Donna Ross, having completed a degree in economics, was working in one of the business lines at Prudential, but colleagues kept coming to her for help with technical issues. This steady stream of traffic didn’t escape her boss.
“I had a great mentor and boss, and he sat me down and said, ‘You really need to make a decision about which path you want to take. Do you want to take a business path or a technical path?’ And you know, the technical stuff really excited me,” said Ross, the Chief Information Security Officer at Radian Group, a Philadelphia-based mortgage insurance company.
“Ever since I can remember, I’ve been a tinkerer. As a child of five or six I would take apart my grandmother’s radio and put it back together. So, I found a career that works with how I think. I didn’t even know it until this boss of mine, this mentor of mine, explained, ‘This is how you’re wired. There’s clearly something in this if people are coming to you.’”
Shortly after, a colleague who ran the security practice at Prudential asked her to work for him.
“I told him, my degree is in economics. I know nothing about security,” she recalled. “And he said, ‘It’s OK. I see something in you.’ And shortly thereafter he retired, and I got promoted. I found this passion that I have carried with me throughout my career.”
“I’m a continuous learner, and security is a practice where you’re constantly learning and adapting. Every day is different. You don’t know what you’re going to expect from one minute to the next. And that excites me,” she said.
Ross is paying forward the life-changing mentorship she experienced.
“I work hard on coaching, mentoring and championing people,” she said. “People are my greatest asset. When you think about security, there’s people, process and technology. There are a lot of cool technologies out there. And for technology to work, you have to have processes. But the people are what make the material difference.”
The top priority in her role is enabling business success by protecting the data the organization collects and uses, safeguarding the technologies it employs, and allowing the safe operation of applications.
Security, she said, is a team sport and should not be the company’s best-kept secret.
“Security is everybody’s job. It makes the program more accessible, builds confidence in the program, and results in more effective security,” she said.
That team spirit must extend to collaboration and information sharing within the broader industry, she added. Her own affiliations with the security community include the CyberEd Board, Women in Cyber, ISACA and FS-ISAC.
After Prudential, Ross built the security practice at GMAC as it was opening its first bank, then replaced the retiring information protection officer at Corning. She joined Radian more than six years ago.
Ross calls herself a “builder CISO.”
“I was the first CISO at Radian. I was the first security person at GMAC, and I was the first official titled person with a security background at Corning. They sent me to places where they don’t have a program, and I got to build out the program, hire the staff, develop the policies, and improve the program,” she said. “I want to do the hard work and build out the program and grow the talent. To me that’s the most fun.”
She also calls herself “a Diversity, Equity and Inclusion evangelist.”
“All four of my grandparents were from Eastern Europe and I saw the hardship that my grandparents had when people would misinterpret an accent for ignorance. I became an empath, and as a result of that empathy, I became an advocate, and as I gained more influence at work, it became really important to me to use that power for good,” she said.
Her background has led her to advocate for equal pay and visibility for women, coach African American professionals, and sponsor LGBTQ professionals, among other things.
Being a woman in tech is always challenging because it’s a male-dominated field, but it’s taught her a lot about timing, she said.
“What I learned to do, and it’s unfortunate that women have to do this, is you speak at the right time when you have the right information, so that when you don’t speak, your male boss will ask you, ‘Donna, what do you think?’”
Another way to deal with the gender imbalance is to develop an expertise beyond your field, Ross said.
“When I have that seat at the table, when I sit on a staff, I should be able to speak to strategy, leadership, budgeting and employees so they don’t look at me as Donna, the security person,” she said. “They look at me as another leader who has a seat at the table and raises the right issues.”
Ross has a degree in marketing, and that’s made her “very, very customer focused,” she said. And while technical skills are very important in security, it’s soft skills such as communication, collaboration, project management and leadership that are the differentiator, she said.
“If you can’t be in a room of executives and talk to them in plain English in a way that they understand, you’re not going to be successful,” she said. “We have a standing item on our leadership agenda: We meet once a week on elevator pitches because the person needs to be able to represent their program in 15 seconds.”
Doing differential work is what distinguishes her team and makes it so valuable to the company, she said.
“My team does not turn cranks or watch flashing red lights or green lights. Managed service providers do that. Where we add the value is helping our business grow.”
By outsourcing the commodity work, she also frees her team to do “fun stuff” like threat hunts and purple teaming when they’re not serving customers, or to take training classes to learn about new developments in the industry, she said.
“I think the culture of getting away from commodities and shifting to what’s important to the business is really core to how I’ve built the programs,” she said.
Adversaries are getting smarter, geopolitical events aren’t going to slow down, and more groups are going to work together, Ross predicted. Supply chain security is another worry.
CISOs continue to get a bigger seat at the table as their role becomes more visible and they become an integral part of the business, as business leaders as well as security experts. Liability and regulatory changes are a more troubling part of where the CISO’s role is going, she said.
Work-life balance is important for Ross.
“I’m always encouraging my team to take time off to have fun. I love to do anything outdoors. I love to hike. I love to bike. I love to kayak. I have a second home in the mountains that we go to at every opportunity to relax and have fun. Plus, I’m always taking my Sheepadoodle to classes,” she said.
“I also like snowshoeing. I like the thought of being that first imprint on the snow when it’s purely white and no one’s walked there before. That’s kind of cool.”
Volunteering is a big part of Ross’s life. She’s been on several boards of directors, including InfraGard, a partnership between U.S. businesses and the FBI; Women in Cybersecurity; Big Brothers Big Sisters; the Red Cross; and the Bucks County Council for the Arts.
“Some of my soft skills I think I got from being on these boards because you’re around all different people from different backgrounds, and you’re constantly negotiating and reading contracts and hiring staff and making decisions,” Ross said. “I learn as much from mentoring as the person I’m mentoring or coaching.”