to CISO with Olivia Rose. This is a pretty exciting experiment. We're up and running on Zoom. We've opened up the invitation to anyone in the world, so we're going to see what sort of things happen as people join. So this is a live recording. People that have joined us, feel free to throw questions into the chat as we go and we'll get to those as we move through the conversation. Do go ahead and continue to stay on mute just to manage additional noise, but otherwise we want to jump in. So, Olivia, welcome. Super excited to have you here.

Olivia Rose:
I'm super excited to be here.

Michael Coates:
Yes. Why don't you give us a little bit of an introduction, a little background on yourself?

Olivia Rose:
Well, I've been in the security field for about 17 years now. I'm currently the former CISO at Mailchimp, the All-In-One Global Marketing Platform. And before that I was about 15 years as a consultant advising CISOs and executive leaders on how to build up and safeguard their organizations.

Michael Coates:
Awesome. Yeah, the consultant to CISO transition is certainly a good one; I've seen that in many different roles. You've probably noticed it, too. The CISO role is so varied and so unique. And it's fascinating to watch people come at it from all sorts of different backgrounds, from the consulting background, from being a security engineer, from another business discipline. Really interesting to see how it transitions for different roles. You know, with that in mind, how do you view the role of the CISO? It could be a lot of things, and I think each person brings a unique take to it. How do you think about it?

Olivia Rose:
I think the role of the CISO is often misunderstood. And there's a lot of chatter between CISOs ourselves about what exactly a CISO does, because nobody really knows for sure. It's so new. I regard it as that missing layer between the technical folks and the executive management folks, where the two don't necessarily communicate well. So somebody has to be in the middle as the ring leader to translate between the two. And that especially means applying and aligning the security controls in place with the security drivers of the business and vice versa: explaining to the security staff why we need to go in this direction with the security controls because it meets the demand of the business. So somebody needs to be integrated with those two layers, but also the rest of the business, to be that translator, that ring leader.

Michael Coates:
Yeah, I totally agree. And that makes it so, so challenging, too, because you have to have that technical understanding to not just have kind of the wool pulled over your eyes from the ideas coming up or the feedback coming up, but then enough to explain it to the executive layer, like, well, why does this actually matter to the business. I've certainly seen that be an area that is a struggle for some people, depending on where their strength lies.

Olivia Rose:
It's incredibly difficult because you have to literally know a little something about all aspects of security, enough to be dangerous. So you understand a pen test, for example, and why a firewall is not necessarily configured the right way. But you also need to understand the larger picture, and so you need to understand business on a global scale. So it sounds like an easy role to do, but it's incredibly difficult. I say it's like you have to work with two sides of your brain.

Michael Coates:
I agree, and I think that's why I've seen that there isn't a blueprint for saying, well, this is the background you need. Yeah, it is. It's understanding all of those things. It's that flexibility. I've sometimes described it as asking the five whys in any situation, like how do you get to what actually matters to the business. Because sometimes you'll find technologists rathole, like, well, you just have to do this. Otherwise, you know, they could be hacked. Well, why does that actually matter? And then you go up and out all the way. Very interesting.

Olivia Rose:
Yeah. And that's where it helps. It helped me to come from that CISO background, I'm sorry, the consulting background, because I had seen a lot of organizations and different ways they were doing things and different strategies, and I was used to going in and very quickly getting a good quick assessment of the business, but also working with different teams to get results. And I think it's a great career path to go from consulting into being a CISO.

Michael Coates:
Yeah, and you probably also had the advantage of seeing a number of different environments and deployments, kind of getting that: well, this is how these groups do it, this is how this company does it, some successes and failures.

Olivia Rose:
Trainwrecks. Yeah, yeah.

Michael Coates:
Just knowing how different approaches have happened. So you're not looking at it blind or as a first-timer. It must have been super valuable too.

Olivia Rose:
Yeah, it really was.

Michael Coates:
And as you've tried some of those different techniques or strategies for security, have you found certain approaches to be more successful than others? What are some of the gotchas people should watch out for, or the things that you found to be successful?

Olivia Rose:
Well, there are some of us in this field who have a little bit of an ego. We're known to have a little bit of an ego. Yes. You know, shocker. So that is the first thing that's going to turn people off when you try to influence and partner with them, and I think a common pitfall is going into an organization when you are new there. For example, when you are a new CISO and you fit into their culture, they don't care about your ego, and your ego is going to hinder you from making those relationships. And I think that's a big pitfall that a lot of new CISOs fall into because they get caught up in the title. And to be honest, the title doesn't mean anything. You're only as good as your team. You are not anything better than your team. Trust me. So if you go in with that ego, you're going to lose the, I can't think of the word, the backing of your team and the support of your team. And also you're going to shove away your stakeholder teams, which are critical to being able to get anything done.

