If you are the smartest person in your organization, then you’re doing something wrong. Listen to your host Matthew Stephenson as he talks with Nick Ryan, the CISO at Baker Tilly, about the value of being the dumbest person in the room. Together, they discuss team culture and the different elements that shape successful mergers and acquisitions. Nick also dives deep into the security industry and what we should be paying attention to. Build leadership unlike any other and focus on long-term goals! Tune in to learn more about empowerment for a team to thrive even in difficult times.
Nick Ryan: Striving to be the smartest person in your organization may not be the best idea.
We are excited to welcome Nick Ryan. Nick is the CISO at Baker Tilly, where he is also the Head of Information Security. To wrap your brain around that, it’s the ninth largest accounting firm in the world. No pressure, but his role includes mitigating risk and meeting compliance along with regulatory and business requirements. Nick, welcome to the show.
I’m glad to be here. Thanks so much for having me.
Let’s talk about another story that has spread out over the time of your career #HamFistedSegue. In several years, you have been involved in 23 mergers and/or acquisitions. What’s that like from a security perspective?
I remember the first merger I was ever a part of. I’ll never forget that one of the leaders at the time had said to me, “You are very lucky if you ever get to participate in one merger and acquisition in your career.” It’s funny because now that I’ve done 23, I’m like, “Who was lucky? The people that only get to do one?” It changes. The exciting part about mergers and acquisitions is that every single one is different and unique. The ones that you think are going to be the easiest are the most problematic. The ones that you think are going to be the most problematic usually end up being a little bit simpler.
There are many different angles. That’s the problem from a security perspective. You’re looking at an organization where you truly don’t have any visibility in what they’re doing. They’ll tell you what they do, but inevitably you’re going to get in there and you’re going to find things, under the carpet, bed, in the closet that they didn’t tell you about, “I forgot to mention the Server from 2003. We never told anybody. We have to keep it.”
That can get challenging from all those perspectives and also, time constraints of these things. In the accounting industry, you have your busy tax season, which for the US, is January 1st to April 15th, then again, for extension season between August and October 15th. There’s this giant period of the year that’s our busiest. We have to try to do all the mergers in the off time. There are a lot of components to it. I’m looking forward to breaking some of that down.
In the off time, 1 week in the summer and 2 weeks after Halloween, and then everything else is, “It’s tax season. Let’s get all this stuff crammed in there.” When these things happen, I picture you as Maximus strolling through the troops before going into battle. It’s not that, but metaphorically, it needs to be right. You got to go in and look at everything you are doing. Not to cast aspersions or place blame, but you got to learn everything that’s going on in there. That’s got to be a massive undertaking.
It honestly is. The other element you have to think about is that these organizations are trying to put their best foot forward because especially in the case of an acquisition where there’s cash outweighing assets. This organization wants to come to the table. This is where we’re a great organization. We’re worth integrating. We have all this value. You could put up the smoke screen of what’s out there. You have to work your way through that.
Ultimately, there are many different elements to it. It starts out with taking what they tell you, then you have to go in there before you connect it to your network and validate everything that they said they do and then find if there’s anything. There have been times where you’ll find something that’s so problematic that you need to bring it to the top, to the deal, and say, “We might want to think twice about this. Here’s what we found.”
Once everything goes through the agreement process, then we’re finally going to do it. We’re going to the prom and then it becomes the actual integration. There are many different layers and teammates that play different roles in each merger and integration. Maximus is a great example because it is. For us, it’s funny because we have many mergers on deck at any given time.
It’s usually somewhere between 2 to 4 every 6 months. It’s not quite a merger per month, but it’s up there. You’re constantly going through, trying to galvanize support, and encourage the teams on, “What are we doing for this one? You’re doing a great job over here,” and managing all the different pieces that are moving. It has become quite an interesting experience.
Looking at this through the prism of insider threats, whether they are witting or unwitting, when you either acquire a new company and their culture or company is acquired and your culture is being absorbed into it, do you ever run into something where one side is like, “We don’t do things like that,” and this side is like, “That’s how we do things?” How do you choose in order to make sure that all of the employees and users are in a place to put their best foot forward, do the best they can to keep things secure, and meet the goal of creating a greater culture?
