Interview: Jennifer Steffens, CEO of IOActive

Jennifer Steffens, CEO of IOActive, loves sailing. She also loves live music and snowshoeing, but above all, she loves her job. In a suite overlooking Las Vegas Boulevard, Eleanor Dallaway spends an afternoon with the matriarch of the research firm.

I know that Steffens loves her job above all because it’s almost impossible to get her talking about anything that she doesn’t ultimately refer back to IOActive. Either she’s the definitive PR machine, or she is genuinely enamored with the research firm that she heads up.

After spending an afternoon with Jennifer Steffens, I am confident in declaring it the latter.

Her PR skills aren’t too shabby either, skirting around questions she doesn’t want to answer with the precision of a politician. Her age, for example, is “young at heart.” It’s all part of her charm.

Steffens was hired as senior manager at IOActive in 2008, and within six months was promoted to CEO.

“How could I not be daunted by something like that?” she says candidly. “Even at the time, I put IOActive on a pedestal. I always loved the team and what they were accomplishing, so the fact that I got to run it and help make it into something bigger, and that Josh [Joshua Pennell, founder and president, who Steffens describes as a “great visionary, always a part of the heart and soul of the company”] would trust me with such an amazing position, was exciting, but widely daunting.”

With the company already healthy and growing thanks to the “blood, sweat and tears” of Pennell, Steffens’ job was to expand on that and help evolve the US company into an international firm, growing the “kind of services – and companies – we worked with.”

Steffens spent her first few months on the job mainly observing. “I learnt from an amazing CEO at Sourcefire that you can’t change something you don’t truly understand.”

Her move to IOActive also forced a move to Seattle, and a new home in a place that has “great energy, outdoorsy pursuits, and so much water and mountains.” Equally important to Steffens are the great airports, which allow her to travel easily to IOActive offices around the world.

Jedi Mind Tricks

Steffens grew up and went to school in New York, and later, inspired by her dad’s PhD and passion for psychology, she studied the social science at college in Virginia. Laughing about how that translated into a career in information security, Steffens grins, “It helps me hack people, and perform Jedi mind tricks.”

After college, Steffens started out in sports marketing, with clients like the New York Yankees. “I loved it, but I was still young and curious, and thought that I should bounce around and see what else was out there.” It was this thirst for exploration that landed Steffens her first job in technology. “I loved the technology, but didn’t like the big company aspect.”

She hit the bull’s-eye with her next job around the turn of the century. “It was a marketing role in a security start-up [Aurora Enterprise Solutions] and I was hooked from day one. It’s such an exciting space, and I lucked out because in all three of the start-ups I worked in, I had amazing, super-patient colleagues who would stay late at the office to teach me the technology.”

A world away from sports marketing, Steffens describes information security as having “more energy, and changes a whole lot more. Every time you think you know something, another attack vector or threat vector pops up. It’s a lot of fun.” She describes her later tenures at NFR Security and then as director of product management at Sourcefire as “super-exciting,” and considers that by the time she arrived at Sourcefire, she had “made the clique”.

Interestingly, Steffens talks with some trepidation about the cliques and elitist aspects of the industry. “It’s not always all-inclusive, but that’s true of almost any industry. There are a number of facets of the industry that are extremely welcoming and interactive, and we need to continue to try and break down any boundaries.”

Pirates for Life

Steffens works hard at IOActive to integrate all of the things she loves about start-up culture into a company that, founded in 1998 and with more than 100 employees, is far from a start-up. “In small start-ups, I love the idea of building things and getting to wear a lot of hats. Everybody rolls up their sleeves and helps everyone else, rather than having a defined role, I like that.” So that energy and culture is something that Steffens emulates at IOActive.

“Even with consultants and clients around the world, we want everybody to know each other, we’re a people company; I know everyone’s name. We work like a start-up, but with the history and financial backing of a strong company.” Steffens says, without hesitation, that the best part of her job is the people she works with, and literally gushes when she talks about them, a proud matriarch leading “super smart amazing talent in all facets of the organization.”

Company culture is so important to Steffens that they’ve even given it a name: Pirate culture. I ask her to expand. “So, in our industry, you’re either a pirate or a ninja, and we’re pirates. Josh [the founder] and I love sailing and the water, so it just works. We wanted something that would tie everybody together; we’re like a big pirate family. Being a pirate means you’re happy and at the top of your game.”

As she tells me about how employees take photos with pirate pictures or signs wherever they go, and how they sometimes have eye patches and temporary pirate tattoos in the office, Steffens visibly lights up, clearly proud of her team and the culture she has created. It’s when she talks about her people that she is at her ‘sunniest’, which is apt because her friends and family all call her Sunshine.

