Secret CSO: Sherry Ryan, Juniper Networks

"There is always more to be done than any security team can possibly do, so prioritizing is essential."

Name: Sherry Ryan

Company: Juniper Networks

Job title: CISO and IT Vice President

Time in current role: 4 years, 8 months

Location: Sunnyvale, CA

Education: This might be surprising, but I hold a Bachelor of Business Administration and an MBA. I’ve found my MBA to be a huge advantage in the cybersecurity field. I have held the two most traditional security certifications, CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager), for several years. Last year, I completed the National Association of Corporate Directors (NACD) Cyber-Risk Oversight Program and earned the CERT certificate from Carnegie Mellon.

As IT Vice President and CISO of Juniper Networks, Sherry Ryan is responsible for the protection of Juniper and its information assets. Previously, Ryan held similar positions at Blue Shield of California, Hewlett-Packard, Safeway and Levi Strauss where she established and led their information security programs. Ryan holds the Certified Information Security Manager (CISM) certification from ISACA and the Certified Information Systems Security Professional (CISSP) certification from ISC2. She is a member of the High Tech Crime Investigation Association (HTCIA) and the Information Systems Security Association (ISSA).


What was your first job? During school, I worked in several short-term and part-time administrative and restaurant jobs. My first full-time job was with IBM’s Data Processing Division in San Francisco supporting large mainframe customers including Chevron, McKesson and Levi Strauss. I had wonderful teammates and formed lasting friendships there. Although I didn’t directly work in cybersecurity while I was there, it was during a time when IBM invested heavily in training their employees, so I developed skills that have been foundational to my career on many fronts.

How did you get involved in cybersecurity? After IBM, I joined Levi Strauss and, over the years, did pretty much everything in IT: managed data center operations, managed global networks, led end-user computing, business and technical architecture, IT strategy and planning, technology procurement, and development of the company’s first distributed computing application. This was a pivotal time in my career as I was constantly learning on the job and developing new skills. I frequently took on special projects including the rescue of an out-of-control program that was deploying new laptops, new WAN, LAN and email application across the country. After completing this tough project, I discovered that the company had an opening for its first director of global information security. Having been involved in our supply chain reengineering, I knew we were extending our network into our partners’ and planning to sell direct to consumers online, and because I had just deployed new laptops with browsers to all employees and we had implemented an IP network, I had a feeling that security would become a very exciting space. My longtime CIO and the CFO both tried to talk me out of it, thinking I would quickly become bored with security. I persisted, got the job and it’s safe to say the role has never been boring! I quickly realized I was meant to work in the exciting, ever-changing cybersecurity field.

Explain your career path. Did you take any detours? If so, discuss. Before starting my security career, I pursued an MBA from Notre Dame de Namur, so my background is a bit atypical in the cybersecurity community. After several roles in IT, touching everything from data center operations management and technology procurement to IT strategy and planning, I became Levi Strauss’ first director of global information security. Although this move was a risk that some of my peers cautioned me against, it was an overwhelmingly positive introduction to the diverse field of cybersecurity. Since joining the field, my biggest “reroutes” have involved moving between industries and encountering different needs, resources and capabilities. I’ve spent time in manufacturing, technology, retail and health insurance, and each has presented new challenges and regulatory requirements, and has also made me open to other perspectives. Now, as the CISO for Juniper Networks, I oversee the security programs that protect a company on the frontline of a sophisticated and evolving threat landscape developing cybersecurity solutions.  

Was there anyone who has inspired or mentored you in your career? The cybersecurity field is full of innovative and inspirational minds. There are so many people I have learned from throughout my cybersecurity career. Upon moving into my first security role at Levi’s, I quickly realized how little I actually knew about security. But, I was fortunate to meet Becky Bace and Fred Cohen. Becky has always encouraged me and gave me the courage to push beyond my comfort level, including accepting the CISO position at HP. Fred, known as the “father of the computer virus,” also stands out as someone who has challenged me to continuously learn both inside and outside of work, and to question everything.

What do you feel is the most important aspect of your job? Whether it is building in controls to enable ecommerce, protecting customer and employee data or conducting M&A due diligence, enabling the organization to innovate, thrive and grow all while managing the risk and preserving shareholder value is the most important aspect of my job. If my organization could not innovate or thrive, it wouldn’t matter that my team’s security program made my network impenetrable. It’s all about finding the balance here, and that’s where the most important – and often most challenging – aspect of my job as CISO rests.

What metrics or KPIs do you use to measure security effectiveness? In this role, I need to know that my team’s efforts are always improving the company’s security, so I tend to focus on metrics that are indicators of the organization’s ability to effectively manage security, such as the percentage of servers that have a critical or high-risk vulnerability and the percentage of internet-facing applications with critical vulnerabilities.

