How to become a cyber risk specialist

Chris Sienko: We at the Cyber Work Podcast recognize the COVID-19 pandemic and its resulting impacts to communities in every corner of the globe. Our thoughts are with everyone impacted during these unprecedented times.

I want to assure our viewers and listeners that the instructors and staff at Infosec remain dedicated to you and your organization’s success, as well as to your continued health and well-being. Now here are three ways we're supporting our community as we weather this outbreak together; opportunity number one, you can immerse yourself in a live online boot camp from the safety of your own home. To help students in these stressful time, Infosec is extending our exam pass guarantee to all students and waving the normal requirements.

In addition after your boot camp, you'll get 90 days access to Infosec skills where you can continue to learn with hundreds of on-demand courses, hands-on labs, skills assessments and more. Through the end of April, you'll also save up to $1,000 on any upcoming online boot camp enrollment.

Opportunity two, you can help reinforce good cybersecurity habits as employees transition to remote workstations. Use our free remote working training module, infographics and e-mail template to help keep your employees and organizations secure.

Opportunity three, for listeners who are not yet in the cyber security field, or who are now finding themselves revising their career strategies, please see the link in the description to learn more about the Infosec Cares Scholarship. It's designed to cover the cost of the security plus, or network plus training course and certification exam you'll need to qualify you for entry level cyber security position. Stay safe. Stay healthy and thank you as always for tuning in.

Now let's start the episode.

Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.

I'm excited to talk to Ryan Wallace of HORNE Cyber for a number of reasons today. He is the Cyber Risk Supervisor and has been certified as an Information Systems Auditor in Risk and Information Systems Control. We haven’t had that many cyber risk experts on the show yet and it's a valuable and growing career field and I know some of you have been asking about how to break in, so we want to feature that. In addition, I noticed this on his official bio.

Ryan joined first in 2014 with previous experience as a small business owner specializing in branding, graphic design and consulting, as well as a bachelor's degree of accountancy at Mississippi State. I think this is noteworthy for listeners of Cyber Work, especially because it's important to note that cybersecurity professionals come from all walks of life.

You can do your job really well and pursue opportunities in the cyber security field, even if you haven't been hacking into government mainframes since childhood as a few of our guests have. Today, I want to talk with Ryan about his life and career journey to this point, how he found himself interested in cybersecurity and how he leveraged his non-tech background into an interesting and satisfying career.

Ryan Wallace is a Cyber Risk Supervisor at HORNE Cyber, where he specializes in IT risk related assurance services. He provides analytic expertise regarding policy, design and implementation, as well as IT compliance. Ryan also consults on information, systems environment compliance and management for public and middle-market clients. Ryan joined the firm in 2014 with previous experience as we said, in small business ownership specializing in branding, graphic design and consulting. Ryan earned a bachelor’s of accountancy at Mississippi State University.

Ryan, thank you for joining us today.

Ryan: Thanks for having me, Chris.

Chris: Most of my interviews start out with a stock question, which is namely, how did you first get interested in computers and tech and a lot of our guests have stories going back to the childhood of Commodore 64s, or learning basic out of a book from a library. Your story is interesting to me, because it seems like you came to tech and cybersecurity later. Can you tell me about your early interests and your schooling and sorry, your first career steps before moving over to risk?

Ryan: Yeah, happy to. I grew up in a smaller town. You can probably realize from my friendly accent at West Point, Mississippi. I grew from the south. I was pretty introverted as a child. I found myself working on our family computer most days after school. This was around the mid-90s. It was Windows 95. Good old solid OS architecture.

Chris: Sure, sure.

Ryan: After graduating high school, I went to live with a community college for about a semester, but I really struggled to just find direction. I took a job at a local ISP PC repair store. I guess, I did well in the interview, even though at the time I couldn't tell you the difference between a modem and a motherboard. The job really solidified my love for tech and got me interested in how I guess tech influences business.

Eventually, I went back to college. As you stated, I earned my bachelors of accountancy at a State University. I took a full-time job at my current place of employment afterwards in public and the middle market as a financial auditor. That way, more financial-based than what I do now.