Ultimately, the insider risk to me in a merger and acquisition is probably one of the most significant things that we’re thinking about because there is so much uncertainty, especially for the incoming organization, about what is going to happen. Everybody goes to number 1) “Do I have a job?” Question number 2) is, “Am I going to like that job?” You might have one, but am I going to like what they’re telling me I have to do? There’s that and then also, you’re going to a larger organization, so you’re inevitably going to lose some of your individualization and autonomy. You’re going to a bigger machine. We’re about 7,500 people. We have a program. We’re running it this way.
We’re not making exceptions for the mom-and-pop shop of 20, 50, or even 100 people. There are things that we have to make sure fit into the greater scheme of what we’re trying to do. We go into this telling the leadership of the incoming firm, “This is what to expect. This is what it’s going to be like.” They’re all on board. Translating that down the pyramid to the folks that are doing a lot of the work, that’s the interesting element.
You have to start thinking about, “Do we have any flight risks?” That’s conversations we have way before the actual integration day happens. Especially from a technology perspective, we want to make sure that we’re best buddies with the technology team with the incoming firm because if we’re not, they feel like, “I don’t get along with these guys. I don’t like what they’re doing. This seems crazy and overwhelming. I’m out of here. Good luck.”
A lot of times in smaller companies, the technology teams tend to have over-provisioned access rights. They have the keys to the kingdom in every single way. They’re usually the single source of truth and knowledge of what’s happening. They become an extremely important asset. If they were to leave or if they were to exfiltrate data, on day one, this all becomes Baker Tilly property and data. It becomes ours. We need to make sure that transition happens and we don’t lose things on the way to get there.
You’re going to have people that are disgruntled. They just don’t want to work for a large firm. They think the culture’s going to change so much that they’re going to hate it. Therefore, I’m going to start taking my client’s data before this merger happens, so that after the fact, “I didn’t go with them, but I’m still here to help you,” and not be totally lost out on a client. There are many angles to think about and be considered when it comes to flight risks or any kind of insider risk.
I can speak to that from an experience, a company I worked for that was acquired. On day two of the official thing, suddenly none of my USB ports worked anymore. I got to back up to something to make sure that I still have these things. It had to get to your level. I had to get CISO approval to turn on a USB port.
What were the first thoughts that you had once you heard about the merger? Was that in line with what you thought? Am I going to have a job and am I going to like it?
We were surprised by the company that was buying us. Everybody was like, “What are we going to do?” The good thing from my perspective is they needed the team that I was on, the front-facing loud and rowdy folks. Knowing that there was value there, there were a lot of people that were concerned about redundancies because all the work that they all do is valuable. If you’ve got six people that do mostly the same things, that’s when reality has to kick in. Unfortunately, a lot of those things are important when it comes to tracking sales data, and customer information. That’s a crazy concern.
Extrapolating out from that, staying on the insider threat track, we had a great guest, freakyclown. That’s his actual name and it’s a great episode, so check it out. His company split its time among the human aspects of security, technical, and physical. You mentioned the technical, and some people like small companies compared to big ones. In your position as a CISO when you are either acquiring or being acquired, how much does physical security come into your planning and strategy?
From the incoming firms, especially on this side, I should give us a little bit more context here. The 12 to 13 mergers that I’ve done were when I was the Head of IT over a smaller firm that had about 700 people at the end of it. We had done 13 mergers up to that point. Our fourteenth merger was upscale or upriver to Baker Tilly. We went from 700 to 7,500. It’s quite a big jump. The physical security from when we were a smaller firm and there were smaller firms that were coming in generally was a higher concern because we were going to keep the offices that we were opening.
When I started, we only had 3 offices and by the time we merged at Baker Tilly, we had 9. We had tripled our office space, which brings out the whole physical security concerns, then also going upstream to Baker Tilly, when we merged with them, we had a data center. We have to start thinking about, “Is that something we want to maintain?” The answer is yes. Now we start thinking about, “What does that look like from a physical security perspective? Does it meet the standards of Baker Tilly?”
On the Baker Tilly side, when we’re doing mergers and acquiring companies into us, physical security is a concern, but not as big because we have the leverage now. We have the leverage to say, “We’re taking everything that you guys are doing or have, and we’re moving you to this office. It’s down the street from you. You’re going to be remote. Everything that you had in the offices will be consolidated.” There’s a little bit more leverage on the larger side of things. It’s certainly a concern.
Ultimately, one of the bigger issues becomes who has access to what. There are times when we’ll go through and look at the after-hours logs of who’s allowed to get into the building and IT closet. They give us a list of those people. Most smaller companies don’t ever clean that up. You’ll find 10 or 15 people that have building access that should not have building access.