I also believe it is important to periodically have independent third-party assessments so that we can benefit from the knowledge and perspective of others and not be myopic, missing the forest due to the trees, or perpetuate a false sense of security.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Fortunately, during my time at Juniper Networks, we’ve been able to fill our open positions despite the shortage of experienced cybersecurity professionals. However, security architects and especially application security architects are very scarce across the industry. I just read a very sobering article that mentioned only 9 percent of millennials are interested in a cyber career despite the fact that the majority of those surveyed were interested in a computer-related career. I fear that the talent shortage will not be fixed quickly.

Cybersecurity is constantly changing – how do you keep learning? From the attack landscape and vectors to product capabilities and offerings, cybersecurity has changed a great deal since becoming an industry. Staying up-to-date on relevant security readings and industry developments is a critical component of ongoing learning in our ever-changing field. When I joined the world of cybersecurity, I knew a lot about IT and little to nothing about security. So, I studied, read security newsletters and blogs, sought out peers who knew about security and asked a lot of questions. And although I’ve now been in the cybersecurity field for over 20 years, I still do those things. I still enjoy the occasional mystery novel, but there is now so much relevant information published daily about our industry that keeps me curious and challenges my thinking. It’s only an added bonus that the content is just as exciting as The Terminal Spy. For example, Offensive Countermeasures: The Art of Active Defense really got me thinking differently about defensive measures and how we can make it harder for those who attack our network.

What is the best current trend in cybersecurity? The worst? The best – AI and ML. The worst – AI and ML!

Practically every solution promotes their usage of ML or AI as though they were magical, but they actually require a lot of upkeep. You still have to ensure you’re giving the solutions the right data and, in the case of ML, applying the right model. AI needs feedback to adapt and change. Don’t let the use of the innovative technologies promote a false sense of security or prevent proactive programs – I’ve yet to find one that is a magic 8 ball.

What's the best career advice you ever received? The best career advice I have ever received is to focus on what matters most.

There is always more to be done than any security team can possibly do, so prioritizing is essential. Which applications and assets are critical to business processes? What regulatory or contractual compliance requirements must be met? What information is most valuable to the business? These are the questions that I must always be asking and answering to understand what matters most to the company. One must learn to triage and do enough to mitigate the risk to an appropriate level, and then move on to the next challenge. The ever-increasing number of threats and the sheer amount of work bogging down security teams can trap us in a reactive mindset and prevent us from protecting our most critical assets.

What advice would you give to aspiring security leaders? Stay flexible! A role in cybersecurity requires quick action and adaptability. It is all about addressing the risk to your most important assets and doing enough to protect them, yet not so much that you stifle the business.

What has been your greatest career achievement? In an industry that’s facing a talent shortage, I take great pride and joy in the employees I’ve introduced to cybersecurity or have worked with over the years who have gone on to lead security teams of their own, develop security solutions, contribute to industry standards and be CISOs or hold other important roles in our profession. This is an industry that offers a wide range of opportunities, and we are often all in pursuit of a similar goal: the highest level of cybersecurity possible that effectively thwarts attacks while promoting business goals and innovation. I love reconnecting with previous coworkers to bounce ideas off them and better understand how they’re tackling the issues that we both face.

Looking back with 20:20 hindsight, what would you have done differently? If I could go back in time and change one thing, I would have gone back to school and pursued a computer science or engineering degree. While I still believe my MBA to be invaluable in this business, studying STEM at an earlier age would have significantly accelerated my career and increased my effectiveness.

What is your favorite quote? Abraham Lincoln – “I am a slow walker, but I never walk back.”

What are you reading now? James Comey’s recent book – “A Higher Loyalty” – detailing experiences from his career of over 20 years in U.S. government. Since Mr. Comey addressed my class at the FBI’s CISO Academy at Quantico last year, our industry has continued to experience change. From emerging global regulations like GDPR to an evolving and sophisticated threat landscape, it is fascinating to see just how much has changed since seeing him speak.

In my spare time, I like to… spend time with my horses and cook, especially healthy soups. It has been unseasonably cold this past week, so I made a big pot of my hearty chicken vegetable soup.

Most people don't know that I… own thoroughbred race horses. I’ve ridden since I was three years old and spent my youth riding everywhere. Besides lying on a sunny, sandy beach in Maui, riding is the best way for me to decompress.

Ask me to do anything but… eat a beet salad or babysit your pet snake – even for a second! On a professional note, I am open to trying pretty much anything that the company needs as long as it is legal, ethical and morally sound.