Ryan Knisley, chief product strategist for enterprise asset management company Axonius, began his career in the US Army. His goal was to work for the Secret Service, and after eight years in the Army, he did just that. Working for the Electronic Crimes Special Agent Program (ECSAP), he cultivated a range of skills that he would later apply to the private sector.
He went on to work for such companies as Walmart and PwC before stepping into the C-suite at Costco and then Disney. He intentionally limited his time in these roles but remains highly attuned to the responsibilities of the modern chief information security officer — he talks to CISOs across a variety of industries on a regular basis. Here, he shares his professional journey and his insights into the crucial responsibilities of the CISO.
Did you have an early interest in technology? Or did that develop later in your career?
I was playing college football and realized I was not going to go to the NFL. I had always wanted to be a Secret Service agent. My dad’s friend was a Secret Service agent. He said, “You won’t go from the frat house to the White House. You better join the military and do something special.” I told my dad and mom, “I’m quitting football. I’m going to drop out of college. I’m going to join the Army.”
I joined the army and stayed for eight years. During the last half of that time, I was a criminal investigations division (CID) special agent. I was exposed to forensic investigations in CID. When I got into the Secret Service, they were looking for people who had experience in digital evidence collection. I entered the Electronic Crimes Special Agent Program.
What kind of work did you do for the Secret Service?
I sat in the forensic lab and looked at digital evidence to support the prosecution of criminal cases that the Secret Service had taken on. My responsibility was to find the digital evidence to support those cases. Most of those were mundane investigations, such as bank fraud.
I was involved in some really large breaches. I happened to be the duty agent and answered the phone at the wrong time. I was involved in the case of Albert Gonzalez [the person who orchestrated the TJX and Dave and Busters attacks of 2007–08].
Why did you transition from the Secret Service to the private sector?
I thought I would retire from the Secret Service, but I got a call from my wife, who discovered she had cancer. We were 32 at the time and we had young kids. I was traveling a lot. I needed a more stable work life to help care for her. She is fine now. We’ve been married 25 years.
But that was the catalyst. I got connected with a former Secret Service agent who was working at Walmart. That’s how I ended up there — it was my first private sector job out of government.
How transferable were your skills? Did you have to learn on the job?
I had a really strong technical foundation. I think the most challenging part for individuals who transfer from the government to private sector companies is they don’t often learn the language of the business. That has been a key to my success — explaining really complex technical and cyber issues in terms that non-technical businesspeople can understand and appreciate.
How did you end up in the C-suite? What led to your first CISO position?
I was a partner in PwC cybersecurity practice, advising Fortune 500 companies on cyber topics. PwC had been doing some work with Costco. One of the partners there asked if I knew anybody who would be a good CISO. I started consulting with them on candidates. Four or five months into that process, Costco came to me and said, “What about you?”
Two weeks before that, I was at a conference and somebody said, “Would you be a CISO?” I said, “No, it’s a terrible job.” What it came down to was a great brand that really wanted to invest in transforming their cyber practice. I thought: These opportunities don’t come along that often. I better pursue this one.
When I joined, I made the promise to myself that I was not going to be a CISO forever. I’m going to work hard and help them through this transformation. Then I’m going to do other things.
CISOs sometimes observe that they have only recently been taken seriously in the C-suite. During your time as a CISO, did you see any changes in the value accorded to your position?
I certainly saw the evolution of the role as I came up through my career. A lot of the CISOs that I had worked with and for prior to that were very tactical. By the time I had gotten to the role of a CISO, I think the shift had been made to a more business-focused role. It continues to evolve even today. It depends on the industry that you’re in.
By the time I got there, it was considered a true C-suite role. I had a voice in the business. When I would talk to the board, I would talk about business problems, not “cyber problems.”
How did your experience as a CISO translate to your current role?
I always explain my role in three parts. The first part is spending time with customers and learning from them. The second piece is taking all of this customer feedback and working with our product teams to inform the roadmap and evolve the products. The last piece is being the voice back to the market — a champion for our product and platform.
What are some of the concerns you are seeing from the CISOs you speak with?
One of the recurring things that CISOs talk about is educating stakeholders on building a cyber-resilient organization. That involves shifting the mindset from “nothing bad can happen” to “something will happen, but we’re going to build in resilience and elasticity so we can deal with it and recover very quickly.”
The other area that most every CISO I talk with is concerned about is talent — not only talent acquisition but talent retention. Budget constraint has been a significant issue the last 18 months for most organizations. Retaining headcount, and continuing to do more with less, is what these organizations are faced with.
Budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) are looming. What do you think that means for the typical CISO?
The CISOs I talk with aren’t waiting around for help from the government. They certainly value the partnership. Regardless of what happens with the budget, what a lot of CISOs would like to see remain is information sharing and the public private partnership. I hope that whatever happens to the budget, CISA is able to continue to focus on strengthening and defending critical systems for the US.