You have to think about those kinds of things when you had a data center and consultants go in and help you or past employees and you never took them off the list. Technically, they could go in there after hours and be allowed by the building standard. Those are some things that you have to watch out for or that you don’t think about on a day-to-day basis.
Have you found patterns over the course of doing this many M&As that work for better or for worse when you look at it and say, “I recognize this type of thing leads to this type of thing?” You mentioned that physically people have access to the building. That’s a pattern, something you have seen and noticed. Is that part of what you have done? Have you been able to integrate that to make things more seamless as you do more of these?
The biggest key to a successful merger, and is the pattern that works overall. Number 1) Rip and replace. This was years ago. We finally had to make the case to the leadership of, “The technical debt and burden that you’re bringing on post-integration date by not doing a rip and replace, here are those risks and concerns with security perspective, from a time and personnel hours, and all these things showing how insane the burden is that you’re bringing in.” A lot of organizations will ask the question, “Is this a problem or is this an IT problem?” Most organizations don’t care if it’s an IT problem, which is sad, but it’s true.
It’s going in and leading with, “Here are the security concerns of us not ripping and replacing. Here’s what this opens up the firm to. Are you okay with that? Are you sure? Did I tell you it’s a big number?” We’re having to frame this in a business context, so they understand the ramifications. Is there going to be a cash outlay, in the beginning, to buy their new hardware or put everything in? I could guarantee and show you that you will have infinitely better ROI investing initially up front with our equipment and our standards, and then all the technical debt you’re going to carry along the road. To me, that’s number one, rip and replace. Don’t make any exceptions.
Number 2) Timing. If you are trying to execute a merger with less than three months leeway, you’re going to have a bad time. You’re going to have things that are unnecessary security risks that get exposed because of the crunch time, people are cutting corners, and doing things they should not be doing. Number 3) What makes a good merger on the incoming side is assuming positive intent. If you are being acquired or you’re merging in, assume that we’re not just the big, bad guys that are trying to rip out everything you do and shove our way down your throat.
There’s a reason we’re merging with you. We’re acquiring you. We like your culture. We believe it’s a good fit. We believe that you have value in our organization. It’s about framing it so that the things that we’re asking for are not to take what’s yours and you no longer have your responsibility to get out of here. A common theme, especially in technology, is to have people that are, “This is my precious.”
They hoard it and they don’t want to give it up. What I found is that if you could build that trust early on and show them exactly what this has been through, what this looks like from start to end, you are going to be in a much better place. Honestly, experiencing it myself helped a lot because before, I was just giving the good word, telling them this is what to expect, but did I know? No, I didn’t. Now I understand. I have the credibility to be able to say, “I know exactly what you’re feeling and thinking. Here’s why it works.” That’s some context that helps out. Those are the three things that take a merger from a scary situation, with a lot of security risks and threats to a good experience.
There are two key things I want to follow up on with that. Not that the third one wasn’t good as well. You’re talking about the notion of human technical, physical. When you come in here, you are the leader of the security team and they ask you the question, “Is this a Problem or is this an IT problem?” How hard is it not to facepalm and slam your head off the desk and be like an IT problem by definition is the biggest problem we could possibly have in this organization, aside from the building catching fire?
I feel like that is the bane of successful existence. We’re translating technical terms and concepts into business language. If done well, they understand it and it makes sense. If done poorly, that’s where you get the people that say, “Is this an IT problem?” They generally don’t understand. Those are the same CFOs who will go through your budget line by line and drill you on increases when they don’t even know what this item does or why we have to increase.
The fine art of being a CISO is trying to meet the business where they’re at, translate any technical concepts to the business language that they’ll understand, take their concerns that they have and be able to play traffic cop to get them the answers they need to be able to be comfortable with the decision, to understand what’s going on the magnitude, the scope of like you said, “An IT problem is a business problem. There are material losses that could happen from this and here’s what they are.” It’s a topic near and dear to my heart.
Ask any company that’s been ransomware attacked if IT problems are not business problems.
“Was that an IT problem? Funny.”
Let’s turn the notion of assuming positive intent around when you are coming in and acquiring a company. Now, you have new teammates to work with. In your role, how do you position that? What is your role coming in there to get people to understand? You’ve got to cheerlead a little bit, but you’ve also got to be the principal a little bit. How do you inspire them to buy into the notion of a different approach, especially if you’re doing a rip and replace? That means, “I got to learn new stuff,” and everybody loves to learn new stuff.
