Episode 6: Getting started in tech evangelism | The Job Security Podcast

Introduction

Welcome to The Job Security Podcast, where we explore the unique perspectives and stories of the people who make the cybersecurity industry what it is. This week, we’re diving into a role that’s often mysterious and difficult to break into: tech evangelism.

Tim Chase joins us to demystify what tech evangelism actually means in cybersecurity. With over 20 years in information security—from manual penetration testing in 2002 to leading security teams through cloud migrations to his current role as Field CISO and Principal Tech Evangelist at Orca Security—Tim brings a practitioner’s perspective to a role that sits at the intersection of marketing, sales, and product.

As security teams navigate increasingly complex threats, the role of tech evangelists in bridging technical expertise with strategic guidance becomes more critical. Whether you’re a security practitioner considering a move into evangelism or a leader trying to understand how evangelists can support your managed detection and response (MDR) program and broader security strategy, this conversation offers practical insights into what makes the role work.

As Tim’s wife would ask: what does a tech evangelist actually do all day? The answer is more nuanced than you might expect, involving far more listening than preaching, more advising than pitching, and more relationship-building than connection-leveraging.

Defining tech evangelism: More than just talking about technology

When asked to define tech evangelism, Tim Chase offers a straightforward answer: “A lot of what I do is just talk about tech.” But that simplicity belies the complexity of the role.

Tim Chase: “A tech evangelist to me is just someone that sees what’s going on in the industry. They’ve got the history. They’ve been in it long enough that they can really educate others, whether that’s through doing podcasts, writing blogs, meeting with customers to tell them what you’re seeing and where they should be focused.”

At a practical level, tech evangelism exists at the intersection of three critical business functions: marketing, sales, and product. Evangelists spend significant time on marketing activities—speaking, writing, creating content. But they also take what they learn from customers and industry trends back to product teams to influence roadmaps. And they support sales efforts by providing technical credibility and addressing complex customer questions.

Tim Chase: “You should really be taking what you learn and helping make sure that gets into your product. Because you want to make sure that from a product perspective, you want to be where the industry is going. You want to be leading the industry.”

This creates what Ben Baker describes as a “content flywheel”—staying on top of trends feeds into customer conversations, which inform product development, which shapes the content you create, which sparks new conversations. For Tim, this extends to his LinkedIn training courses on topics like security metrics, where his CISO experience informs educational content that also feeds back into his evangelism work.

The practitioner advantage: Why previous experience matters

One of Tim’s core philosophies for effective tech evangelism is drawing on personal experience as a security practitioner. This isn’t just about having talking points—it’s about genuine credibility that changes how executives engage with you.

Tim Chase: “I think one of the good things about being a field CISO, tech evangelist is the fact that I’ve been there before, and I can draw on my own experience. I always try and put myself in the shoes of the person that I’m talking to.”

This practitioner background creates immediate credibility with security leaders who are constantly bombarded by sales pitches and marketing messages. When Tim introduces himself, the conversation dynamic shifts once they realize he’s not an SDR or seller—he’s someone who has walked in their shoes.

Tim Chase: “I’ve literally seen the face and the conversation change when I introduce myself, and they realize I’m not an SDR or a seller. I’m a practitioner. Then they can understand and then we can talk.”

But experience alone isn’t enough. The other critical element is listening—understanding that every organization is at a different place in their security journey, and what worked at one company may not apply to another.

Tim Chase: “Just because what I… if I go into a customer site and just give the same message every time, it may not resonate because they’re at different places in their security journey. I think especially in cloud security, if I were to plot a path for everyone to be successful, it may not be the same for everybody.”

The journey to tech evangelism: Tim’s career path

Tim’s path to tech evangelism wasn’t a straight line—it was a series of intentional steps driven by curiosity about what comes next.

Tim Chase: “I’m the type of person that always likes to have a plan of what’s next. I could tell you right now—I won’t—but I could tell you what my next two steps I would like to be.”

His journey began in 2002, when CISO roles were not yet common and automation in security testing was minimal. While working as a manual and performance tester, Tim asked if he could do security testing on the side—using proxies to modify payloads and manually test for cross-site scripting and SQL injection vulnerabilities.

This side interest evolved into his primary focus when he joined Nielsen (the ratings company). He negotiated a deal: he would only join to do performance testing if they also let him build their application security program. That bet paid off—he convinced them to purchase Fortify for application security testing, and before long, he was owning AppSec for the entire company.

