Gunnar Assmy - Fotolia
Published: 01 Sep 2017
Marcus Ranum crossed paths with Jennifer Steffens at the start of her information security career. She worked for Network Flight Recorder, a company he founded in 1997 to commercialize an intrusion detection system.
Since then, Steffens has moved from product companies to services. Today she is the CEO of IOActive Inc., a global consultancy that offers penetration testing and security assessment of both hardware and software. Ranum caught up with Steffens to find out more about her extraordinary journey from security product marketing to head of a global security provider.
How did you get into technology?
Jennifer Steffens: I didn't grow up super heavily into technology. I was more of an outdoorsy person, but I had computers and played some games. I studied psychology in school and got my career start in sports marketing, which was a ton of fun. I worked on professional soccer and for the New York Yankees and just loved it. But I was really curious about [what] was out there, so I took a job for a security startup in Reston, Va., that was purchased by Ubizen [security service provider]. We were building a security operations center and a web application firewall.
I followed my boss to Network Flight Recorder and came on board to do marketing communications and events. … And [people] said, 'If you're going to represent our company, you've got to know what we do.' I was forced [to go] through all the product training and was so excited by the security industry and how amazing the team was -- I was totally hooked.
And from there, you went to Sourcefire, right? Now you're the boss at IOActive. How did that happen?
Steffens: Getting into Sourcefire [creator of the Snort intrusion detection system] as early as I did, I got into the security product marketing and product management. It gave me the exposure to broader operations. When you're at a security startup pre-funding, you have to wear a million hats and really learn how to grow a business and to handle anything that comes your way. At NFR, knowing I was still too low on the totem pole to have any real impact on the business was frustrating for me. At Sourcefire, getting that exposure over the course of five years and building [it] from $25 million to $250 million was a lot of fun. I got connected with a lot of our investors and got to see that world.
Then I got recruited out to Seattle by an investment bank -- to help them see why one of their series A investments was coming to the end of funding without anything to show for it. It was a one-year 'I agree to help' effort to shut down the company [GraniteEdge Networks] and re-productize the technology, then a relaunch and an acquisition [Vantos].
That is when I connected with Joshua Pennell, our founder here at IOActive. He … wanted someone to run the business. … I've really teamed up well with him, and we're having a lot of fun.
You've learned that you can't be good at everything no matter how wide your bandwidth is. Do you still touch on security product marketing at all?
Steffens: [Laughing a lot] I'm out of it. I still come up with a lot of ideas -- with my background and the exposure I get to our client base at conferences, I kind of can't help [it]. But we have a marketing team that is far more in touch with how marketing is done today.
I've noticed that when you start moving up the executive tree, the skills you picked up on the way are all still useful. I suspect your marketing operations are fairly well-run and your people can't put something over on you.
Steffens: Yes. Changing fields is always a bit scary. But it's always when you're being pushed out of your comfort zone that you can really shine. IOActive is services only, which is very different from my background in product companies. Selling a product is very different because you have to invest up front in R&D; IOActive is self-funded, which was definitely outside of my comfort zone, but it's the best decision I could have made.
At a certain point, you start to learn your personal parameters and think: Well, I'm going to survive this. You learn how much change you can handle. That and, What's the worst thing that could happen?
How do you feel about the industry's security product marketing? Are things getting better?
Steffens: I do think that they are -- there's been an increase in security in mainstream media and movies. It's brought the conversation so much higher in organizations that it challenges a security product marketing team to do better. You've got to tell the why do I care, why is this important story, instead of the fear, uncertainty and doubt story. The products can't just become shelfware, which we used to see a lot of back in the day. I think people call bull on silver-bullet messaging and one-size-fits-all solutions. And we're getting a much more educated discussion about what's needed. What's defense in depth going to look like in the future? How do you respond to issues? There's a lot less of the generic marketing for the sake of security product marketing.
There's still a lot of hype, but there's also skepticism, finally. Machine learning? Cool, I look forward to seeing it work. Not so much just whipping out the credit card when the technology du jour comes along.
Steffens: I think it's a more educated buyer, which means you have to be a more educated seller and marketer.
You're from a younger generation of entrepreneurs. Have you noticed any effect from the demographic changes in the security industry as it matures? I keep waiting to see fewer bearded, graying white guys.
Steffens: To this day, I still get a few people who assume I'm the event planner or the junior person. And I have to remind them that they're talking to me and my event team. There's no reason someone should make assumptions because of my gender or my age: I've just walked out of meetings.
That was something I learned at NFR: It doesn't matter who you are; it matters what you know. And you either know what you're talking about, or you don't. Most of the people in the industry understand that it's knowledge-based. But it's still sometimes a bit harder to get your voice heard. Everyone in the security space needs to be a little better at listening. It's not always our forte. Excellence speaks for itself.
How to perform information security assessments
The risks and rewards of hiring a former hacker
How to meet to requirements for ethical hacking certification