Michael Coates:
Yeah, yeah, totally. It feels like when you come into an organization, if you're the head person of security, then any security failure becomes your failure, which I think is actually not correct, but it feels that way. And so then you come in guns blazing because you don't want to have the failure put on your head. And you're right, totally. That then conflicts with accepting the culture you're in, accepting their risk tolerance. And that always blows my mind too: each company has different risk tolerances and you have to figure out what they are as the CISO and work within that structure.

Olivia Rose:
Yeah, some companies are very risk tolerant. Some are not. And it's important to know very quickly where they fall, or else you're going to go in guns blazing at a company that has a very low tolerance for risk. And they're going to go, hey, hey, hey, we didn't sign up for this. So it's very important to do that.

Michael Coates:
Definitely, and as you've adapted to the cultures of different risks or tried to get people on board, are there any things that worked particularly well for you?

Olivia Rose:
Listening, being humble, and then listen some more and listen some more. Understand that these other groups have been doing things their way and they think they have been successful, for the most part, doing things their way. So when you come in and you're trying to make changes, whether they're needed or not, you're trying to make changes to their way of doing things, and you are not going to win any friends. If you come in and you say, well, your change management process is wrong or your process needs to be fixed up, it just doesn't work that way. So you have to understand the company first. And so what I learned at Mailchimp, especially, something very important that I'd never actually learned in my career, was vulnerability, where it was critical for me, after a couple of months, to show that vulnerability to my team. They needed to view me as the leader, but they also needed me to understand where they were coming from. And they were looking for ways to help me. And if you have that armor up all the time as the high and mighty CISO, which, by the way, you're not, then they don't feel they have a way of helping you and you lose a very dedicated support system that way.

Michael Coates:
Yep, definitely agree, I totally agree with that. That's fascinating. So how did you get to the CISO role? You talked a little bit about your journey. You were in consulting. What got you into the field to begin with? The security field, the technology, information risk? How did you get there?

Olivia Rose:
I have a very weird way of getting there, and I don't necessarily recommend it, but I started off at Internet Security Systems, ISS, back in the day in Atlanta, one of the very first security companies. And it was an awesome company, gobbled up by IBM. But that was back in 2002, in marketing. And I graduated college with a Women's Studies degree, the Women's Studies degree. And I don't know what I was going to do with that, to be honest. I don't know what I was thinking. I don't know, young blood. I have no idea. So I went into marketing, and I like marketing because I like looking at things from different ways, and how people do things and understand things, and adapting the message to that. So I got a job at Internet Security Systems in marketing, and then I was supporting the consulting team and I realized I really liked what they were doing. So I went and talked with the VP of Consulting, back in 2005, and joined the consulting team and I just fell into it. It was literally, I was thrown into the deep end, had no idea what I was doing. I had Fortune 500 customers, just winging it. You learn as you go. And fortunately, I loved it. I stuck with it. And I just love the field today. So I kind of got lucky. But I also look at it as you've got to have some luck to be successful in anything. I think you have to take chances and you have to see an opportunity and grab it. And if it doesn't work out, it doesn't work out. We move on.

Michael Coates:
Yeah, yeah, when you said the word lucky, actually, that's exactly what I thought: seeing an opportunity in front of you and knowing it's super risky and making that leap, for better or worse. So it is luck, but luck in that definition of being ready and willing to make that big leap. That's super exciting. What would you say, based on everything you've learned and looking back, to the individual that says, I want to be in the security field, or the person who says I'm in it, I want to be a CISO one day? What do you advise for their career?

Olivia Rose:
I think a lot. And some people may not agree with this, but I think too much is placed on education, formal education. Again, I was a Women's Studies major. I think it's misunderstood how many choices there are of work to do in the security field, where it goes from the very technical, you know, encryption and pen testing and everything like that, all the way through to security awareness and governance, risk and compliance and the softer skills and then, of course, management. So many people misconstrue security as, I'm not technical enough to be in this field. I don't live and breathe taking apart my wireless Wi-Fi hotspot and checking out the encryption. I mean, things like that, you don't have to be like that, but you have to know where your weaknesses and strengths are and try to shore up your weaknesses a little bit, of course, but also build on those strengths and go with where those strengths are. So, for example, I'm a really good program manager, people leader, program builder, that type of thing, a strategic person. And I lean on those, as that's what makes me great as a CISO. But I'm not that technical. I brushed up on the other things, but I didn't get too deep of a dive into that. I just know. So that's the first thing: understand there's a lot more to it than what you're thinking right now. I'm telling you right now, all you newbies. Second thing is, it's all about connections. And I hear all the time about people saying, how do I get into this field, when all these jobs, even for a start, even for an analyst, are asking for, you know, two years of experience, which is ridiculous.

