In this episode of Infosec’s Cyber Work podcast, host Chris Sienko speaks with Ryan Wallace, cyber risk expert and cyber risk supervisor at HORNE Cyber. They discussed the ins and outs of how to become a cyber risk analyst by delving into such topics as how Ryan got his start, what he does day-to-day, the best and worst parts of the job, tips to those looking to become a cyber risk specialist and more.
Cybersecurity professionals come from all walks of life, which makes Ryan well-suited to speaking about this topic. Ryan is a cyber risk supervisor at HORNE Cyber, where he specializes in IT risk-related assurance services. He provides analytic expertise regarding policy design and implementation as well as IT compliance. Ryan also consults on information systems environment compliance and management for public and middle-market clients.
Ryan joined the firm in 2014 with previous experience as a small business owner specializing in branding, graphic design and consulting. He is certified as an information systems auditor in risk and information systems control. Before this, he earned a Bachelor of Accountancy at Mississippi State University.
How Ryan got his start
Ryan grew up in small-town in Mississippi and was “pretty introverted” when he began working on his family computer as a kid. Later, he struggled for direction in community college and took a job in an ISP/PC repair store. Ryan did well interviewing, although he “couldn’t tell you the difference between modem and motherboard”. He earned a degree in Accountancy from Mississippi State University and then took a full-time job as a financial auditor.
Shortly after, his firm offered Ryan an opportunity to assist with IT audits. He immediately fell back in love with tech and wanted to use his varied skill set to do what he originally loved: tech.
Ryan was in more of a help desk role at first but he enjoyed it and learned both technical and soft skills. He ended up reaching a point of “do I want to do this long term?”, which is when he started his own business.
The cyber risk job title
The way that Ryan looks at it is as a prevention of loss in a business. That loss can be financial and ultimately does become financial. However, a lot of it can be reputational, or take other forms such as loss of culture. This eventually goes back to either misconfiguration of technical implementations or architecture, or which is most likely people or processes related to handling that set.
He explains it this way: “The way that it’s structured at HORNE Cyber as a subsidiary of HORNE, which is a business advisory firm, in my role is about the oversight of our assurance, which means leading engagements, compliance, service organizations, even generalized, specialized IT risk assessments.” His role is definitely more about leading the team, having the client contact or content.
Before joining HORNE Cyber, Ryan had a varied work experience: he has been a business owner, LLC member and sole proprietor, so he understands the inner struggles of business. His move from small business owner to cybersecurity really made him feel the knowledge gap but he worked hard to fill this gap as fast as possible. This was accomplished by drawing from his previous experience, and he had people around him to ask questions — either HORNE Cyber or in his community.
Meeting new people helps you open doors. Having first-hand experience as a business owner gives you a lot of insight into what keeps you up at night for businesses.
The day-to-day in cyber risk
HORNE Cyber offers Ryan unrivaled flexibility at work, which allows him to take care of his family and clients at the same time. His clients are appreciative that they can work remotely with them, as it lessens the impact on their daily operations.
On a normal day, Ryan has an internal team project management web-based solution, which is where he starts. He likes to organize his day and week and set expectations. Typically, he has a weekly project management meeting to discuss hurdles and clients they are working on to brainstorm and to work with those issues, discuss strategic compliance.
Then it’s off to the races! Ryan gets his hands dirty but also works with strategic vision, and he doesn’t lose focus on what it actually feels like to test and get in the granular.
In terms of his role, Ryan is a supervisor, so he works under a manager position and has the opportunity to be an advisor. He is typically the main point of contact with clients in the field as well. He has seen cyber risk professionals work on their own and for companies, “it is definitely a mix.”
Bests and worsts
Seeing business improve and grow is one of the best parts of Ryan’s job. The most difficult parts are the administrative end and the paperwork that comes with auditing.
As far as what keeps him up at night, his new and first-year clients — especially clients in emerging sectors or those with a sudden boom in business. You always worry about missing an under-the-radar risk. On a granular level he works a lot with testing matrices. As boring as that sounds, knowing where you are going with that allows you to map out risks.
Ryan holds CISA and CRISC certifications and says CISA is considered a baseline level of competency (one to two years of experience) and focuses on auditing. CRISC requires three to five levels of competency with a focus on governance. His tip for earning these certs is to buy the book for each certification exam, which is a great resource afterwards and the multiple-choice questionnaires help too.
Advice for getting into cybersecurity
Ryan encourages viewers to look into what they love doing in their current roles. Once you get past this, you need to look at how tech and risk influences the business.
There are two ways to get to a job in cyber risk — via the auditing role with a focus on business continuity or via the technical role. You should learn everything you can and look for ways to engage in your current IT department. Depending on your work, there may be some existing opportunities to get your start in cybersecurity and there is a whole host of free to low-cost information out there.
Where is cyber risk going in the next 5-10 years?
This year, Ryan has been focused on customer experience and has changed the way he does audits to meet high-functioning customer experience companies like Disney. In terms of HORNE Cyber, most recently their projects have been focused on the Cybersecurity Maturity Model Certification, CMMC and helping companies with risk-based strategy testing.
Want to know more? Ryan can be found at hornecyber.com and on any social network as @cruelbowtie. Stay tuned to Infosec’s Cyber Work podcast for more information packed and insightful podcasts from cybersecurity leaders and shapers of the future.
- How to Become a Cyber Risk Specialist, Infosec Cyber Work Podcast (YouTube)