
Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36

Hi, Justin Daniels here. I am a corporate M&A and tech transaction equity partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:59

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello, happy Monday after the time change. How are you doing?

Justin Daniels  1:40

You know I’m sore.

Jodi Daniels  1:42

That is because you do too many sports on that weekend.

Justin Daniels  1:44

I get no sympathy.

Jodi Daniels  1:45

No, no sympathy.

Justin Daniels  1:47

I get what I deserve.

Jodi Daniels  1:49

Did you enjoy your extra hour of morning sunlight?

Justin Daniels  1:52

It was nice to get up and see all the trees and everything was very fall-like.

Jodi Daniels  1:57

Yes, and then it’ll be dark at like four o’clock. But that is for a different discussion. So today, I’m very excited because we have Olivia Rose joining us. She is a CISO and Owner of Rose CISO Group, a former CISO of Amplitude and MailChimp. And Olivia is an award-winning cybersecurity leader and three-time global Chief Information Security Officer. Olivia Rose is the Founder of the Rose CISO Group, which is a boutique security company delivering exceptional vCISO, board communications, and strategic services to Fortune 1000 companies. Olivia, welcome to the show.

Olivia Rose  2:36

Hey, you two are a match made in heaven?

Justin Daniels  2:45

A little while? Oh, you should see when we present together which will be tomorrow.

Jodi Daniels  2:51

That’s on Wednesday.

Justin Daniels  2:53

Oh, it’s Wednesday.

Jodi Daniels  2:58

Monday, we’re recording on Monday. You want to be listening people at a different time. But we’re actually recording on Monday. And we present on Wednesday. Okay, you want to get the show on the road?

Justin Daniels  3:13

So Olivia, we always like to know how did your career evolve to where you are today?

Olivia Rose  3:18

I have no idea. And that’s honestly the answer I grew up. I never even heard of check. I never even Of course. I mean, this was a long, long, long time ago. Never heard of cybersecurity. There were no cybersecurity classes. There were barely computer science classes in college. So I did go to college and barely graduated by the skin of my teeth by majoring in women’s studies, because it was the only major that would accept me with my dismal GPA was a new blood meter. And they needed people. So never, never thought for a day. So what does one do when you get a Women’s Studies degree? Well, he didn’t go into academia, but with my grades was no way that was gonna happen. And the other option is you go into marketing, because it’s all about how to position messages to different people and how to get the messages across, which has actually come in pretty handy in my career in security since then. So long story short, went into marketing, went to go work for Internet Security Systems, ISS, one of the very first cybersecurity companies out there. And it was a great time I was in marketing. I was supporting the consultants, I was doing a lot of their reports. I looked at them and I thought, well, they make a lot more money than I do. So I want to go do it. There you go. It can’t be that hard. So I did go get my CISSP. Somehow, the first try in that — this was back in 2005. During the consulting group, my first customer I did by myself, because the person who was supposed to be training me, his wife was about to give birth, threatened him with divorce, if he traveled one more time. So my first client was PayPal, I did their PCI assessment, all by myself, no idea what I was doing show to anybody. And there you go. And then at first is that so over time, 17 years in consulting, and then went in house and became CISO for MailChimp in Atlanta, and then CISO for Amplitude in the Bay Area. And then quite honestly, I got burned out. 
So I decided to putz around and just do some virtual CISO work. And that was a year. Yeah, about a year ago, a little bit over a year. And I’ve been very fortunate knock on wood, very unfortunate, since then got awesome clients. And it’s a lot less stressful. And I actually see my kids, so that’s nice, too.

Justin Daniels  6:22

You know what? You said something interesting, that I don’t think we’ve ever covered in one of our podcasts is security professionals really struggle with a lot of burnout. And maybe you could help for our audience, explain what makes the job so stressful.