Shortly after that, I was offered a – I was offered to assist with our IT audit team at the time with an engagement and immediately fell back in love with tech. Seeing how I could use my current skill set to do what I originally loved. I was offered a full-time track in that direction and I took it. I love it.

Chris: Yeah. Okay. Yeah, so you say you went into business for yourself for a while there. I assumed that you had some tech elements going on. Anytime you start a business, you got to know something about putting everything together or whatever. Was there a sense of like, “Maybe, a career in tech isn't for me. I'm going to do this thing for a while and see what happens.” Or were you always thinking about trying to get back to that?

Ryan: Yeah. I really loved the tech at the time. However, I was getting more of a help desk role. I enjoyed it. I did learn a lot and learned some soft skills that really helped, I think later on for sure. I think at the time, I was just in a place of I don't want to do this long-term. There's some other options out there to start my own business. I thought I would – I was young, so I ventured out.

Chris: That's the time to do it. Tell me about your current job role. You’re a Cyber Risk Supervisor. Can you tell me what that job entails? Do you oversee a department of risk analysts, or do you just do higher level risk things yourself? Start at the very beginning. Can you, for our listeners, explain the concept of cyber risk as a job title or skill set?

Ryan: Yeah, absolutely. Yeah, cyber risk, the way that we look at it is that want more focus on prevention of loss in a business. That loss and be financial. Ultimately, does become financial. However, a lot of it can be reputational, or take other, take out the forms such as lost of culture. Even though it may not be immediately obvious, this eventually goes back to either misconfiguration of technical implementations or architecture, or which is most likely people or processes related to handling that set. That's what we focus on here.

Chris: Okay. As a supervisor, are you the head of a department, or are you just at a higher level of doing the same risk analysis?

Ryan: Yeah. I guess it’s more – It’s a little of both. The way that we're structured in HORNE Cyber as a subsidiary of HORNE, which is a business advisory firm, in my role was that we were oversight of our assurance, means leading engagements, compliance or HIPAA, were service organizations, even generalized, specialized IT risk assessments. My role is definitely more leading the team, having the client contact, or content. Hope that helps.

Chris: Okay. Yeah. No, that's good. We're going to dig down into your day-to-day, what you do and so forth. I wanted to go back to this. I keep hammering this point home, but before joining HORNE in 2014, you are a member of an automotive service and parts Consulting LLC, sole proprietor of a web and graphic design company, staff accountant for a small healthcare company and computer technician for a local IT company.

At the top of the show, I wanted to let people know who feel that they're somehow too late to get into cybersecurity if they haven't studied it since birth. This is going to be a multi-part question and this is the first part. What security knowledge or skills did you need to acquire before getting this job, or on the job even, and how did you go about that? You were doing all these other things and you decide you wanted to move towards risk assessment or cyber risk assessment. Did you feel there was something you needed to learn between what you were doing then and what you're doing now?

Ryan: Absolutely.

Chris: Yeah. Okay.

Ryan: Great question.

Chris: How did that come along?

Ryan: Yeah. I’ve been a business owner, were embedded as an LLC member and as a sole proprietor. I understand a lot of the internal struggles that, I guess, businesses takes. I guess, there's a strong urge of mine to helping succeed any way I can. In the past, I've seen how technology can directly affect that, whether it's what we mentioned before this configuration, implementations, or knowledge gaps and practice and stuff like that.

I guess the move from small business owner to cyber, I definitely thought that knowledge. Yeah, for sure. I really worked hard to fill that as quickly as possible. It helped that I had some tech background. Local contacts helped coaching through people in the industry, in the ITR industry, specifically for tech. That definitely helped.

Chris: You had people around you that you were able to ask and help you at least know where to start looking for the knowledge that you needed.

Ryan: Yes, absolutely.

Chris: Okay. Where were those folks? How did you know them?

Ryan: Surprisingly, not through the channels you probably would think. Some of them as were embedded along the way in other positions, so the people we have here at HORNE obviously. Others through local church community. It's crazy. It's a small world.

