Secret CSO: Marlys Rodgers, CSAA Insurance Group

What advice would you give to aspiring security leaders? “Focus on how to communicate the risk. Often, security people focus on the technical challenges and requirements, but can't translate that to others in terms of risk.”

Name: Marlys Rodgers

Organisation: CSAA Insurance Group

Job title: Chief Information Security Officer, Head of Technology Oversight

Date started current role: May 2019

Location: Glendale, AZ

Marlys Rodgers is chief information security officer (CISO) at CSAA Insurance Group. Rodgers is responsible for designing and executing the company's IT security strategy to keep internal and customer data secure.

What was your first job? Delivering the Pennysaver newspaper when I was 13 in the middle of a Phoenix record-setting summer heatwave.

How did you get involved in cybersecurity? It was always an aspect of deploying technology solutions. Working for a Fortune 100 financial institution at the time and rolling out the first-ever cloud instance there, it was considered an area of significant risk. As my team helped transform the employee digital experience, my focus and knowledge increased as we deployed more cloud products, Bring Your Own Device and other collaboration offerings to 100k+ employees globally. When I moved into risk oversight, my cybersecurity involvement morphed into one of regulatory, compliance and risk assessment.

What was your education? Do you hold any certifications? What are they? I hold a Master's in Business Administration / Technology Management, and I'm a Certified Information Security Manager (CISM).

Explain your career path. Did you take any detours? If so, discuss. I have taken a few detours along the way. My career initially started working with pharmaceutical sales data on the business side - that took me to my first role at American Express as a Product Manager for data solutions to Global Corporate customers. The more questions I asked of my tech partners, the more they said "why don't you just join tech?" - so I did! My roles varied - I tried to absorb as many technologies as possible and worked M&A integration efforts.

My last role in technology was deploying to 100k employees - in that role, I was solely responsible for ensuring all areas of operational risk - legal, compliance, operations, technical, security, people, etc. This caught the attention of one of my mentors, who was running Operational Risk at the time and asked me to lead the operational risk management programs, new product approval and enterprise operational risk management committee. That gave me a great perspective in all areas of risk - and a great appreciation for how critical it is to translate risk against business outcomes.

When I left Amex for PayPal, I became responsible for risk and compliance oversight to several of their largest enterprise technology platforms and overall technology oversight. I see my current role as a combination of all of it: understanding the business outcomes against risk and compliance with a deep understanding of the technical and security requirements and challenges that accompany it all - and how to try to orchestrate them all to manage risk for the best opportunities.

Was there anyone who has inspired or mentored you in your career? I have had so many throughout my career. Starting as an intern at Arizona Public Service, I spent at least one summer making the 80-minute drive each way to Palo Verde Nuclear Power Plant, and so many engineers and leaders there took me under their wings, and it taught me to seek out mentors and guidance. At American Express, I was fortunate to be mentored by some amazing leaders, including their CISO, Fred Gibbins. As a partner in those enterprise deployments, I learned so much from him, and his encouragement drove me to take on the role I have today.

What do you feel is the most important aspect of your job? Understanding (and effectively communicating) the risk associated with decisions and the need to support business objectives. It is easy to point to "security issues" and say no, but it is much more difficult and important to determine how to address the risk and make solutions work to support where the business is going. Being there to assess, consult and stay current to help the business move forward while mitigating risk. Important to this is creating frameworks and transparency to these decisions and involving the business owners. Education is critical to bring everyone along and be informed to make the right decision for the company.

What metrics or KPIs do you use to measure security effectiveness? KPIs and KRIs are critical - the more metrics, the better - patch latency, asset inventory completeness and health, results of security training (and related - phishing simulations, report of incidents, exception requests), response time, disaster-recovery test results - to name a few…

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, the state of Arizona (where I'm based) has approximately 12k security professionals with 7k openings. They are all challenges, with cloud security skills being the most in demand. We need to focus on how to grow resources internally from across IT. We also need to focus on creative ways to bring in less experienced graduates and train/mentor them to build the talent from the ground up. With so many competing priorities, this is a challenge. We are working on how best to do this while continuing to tackle the mounting priorities.

Cybersecurity is constantly changing - how do you keep learning? Podcasts (a lot of them!), books, webinars, conferences, online training, online reading and most importantly, my network of security peers.

What conferences are on your must-attend list? ISSA/ISACA, AWS Reinvent, SANS, FS ISAC…

What is the best current trend in cybersecurity? The worst? The best trend I see is the increased amount of collaboration in the security community to work together. Being more transparent with challenges and seeking counsel from others will be critical to fight the collective force of the increasing threats. For example, the trend toward preventative threat detection via the use of machine learning/AI is powerful - but only through the use and sharing of successes (and failures).

The worst: The continued lack of growth in cyber talent and, specifically, diverse talent. I am on a board (Alliance of Technology and Women Southwest) that is currently working to connect young women and first-generation students (representing a large portion of minorities) to others working in the technical field. And, at every opportunity, I am encouraging kids as young as my children to pursue cybersecurity! The younger, the better to start to influence them - this is an exciting field where the next generation can do some good, which is a great motivator for younger generations to engage in a career field.

What's the best career advice you ever received? Don't ever let fear hold you back. If the worst thing is failure, then at least you've learned something and did not miss the chance to try something and grow.

What advice would you give to aspiring security leaders? Focus on how to communicate the risk. Often, security people focus on the technical challenges and requirements, but can't translate that to others in terms of risk. The most powerful information is what the risk represents, and finding creative and engaging ways to explain that to your audience is vital. It is NOT just about your technical skills - in fact, relationship and people skills are just as critical if you want to influence change.

What has been your greatest career achievement? I think it is the many transitions I was willing to make throughout my career. Each has built out a different area of experience, which helps me to not only understand different perspectives, but communicate with and educate each audience in ways they find helpful - which only helps better progress the critical security agenda that's needed, but not often understood.

Looking back with 20:20 hindsight, what would you have done differently? I would have spent more time earlier in my career attending conferences and networking. The knowledge and insights I've gained in the last six years would have benefited me 20+ years ago when I started.

What is your favourite quote? "Do what you can, with what you have, where you are" - Teddy Roosevelt.

What are you reading now? I am always listening to two audiobooks at any time: Carnival of Snackery by David Sedaris and The Fifth Domain by Richard A. Clarke and Robert K. Knake.

In my spare time, I like to… Spend time with my husband and sons traveling & attempting to train my dogs (two French bulldogs) to do anything I say (impossible).

Most people don't know that I… am obsessed with true crime and the study of comedy. Sounds like two extremes, and it is, but I have listened to countless biographies on comedians, serial killer books and all kinds of podcasts across the board. I guess the dark and the light…

Ask me to do anything but… Camp overnight outside. I love being outside, but I like sleeping indoors where there are fewer bugs. Living where I do, scorpions and spiders are in large supply!