Olivia Rose:
We all think that's ridiculous. But at the end of the day, it's not about getting your resume out. It's connections in this field. And every single person I've met in this career in 17 years has very good intentions. You will not find nicer folks and more caring folks out there than the people in security. Because look at us. I mean, what do we do for a living? We protect people. And so it's all about going on LinkedIn. Reach out to a bunch of people in your community who are in the field and just say, hey, can I buy you a cup of coffee? Of course, once we're able to get out again. But can I buy you a cup of coffee? Can I just pick your brain? Be humble about it, just say I'm not trying to get a job or anything. It's all about the connections. And then that person or those people will eventually help you get your way into your job. And the third thing is, volunteer at all these events and security conferences. There's a bunch of them, I have to say: ISACA, Secure World, RSA. I mean, they are massive. Volunteer at them. So you get to go for free. You don't need to pay for anything. You meet a whole bunch of people. It is what you make it to be. It's all about those connections. Find out what makes you valuable to the security field, what your strengths are. And just go, go meet people, make friends and connections, and you will eventually get your way in to where you want to be.

Michael Coates:
Yeah, yeah, I think that's great. I mean, you're spot on, the CISO role is so diverse in skill set. And I've seen companies try and go out there and hire the person that gave this great talk at, let's say, Black Hat, who was incredibly talented in their very defined, very specific area. They're the best in the world, and then they tried to have them lead a security program. And that wasn't their strength, because they don't need to be the best at that one narrow vertical. They need to understand all of the areas, understand how to be a leader. I think, to your point, program management is one of the best skills, because, like, how do you actually get work done in a big company? You can have the best security ideas, the best of intentions. You either get it done or you don't. And that's a huge differentiator. Yeah. So those are great items and I hope everybody listening takes it to heart. The breaking down of gatekeeping is awesome. I totally agree. And we don't need the people that start by striking out required this type of career, so that you can evaluate the candidates themselves with their skills. That's the right direction.

Olivia Rose:
Yeah, I would brush up on your soft skills, brush up on your persuasion skills, negotiation, communication skills, because you are sure as heck going to need them because you are persuading lots of people to try to do stuff that they don't necessarily want to do.

Michael Coates:
So come in, and it feels like it's very much in line with the field, like that social engineering. Social engineering. Yeah, very cool. So looking at technology and how the world is changing, we're making massive shifts to cloud, to distributed workforces, even more so in the current environment. What do you see as the trends that you think about as a CISO? Like, how does an organization think about adopting a strategy for security with cloud in mind?

Olivia Rose:
The cloud, I mean, I'm not saying anything new here, right. Because the cloud is completely changing how we do things. I mean, the perimeter as we know it is gone. You can't go and hug on your server anymore, your physical server, and know that it's there and configure things directly onto it anymore. You can't do that. You're now working with servers that aren't yours, that you likely share with other people, and you lose a certain warm and fuzzy feeling that you're in control of it. So it's changed the type of roles that we need to fill. It's a lot more about code development now, secure coding. We need a lot of developers who know how to use these cloud technologies and program them successfully. So a lot of times I'm seeing now there are issues and struggles between the infra teams, infrastructure teams who manage the on-prem equipment, so the physical servers, and the development team who are managing the cloud. And the development team wants to go, go, go, go, go really fast and just shoot stuff out there, right. Because it's cool and you can spin it up really quickly, which is the beauty of the cloud. But yet you've got the on-prem team saying, hey, not so fast. We've got servers on the ground and we still got to protect our physical servers. So there's a lot of struggles there. And the only way to get above and beyond that is to have that management guidance and issue resolution from a higher leader, to bring the two groups together and implement best security coding practices and so on, to make sure secure code is being deployed and the team is happy as well.

Olivia Rose:
So all these barriers are now broken down. And I liken it to Mailchimp, where 80 percent of our employees were under the age of thirty-five. So a very millennial culture, and I'm not a millennial, so I don't quite understand this love and affection for sharing everything. And that's fine. It's a whole cultural thing. I get it. It is what it is. I have to bend to it and understand it. What's interesting, though, is, for example, Apple, how it's designed in a way to share everything, where you can enable your own personal text messages on your work computer, if you have them, if you're in the Apple ecosystem. And that causes some grief to the security team, how we now have free-flowing information everywhere. So I think with the cloud and how we are knocking down these barriers, I think it's important to understand and just accept that we're moving in a direction where there are no barriers and there is information free flowing, and it's not going to stop, it's just going to get more prolific out there. So you have to adapt and you have to work around that. There's several ways that you could do that. But I think it's important to have that mindset. This is not going to go away, even though I don't necessarily work this way. The majority of the workforce now is moving in that direction.