Chris: Yeah. Yeah. I mean, it's one thing to network at something that's already in your career field, but it's worth noting that just meeting people, they open up doors that you wouldn't think of otherwise come to you later.

The second part of the question is related to your prior skills. In your bio, you noted that you have been able to accrue a variety of experience through your career and that you can bring the tasks you have at HORNE Cyber, you've been able to synthesize these things. I guess, my question is how has your – have your past accomplishments and projects and skills in not tech areas helped you to do your job as a risk analyst better?

Ryan: Yeah, great question. I would say as I mentioned earlier, having that firsthand experience as a business owner really gives you a lot of insight into what really keeps them up at night, right? Having that perspective as I walked into our engagements, really helped frame up where I want to be able to take them as a company.

We talk a lot here about helping people reach their full potential. It really is about that. I mean, it's about helping them think through each of the cost benefit assessments that we do for them and the risk that we've outlined for them and recommendations and think through practically how is this going to help me as a business either get a leg up on the competition, or reach and fill this gap that I’m right now.

Chris: Yeah. Yeah, so that's good. That's an empathy, or at least an understanding of what things can go wrong when you're already juggling so many things.

Ryan: Absolutely.

Chris: Walk me through your average day as a security risk supervisor. What time do you start work? Where does your work take you in the course of the day? What are your most common tasks? When do you get to be done? Can you turn off from the position, or are you always on-call?

Ryan: Yeah. One of the big spent that's working at HORNE, we have something called unrivaled flexibility network. As a dad of two toddlers, that work culture, it allows me to flex in such a way that I can take care of my family and also take care of my engagements and my clients. While I do travel face-to-face, I would say most of the work I do is remote. Many of our clients are appreciative of the fact that we can work remotely with them. It lessens the impact on their daily operations. It also blurs expenses all around.

Chris: What sorts of things do you do in the average course of a day? Okay, so you get in, you got your coffee, you're at home, or at – what happens next? Where do you go from there?

Ryan: Yeah. We have a internal team project management web-based solution that we use. That’s where I start – I like to organize my day and my week, set expectations. Typically, we'll have a weekly project management call, where we discuss any hurdles with the team and the clients that we're on as a group helps brainstorm, get a little more outside perspective of the current engagement to work through those issues.

Then it’s just – it's off to the races. I mean, it’s what sections of the assurance audit, if you complete it today and what items are outstanding for clients for we getting in touch with it.

Chris: Do you get to get your hands dirty and actually do the work? Or are you doing more coordinating?

Ryan: Absolutely. Yeah.

Chris: You do a lot of both?

Ryan: I think to do both, yeah, which is probably the best. It helps me have that strategic vision, I guess, of where we're taking our company, where we remind clients to do it. Then also, I don't lose focus about what it actually feels like to go in and test and go through the granularity.

Chris: Where does a position like risk management, cyber risk stand on the average company hierarchy chart? Who do you report to? Do you have a support staff? Are you largely self-directed, or do you receive feedback and recommendations from the company, or the board, or someone higher up?

Ryan: Yeah, great question. Yes. The way we’re structured at HORNE Cyber is we’re [inaudible]. We’re unstructured in that focus area, as we call it. I’m a supervisor, so I work under a manager position. I also have the up [inaudible] advisor, which is essentially I have a direct report of one of our associates.

I guess more importantly, we plan our audits and assign personnel strategically to work on each of our audits on a field level, I’m typically the main point of contact for the client. That isn't a lot of freedom from a consulting business.

Chris: Okay. In general, are security risk analysts or supervisors usually employed by a single company? It sounds like you are. Or is this something that is also could be a freelancer consultancy position by nature?

Ryan: Yeah. I've seen both. Obviously, I’m employed by HORNE. However, I know people that work under their own shingle and have done great. It’s a definitely a mix.

Chris: Is it a thing where you could break off onto your own and go freelance after you've done it with a firm? Or is it possible to just jump in freelance? I feel like, it seems you would need the structure of doing it with a company first to know the parameters and then you could go on to your own, but I don't know. I'm thinking of people who might be in Wyoming or something that's like, “I want to do this, but there's no places around.” Or I just threw out Wyoming randomly, but you get the idea.