“Once you’ve been at IOActive, and you’ve been an IOActive pirate, no matter where you go, you’re still an IOActive pirate,” Steffens explains. “Consulting is not always the easiest lifestyle, so it’s very important to us that when it’s time for our employees to do something else, we want to help them find the right spot and keep them as part of the family. We have a high number of what I lovingly call ‘boomerangs’; they leave and come back. Once a pirate, always a pirate.”

Pirates are hard to find, especially in Seattle where demand for talent adds a level of challenge to recruitment. “We focus on not competing head-to-head with the competition. We have created a culture and an environment full of brilliant minds where hackers can express their creativity, carry out funded research, and work on some really amazing security challenges.” That is IOActive’s USP, she explains. Ultimately, brilliant minds want to work with brilliant minds, she says, so often the top of the class end up recruiting each other.

Make Impact not Money

IOActive arms its pirates with the tools they need to carry out their independent research projects. It also has a technical advisory committee that looks at everything going on in the market, and ensures that the IOActive story maps to that. “One of our jobs is to stay ahead of the trend, and predict what’s going to be exciting. We were researching automotive security three years ago,” Steffens exclaims. “That research and demonstration led to the recall that consequently led to everybody caring about automotive security.”

From connected cars to smart cities, IOActive researchers around the world have “proven that all [smart city] technology is broken,” says Steffens. “So please don’t make us hack a city to prove that it’s broken.” Instead, she advocates working with the research community from the start, and rolling things out in the most secure way, because “once it gets rolled out, it’s a whole lot harder to change.”

IOActive’s whole mission is to make the world a safer place. “There’s nothing more important to us than protecting our clients,” insists Steffens. This perhaps explains why its policy on hiring reformed hackers is cautious. “We work with the Global 2000, we’re trusted with all their source code and corporate secrets, so we have to be careful. There is a level of professionalism that we must abide by, and we hold our team responsible for that.”

On the flip side, she continues, “we firmly believe that people can be reformed. There are people who have made mistakes, or went into things with a certain level of ignorance, and we believe in second chances and reformation.” We can all read between the lines.

Steffens says her commitment is to make an impact. “We love what we do, but it has to be making a literal impact on the industry, and the world as a whole. That’s how we pick what to focus on, what is actually going to make the world safer. We don’t focus on finances, we focus on the impact that we get to make.”

Oh Yeah, She’s a Woman

“There’s an old boys club in infosec that will be regularly and openly surprised that I am a woman and also the CEO, and they’re not shy to tell me that,” she says rolling her eyes. “Being a woman in the industry definitely poses challenges, and probably opportunities too, right or wrong, it is what it is today.”

I’d been cautious of asking Steffens about being a female CEO, because let’s face it, it’s sad that it’s extraordinary or relevant. She was, however, more than happy to discuss the topic. “I’m definitely an advocate for having more women in security, and am a big fan of trying to figure out how to get young women interested in cybersecurity, and making it exciting for them.”

Steffens considers herself lucky to have been taught technology by female teachers. “I do see more female executives, speakers and researchers than ever before. I’d rather celebrate that, make role models out of them, and get to a place where it doesn’t seem unusual, rather than harping on trying to change the opinion of an individual who is set in their ways thinking that women aren’t executives.”

Follow the IO Brick Road

So what does the future hold for Steffens? Well, the answer is unsurprisingly the same as the one she gives when I ask her greatest achievement: IOActive. “Ultimately, I don’t see myself leaving IOActive, so my ultimate career goal is to build it in such a way that it’s the same beyond me.

“I have a strong no regrets policy. Right or wrong, everything I have done has made me stronger, and a better leader and industry advocate.”

A firm believer in ‘love what you do and you never work a day in your life’, Steffens does concede that every once in a while, work does become work. Rarely, though, and the weekends in London, Croatia and Amsterdam, on top of the sailing trips, more than compensate. “I’ve got so much of the world to see, and I’m so lucky to have a job and lifestyle that affords me that.”

Doing what you love is a mantra that Steffens lives by after a serious car crash she was in when she was 21. “I shattered part of my face, cracked my head, spun my car three and a half times on the highway.” It was a wake-up call that life is short, Steffens says, and you should spend it doing what you are passionate about. “So if I was giving my 21-year-old self some advice, I would convince myself to dive headfirst into anything I cared about earlier. I’d be very Nike about it: Just do it.”

Steffens’ messaging is so on point throughout the whole interview that it runs the risk of sounding disingenuous, but yet I believe every word. She may have PR skills that any politician would envy, but she’d still get my vote.