A huge part of going in is every organization and especially, Baker Tilly with all these mergers, we want great talent. We want to bring smart people into our organization and let them thrive. Our tagline is, “Unleashed and amplified talent.” That is something that we take into these mergers and acquisitions. It is the limitations that you had at your previous organization because, undoubtedly, they’re smaller than us. Those get removed.
You’re going from an organization where you have three IT people, maybe you have 10, 20, or 2. You’re coming into us where we have nearly 200. You have possibilities and places to take your career that you simply would not get at your smaller organization. That right there inspires a lot of people. They say, “I never thought of that. I did think of that. Where can I go? What do you guys have?” We have everything. We could get you into any skill set that you have and you’re passionate about. We want to line you up in that role. That’s one area.
The other place is that we have the ability to make the investment in your career in the ways of certifications, classes, conferences, and platforms. You’re able to be on this platform that you are getting to appear on the podcast or other things that are going to help you professionally and personally by coming into this organization.
The opportunities are a must. That’s not to say that we just go into every single M&A and say, “We’re bringing everybody.” It’s that old saying, “Hire slow and fire fast.” If you have somebody that’s problematic on your team, we’re not going to bring them in with us. If you have somebody that you’re on the fence about we’ll do our due diligence on them as if they were going to be hired by Baker Tilly and see if maybe they’re just in the wrong lane and we need to switch them over to something that they’re better at in security, or maybe they’re a better engineer infrastructure.
Part of the problem with M&A is a lot of the people that are working in those smaller companies are wearing multiple hats. They’re the networking guy who also has to look at the security logs, and who also has to set up the laptops for the help desk. There are many different hats they’re wearing and you get a move from being generalized to specialized, which is a huge opportunity for a lot of people. That’s what I try to drive home when I get in there.
Ultimately, there’s a lot of trepidation and fear when it comes to mergers. There’s the uncertainty of, “What’s it going to be like?” I always tell people this, “There are things that your technology or security function does well that might be better than us in certain ways.” There are going to be things that we do well and do better in certain ways than we do.
This is not a, “You have terrible ideas, go sit in the corner. How dare you be from a small firm?” You are a talented technology or security professional. You have a lot to add. Come join the dance and you’re going to be pleasantly surprised. Honestly, every single time we’ve done that, great success. To give you some perspective, when I’m a merger for Baker Tilly, I had ten people that worked for me. When we came over, I had two people that didn’t want to go and didn’t want to be part of a big firm. They left before the integration date.
I had one person who retired six months after the merger. We asked them to stay. They stayed a little bit longer. They were already going to retire. It wasn’t because of the merger. I had seven other individuals. Seven of them have been promoted up in the ranks and changed departments. Two of them switched departments. It’s the same level, but still, it shows that what we’re saying is real. You are going to be promoted, supported, and moved up in the organization. That’s usually what I say. In some organizations, you can’t quite say those same things when you do a merger or an acquisition, especially when the companies are of similar size. To me, that’s a much more difficult problem.
You said that you want smart people on your team. We talked about this when we were getting ready for the show. I love your quote because I am 100% with you on this, “You never want to be the smartest guy in the room.” People are counting on you as the CISO. They look up and the assumption is you are among the smartest guys in the room. Care to explain that approach? How has that worked for you? Why is that a good idea?
If we were showing a video, I would hold up my box of crayons to prove that I am certainly not the smartest person in the room. Ultimately, the way this came up for me is that as I was growing up, I played hockey in Colorado. All the time I played hockey, my dad would always say to me, “You should be the worst hockey player out on the ice. Every other player on your team should be better because it’ll naturally elevate you.”
At that time, it was in the ‘90s. It’s Michael Jordan’s heyday. He would liken it to Michael Jordan and say, “Michael Jordan makes everybody around him better.” That’s where it started for me then I realized that the proof was in the pudding because I started playing with kids that were 1 year older, then 2 years older.
Every single club season we played, I was the youngest person on the team by at least two years. Because I had been playing with the older kids for so long, I became better. I take that same approach to security and my department now. I want people that are so much smarter than me. I don’t get threatened by smartness. I used to. That’s something that’s a maturity cycle that a lot of people have to work through, especially when you get to the CISO level. You’ve generally been the smartest person in the room at some point earlier in your career.
