Introduction
Over the years, I've started and stopped writing a blog for a few reasons. Usually, it's about not having enough time in the day for everything I want to do. Life always finds a way to consume each day with all sorts of activities, and blogging usually took a back seat for me. I am going to attempt to pick this up again and stick with it. I wanted to have a place to share ideas and research, whether technical or simply my perspective on a topic. These will be cybersecurity focused, or at least that is my plan, but who knows what I might decide later. So, if a topic doesn't quite hit home for you, stick around. The next one just might.
Who am I?
My name is Ryan Hays. I've spent over two decades in cybersecurity, working across many industries, though mostly in finance. I’m a proud veteran of the US Navy and that time really served as a jumping-off point, turning a hobby into a career. No matter the organization or my role—from defense to offense, leader to analyst—my interest is always in solving the puzzle to protect the organization.
Over my career, I've had many roles, from risk and governance to malware analysis and threat intelligence. But my favorite work has been in the offensive security space, leading teams that act like the bad guys trying to break into organizations. It's what lets me jokingly give myself the title, "Professional Bank Robber." That's always a fun way to start a conversation when someone asks what I do for a living.
All of this work has taught me a lot. It's not enough to just have security frameworks, regulations, security controls, defense teams, and offense teams. It's also not enough to just check all the boxes that governance and regulations look to check for. True cybersecurity is about building something that integrates with an organization's main goals and how it makes money. It's a delicate balance of integrating all these things, building controls, and protecting the company from attackers. It's complex and difficult, but when you start breaking things down and piecing them together, it becomes a very rewarding puzzle and challenge.
What I Believe
I think a lot of what has shaped me in this industry is built on empathy. Security programs have computers, software, and blinking lights, but they are all looked over by people and teams. I've found success by building these programs and teams on a foundation of empathy and inclusion.
When you have a team that is encouraged to share ideas—even ones that sound crazy—it builds a team that works together. We can bounce ideas off each other and include each person's unique knowledge to come up with the best plan. I have found that encouraging and allowing this free flow of ideas among the team results in plans that are explored at multiple levels and makes for more thought-out ideas.
Building on that, I also believe in simple language. As leaders, we need to take complex technical solutions and break them down to the appropriate level for the audience. As a consultant, I worked with organizations of all sizes. A small widget shop in Texas might not know all the technical terms, attacks, or jargon of a larger mature organization. So, you have to simplify your message and relate it to their business. Aligning your messaging with the audience makes it understandable and allows you to reach a wider group of people.
Lastly, and this is something you may have caught on to already, but frameworks, regulations, and rules shouldn’t be solid, unbreakable walls. Security needs to be adaptable. It needs to bend and move as the business grows and changes. As leaders, we need to be flexible. We should listen to the business and employees to find the right balance of security and risk.
Why I'm Writing This
I'm writing this blog to share what I've learned. It's my space to talk about cybersecurity in a way that is easy to understand. I want to share stories and give my perspective on things, whether they are technical or just my own thoughts.
I have a lot to say about leadership, about red teaming, and about building security programs that actually work. But I also want to share a bit about the things I do when I'm not in cybersecurity.
For me, that means going to the movies. I enjoy a lot of different genres and find it a great way to disconnect. I also enjoy traveling around the world, especially when I can include a theme park in the destination. I also really enjoy spending time out or around the house with my two dogs, Padme and Leia. Sometimes, getting away from the screen and into a different world is the best way to recharge.
So, I'm writing this blog to capture all that information and as a way for others to learn from my experience. I hope you'll join me on this journey.