Ryan: Sure. Yeah, I’ve been to Wyoming. I know. Yeah. I mean, I would definitely say obviously, with the resources of a firm like HORNE behind, yeah, there's definitely a lot of knowledge that I can accrue. There's a safety there and I have a wealth of resources around me. I do know people that have done it on their own. It's harder obviously. I mean, there's higher risk. I guess from my consultant standpoint, there's also more flexibility and after, you have to launch out on your own out honestly and can set your own path.

Chris: Okay. Let’s do a round of best and worse. What do you think are the most interesting parts of being a cyber risk analyst, or supervisor and what are the most difficult and most repetitive parts that you don't like?

Ryan: Yeah. Like I mentioned before, seeing a business improve and growing, that's one of the most rewarding parts of my job. I would say the most difficult, repetitive parts usually come in the form of just the administrative job duties, the daily price which is in paperwork is required with each audit, especially compliance audits. They have very specific requirements there.

I would say as far as what – I know this is one of your questions. I may be jumping ahead, but as far as what stresses me out at night, it's a – our new clients or first-year clients for sure, especially those clients who may be an emerging sector, or they experience a sudden growth and boom in the business. You always worry about missing some risk that may not be on your radar; all that being active.

Chris: Are there any particular – Obviously, it is very satisfying to keep these company safe and so forth, but on a granular level, are there certain problem-solving, or nitty-gritty things that you especially like doing? Is there a certain thing really, all right, we're going to do this and it's totally rad when it works out.

Ryan: Yeah, absolutely. On a granular level, we work a lot of testing matrices. As boring as that sounds –

Chris: Yeah. Sounds great. Do it.

Ryan: All right. Knowing where you're going with that really allows you to map out risk and think through your team and sort this holistic approach. Yeah. I would say that's probably the most thing – the thing that I enjoy the most on a granular level is just doing that in black and white.

Chris: Yeah, I know. I can totally see that. You can see the magic happening at that point, I imagine.

Ryan: Absolutely.

Chris: Tied to that, what types of activities, projects or actions should you really enjoy doing if you're considering security risk as a job? Because there's – I mean, there's jobs where you think, “Well, it would be great. I'm going to help businesses do things.” Then you realize, “Oh, my God. I'm doing this same thing for six hours a day, so you better really like it.” What are some examples of that type of thing in risk positions?

Ryan: Yeah. I would say in my position, the standard internal audit job requirements would really apply here. Attention to detail, the ability to ask questions to get to the root of a problem, willingness to – and this is really a tough one for me, but willingness to ask tough questions of clients that may have more industry experience than you do. They know the industry better. They know the business obviously better than we do, but asking those tough questions obviously is a must, because you really uncover a lot through just communication.

Chris: Yeah. Let's talk a little bit about some of the soft skills. Any cybersecurity position where you're facing the public, you need to be able to talk without talking down and report in a lucid way. What are some other surprising soft skills that you need in risk?

Ryan: Yeah. I guess, it starts with knowing your client. That's not an easy response, but it really does start with knowing – a client knowing their industry. Those are very easy things to be able to do, but not a lot of people take their time to do that. The Internet is a vast resource for getting to know your clients. Understanding the news around their company, reading anything you can on their vision and seeing where they want to go. Those are definitely some skills, I would say. Bringing those to the table when you have that initial contact, meeting with the client and showing that you've invested time learning who they are and what they’re about really helps.

Chris: Your bio notes that you hold both the Certified Information Systems Auditor or CISA and Certified in Risk and Information Systems Control or CRISC certifications. Tell me about the process of learning, studying for and passing these certs and what these skills provided, these cert skills provided you in terms of practical experience.

Ryan: Yeah, great question. I would say in our current focus area, the CISA is considered a baseline measure of competency for the work that we do. It's very focused on knowledge, as opposed to other cyber certifications, maybe more focus on technical requirements.

CRISC is considered three to five-year competency measured exam, so there's a higher focus on managing business risk on a cyber perspective on a governance level. It really is more about at that point in the career chain transitioning from the low work, to getting more in front of executive management, a higher management, board level and having those conversations around that inner cyber programs.

