Climbing the InfoSec Career LadderNopSec CEO on Challenges Women Face
Breaking into the information security field - a male-dominated profession - is a challenge for women. Lisa Xu, CEO of NopSec, identifies the hurdles she's had to overcome and offers strategies for women to grow in their careers.
"I have met many brilliant women in the industry that have incredible technical backgrounds and very strong credentials," she says. "The challenge I see is how to translate the technical knowledge into business implications."
For women entering the information security profession, Xu encourages them to step outside their comfort zones. "That will put you in a position to be uncomfortable, and it also gives you the source for growth," she explains.
Xu says women often need to prove themselves to be recognized in the cybersecurity field. "You really have to put in extra effort to make sure you're technically sound, you're able to articulate the business value ... and create value for customers and for your peers," she says.
During this interview, Xu discusses:
- How her career path evolved from management to information security;
- How having people and technology skills can make job candidates stand out;
- Why cultural differences can be advantageous in the job market.
As chief executive, Xu is responsible for strategic direction, investor relations, financial management, human resources, sales and operations. Under her leadership, NopSec has more than tripled revenue since 2009. Before joining NopSec, Xu advised Fortune 500 enterprises on data security, privacy and technology risk management. She started her career as a management consultant at Accenture (Andersen Consulting) and led many diverse teams at Ally Financial (GMAC), KPMG and Blue Cross Blue Shield. Xu holds a bachelor's degree in economics and master's degree in finance from Boston College. She also attended the Harvard Business School Executive General Management Program. Originally from China, Xu has lived and worked on three continents and has traveled to more than 30 countries.
Management to Information Security
TRACY KITTEN: Tell us a little bit about your background.
LISA XU: I started my career as a management consultant at Accenture and later at a consulting practice at KPMG. I also spent quite some time in the financial and healthcare industries, at Ally Financial and BlueCross BlueShield, where I have seen IT security really evolve from a customer's perspective. I've been heavily involved in privacy, security and technology risk management. When an opportunity came up to join NopSec - it's a market that I'm quite familiar with - I was at a point with my career that I was ready to make the next step.
KITTEN: What would you say were some of the barriers to entry when it came to information security?
XU: If you take a look at our space in IT security, there are very few women - women engineers, women developers or even women managers. One of the challenges as a woman, what I had to overcome as it's seen professionally, is the ability to bridge the gap between technology and the business. I have met many brilliant women in the industry that have incredible technical backgrounds and very strong credentials. The challenge I see is really how to translate the technical knowledge and the ability into business implications, the ability to articulate what's the business value and impacts surrounding IT security.
Education vs. Experience
KITTEN: What would you say played a bigger role in your career, education or experience?
XU: I spent most of my academic years studying business, and my college education really gave me a very solid foundation. As I grew professionally, I realized what's most important is the experience in the field and continuing learning and self-improvements. When I worked at Ally Financial in Europe, I was in charge of a very large IT security implementation project. I was running a very large team coming from Belgium and the UK.
From those experiences, I made up my mind that I need to continue to improve my technical ability and obtain IT security certifications to really help me build the solid foundation. Through that experience, it gave me a very well-balanced education and experience that play a very important role in my personal development.
CEO of NopSec
KITTEN: You're now the CEO of NopSec, which is a company that focuses on vulnerability management. How long have you been at the helm and how did you get there?
XU: I have been in the CEO role for about 18 months. When I first joined NopSec, I was the chief operating officer. I was responsible for running the day-to-day business. Now, being a CEO is all about studying the strategic direction and vision of the company and really inspiring our people to execute towards our common goals.
KITTEN: When did you join NopSec?
XU: I joined in 2009.
KITTEN: Was this a big transition for you or was this something that was relatively seamless?
XU: Transitioning from chief operating officer to CEO was a pretty natural flow of transition. I got the opportunity to see the ins and outs of the business day-to-day, running the business perspective, and being the CEO really helped me step back and look at where the industry evolves. What's the market opportunity? What are the strengths and weaknesses that we have as a business, and how can we capitalize that opportunity and be a player in the market? It was a good transition for me to get to know the business better in order to step up and qualify for the CEO position.
People and Technology Skills
KITTEN: What first attracted you to the vulnerability management space?
XU: What attracted me the most is the management part of the vulnerability. What does the management mean? Management means it's an ongoing process that involves the people and the technology. If we take a look at what's in the market nowadays, the market is saturated with the technology of products. If we're looking at real effective vulnerability management, it cannot be a point solution. It has to be an integrated process and system, embedded with the technology and embedded with expert knowledge. What we have seen are the real pinpoints out there with the customers. Customers buy the technology but they don't know how to use it. They don't know how to interpret it and they remain vulnerable to intruders. What I see is there's this hugely underserved market. Certain customers pinpoint their real problem. That's what attracts me the most.
KITTEN: What would you say helped to prepare you for the role as CEO?
XU: Being a CEO in a fast-growing company, my real job is to optimize the very constrained resources and deliver the best outcome. In the business of contacts, what I see is I have to leverage the strengths of our team, make divisions and make tradeoffs that will ultimately benefit our customers. Putting together the resources and maximizing the outcome really comes natural to me.
Benefits of Cultural Differences
KITTEN: As a woman of Asian decent, how would you say that your heritage helped to influence your management philosophy?
XU: The short answer is it helped a great deal. In the Eastern culture, there's a concept of yin and yang that really describes the country forces. They're inter-connected and they're inter-dependent in the natural world. Even if you look at our logo, we have incorporated those duality concepts into NopSec's logo. In our company, what we're trying to foster is an environment of respect and curiosity. We encourage our people to be respectful of other people's time, resources, different opinions and diversity. At the same time, I think it's critically important that you have the curiosity about new ideas, new technology, other people and different business approaches. In the end, what matters the most is really finding the right balance.
Women in IT Security
KITTEN: What would you say are some of the advantages of being a woman who's a CEO in the IT security space?
XU: Clearly, there are not too many women in the IT security space, especially CEOs, so I guess the perception is traditionally IT security is a male-dominated space. In recent times, I've met amazing women entrepreneurs and IT leaders at an event. At the event, I also met Marissa Mayer, the CEO and President of Yahoo. She also shared some thoughts of being a woman in the IT space. What's important is really stepping outside your comfort zone. That will put you in a position to be uncomfortable and it also gives you the source for growth.
KITTEN: Being a woman in the IT security space is challenging. There are advantages, but there are also disadvantages. What would you say are some of the top disadvantages?
XU: A top disadvantage is managing the perception of whether or not you're technical or capable. I think you need to have a time to prove yourself to be recognized. Having a meeting with a room of bankers or IT security guys, clearly you stand out. You really have to put in extra effort to make sure you're technically sound, you're able to articulate the business value ... and create value for customers and for your peers.
Career Advice for Women in IT
KITTEN: Before we close, what advice would you offer to other women who are interested in pursuing careers in information security?
XU: There's a very interesting analogy to what we do at NopSec, what we're telling our people everyday and what we're building as a company. It's most important to recognize your weaknesses, maximize your strengths, prioritize your efforts and very proactively act upon your plan. Being proactive happens to be a very key ingredient to me, personally and professionally, and to the overall growth of our company.