To get to that place, you need to be the smartest person and the subject matter expert to be able to elevate in most cases. It’s hard for a lot of people that get into the CISO role to unwind themselves and realize, “I no longer have to be the smartest, brightest, most capable person, Superman or Superwoman.” You need to shift that into, “My job is to be the conductor of the smartest men and women and talented individuals out there.”
The truth of it all is that when your team performs well, it says more about you as a leader versus when you, alone as a leader, perform but your team is nowhere to be found. To me, building leaders of tomorrow is where it’s at. I always joke that if you’re the smartest person in the room, that’s the problem. You’re in the wrong room. You need to get out of there. Find something else.
You said what happens when you look around and realize you’re surrounded by dips****. Sometimes it happens. Unfortunately, in the accounting industry on the security side, you can’t let that happen. You said earlier, “Hire slowly and fire quickly,” do you just whack everybody? What do you do in that position when you realize that this team is the weak link of the organization that you brought in?
When I came into Baker Tilly, the team looked so much different. I’m not going to go out there and say that we had incompetent people. The first question I ask when I get around and if I’m in a place where I look around and I think, “These are not the right people. Something needs to happen.” There are a couple of things I think.
Number 1) Have they simply been put into the wrong position for the wrong reason? We didn’t have anybody for X, Y, or Z tasks. We had this person. They were a warm body and their eyes blinked when we talked to them. We put them in this role. That’s a real thing. There are people that get into roles that they should never have been into the first place. There is an alignment that you can look at and say, “Let’s go ahead and find out what this person’s all about.” Let’s take some personality tests and StrengthsFinder to find out if you have a personality because sometimes that is missing.
Let’s see what you’re good at. You might be passionate about something that we have a need for in another department. It might turn out that you’re good. You might be sitting in, for example, vulnerability management, but what you’re good at is training and educating people. Let’s take you off of that team and vulnerability management, and put you into security awareness training. Have you started building those presentations and giving those training?
That’s number one. Go and see what you’re working with and what your skill set is. If somebody is beyond hopeless, the other one that’s a little bit worse to me is when somebody thinks that they’re just God’s gift to IT or security. That, to me, is the worst person because they have so much pride and their ego is so big. Sometimes I wonder if their cameras have enough panoramic zoom to fit their head in the frame because they’re so full of themselves. Some quote I read was somewhere along the lines of, “When you have cancer on your team or a bad apple and you don’t do anything about it, that sets volumes to the rest of your team who’s paying the price of this person weighing them all down.”
To me, get those people out. If they are truly a bad apple, they’re negative, they’re bringing the team, the morale, and the culture down. Nobody wants to work with those people, regardless of their skill sets. This is a challenge because sometimes those people can be so gifted in their actual roles. You have to make the decision as a leader to say, “My team as a whole is worth more than appeasing this person and keeping them as the downward drag on the team that they are and fire or get rid of them.” I’ve had to do that one time. It was difficult. We struggled for a little bit, but after that, the entire demeanor of the team changed. It was amazing what it ended up doing for the team, but it was hard at the moment.
You see it in sports. You see these all-star players that are hall of fame level stats then you go to their webpage and they played for five teams in seven years. It’s like, “Something’s going on here.” There’s a reason they don’t want Russell Westbrook.
Terrell Owens is a great one, too. It’s like, “Why do you not want to be gifted beyond measure, but a terrible locker room teammate?”
You have been in security leadership positions among acquiring companies and companies being acquired. What’s the hardest thing you’ve had to do?
The hardest thing I’ve had to do is make exceptions due to external forces. That’s difficult because not only are the incoming firms and companies interested in having this merger go through, but also the leadership of the firm you’re at. They’re interested in having this go through. There are times when the leaders in the business have asked us to do something that was an exception that created a lot more work for the team, made the cleanup efforts that would have to go into making this right down the road, and extended by one mile.
Those are the ones that I regret because we let the business dictate when we should have been a lot more firm with why that decision was bad. I’ll give you a good example. One was, years ago, we were told one time that we were going to do a merger with an effective date of February 1st, which we said early on in the accounting industry, January to April 15th is a no-fly zone.