Chris: How far into being a risk manager before you studied – I guess, so you must have taken the CRISC pretty recently since you've been doing risk for what? Four years now?

Ryan: I did. Yeah.

Chris: Or six years.

Ryan: Yes. Last September I took it and passed. Yeah, I would say systems is definitely a one to two-year competency measure. When we first have new associates, they may not have any certifications at all and that's typically the first one and we try to give them two – for that reasons.

Chris: Do you have any tips or advice, having gone through these exams for studying for them, things that you don't need to bother with, or things that you really need to hit on? Anything like that?

Ryan: Yeah, absolutely. Both exams are certified through ISACA. They have a great – I would say definitely by the book. Even though you think may need it well. Then it’s also a great resource afterwards. Then the multiple choice questionnaires were very helpful. Most recently, at least when I took my CRISC exam in September, I saw it operated their multiple choice questionnaire to be more adapted, and so you could really analyze your gap area since you go back and read the book and build that knowledge.

Chris: Nice. Could you walk me through the various steps in a career in cyber risk? I think you mentioned it before. There's risk analysis, which I guess is the entry and then your risk supervisor and then you said there's a risk manager above you. Are there further steps within the risk chain above that? What are the scope and responsibilities within each of these roles?

Ryan: Yeah. Yeah, our risk analysts are typically year-one associates. Minimal to no previous cyber security experience, yet they typically have a background in audit and in many cases, previous role in tech, such as mine. Our risk analysts typically are assigned non-complex portions of the engagement to build their knowledge base.

The next level up is the senior risk analyst. Typically, this role there's some level of responsibility for reviewing a level one, or a risk analyst work on their collection. Then really guiding them, thinking through the list for whatever work that risk analyst’s work done. Then the next level would be the monitoring level, the cyber risk supervisor. My role involves oversight from the planning of the engagement, down to the logistics, our testing approach and then our risk analysis all the way through issue the report for the deliverable. Then past that, our managers really focus on looking at multiple simultaneous engagements and then having obviously a big part play in the business strategy.

Chris: Okay. Now there’s something that came to me. The risk analysis department, how are you – what you do, is it interacting, or integrated with other portions of HORNE Cyber? Once you've done your risk and analysis, how do you pass the project onto another part of your company that deals with, I don't know, implementation or things like that?

Ryan: Oh, yeah. Now that's great. Typically, the engagements that we have, there's some standard or baseline framework that we're using. Depending on the engagement type, there may be requirements for that. A typical engagement obviously wouldn't have that. From an internal perspective, we do have a security division in HORNE with some pretty renowned PIN testers. We do have that security side of things, that vulnerability examination side and that function, and so depending on the engagement scope, we may include them in a practical standpoint in this and actually having to go in and perform some work that typically, we use them from a consulting standpoint, just taking through additional risk that we may not be aware of from a highly technical standpoint.

Chris: Got it. Okay, so what advice would you give as someone who jumped from a non-tech positions into cybersecurity, what advice would you have for who are looking to make a career switch into cybersecurity, but might feel intimidated by the tech knowledge barrier?

Ryan: Yeah, great. Great question. I would encourage someone who feels like they’d be interested in field really looking at what they love doing about their current roles. Let's say, do you have an interest in technology? I think that's a good start. Thinking past that, do you have an interest in how technology risk can impact the business?  If that sounds like something that you're drawn to, I think you're a perfect candidate for what we do.

Chris: Yeah. It sounds like your analysts, like you said, they come in with no baseline knowledge. Is that pretty common? If you jump over to being an analyst, are most companies that would hire you going to – it's understood that they're going to train you with what they need?

Ryan: Yeah. It's actually interesting, the way that we’re currently set up, we're definitely coming from this audit role. A lot of people that are in this role start from a more technical background, so they get either an A+, Network+ and Security+, and go through that route. There's definitely two ways to get you the same path, I guess.

Chris: Okay. As a supervisor, do you notice different qualities in those two different types of candidates that have them on each other?