Olivia Rose  6:37

You hear all the time about CISOs, struggling, how the job is so tough. And with the recent news events about SolarWinds, you get some of it there. But the key reasons why there’s so much burnout in this industry as a CISO or a senior security leader, either one is that unless you’re at an organization that truly believes and supports, security best practices that are willing to put the resources and the money and the time towards it, then you’re seen as an afterthought. If you’re not, and you have to constantly fight for attention, fight for what’s right, oftentimes, the security function reports up through the engineering or tech, and which is a conflict of interest. Because when you have critical findings from a pen test, and the engineering teams don’t necessarily want to put it on their roadmap, you both report to the same manager. And who are they? Who are they going to really focus on supporting, we’re going to focus on supporting the business rather than the security side of things. And the conflict of interest happens there when that’s my boss. That telling me not to do it. So an audit time comes around, and something’s encryption at rest is not in place, then what do you say, you can’t say my boss told me not to do it. So CISOs are constantly stuck in this drawer, trying to get out and get attention. And you know, when your resources are cut, because you don’t have any breaches, which is a good thing. Well, that’s just that’s just sheer luck, that you didn’t have breaches. It’s not because you’re great or necessarily, but the business sees it as well, she’s doing a great job. She doesn’t need to have as many people or as much money in 2024. So you know, we haven’t had any breaches, that means we’re good. But you can never say you’re good at security, as you know. So all of those things together every day, every day, a lot of burnout, unless you’re very lucky. 
And you’re at a company that does support cybersecurity just as equally as the other business drivers.

Justin Daniels  9:06

So kind of on that point. Because Jodi and I, we wrote a book, and that’s one of our themes, that both privacy and security are are afterthoughts. In your experience kind of give us if you can, a window into the mindset of the business when it comes to privacy and security. Is it just the thought of hey, I just don’t want to deal with this. It’s just another thing or why do you think we continue to persist in privacy and security being an afterthought?

Olivia Rose  9:35

In my experience, I have seen privacy gain some leverage because you have to post publicly your privacy policy and all these things. So security is more hidden behind the scenes and then from what I’ve seen secure privacy being but that’s my experience. I think that I think the common answer you’re gonna get, quite honestly, is that security leaders, of course, are being blamed for that. We don’t position and align security drivers and privacy drivers with the benefits. Because security people tend to be tech people. And a tech person does have a hard time knowing how to shift the other side of their brain to position and present to nontechnical leaders who have the purse strings. So that’s the common excuse that you gotta get in my mind. In my experience, it is that but it’s also what I was saying before, it’s literally one of the worst industries or areas of the business to show results. I mean, what is the result from security? A good result? No breaches that could change tomorrow? You’ve got, I mean, what am I supposed to say? If somebody says, How are we doing? I don’t know. Right? Breaches lately? So how do you quantify what you’ve been doing on the privacy and security teams, you can’t be can’t quantify ROI, like you can for the other functions of the business. So I think that’s why it’s an afterthought. If nothing happens, that’s a good thing.

Jodi Daniels  11:30

It’s so interesting, that you say that, in your experience, we’re seeing privacy move forward. I obviously spend a lot of time on the privacy side, and I do see that but I often see privacy after security, because so many companies think about the security measures first, oh, I have to protect everything. And then they think, Oh, I just need the privacy notice. And then I’m done. I don’t have to do anything else. That is the very common philosophy that I see. Especially in those Fortune 1000-level companies. It’s just interesting to see. It truly does depend on the company and the culture and the leadership and where they’re focused.

Olivia Rose  12:08

Yeah, I can see that, but what’s interesting, though, is that privacy has more teeth than security does. So when something’s related to money, and you’re gonna get popped for what was that recent one was a Google for like two-point-something billion dollars.

Jodi Daniels  12:30

There’s always a fine, it’s hard to keep up.