We are doing this merger on February 1st. We were told, “Thank you. Good luck.” Instead of saying, “Here are the reasons that we can’t,” I regret this, I took it as, “We can get this done.” I wanted to show them that security and IT, “We’re going to deliver. We’re going to do it.” Once we got down the road and realized you couldn’t transfer any of these people off of their existing software. What are you going to do, get them off of it on February 1st, and then teach them these new tools to have them keep cranking out returns and doing the things they need to do during tax season? It would be ridiculous to think that you could pull that off.
If anyone has dealt with an accountant between January and April 15th, they’re barely a legitimate, real person. They are monsters. They are crazed out of their mind. These are not the people you want to try to tell, “You need to learn a brand new system. Good luck.” That was problem number one. 2) Because they were still using their systems, but we wanted them to use our email and time and billing system, we had to make the jankiest connection between their network and ours in a somewhat secure way so that they could enter time and check emails while keeping their old emails, their old time.
It was a disaster from top to bottom inside now. To me, that’s one where if I could go back and redo it, I would’ve stood up a lot more firm and said, “This will fail. Here’s why.” I got back to that Superman mentality of, “We’ll pull this off. We pull off everything. Why would we say no to this? This is a great opportunity to show them how badass we are.” You can’t go down that road without hurting your credibility truthfully.
You don’t have the luxury of standing up, straightening your tie, clearing your throat, and saying, “Is this a problem or an IT problem?” from an IT perspective. This is in a larger security sense, given the history in your career, anything catching your eye, good guy stuff, bad guy stuff, technology in general that you think we as a security industry should be paying more attention to, something that’s maybe out of the corner of your eye you feel like we should be looking more straight on?
There are a couple of different things. The privacy landscape in the United States specifically is changing so fast and so much that it’s going to catch a lot of people by surprise. Each state has looked at some legislature, if not passed some, that calls out consumer protection or privacy acts that you, as a security professional, need to be prepared or bring if you have a chief privacy officer. Maybe you don’t, but you’re going to have to own some component of that more than likely. What does that mean? That means that you need to make sure that if people in that state request to be removed from your systems, you could do that automatically to show proof you did.
If they want to know what information you have of mine, that you could prove that and show what they have, what we’ve collected of them. That’s something I worry about. A lot of people don’t pay too much attention because they don’t think, “They bought something on my website. That’s not a big deal. We did some work for them. It was one engagement. It was small. It was $5,000.” Your business needs to know that you are collecting personally identifiable information on a daily basis, which is going to be problematic if you were to have some incident or breach of some kind. That’s one to me. There are a lot of afterthoughts of, “We’ll get to it when it becomes a national thing.” You need to prepare for it now. That’s one big thing.
Think ahead. Imagine. It’s almost like you’ve been doing this for a long time.
Have you guys talked about privacy and depth here?
Not yet. We’ve got a couple of people that are vertical inside, especially in what you’re doing. When you talk about PII, that’s it. It’s everything. Don’t even get me started on things like 23andMe or Genealogy.com.
Don’t you want to know that you’re 98% English? Come on. That’s valuable.
I don’t care. I’m certainly not going to pay somebody to tell me that so that I can send them my DNA so they can keep it in a file in case I ever do become a serial killer and then they can find me 40 years later.
Do you want to ruin all your clips? I always tell everybody that I’m 66% ginger, but 100% Irish. I don’t want to get my report back and be like, “You’re 90% Scottish and 100% stupid.” I don’t want to have to go and, “I used to tell everybody I was Irish,” but 23andMe ruined that.
A lifetime of jokes out the window. Now you have to go to your 25-year high school reunion to take everything back. Before we go completely off the rails, let’s get out of the building here. Let’s close out. Leadership corner. It’s one of my favorite segments. I’m always curious to see it because we’ve had some fabulous guests. That’s why I ask, “What’s on your playlist? What are you reading? Are there magazines in the bathroom? Are you riding unicycles? What’s going on when you’re not doing this?”
What I’m reading right now is The Slight Edge. I love this book. This has been cool.
For our audience, he did hold the book up. It can be said that he is reading it.
It’s a real book and I promise you, it’s not a coloring book. The other one is I started 75 HARD, which I am a firm believer in and this has been something that I’ve learned the hard way. If you’re not taking care of your body and mind, you are going to falter in every area of your life. Even though it’s tempting as a security professional, you’re sitting at a desk all day long. You’re on a video call and interacting as much, or using your body. You’re not swinging a hammer.