Ryan: Yeah. From a technical background, there's that point, a lot of thought around the practical implementation specifics, or risk on that level. Then from an audit perspective, there's a focus on business continuity and thinking through the strategic plan of the business and how that impacts the current risk that we’re looking at. Yeah, they definitely complement each other.

Chris: Nice. From an interview perspective, what are some things that you can put on a resume or in your cover letter, you talked about in your interview that would make your prospective employer know that you'd be great for this job even if you don't have the usual signposts to indicate it on your resume?

Ryan: Yeah. That's a good one. Let's say, learning everything that you can, looking for ways to engage with even your current IT department in your role is a great start. Those people are boots on the ground, so they do have a very great knowledge of how cyber risk can impact t the business on a practical level. I would say getting your certification if you have an audit background, or even a business advisory role or something like that that can be met by one of the requirements that it get consists of. This is highly regarded in our current role. We see that at multiple companies and at a national level for sure.

Chris: Okay. Is this a certification is something you can pretty much start studying immediately? It's not like CRISC, where you have this – you need to have this baseline of knowledge and even an experience tally before you can even take the test?

Ryan: Yes. Yeah. I mean, the requirements are lower just due to the years of experience needed, versus a CRISC.

Chris: Got it. Okay. If you find yourself in a position or a career that you don't like and you're trying to make a switch toward cyber risk, what's one thing you can do at your current position, or after work, or on the weekends that would move you one step closer to getting on this path?

Ryan: Yeah. Depending on your work, there may be some existing opportunities there, this is in cybersecurity jobs. That’s how I got started. There's also a host of free low-cost information out there to understand industries and podcast, obviously like this one, to get some real-life –

Chris: Thank you. Text on the mail.

Ryan: To get some insight into where industry is headed as to the whole – so that you can get in front of it. Then in my case, it helped to identify certain security professional that's local and reach out to them. I have yet to meet a cyber professional who doesn't like talking about what they do day-to-day.

Chris: True. So true. Yeah. Yeah. Who are the people in your neighborhood? As we wrap-up today, are there any advancements coming in the world of cyber risk that you're watching or looking forward to? I know it's not quite as tech-focused as say, penetration testing or whatever, but are there any procedural changes, or tools, or analytics that you can see changing the way you do your job in say, the next five or 10 years?

Ryan: Absolutely. It’s where our focus here, especially this year to be on the 2020 is all about the customer experience. We've changed the way we do all this and our engagements to meet high-functioning customer experience companies, like Disney. We're really focused on I guess, how that can be – how our current processes can be introduced to improve that customer experience for clients. On a practical level, that may look like governance risk and compliance platforms to be introduced to them, internal to us to help make that experience better.

Chris: Okay. As we wrap-up today, tell me a little bit about HORNE Cyber. What are some of the big projects, or exciting tasks that you're currently working on there?

Ryan: Yes. Most recently, HORNE Cyber is really focused on the Cybersecurity Maturity Model Certification, CMMC. It's this big in the news today. We've already developed our risk-based strategy testing and encourage to help the companies, contractors out there that will be giving that. I guess, that's probably the biggest thing we're working on right now.

Chris: Okay. If people want to know more about Ryan Wallace or HORNE Cyber, where can they go online?

Ryan: Hornecyber.com. It’s our company website. We have a lot of regular articles on there, from both our assurance team and our investment team. Get the best of both perspectives, I think and addressing changes in the industry. On a personal level, you can find me on pretty much any social network and @cruelbowtie. It’s a moniker. Easy for me –

Chris: Was it Cruel Bowtie?

Ryan: Cruel Bowtie. Yeah.

Chris: Nice. Oh, cruel bowtie. Okay. Yes, yes.

Ryan: From the accounting side, their accounting –

Chris: Oh, sure. All right. Well, this is great. Ryan, thank you so much for your insights today.

Ryan: Thanks so much, Chris.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you may find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice.

For a free month of the Infosec Skills Platform that you heard about at the start of today's show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type cyberwork, all one word, all small letters, no spaces, for your free month.

Thank you once again to Ryan Wallace and HORNE Cyber and thank you all for watching and listening. We will speak to you next week you.