Olivia Rose  12:35

When there’s a security breach, it’s kind of a stab in the air. Like, I don’t know how much it’s gonna be, but it’s gonna be a lot. Money talks. I think it depends on the company. And it depends on the type of company, tech companies tend to focus first on product and engineering, getting the products and the features. With that comes a proxy with the data, not necessarily security. However, in other industries, it is more about security than privacy. So I think it depends on where you’re at. But yeah, we’re both bottom of the barrel.

Jodi Daniels  13:12

So what’s your favorite phrase? It depends.

Justin Daniels  13:15

I know. It depends. You complete me.

Jodi Daniels  13:20

Ah, so interesting.

Justin Daniels  13:25

Well, anyway, talk to you a little bit more about your current gig. Can you share more with our audience about what you do? And how a vCISO helps companies, and really like, who needs a vCISO?

Olivia Rose  13:36

It’s a good question. And my opinion, I started seeing this over a year and a half ago. And it’s starting to come true, which I do enjoy being right is that companies are going to stop hiring a CISO internally, and especially with this SolarWinds thing that just hit, they’re really going to think twice in the Uber event as well. They’re going to start thinking twice about bringing in an in-house CISO. And the reasons really are, there’s a lot of liability that you have to take on when you’re hiring a CISO in-house. Also CISOs are very expensive, very expensive resources for a good one who’s been around for a while. Also CISOs are a pain. CISOs are a pain in the neck. Because CISOs are constantly whining for attention. Pay attention to me. And try to make alliances with other teams, especially privacy and legal, that they’re really difficult to have a reason and they’re also a very expensive team with expensive resources, expensive products and tools, and processes. And we want to make changes all the time. So I think we’re gonna start seeing and we already have started seeing a shift to outsourcing that leadership role, but maintaining and keeping the rest of the security team in-house and have them report up to a different function. Hopefully not through tech, because again, that introduces that conflict of interest. I always really like it when it reports up through the general counsel, because I’ve always been buddy buddies with the general counsels. It’s beautiful, privacy and security are like besties. When you start seeing that shift, you start looking at who they can then come in, and be that contractual, part timer. And you also share some of that liability, hopefully not, but you know, I’ve got cyber insurance, and all that business insurance and all that good stuff. And this person can come in and look at your environment holistically. 
So you look at the type of industry they’re in, you make sure that what are the top trends in attacks, that a company in that industry tends to get, or receive? What kinds are successful, different industries have different attack vectors, possibly a lot of them share. So you’ve got to look at that. And so someone who comes in and can do that, and then create the roadmap, prioritize all these initiatives, actually come up with a real budget, and you know that they are vendor agnostic, you know, that they’re not asking for too much for their own purposes, because I don’t keep the extra. If I asked for a budget, or one internally, my group does, possibly, if there’s any left at the end of the year. And finally, um, it’s just, it’s someone who’s been around the block. Now, the issue that people have with virtual CISOs, or contraction CISOs, is that most of them have never been CISOs, or security leaders, the term vCISO is a, anybody can be a vCISO. Jodi, you can be a vCISO, right? It’s a casual term.

Jodi Daniels  17:15

I wouldn’t, but I could.

Olivia Rose  17:17

A lot of people can be vCISO. Somebody who’s really just being a manager on the security team can tomorrow wake up and start a vCISO company and call themselves vCISO. So you have a lot of, I’m not going to call them hacks, there are some just like there are in every industry, but you have to know that there’s a lot of confusion about who really is vCISO that can actually help you translate to the board. And he’s done it before versus those who are more operational.

Justin Daniels  17:54

Sounds to me like it’s the difference between a financial advisor versus a Certified Financial Planner, who had to go through education and certifications, as opposed to someone who shows up and says, “hey.”

Jodi Daniels  18:06

I would add to that, though, because I think I could still go get the certification. And that doesn’t mean I’ve actually done the role. And what Olivia is offering is, I could take the certification, maybe I could even have some level of actual experience. But maybe it’s a junior-level experience. Now I leave and I’m just going to wear my vCISO hat. And what Olivia has experienced is actually a CISO in an organization and had to deal with all the fun and glory that comes with that. And challenges and can now package all that up, as she is working with her various clients. And the same with other, you know, vCISOs out there as well.