From there, Tim’s career progression included:

• Running security for Nielsen’s Buy division (now Nielsen IQ), managing vulnerability scans, risk assessments, and AppSec
• Building the team from 3 people to over 50 (onshore and offshore mix)
• Leading Nielsen’s cloud security program during their rapid multi-cloud adoption—experiencing firsthand how organizations go from “we’re all-in on one cloud” to multi-cloud within months
• Moving to HealthStream in Nashville to run their security program, including cloud security, AppSec, and board reporting
• Joining the startup world at Cyberhaven for go-to-market experience, learning how sellers operate and how vendor relationships work from the other side
• Spending three years at Lacework (to the day of the acquisition) running their field CISO team
• Brief time in identity security before landing at Orca Security as Principal Tech Evangelist

Tim Chase: “The path to it was a little bit convoluted. I didn’t set out for this, but at each stage, it was kind of like, what’s my next step? I’d like to work more in the field. I don’t want to be a seller because I have kids. I don’t want to be out taking people eating and drinking every night. But how can I be a seller but not be a seller?”

That question led him to field CISO roles, and his natural inclination toward speaking and writing ultimately led to tech evangelism.

Beyond connections: What companies should look for in tech evangelists

In a recent LinkedIn discussion about what makes evangelism roles work, Tim offered a contrarian perspective: don’t hire for connections alone. This advice challenges a common hiring strategy where companies seek evangelists with extensive networks in the CISO community.

Tim Chase: “The problem with that, at least from my experience, is you can only expect a certain number of those connections to really pan out. Because once you go over to what they consider the sales world, they don’t always pick up the phone the same way that you would expect them to. Because they know that you’re trying to sell them a product. They look at you more as sales now.”

The reality is that those connections typically work for six to nine months before drying up. Building genuine, lasting relationships requires solving problems for people, not leveraging pre-existing networks.

So what should companies prioritize instead? Two key qualities: communication skills and executive presence.

Tim Chase: “One of the most important things is someone who is a good communicator to the—and I would say broadly, but also to the executive level. I think a good evangelist can walk into a room and start talking and people are going to pay attention. You have the ability to talk CISO to CISO or security executive to security executive.”

Executive presence matters because tech evangelists often need to engage with senior security leaders who are inundated with vendor pitches. Having the credibility and communication style that resonates at that level makes all the difference.

But evangelists also need to communicate effectively with practitioners building security programs—not necessarily being the most technical person in the room, but able to explain concepts in ways that different audiences can understand and apply.

Adding value without the pitch: The art of relationship building

One of the most important principles Tim emphasizes—and that Ben Baker reinforces from his marketing perspective—is that cybersecurity professionals don’t want to be sold to. They want help.

Ben Baker: “Something that I’ve learned being in the industry for several years is that people don’t want to hear you hawking your products. They just want help. One of the things that I’ve noticed about executives specifically—CISOs, VPs and above—is I feel like there are so many unknowns and uncertainties inside security, and a lot of times they’re left wondering: Is this just me? Am I alone in this?”

This is where effective tech evangelism creates value. By speaking their language and sharing what trends you’re seeing across multiple organizations, you help security leaders understand they’re not alone in their struggles—and you provide context for solutions that others are finding.

Tim Chase: “If I get on a sales call, I’m going to listen and I’m going to help understand what problem they’re facing. And if I’m going to talk about the product, I’m going to talk about how we can help you solve the problem that you’re facing. I’m not going to pitch every single feature that Orca can do.”

This principle extends to Tim’s writing as well. His blogs focus 95% on educating readers about topics like AI security or building cloud security programs, with only a brief mention at the end that Orca might be able to help.

Tim Chase: “I think that positioning myself, positioning our company as thought leaders, will put us in the spot that we want to be in anyway. Ultimately, the goal is to make Orca more well known—make people think ‘these people know what they’re talking about.’ If you do that and you elevate the company as a thought leader, I think the sales will come.”

The philosophy is simple but powerful: let the sellers sell, and let the evangelists evangelize. There are enough sellers already. The evangelist’s job is to talk about problems, share insights, and build the company’s reputation as a trusted advisor.

The surprising importance of listening in tech evangelism

Perhaps the most counterintuitive aspect of tech evangelism is that listening might be even more important than speaking.

Ben Baker: “It’s ironic to me that one of the primary responsibilities of an evangelist is to listen, because I think a lot of times when you think about evangelism it’s speaking, speaking, speaking. But it sounds to me, Tim, based on what you just said, that listening is just as important as speaking for a tech evangelist.”

Tim Chase: “Yeah. It is in multiple ways. It is just from a learning perspective. Because one thing that I like about this role and about cybersecurity in general is that you never stop learning. I’m not the type of person that likes to do the same thing over and over again day in and day out, year in and year out.”

Listening serves multiple purposes for tech evangelists:

Continuous learning: Cybersecurity evolves rapidly. Listening to practitioners on the front lines keeps evangelists current on what’s actually happening in the field, not just what analysts and vendors are talking about.

Understanding context: Every organization has unique challenges based on their industry, maturity, size, and existing infrastructure. Listening helps evangelists tailor their guidance rather than prescribing one-size-fits-all solutions.