You’re not doing things that get your blood flowing. Getting your blood flowing is super important to me. I started the 75 Hard Program. The most difficult part is no alcohol for 75 days, which I don’t know what kind of exercise program says that. You are rolling there. That would be a tough one. No alcohol for 75 days, a gallon of water every single day, then you have to work out twice a day, every single day for 45 minutes each. One of them has to be outside. It’s getting you outside, getting you going. Now is day one and, who knows what will still happen in 75 days?
This is it right now.
Don’t tease me because, in 75 days, there might be a six-pack on the show.
We are bringing Nick back to the show in 75 days because we’ve got to follow up. He’ll be taller. This is hard to believe. He’ll be even better looking and will be a better CISO at this point, I’m sure. On day 76, he’s going to be completely hungover because you know what he’s doing that night on the 75th day.
You can’t do any cheat meals. You have to do one diet, you pick out, and then you have to read ten pages of a book every single day. This is 75 days of pure hell.
You’re a CISO. That’s easy. You want to add that to your life.
What I ended up doing was scheduling and blocking out workout periods on my work calendar, making them private appointments, so people don’t schedule anything. Now I have to do it. It’s accountable. It’s on it.
This is terrible. I’m a regular gym guy. Now I’m going to have to go harder. I’m going to listen to Slipknot to make sure of my sympathetic approach. Speaking of that, what’s on your playlist? What are you listening to?
I’m completely deaf in my left ear. Anytime I’ve ever had to recite lyrics or sync songs, it’s always been extremely off-tune and the words are completely wrong words. I like music, but I’m not the biggest music buff. If I’m in the gym, it’s all hard rock playlist, anything on Spotify, whether it’s Slipknot, Falling in Reverse, or anything that’s going to get me going. Every now and again, if we’re going to have friends over for a party, we’re doing fun hip hop and whatnot. If I’m feeling sad and I’m out there fishing or something, I might throw on some country. Who knows? It depends if I’m feeling deadly or not.
We found our stopping point. Let’s get to the Shameless Plugs. If people are looking for you, where can they find you? Also, plugs for the company. If you got anything else cool that you want to give a shout-out to, have at it.
Thanks for having me. This is great. The best way to find me is on LinkedIn, @NickRyan, and Baker Tilly, you’ll find me there. I post every day on LinkedIn. I’m active there. I thought about connecting with anybody who would want to connect. I don’t have any social media. I try to stay off of it. Baker Tilly, you could find us. We do tax accounting and consulting work. We do a good job of it. If you’re in the market for that, or your company is, we would love to help you out. Feel free to reach out. We’d love to help you in any way we can.
This is happening. Make no mistake. Consider this your official invitation. Seventy-six days from right now, we are coming back around.
November 21, 2022, is the last day of 75 Hard for me.
That is it for now. I want to thank everybody for joining us on the show. For more information on all that is good in the world of cyber security, make sure you check us out. We are out there getting it done on LinkedIn, Facebook, and ElevateSecurity.com. You can find me at @PackMatt73 on socials.
I have an Instagram. I don’t do much with it. On Twitter, I mostly talk about comic books and sports and dumb stuff. LinkedIn is where I meet people like Nick. That’s where the cool things happen. All we ask is that you subscribe, rate, and review. We are anywhere that you get your pods. That’s where we are Apple, Spotify, and Gaana for our friends in India, all the good places. You’ll never miss out on good folks like Nick and you can come back. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Nick Ryan
- Baker Tilly
- The Slight Edge
- 75 HARD
- Apple Podcasts – Friendly Fire: Mitigating Unintentional Insider Risk
- Spotify – Friendly Fire: Mitigating Unintentional Insider Risk
- LinkedIn – Matt Stephenson
About Nick Ryan
Nick Ryan is the head of information security for the 9th largest accounting firm in the world, Baker Tilly. Protecting the firm’s revenue by mitigating risk and meeting compliance, regulatory and business requirements is at the crux of his role. A core focus of Nick’s is to translate complex, technical matters to non-technical C-suite executives to garner support for security initiatives that empower the firm to thrive.
Nick is a proud “forever student” having earned over forty-five (45) industry-specific, leadership and cross-functional certifications. A frequent guest on cybersecurity podcasts, industry roundtables and peer groups with security executives, Nick enjoys strategic thought leadership and giving back to the community. In addition, Nick mentors several individuals who are seeking to break into the coveted cybersecurity space or to be promoted to leadership roles.