Olivia Rose  18:49

Yes, yeah. I mean, unless you’ve been in front of the board, getting questions coming at you. And you have to defend the reasons why you made the decisions or the security program and structure and vision and mission. You can’t do that for anybody else. Really, you haven’t been in their shoes. Now, if you’re going for someone who has been a CISO in the past, yes, they are going to be more expensive. Of course.

Jodi Daniels  19:25

Earlier you mentioned your marketing skills being really helpful in this industry. And we were just talking about being able to communicate to the board and to different stakeholders. Can you share a little bit more about maybe some of the lessons you’ve learned and what you apply so that other people listening could also say, “Ooh, those would be some really good tips. I should try that.”

Olivia Rose  19:49

I say to everyone I speak with. I speak with a lot of what I call security newbies. I mentor a lot of them. So they ask, “What certification should I go for next?” I always say, you need to go to YouTube or Coursera, or one of those educational online vendors, you need to take an introduction to marketing course. Because marketing teaches you about how to position the messaging to the right person, so it resonates. So you hit them what I call right between the eyes. So if you’re in a meeting, when you’re describing why you need to encrypt data at rest, even though it’s only there in memory for a few seconds, but say you need to encrypt it, you need money for this resources, time, and attention paid to it. I position instantly, in my mind, the message to the engineering leader one way, but to the marketing and HR leaders a completely different way. And you have to know how to switch those messaging, you need to really pick up on what’s important to each of those personas, and tailor and write and convey the message differently. And marketing really helps you to learn how to do that innately. It’s critically important for when you go in front of the board, you find out beforehand, okay, these two people now have a pretty good concept of technology. I gotta watch out for them. I gotta be somewhat deep, but not too deep, because everybody else on the board is not technical whatsoever. They’re more generalists. So when I turn, and I speak to that person who’s tech, I can throw in a few jargon words. And over here, I throw in what no acronyms or if I use that removes, I spelled them. I don’t assume things that they know. That’s what marketing teaches you. Marketing is critically important to live and breathe, when you’re in security.

Jodi Daniels  22:18

Makes a lot of sense. And I’m always talking to our team a lot about different audiences and privacy are working the same thing. It’s cross functional across different types of people. And really nice idea of doing an intro marketing class, we’re going to go search for that and share it with a variety of different people who I think would benefit over time. Really good suggestion in terms of how to learn communication styles.

Justin Daniels  22:42

You know, I think that’s really interesting, because in a data breach situation, what I mean by that is, you’re going to put people under time pressure with incomplete facts to make business decisions. And I find that the forensic investigators have a really hard time translating logs and RDP protocols, to business people. And so what I find I have to do on almost every data breach is I ended up being the translator because if you don’t know how to explain or position your message to the business team in a way they can understand in a data breach situation, the results can be a complete disaster, because now, in a board meeting, you’re not under pressure. But in a data breach. Not only are you under pressure, but you have incomplete facts. And you may be working with people that you’ve never met before. So all the things that you talked about Olivia, to me are magnified when you put people under pressure in a data breach. Oh,

Olivia Rose  23:39

Yeah, you hit the nail on the head right there. That yeah, data breach has tons of fun, right, as you know. But people also jump to assumptions and conclusions. If you don’t tell them what they want to hear. They’ll make their own assumptions. And then you got to steer them back while you’re trying to control everything else going on over here or the business. Yeah, I think that’s a great, great situation, description of what do you really need to understand when to flip? How to give people what they want to hear. And if you don’t have the answer, understanding how knowing from your marketing knowledge and experience, understanding how you think they’re going to react and respond because people react in data breach situations, they don’t respond, they don’t think. So how are they going to take this? And then you pull out right, Plan B. So there you go. There’s a little more food for you. I’ll come back in 30 minutes. Okay, we’ll make it 15-10. I’ll be back in 10. Right. So that’s how you have to negotiate it, and the marketing helps with that.