Building genuine relationships: People can tell when you’re genuinely interested in their problems versus when you’re just waiting for your turn to pitch. Listening builds trust and credibility.

Product feedback loop: What evangelists hear from customers directly informs product roadmaps, helping vendors build solutions that address real-world problems.

This emphasis on listening doesn’t mean evangelists should be passive. But it means being thoughtful about when to speak, what to share, and how to make sure the conversation is genuinely helpful rather than self-serving.

Breaking into tech evangelism: Practical advice for aspiring evangelists

For security practitioners interested in moving into tech evangelism, Tim offers concrete advice on how to prepare and build the necessary skills.

Tim Chase: “I think the best thing you could do is figure out your medium that you like to communicate best, and just start there. When I ran a team, I had some folks that would write but they didn’t like to speak. They would speak but they weren’t great writers.”

The key is to identify your gaps and systematically work on them. Being able to communicate in multiple ways is important for tech evangelism—you have to write, speak, and engage in various formats. But you can start with what feels most comfortable and gradually expand.

Stretch yourself gradually: If you don’t like speaking in front of groups, start with webinars where you’re just answering questions in a field you’re comfortable with. Or start a podcast where you’re interviewing others rather than being the sole focus. For writing, even if you’re not naturally gifted, you can get better—and you can find people to help polish your work.

Tim Chase: “I will tell you that I’m good at writing. I’m not great at writing. But I’ve got some people that I work with that are great that can help and be like, ‘hey, you should word it this way or word it that way.'”

Learn how sellers work: Understanding sales methodology helps evangelists be more effective. This doesn’t mean becoming a seller, but learning how to ask good discovery questions and elicit meaningful responses rather than yes/no answers.

Tim Chase: “Learning how to ask good discovery questions, learning how to… part of when I try and ask questions to elicit good responses is not yes-no questions. And that’s an art sometimes. Find a good seller or two and just get on their calls and see how they get a customer talking in a way that is not defensive.”

Build practical experience: If you’re currently in a practitioner role, look for opportunities to speak at internal meetings, write documentation or internal blog posts, present at local security meetups, or contribute to open source projects. These activities build the communication skills and public presence that evangelism requires.

Interviewing for tech evangelism roles: What to look for

From the hiring side, Tim shared insights on how he evaluates candidates for evangelism and field CISO roles. The assessment combines both soft skills and hard skills.

Soft skills assessment: During interviews, pay attention to how candidates communicate. Are they relatable? Do they come across as friendly and approachable? Can you imagine them engaging executives without being condescending?

Tim Chase: “I’ve interviewed people for the role before, and I could just tell that they would rub other executives the wrong way. Because they come off as condescending, they come off as maybe not liking sales folks. I actually had one guy say he didn’t like sales. And I’m like, you know 75% of your job is working with sellers. That’s a problem.”

Hard skills assessment: Ask candidates how they would generate relationships in areas where they don’t already have connections. For example: “You don’t really know a lot of folks in Washington, or maybe you don’t know a lot of folks in the medical field. What could we do to generate some interest there?”

Strong candidates will have thoughtful answers about leveraging industry groups like local CISA chapters, sponsoring events, participating in professional associations, and building relationships through providing value rather than just making asks.

The combination of soft and hard skills tells you whether someone can build new relationships continuously rather than just relying on a finite pool of existing connections.

The cloud security context: Where tech evangelism adds unique value

Tim’s focus on cloud security provides useful context for understanding where tech evangelism adds particular value. Cloud security moves fast, and many organizations are still figuring out how to secure multi-cloud environments effectively.

At Nielsen, Tim experienced firsthand how quickly multi-cloud can happen. The organization decided to go all-in on Microsoft Azure, declaring “cost doesn’t matter.” That lasted about a month when they realized they were burning $40,000 monthly. Then another department chose AWS because it better met their needs. Then another department picked GCP for AI capabilities.

Tim Chase: “Before long, within the course of two months, we were multi-cloud. That’s the fast-forward journey of how most organizations these days go.”

This rapid evolution creates a constant need for guidance. Security teams need help understanding how to build cloud security programs, what tools to prioritize, how to manage identities and entitlements across clouds, and how to integrate application security with cloud security.

At Orca Security, Tim focuses on helping organizations understand that these domains—cloud security, application security, container security—are more integrated than ever. Orca’s approach with a unified data model addresses this by allowing organizations to query across all their security data with consistent context.

Tim Chase: “One of the keys is that it has a unified data model where you can extract this data so that you can always query on it. You know what you’re sending to MDR providers. It just makes your life a lot easier from the context perspective—not just knowing you’ve got a vulnerability, but all the information around the vulnerability.”

This is where tech evangelism creates value: helping organizations understand not just individual tools or techniques, but how the pieces fit together strategically.

