Secret CSO: Ryan Davis, NS1

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? “The dramatic shift to the cloud in the last 5 - 10 years has left a skills gap in security.”


Name: Ryan Davis

Organisation: NS1

Job title: CISO

Date started current role: January 2020

Location: Massachusetts

Ryan Davis is the CISO at NS1, the leader in modern application and access networking. Davis joined NS1 this March with more than 15 years of experience in information technology and security. He previously served as CISO and CIO at software security firm Veracode, where he led global IT operations, security and threat management, and risk and compliance. Prior to Veracode, he supported Department of Defense customers while holding several information assurance roles at MIT’s Lincoln Laboratory. Davis’s appointment as CISO helps to unify corporate security strategy while introducing a more cohesive narrative around security as a company differentiator.

What was your first job? My first job was working as a camp counselor at a YMCA day camp. Managing 10 screaming 7 year-olds and keeping them entertained for 8 hours was no easy task, but it’s probably where my passion for working with people started. And I got paid to be outside, which is something I love.

How did you get involved in cybersecurity? My mother ran a secretarial service business out of our home, so we had multiple computers in the house. I started tinkering with computers when I was very young and quickly mastered a number of MS-DOS games. As I got older, I took a typical path for a young wannabe hacker, starting with message boards on the internet and computer groups in high school. For me it was never about any type of gain, merely proving that I could skirt the system or take advantage of weaknesses in the system. Today that mentality still helps me think about what are the types of things we need to safeguard against; with a far more skilled set of adversaries.

What was your education? Do you hold any certifications? What are they? In high school, I had the privilege to take some basic computer science classes through a collaborative program at Bowdoin College. This is where I got my first real formal education with anything IT related. (It is also where I learned that I had no desire to become a programmer!)

I went on to pursue a Bachelor's Degree in Computer Networking at Champlain College. During my tenure there, I enrolled in a secondary newly created Bachelor’s program called in Information Security. Going to school year-round I was able to graduate with a degree in Computer Networking and another in Information Security.   

Over the years I have obtained a handful of certifications including the Security+, CCSK, and am a Certified Scrum Master.

Explain your career path. Did you take any detours? If so, discuss. Like most entering the tech field, I started at the bottom of the totem pole as an intern, working closely with the IT Manager to expand existing Windows 2003 domain and implement new hardware and software throughout the company. I then held a number of help desk positions and worked my way up to network engineering and sysadmin positions. I then got involved in security after undergrad when I landed my first real position as a security analyst in the audit department at MIT Lincoln Laboratory. These positions weren’t as much of a detour as they were helping me build my skills toward a CISO role. 

When I started at Veracode, I initially took a technical program management position and worked my way up to security program architect, information security manager and then as CISO, which is the post I hold at NS1. My time at Veracode gave me the opportunity to sit across the table from executives at Fortune 100 companies; it was a great way to understand how the largest enterprises build security programs. 

Was there anyone who has inspired or mentored you in your career? I have had many mentors and mentees along my career path, but my first mentor was one with whom I did an internship in college. To him, I was the underdog for the position, but he saw qualities in me that he felt were more valuable than grades or extracurricular activities. And I proved him right. One (of many) pieces of advice I have taken throughout my career - “go outside of your comfort zone and take risks.”

What do you feel is the most important aspect of your job? The single most important aspect of my job as a CISO is being the voice and face of security for the company. When we are interacting with customers and prospects, It is important to instill trust that we’re proceeding in a secure way. Internally, I need to do the same plus ask the hard questions and ensure security is a priority for every member of our team. 

Despite being a front-page news topic many days, Security is something that still very much needs to be advocated for. Above all else, I am an advocate for making security a part of our business and a key to our success. 

What metrics or KPIs do you use to measure security effectiveness? The most important KPI in security is the ability to identify and remediate issues in a timely fashion. The business relies on the security team to identify weaknesses in our own defense and in turn figure out how to quickly respond to mitigate any potential threat that weakness poses. 

As a metric that often takes the form of a number of vulnerabilities, flaws, weaknesses, compared to the time to resolution of those items. In business terms, this translates to risk identification and risk reduction. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The dramatic shift to the cloud in the last 5 - 10 years has left a skills gap in security. Everyone is looking for cloud security architects, but there are only a handful of them out there. The challenge is finding people with enough of a cloud background to offer additional knowledge beyond the skills of a traditional security practitioner.

Cybersecurity is constantly changing – how do you keep learning? Cybersecurity challenges and solutions change dynamically, and I like to keep up with technical and security news, as well as general business trends. I listen to podcasts with security leaders and practitioners. I am also a member of a security working group consisting of more than 200 CISOs worldwide and with whom I can learn and share ideas. At one time I actually attended security conferences in person.

What conferences are on your must-attend list? RSA and Black Hat / DEF CON are must-attend conferences on my list. They are the biggest and a great networking opportunity. DEF CON take me back to my roots!

What is the best current trend in cybersecurity? The worst? Supply chain security is probably the best trend. No matter the market you are in, all companies rely on third parties to conduct business. As an industry, we need to hold the businesses we rely on to the same high bar we expect our own companies to achieve. This past year has only continued to highlight that importance.

Buzzwords are the worst. Every year, there seem to be new marketing terms for the same security problems. If there were truly silver bullet solutions we would have all implemented them a long time ago. While I whole-heartedly believe in security innovation, the sheer amount of marketing fluff only complicates the problem.

What's the best career advice you ever received? I have two pieces of career advice to share. The first is ‘don’t stop thinking about what’s next.’ Although it’s nearly impossible for any tech leader to predict the future, we should always be aware of trends and be mindful of what our company and customers will need, and do our best to anticipate those needs. The second best piece of career advice I received is ‘make sure you’re building your brand.’ As a security leader, it’s important to have my own goals and expertise to share within my company and with my customers and peers. You don’t have to be an expert on everything but be an expert on at least one thing, this way you will have something to contribute to your peers.

What advice would you give to aspiring security leaders? I advise aspiring security leaders to continually invest in their education. Don’t stop learning. If you rest on your laurels, it will pass you by. Think about what you learn now that will be helpful in your next role. And always seek out mentors to gain as much knowledge and experience because, one day, you’ll be that mentor. 

What has been your greatest career achievement? My career-long goal was to become a CISO and here I am! Being a people person, I get personal satisfaction helping others succeed. I have built some great teams and had some amazing employees but seeing them go on and do great things is a huge reward for me.

Looking back with 20:20 hindsight, what would you have done differently? I am a strong subscriber to the ethos that with every mistake we can learn from even in some small way. Have I made my share of mistakes? Absolutely. But I have done my best to learn from them. I don’t think there is any major thing I would go back to change for that reason.

What is your favourite quote? Do not try and bend the spoon, that’s impossible. Instead, only try to realise the truth… there is no spoon. Then you’ll see that it is not the spoon that bends, it is only yourself. - The Matrix I like this because it speaks to the perception of how you approach your life and work. The world is what you make of it. How you see it is your reality, and it may not be how it is.

What are you reading now? Dare to Lead by Brené Brown.

In my spare time, I like to… Be outside. I enjoy decompressing in my backyard on a hammock listening to a podcast or playing with my children.

Most people don't know that I… Love to work on classic cars! One of my favorites is a Ford Mustang ‘69 convertible, which I restored with my wife and father-in-law.

Ask me to do anything but… Write extensively. I am more of a talker than a writer.