Justin Daniels  24:52

Well, it just seems to me one of the, I guess takeaways I have from the conversation to this point is when you’re doing table topping to have a whole conversation around how do we position and explain what is going on in a tabletop, to your point about the marketing would really help when you get into the situation, because I still find about eight times out of 10. When I get that phone call, and the house is on fire from a data perspective, they have no plan, they’ve never practiced. You’re just gonna throw a bunch of people together on a team and see what sticks.

Olivia Rose  25:27

Or they have practiced and the company coming in to do the tabletop used all the decoratives and all these technical jargon and concepts. And nobody wants to sit at a tabletop with the rest of their executive leadership team and ask, I’m sorry, what’s AES 256? What is that? I don’t get it. What is that? Nobody wants to 256.

Justin Daniels  25:57

It’s all about encryption. Oh, that made me happy.

Olivia Rose  26:02

So they probably didn’t do a tabletop, they probably didn’t do the right things because they have to do it for cyber insurance. And they also have to do it to get that nice little checkmark on their SOC 2 compliance and for other things. So they probably didn’t do it. But did it actually resonate. No.

Jodi Daniels  26:22

I don’t know what to do with the smile on your face.

Justin Daniels  26:23

Just laughing. She had me at AES 256?

Jodi Daniels  26:27

Oh, all right. Fine, I’m going on fine. Let’s move.

Justin Daniels  26:37

So as we talk about the marketing stuff, which was interesting, let’s shift focus a little bit and talk about how, as a vCISO, you see this intersection between privacy and security. Because I know, working with Jodi, or at least when she talks to me about stuff, that you’re seeing in more and more companies that CISOs are getting involved in having to have responsibility for privacy, which you wouldn’t think of. But that seems to be happening. So could you talk a little bit about that intersection?

Olivia Rose  27:06

I think you always need to have a data knowledgeable person. I mean, you can’t, if you’re if your background is in security, you’re not going to pick up the world of privacy, global privacy regulations, you still need someone who knows that stuff. But there’s a lot of shared characteristics between the two disciplines, and the types of people who fulfill those roles. Because privacy and legal when you’re on a Zoom call, and there’s like nine or 10, windows, open your allies, whenever marketing comes up with some, we want to open up port 80 to the internet, because we want to allow everybody into our network and you know, kind of younger, slow anybody down. So no two factor authentication for our customers, stuff like that. There’s always that look that goes in between security, and legal and privacy. So I’m kind of grouping this do you kind of share this look of? Okay, we’ll talk about this later. And your power, not against the business, but how to deal with the business. Because as Jodi, you were saying before, privacy and security, it’s always typically an oversight, it’s the last step that the business is thinking about. So if they’re coming out with a new product, oftentimes security and privacy are kept in the dark, which is always lots of fun. And that happened at one company, you always have to keep your ear to the ground, you have to maintain a solid, honest, transparent relationship with privacy. Because fundamentally, what you both care about is protecting the company that is your number one goal. And security cares about protecting data. Privacy cares about protecting data. It’s two sides of the coin. This is just different spins to it as to what we focus on. And people who don’t who are security leaders who don’t have that strong relationship with their legal team. 
I would highly recommend you start looking at building that up because they’ll often hear things that you don’t hear of and you’ll hear of things through the you know, so from a little birdie told me that they didn’t know about and you always have to support each other because fundamentally your goals or aims for the company are pretty much the same.

