August 17, 2022 · 8m read

“We all need to communicate better.” — a conversation with CISO Olivia Rose

Material Team 

@material_sec 

Twenty-one years of security experience means Olivia Rose has a strong take on a range of topics. Chatting to Material CEO Ryan Noon, Olivia pulls no punches as she discusses her own journey to CISO, asks vendors to focus more on building trust, and pushes hiring managers to give underrepresented minorities a chance.

How did you get into security?

Since I was a young teenager, I’ve always loved to work. While working 40 hours a week has made me street savvy, it was less than helpful in my academic pursuits. I (barely) graduated in Women’s Studies, which was the only degree program willing to accept me due to my less than stellar grades. I had no clue what I was even going to do with a Women’s Studies degree, but I knew it meant I could graduate and get into the working world for real.

My first job after college was as the Assistant Manager of a parking garage. I worked nights and weekends, but I didn’t care because I got out of my parents’ house and on my own. I putzed around jobs for a while not really knowing what to do, got fired a couple of times, ate dinners regularly at bars where they had free buffets during Happy Hours because I was broke, and eventually landed a marketing role at ISS [Internet Security Systems]. Part of the role was supporting the consulting team. One day I realized they were getting paid a lot more money than me and I liked the idea of making more. I approached the VP to ask about becoming a consultant, and he told me “We will never hire you as we only hire from the Big Four. But get your CISSP and somebody else will hire you as a consultant.”

I had no clue what the CISSP even was. But those who know me know I never back down from a challenge, even though it was very tempting after I discovered what the CISSP actually entailed. When I walked out of the VP’s office, he knew that I had no idea what the CISSP was and he said to himself, “If she passes on the first try, by golly, I’m going to hire her.” I studied every weekend for six months and passed! The day I passed, the same VP offered me a consulting job. That was in 2005 and security hasn’t been able to get rid of me since.

Are there any trends in the security industry that are making you hopeful?

The clunky companies that have been around for so long are being swept away by innovative young companies with technology that is a lot cheaper, quicker to deploy, easier to use, and simply put, works better. I’m so excited about the direction the industry is going and the innovation it is driving. It’s amazing what’s coming out from Israel particularly.

New founders are looking at old problems with fresh, energetic perspectives and coming up with creative ways to solve problems. Sure, there are still a lot of snake oil products, but with a lot of the stuff I think, “How did you think of that? That’s brilliant!”

What advice do you have for security vendors?

Vendors need to understand that if they have an innovative or reliable way to solve a need or a problem we have, we want to speak with them. I enjoy chatting with vendors, but I will always check with my network as to their experience with that vendor. I only buy from vendors I know personally or who are referred to me by my network. Trust is paramount in my world. Vendors need to understand that it’s imperative to network and build trust rather than send me hundreds of emails.

I don’t get a warm and fuzzy feeling from an email. All that time. All that money. All the effort spent on email campaigns. All that effort should be put into building and leveraging your network. Ask yourself, “Who do I know? Who do my customers know?” Leverage your customers to talk about you. Ask for an intro.

Typically, I discover new products from my CISO communities. There is a Circle of Trust in these communities. If security leaders love or hate something, they will openly share that feedback with others, and that is exactly why your reputation and your product value mean everything.

It's also essential to understand your audience and what type of CISO you’re talking to. It’s rare to find CISOs who are equally strong on strategy and leadership as well as the technical side. In reality, there are two types of CISO: the technical CISO and the business/strategic CISO.

Technical CISOs love facts and figures. They want to see the tool in action. For these buyers, go straight to the demo and let them play around with it. But if the CISO is more on the strategic side, they will want to first understand where your product fits into the overall landscape. How does it help reduce risk for the company? How does it save money? How does it improve innovation?

Sales should work out which type of CISO they are approaching. Trust me on this. It will make you much more successful. It takes almost no time to look at their LinkedIn and you can easily assess from there. As a business/strategic CISO, you are going to lose me in the first five minutes if you come at me with the tech specs right off the bat, and same if you approach Technical CISOs from a strategic perspective.

Finally, if you’re a salesperson at events, be a fun and interesting person to be with. Focus on making that connection and don’t try to sell me. Check back in from time to time and say hello. Know what I care about (mentoring, diversity) and ping me with people you’d recommend as mentors or mentees, and even how your company can get involved. Sooner, rather than later, I will ask you about your product, because we now have a connection.

You’re very passionate about hiring good talent. How can we overcome this talent shortage we always hear about?

There is no talent shortage. What we have is a talent experience shortage. The reality is we have a lack of experienced talent and an overage of inexperienced, new talent. If we take more of a chance on people with less experience and train them up, we will not only fill our needs, but also set them up for success.

The millennials, particularly those from underrepresented minorities in security, I work with are super energetic, very excited, and full of drive. This kind of enthusiasm is infectious. Hiring managers need to start looking at these brilliant, young, driven people who cannot find a job to get their foot in the door. They need a chance to prove themselves. Maybe there’s no immediate job, but let’s be willing to give them internships to get that experience.

Similarly to how the VP at ISS took a chance on me, I think security leaders need to take a chance on young people who have the drive, talent, and enthusiasm. Find somebody with loads of talent and invest in them. They, in turn, will be loyal. They will follow you.

To attract good talent, CISOs need to be thoughtful about building a good reputation that’s strong enough to be accepted into various communities and be trusted. Associations like the Black Cyber Security Association and Cyversity have some truly amazing networks of individuals from a wide range of backgrounds. These candidates have the drive and enthusiasm that you simply cannot teach.