Michael Coates:
Yeah, yeah, you hit a lot of the things that I've been hearing as well with that free flow of information, and I think that's really a big takeaway. When the network perimeter goes away, what's left? You have connectivity from different machines, from servers, from cloud, from contractors. And you know, the theory that I adopted, especially at Twitter in my time there, was very much around a data-first security program, which is: all right, if we don't have that old mentality of big walls, keep out the bad guys, what is it we care about? And so we very much thought about, well, where is the data, what data do I care about? How is it moving? How do we protect the data itself, wherever it may live? It certainly has caused a lot of people moments to rethink, because I found at least that your old approaches didn't work. Like, the firewall doesn't matter if your data is purposely outside of the firewall to begin with.

Olivia Rose:
Yeah, you have to think in really interesting ways, because what you went to school for is not necessarily what's happening out there in the real world. You have to think of these interesting ways of, yeah, you're right, the data is not supposed to be out there, but it is. And the firewalls that you learned in school as what you're supposed to be using as the perimeter, they're not the perimeter anymore. So you have to come up with, you know, if I'm not able to use firewalls, what do I use instead? Access control, things like that, other controls. It's an interesting dilemma to deal with.

Michael Coates:
Fascinating. The last area I wanted to dive into. We've covered, in the security role, that you have to think about communicating with management, communicating with the teams, the technical elements to get stuff done, the change in technology, all of these things. And you have to be an amazing leader and hire a security team when they have, you know, your job and three other offers on the table at all times.

Olivia Rose:
Whoosh. That's a lot. Yeah.

Michael Coates:
So if it wasn't, you know, easy enough, easy. How do you think about building great security teams? How do you get the people to agree to join your organization versus another? How do you get them to stay? Tell me about that.

Olivia Rose:
I make it very known, I'm a big fan of bright-eyed and bushy-tailed. I like people who have passion for security, who may not even know it or understand it, but are just excited. And at Mailchimp, I had someone who was a data scientist who moved from data science, had all this enthusiasm for security, learned it and became phenomenal in a threat intel and forensics type of role. And you can't beat that enthusiasm and that passion. That's what I look for, so that's how I always build my teams. There's nuggets of people in every location: there's someone in marketing, there's someone in training, there's a lot of different groups that you can look at people in and see who's really fired up about security. And then you teach them security and they pick it up. I mean, I look at my case. I was a women's studies major doing marketing and I picked it up. So if the fire is there, that's what I want. I don't care about where we just go, I don't even care if you finished school. If you have a master's of computer science, it means nothing to me. What means something to me is that you watched YouTube videos on your own time because you're so enthusiastic about it. And then you went and got the Security+ certification, even though it's not what you're currently doing, because you're so enthusiastic about it and you want to learn more. That's what I'm looking for. You can't beat that. So I think a lot of companies make the mistake of looking for a degree or looking for people who have that experience, and I think to shore up this hiring shortage that we have nowadays, we've got to start looking at people from other areas and bringing them in.

Olivia Rose:
And then once you have them in, you have to keep them happy, because it's a very competitive job market. So the last thing you want is to teach someone all about security and what they need to know and then they jump ship for twenty thousand dollars more. It happens all the time because folks who have some experience are in very high demand. You have to recognize that. So you have to make sure you are a good leader. It's your team first. You are a people leader. And I always say the dirty laundry stays in the family. Nobody outside the team hears anything about what's going on, about the bad stuff. Nobody hears it. It's not coming from my mouth. If anybody hears anything, they all think that you guys are golden kids, golden children, that we've got awesome people, that we're doing great, and all that good stuff. It's really critical to gain trust, to walk the walk and talk the talk. And that takes a long time. My team at Mailchimp took a couple of months, but they eventually gained an understanding and saw that I put myself in front of them whenever something negative was happening, or I took the shots for them.