Jodi Daniels  30:03

I add to that — security team should also get to know their marketing friends, I recall doing a presentation, there were 100-plus security leaders in the room. And I asked how many of them would say that their friends had a good relationship with the marketing team. And no one raised their hand, I gave them all homework that they needed to really create a relationship to get to know them. Because that’s how you’re going to be able to work through those tough conversations and be able to get whatever what you just said, everyone’s on the same page. So if anyone is listening, and you don’t have a good relationship with, maybe it’s your marketing team, it could be your product team, pick the team that you’re that. I’m just they don’t know them. That’s the team, you need to get to know.

Olivia Rose  30:46

Yes, because they’ll launch a promotion over in Europe. And not think of the data that’s collected or that personal data. Marketing doesn’t necessarily think about where it’s being stored, how long it’s being stored, how it’s being transmitted. You know, it’s not in their repertoire, and that’s fine. That’s not what they do every day. But sometimes, they forget to bring in privacy and security. So yes, that’s a great concept and idea — get to know your marketing team.

Jodi Daniels  31:22

We talk a lot about different privacy and security aspects in a company, we always ask someone, what is the best privacy or security tip that you might offer when you’re out and about with your circle of friends.

Olivia Rose  31:39

I think in this day and age, with the younger generations, there’s this heavy focus on sharing, I want you to share everything with the world. And you know, that’s a beautiful thing, go go do that in lots of health, that’s great. But when you’re merging your personal and professional lives together, those of us who have been who are Gen X, of which I am one, we were raised in the workplace to not combine the two work is work and play is play. And never the two shall meet. You use different devices, different phones, you don’t combine the two. You do your resume, you don’t do it on your work machine, you do it on your home laptop. That’s how we think. However millennials and Gen Z’s tend to think more along the lines of this is a computer and I can use it. Now the problem is when you connect your iPhone, to your computer, and you’re connecting, and you’re seeing your personal text messages on your computer, and if you’re even remotely connected with a breach at the company, the company owns that laptop, they don’t own your phone, typically, but they own the laptop, and they can do whatever they want with it. And I always say when I do these security awareness trainings with companies is, think: Do you really want that text message you sent at midnight last Saturday night being read out in court, or being read by attorneys, and Justin, you can speak to, right? You don’t. You want to keep it separate. So protect your own privacy, and protect your own data because everything from your private life that you are putting onto work equipment belongs to the company. There’s no security, there’s no boundaries anymore.

Jodi Daniels  33:52

That’s a good one. We haven’t heard that before. Thank you for sharing.

Justin Daniels  33:55

So when you’re not out being a vCISO and spreading the gospel of security, what do you like to do for fun?

Olivia Rose  34:05

When I got so burnt out a year and a bit ago, it took me a long time to rediscover fun. And I’m discovering fun. I’m trying to be fun again. I think spending time with my kids, of course, is fun. I’m very nerdy. And I really enjoy crossword puzzles. And I’ve gotten quite good. It took a few years, three years because I started in the pandemic. So I’m not sure I can be really nerdy but I’m doing that as for fun. And you know, I like to get into the health of the wellness of getting into meditation which is very healthy for me because I have ADHD, so it helps fine tune and tone down my brain and help me think clearer. I recently discovered or rediscovered yoga? So I’m kind of boring, a lot more energetic and fun than I really am. But I’m actually very boring in real life.

Jodi Daniels  35:14

Like, I don’t think that’s boring. I think you just know what you’d like. And it’s not middle school or high school, there’s no judgment. So if people would like to connect with you and learn more, where’s the best place for them to go?

Olivia Rose  35:25

Well, they can go to my website rosecisogroup.com. They can go to LinkedIn, just do a search for “Olivia Rose cybersecurity,” I will pop up. Or just email me at Olivia.Rose@rosecisogroup.com. I’m always happy to chat.

Jodi Daniels  35:47

Wonderful. Well, thank you so much for stopping by and sharing all of your great insights. We really enjoyed the conversation.

Olivia Rose  35:56

Thank you so much. It was great to just to chat with both of you and be on the show, finally. It took a little while with our schedules.

Outro  36:10

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
