Secret CSO: Olivia Rose, Amplitude

Name: Olivia Rose

Organisation: Amplitude

Job title: CSO, and VP of IT & Security

Date started current role: February 2021

Location: Atlanta, Georgia

Olivia Rose is the chief information security officer (CISO), and vice president of IT & Security for Amplitude, the pioneer in digital optimisation. Rose is a seasoned cybersecurity leader with 20 years of experience building, transforming, and optimising successful cybersecurity programs. Rose possesses a unique blend of technical and governance expertise coupled with strong business acumen to ensure security initiatives align with overall business goals and demonstrate value. Rose is a frequently requested speaker at industry events and podcasts, is widely regarded as a mentor and industry expert, and is a champion for diversity. Rose holds numerous IT and security certifications, including CISSP, CISM, CCSK, Security+, and CDPSM, among others, and is an active participant in several industry groups.

What was your first job ever? My first real job was at Baskin-Robbins when I was 14 and I have worked consistently since then, even full time at a coffee shop while carrying a full course workload in college. I’ve always enjoyed working.

My first job was actually not in security, but as a marketing manager at Qwest Communications, a telecommunications company acquired by CenturyLink in 2011. While there I managed marketing initiatives for a suite of data, voice and internet solutions, spending the majority of my time supporting the sales team with pre- and post-sales marketing activities. After that, I hopped around to a few marketing roles before eventually landing in the cybersecurity space.

How did you get involved in cybersecurity? My friend initially connected me to a company called Internet Security Systems (ISS), which was acquired by IBM in 2006, for a marketing role. In my early days at ISS, I frequently supported the consulting team, which I came to find I enjoyed much more than my marketing position. I took a bet with the VP of Consulting that I would pass the Certified Information Systems Security Professional (CISSP) exam on my first try, and the day I did he called me and offered me a security consultant role on his team. Little did I know then that it was pretty uncommon for a security newbie to pass on their first try!

My journey into cybersecurity consulting developed into positions as an advisory CSO for Fortune 500 organisations. In these roles, I’d go onsite and advise current CSOs on things like how to build a strong security foundation, how to develop risk-based roadmaps to improve security infrastructures, and how to implement security and regulatory frameworks like NIST or HIPAA. Through that experience, I became proficient in the role and decided it was time to try it out for myself,  and around that time I got the opportunity to be the CISO at Mailchimp, a global digital marketing and commerce platform.

What was your education? Do you hold any certifications? What are they? Unlike many of my peers, I don’t have a computer science or cybersecurity degree. I hadn’t even heard of security back when I was in college. I graduated with a degree in Womens’ Studies because, quite frankly, it was the only degree program that would accept me with my less than stellar grades. (I was always more interested in working and found classes to be tedious). However, as I progressed throughout my career I have accumulated an array of certifications because, as I was a woman in the security industry, I needed to prove myself more than my male peers. I currently hold certifications in Certified Data Privacy Solutions Engineer (CDPSM), Certified Information Security Manager (CISM), a Certificate of Cloud Security Knowledge (CCSK), Security+, and am a Certified Information Systems Security Professional (CISSP).

Explain your career path. Did you take any detours? If so, discuss. I took a non-traditional route into the industry. Cybersecurity wasn’t a career I had ever considered, and growing up, I was not very good at school, which is somewhat odd being the daughter of two academics. When I graduated, I was unsure of my career plans and landed in marketing by chance. So, while there weren’t any major detours once I got into cybersecurity, I certainly didn’t know that would end up being my career path early on.

Was there anyone who has inspired or mentored you in your career? Coming up in cybersecurity, I really did not have a true mentor, especially a female mentor since there were few women in the field at the time. It was challenging to do alone, and that experience is what motivates me to mentor extensively today, particularly women in cyber. Mentorship is something that is really important to me because I am able to affect real change in people’s personal and professional lives. I subscribe strongly to doing rather than just talking about it. There’s lots of things you can do to help people out, no matter how busy you are; reserving time each week to speak with others, reviewing resumes, making connections and introductions, even liking and commenting on someone’s post on LinkedIn takes no time at all and grants them a much wider viewing audience than if they do it alone.

What do you feel is the most important aspect of your job? A lot of companies over-rotate on technical skills for security leaders, but a big part of being an effective CISO today is possessing “human skills.'' As a CISO, fifty percent of the struggle is getting executive buy-in so a good CISO needs to play the role of an influencer within their organisation. Sometimes that can mean influencing people to do things they don’t want to do but should in the best interest of the company. The key is to put yourself in the shoes of other executives, understand what’s driving their perspective, and then prioritise putting policies in place that improve security posture without hindering other teams’ ability to reach their goals.