Olivia Rose:
Right. And once you have that trust, your team will be there at three o'clock in the morning when there's a breach. And it was interesting. At Mailchimp, when I was new, I'm sure if there was a breach at midnight on a Friday, sure, they would have rolled out of bed or rolled out of a bar or wherever they were and come into work. Sure. Because they had to. But after I gained their trust, which is very difficult to do, I had a very large team, I knew right deep down that if there was a breach at midnight, all I had to do was press a button and they would all be there, no complaining, because they wanted to be, and that is what is critical in a security team. So if they feel supported and trusted by their leader, they'll feel it within themselves as well. And they will work really well together. So you've got to really take care of your team; lots of care and feeding, a lot of continuing education is very important. And also just calling them up. Security people are often, you know, talked down to, and executive management often doesn't want to deal with it. So if you call up, if you raise up people on your team to executive management, as we're not just a cost center, we are fundamental to the survival of this business, that goes a long way to retaining people.

Michael Coates:
Yeah, I really like what you mentioned about both taking the bullets for the team and keeping things in the house. I've thought of that as the umbrella leader mentality: you shield the bad stuff coming down. If there's a mistake, you're the leader, you own up to it, instead of throwing someone on your team under the bus to some other management, and at the same time you keep that positive message internally, because it is challenging. But you have to take it like a cohesive unit and a small team for sure. That's awesome.

Olivia Rose:
Yeah, that's right.

Michael Coates:
So let's see here. If you have questions and you're on the line, throw them in the chat. We'll get to those in just one sec. And as we kind of wrap things up before the questions: the CISO journey and the security journey is never-ending. What does your future look like? Where are you headed to, looking for, thinking about?

Olivia Rose:
Well, I'm excited because I'm in a position right now where I'm looking for a new CISO role, a new place to land. I'm looking for a new senior exec V.P. role in security. So if anybody knows of anything, look me up. So that's where I'm at and I'm feeling good about it. I'm excited to watch what's coming. I feel that it's going to be a great opportunity, whatever it is. And I look forward to continuing the journey through the madness of it. That's right. That's right. And by the way, I just have to do one thing for my girls. Hi Sabrina. And Romi, they're watching.

Michael Coates:
So, a few minutes left here. A couple of questions. Thanks to those of you that joined. What is the topic in infosec that's not receiving enough attention in professional circles?

Olivia Rose:
Well. Hmm, that's a topic of, oh, I think I touched on this earlier: the whole millennial mindset of sharing everything and wanting to share everything. I think a lot of people talk about security awareness training. We probably talk about it too much and rely on it too much. We don't talk enough about the side of getting into the minds of where the workforce is going, and designing ways to mitigate and compensate around that whole openness, the sharing of information and data, the blurring of the personal and professional lives. We definitely don't talk enough about that. So I think that we need to improve as an industry and look at where the workforce is going to be in 5 to 10 years and truly mitigate against what's happening there.

Michael Coates:
Mm hmm. Yeah. On this next one, this is the tricky one. But how do you get away from the idea that security is a cost center for an organization?

Olivia Rose:
Oh, well, it's a very expensive cost center, but it's a very necessary cost center, and security costs a lot of money. And a question that every single security leader faces every day is, how do I justify what I'm spending and what I'm doing? And there's a lot of philosophies out there. So how do you show that return on investment, ROI? Where I like to go to is there's a methodology called FAIR, F.A.I.R., which is based on translating your risk profile and the specific risks that you found to the organization into dollar signs. The only way you can get away from that and convince management that security is more than a cost center is if you're able to demonstrate, in dollar signs or whatever currency you use, the money, what security protects you against. So things like brand reputation: a hit to brand reputation can be translated if you follow the FAIR methodology. It's a little complicated, but it's really, really a cool way to go if you translate that into dollar signs. If our brand reputation gets hit, if we have a breach, what does that ultimately possibly mean in dollar-sign loss to the company? That's the only way you can get rid of that.

Michael Coates:
You know, I like that, in your loss avoidance. Yeah, totally makes sense: a little bit of money spent here saves a lot of potential loss otherwise. That makes total sense. Very cool. Well, great, so we're going to go ahead and wrap it up here. Thanks, everyone, for joining the live recording. Thanks so much, Olivia, for being with us today.

Olivia Rose:
Anytime. Thank you!

Michael Coates:
My name is Michael Coates. I'm also in the CISO space; I'm the former CISO of Twitter and have now made the big jump to Altitude Networks as CEO and founder. And for those that have not heard of our company, we are protecting data in cloud collaboration environments. So think of us as the modern DLP that now lives in the cloud. So this is brought to you as part of our efforts, but really about helping continue that conversation with great security leaders. And again, thank you so much, Olivia. Thank you, everyone, and hope to see you on the expansive and never-ending Internet.

Olivia Rose:
Thanks, everyone. Bye bye.