AI security: The next frontier for tech evangelism

Tim also highlighted AI security as a major focus area at Orca, echoing broader industry trends. Just as organizations “threw out all the fundamentals” when cloud came along (a mistake in retrospect), there’s a risk of making similar errors with AI.

Ben Baker: “With the cloud, we kind of threw out all of the fundamentals about cybersecurity that we knew, when we really shouldn’t have done that. And in a lot of ways, it seems like we’re doing something similar here with AI. Let’s keep the fundamentals, guys. They’re there for a reason.”

Orca’s AI security capabilities focus on understanding:

• Where organizations are using AI
• What data AI models are connected to
• What roles and permissions AI users and services have
• How to secure AI agents as they become more autonomous

Orca’s acquisition of Opus earlier in 2024 signaled their commitment to agentic AI security, an area that will only grow in importance as AI agents gain more autonomy and permissions within organizations.

For tech evangelists, AI security represents both a challenge and an opportunity—helping organizations navigate a rapidly evolving landscape while applying security fundamentals in new contexts.

The philosophy of “do what you’re bad at”

Dave Johnson shared a perspective that resonates with Tim’s advice about stretching yourself: “I wrote a blog last year titled ‘Do What You’re Bad At,’ and it was very much: if there’s something you’re terrible at, literally hyper-focus on that. There’s a ton of room for personal growth as a result.”

This philosophy applies directly to building skills for tech evangelism. If you’re uncomfortable with public speaking, deliberately seek out speaking opportunities. If writing doesn’t come naturally, start writing anyway and get feedback to improve.

The conversation also touched on another valuable lesson from parenting: learning to ask open-ended questions instead of yes-no questions. Dave’s six-year-old daughter constantly asks “why,” forcing him to explain complex concepts in detail—recently including a discussion about whether light is a wave or a particle.

Dave Johnson: “It’s forcing me to explain things in granular detail I haven’t maybe had to in a long time. But there was no yes or no. It was: ‘But why is this a wave or is it a particle?'”

This childlike curiosity and the discipline of asking questions that can’t be answered with yes or no are exactly the skills that make tech evangelists effective in customer conversations.

Frequently asked questions about tech evangelism

What’s the difference between tech evangelism and sales?

Tech evangelists focus on education, relationship-building, and thought leadership rather than closing deals. While they support sales efforts by providing technical credibility and addressing complex questions, their primary goal is establishing the company as a trusted advisor. Sellers have quotas and commission structures; evangelists are measured on brand awareness, content engagement, speaking engagements, and the quality of relationships they build. As Tim says: “Let the sellers sell, and let me evangelize.”

Do you need to be a former CISO to become a tech evangelist?

Not necessarily, though practitioner experience in cybersecurity is highly valuable. What matters most is credibility—having walked in your audience’s shoes and genuinely understanding their challenges. Some effective evangelists come from security engineering, threat research, or other technical roles. The key is being able to speak from experience about real security problems rather than just marketing talking points.

How do tech evangelists measure success?

Success metrics vary by organization but typically include: speaking engagements at conferences and events, content engagement (blog views, social media reach, podcast downloads), sales pipeline influence (opportunities where the evangelist added value), brand awareness in target markets, and qualitative feedback from customers and prospects. Unlike sellers with hard revenue targets, evangelist success is often measured in longer-term brand and relationship building.

Can you be a tech evangelist without being extroverted?

Yes. While evangelism involves communication, it doesn’t require being the loudest voice in the room. Some effective evangelists prefer writing over speaking, or one-on-one conversations over large group presentations. The key is finding your communication style and building from there. As Tim noted, listening is often more important than talking in evangelism. What matters is being able to communicate clearly and add value, not necessarily being the center of attention.

What’s the typical career path to tech evangelism?

Most tech evangelists come from hands-on practitioner roles—CISO, security engineer, architect, or analyst positions where they’ve dealt with real security challenges. Some move through field CISO or solutions engineer roles that bridge technical work and customer engagement. The path often involves gradually taking on more external-facing responsibilities: speaking at meetups, writing blog posts, presenting at conferences, or contributing to industry conversations. There’s rarely a straight line; it’s usually a series of intentional steps toward more communication-focused work.

How do tech evangelists balance education with product promotion?

The best evangelists lead with education and problem-solving, mentioning their product only in context of how it addresses the challenges being discussed. A useful rule of thumb is the 95/5 ratio: 95% of content should be genuinely helpful, vendor-agnostic insights, with only 5% mentioning your specific solution. This approach builds trust and positions the company as a thought leader rather than just another vendor pitching products. The sales come from being recognized as an expert, not from aggressive promotion.

This transcript has been edited for clarity and readability.

For more cybersecurity insights and industry perspectives, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice, or visit expel.com/blog for the latest in security news, tips, and threat intelligence. To learn more about how Expel’s managed detection and response services integrate with leading security platforms like Orca Security, reach out to our team today.