What metrics or KPIs do you use to measure security effectiveness? I follow the NIST recommendations for metrics and program measurement. They offer solid guidance and even provide templates.

Is the security skills shortage affecting your organisation? What roles or skills are you finding difficult to fill? Organisations across the industry are dramatically understaffed, but not because there is a lack of talent. We need to address the industry's current perspective on hiring – we have a massive imbalance. Even though there is an influx of newcomers in the field, eager for jobs, there are very few entry-level opportunities because organisations zero in on candidates with more years of experience. This means talented people–especially women and minorities–have an even tougher time entering the workforce. As an industry, we need to unite and rethink our hiring procedures to become more inclusive, take on newbies to train and mentor, and that in turn will help close the skills gap. Equally as important, is the retention of minorities in the workplace. It’s critical to understand microaggressions and identify barriers for their success so you can remove them.

Cybersecurity is constantly changing - how do you keep learning? I’m always reading about the new tactics cybercriminals are leveraging; today keeping up with cybercriminal techniques is an industry imperative. With the industry changing so quickly it feels like there’s a new cyberattack, breach, or trend every day that security professionals can nerd out on. Whether I am reading a breaking news headline or having a discussion with my fellow industry experts, I am focused on continuous education in order to ensure we’re adhering to the best and most advanced practices here at Amplitude.

What conferences are on your must-attend list? Of course, RSA and Black Hat are key security conferences. I’m a huge fan of BSide events that are scheduled in many cities across the U.S. There you’ll find  interesting up-and-coming talent speaking on innovative and energising topics. While I was at Mailchimp, I spoke at RSA Conference about what makes a CISO decide to buy from a startup, which was educational even for myself. Go attend local events, like ISSA and ISACA. Get to know people and talk about big ideas.

What is the best current trend in cybersecurity? The worst? The best current trend is the new way of thinking about Vendor Risk Management programs and how to truly identify and prepare for risk with third-parties. And the worst is our current way of thinking and approaching Vendor Risk Management, because we are doing it all wrong and it’s all smoke and mirrors. Any organisation can buy their way into a compliant SOC2 report, if the price is right. It has no bearing on whether the vendor actually lives and breathes best security practices or not. So I’m expected to place my trust in all these companies being connected to my network simply by asking them a bunch of questions and looking over their SOC2. Of course, no vendor is going to give me a non-compliant report or insufficient controls met when they want the business.

What’s the best career advice you ever received? “You need to do this.” When I was at ISS and offered the consulting role, I was terrified of the expectations, what I didn’t know, the travel that it entailed, failing, etc. Pete Allor, then a Director at ISS, stepped into my cube one day, cut me off during my emotional diatribe, and simply said, “you need to do this.” And he was right. I say that same line ad nauseum to so many people now.

Fear is all manufactured in your head. It’s not real. When you get the opportunity to move forward in some way and you find you are holding yourself back, you truly just need to do it. And even if you fail, you won’t regret it.

What advice would you give to an aspiring security leader? Get out of your head and get into real life. Education is important in life, but nothing beats hands-on experience. Getting real world experience, as early as you can, will allow you to grow your skills, understand the ‘why’ and the ‘how’ of cyber threats, and gain confidence in the field.

Focus less on what you know and more on how you know it. We need people who can respond to an incident with real-world ways of counteracting it. Someone who can jump in and fix a problem as soon as humanly possible is always an asset. The best way to learn is to put this mindset in practice in real life. From volunteering at local groups and associations to helping a neighbor set up their Wi-FI in a secure way - any experience can help.

What has been your greatest career achievement? There are two: Taking on that bet with the VP of Consulting to pass the CISSP exam on the first try as that completely changed the trajectory of my career. Second is when I made the jump from consulting to being an actual CISO. Very different worlds and looking back it took a whole lot of guts to do it so I’m proud of myself for that.

Looking back with 20:20 hindsight, what would you have done differently? I stayed in consulting too long because I was comfortable, and I was nervous about jumping the fence into working for a company on the security team. I also had two kids so I chose to take the easier path rather than the path that would truly challenge me. Looking back, I should have taken the more challenging route. Obviously, I didn’t heed my own advice of “you need to do this!”