How to become a cyber risk specialist

June 4, 2020 by Greg Belding

In this episode of Infosec’s Cyber Work podcast, host Chris Sienko speaks with Ryan Wallace, cyber risk expert and cyber risk supervisor at HORNE Cyber. They discussed the ins and outs of how to become a cyber risk analyst by delving into such topics as how Ryan got his start, what he does day-to-day, the best and worst parts of the job, tips to those looking to become a cyber risk specialist and more. 

About Ryan

Cybersecurity professionals come from all walks of life, which makes Ryan well-suited to speaking about this topic. Ryan is a cyber risk supervisor at HORNE Cyber, where he specializes in IT risk-related assurance services. He provides analytic expertise regarding policy design and implementation as well as IT compliance. Ryan also consults on information systems environment compliance and management for public and middle-market clients. 

Ryan joined the firm in 2014 with previous experience as a small business owner specializing in branding, graphic design and consulting. He is certified as an information systems auditor and in risk and information systems control. Before this, he earned a Bachelor of Accountancy at Mississippi State University.

How Ryan got his start

Ryan grew up in a small town in Mississippi and was “pretty introverted” when he began working on his family computer as a kid. Later, he struggled for direction in community college and took a job in an ISP/PC repair store. Ryan did well interviewing, although he “couldn’t tell you the difference between modem and motherboard”. He earned a degree in Accountancy from Mississippi State University and then took a full-time job as a financial auditor.

Shortly after, his firm offered Ryan an opportunity to assist with IT audits. He immediately fell back in love with tech and wanted to use his varied skill set to do what he originally loved: tech. 

Ryan was in more of a help desk role at first, but he enjoyed it and learned both technical and soft skills. He ended up reaching a point of “do I want to do this long term?”, which is when he started his own business.

The cyber risk job title

Ryan looks at cyber risk as the prevention of loss in a business. That loss can be financial and ultimately does become financial. However, a lot of it can be reputational, or take other forms such as loss of culture. This eventually goes back to either misconfiguration of technical implementations or architecture or, most likely, the people or processes related to handling that set.

He explains it this way: “The way that it’s structured at HORNE Cyber as a subsidiary of HORNE, which is a business advisory firm, in my role is about the oversight of our assurance, which means leading engagements, compliance, service organizations, even generalized, specialized IT risk assessments.” His role is definitely more about leading the team, having the client contact or content.

Before joining HORNE Cyber, Ryan had varied work experience: he has been a business owner, LLC member and sole proprietor, so he understands the inner struggles of business. His move from small business owner to cybersecurity really made him feel the knowledge gap, but he worked hard to fill this gap as fast as possible. He did so by drawing on his previous experience and by asking questions of the people around him, either at HORNE Cyber or in his community.

Meeting new people helps you open doors. Having first-hand experience as a business owner gives you a lot of insight into what keeps you up at night for businesses.

The day-to-day in cyber risk

HORNE Cyber offers Ryan unrivaled flexibility at work, which allows him to take care of his family and clients at the same time. His clients appreciate being able to work with him remotely, as it lessens the impact on their daily operations.

On a normal day, Ryan starts in his team’s internal web-based project management solution. He likes to organize his day and week and set expectations. Typically, he has a weekly project management meeting to discuss hurdles and the clients the team is working on, brainstorm ways to work through those issues and discuss strategic compliance.

Then it’s off to the races! Ryan gets his hands dirty but also works with strategic vision, and he doesn’t lose focus on what it actually feels like to test and get in the granular. 

In terms of his role, Ryan is a supervisor, so he works under a manager position and has the opportunity to be an advisor. He is typically the main point of contact with clients in the field as well. He has seen cyber risk professionals work on their own and for companies: “it is definitely a mix.”

Bests and worsts

Seeing business improve and grow is one of the best parts of Ryan’s job. The most difficult parts are the administrative end and the paperwork that comes with auditing.

As for what keeps him up at night, it is his new and first-year clients, especially clients in emerging sectors or those with a sudden boom in business. You always worry about missing an under-the-radar risk. On a granular level, he works a lot with testing matrices. As boring as that sounds, knowing where you are going with that allows you to map out risks.

Ryan holds CISA and CRISC certifications and says CISA is considered a baseline level of competency (one to two years of experience) and focuses on auditing. CRISC requires three to five levels of competency with a focus on governance. His tip for earning these certs is to buy the book for each certification exam, which is a great resource afterwards; the multiple-choice questionnaires help too.

Advice for getting into cybersecurity

Ryan encourages viewers to look into what they love doing in their current roles. Once you get past this, you need to look at how tech and risk influence the business.

There are two ways to get to a job in cyber risk — via the auditing role with a focus on business continuity or via the technical role. You should learn everything you can and look for ways to engage in your current IT department. Depending on your work, there may be some existing opportunities to get your start in cybersecurity and there is a whole host of free to low-cost information out there. 

Where is cyber risk going in the next 5-10 years?

This year, Ryan has been focused on customer experience and has changed the way he does audits to meet high-functioning customer experience companies like Disney. In terms of HORNE Cyber, most recently their projects have been focused on the Cybersecurity Maturity Model Certification (CMMC) and helping companies with risk-based strategy testing.

Conclusion

Want to know more? Ryan can be found at hornecyber.com and on any social network as @cruelbowtie. Stay tuned to Infosec’s Cyber Work podcast for more information-packed and insightful podcasts from cybersecurity leaders and shapers of the future.

See Ryan Wallace in conversation with Cyber Work host Chris Sienko.

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.