Afternoon Cyber Tea with Ann Johnson 3.25.25
Ep 103 | 3.25.25

Building Resilient Security Teams with Ryan Field

Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today we are excited to welcome Ryan Field, Executive Vice President and Chief Information Security Officer at the Bank of Hawaii. With extensive experience in cybersecurity leadership, Ryan has spent more than two decades securing critical infrastructure across multiple industries. His focus on collaboration has allowed the Hawaii security community to grow and thrive, and his emphasis on teamwork across boundaries is setting the example for the next generation of talent. Welcome to Afternoon Cyber Tea, Ryan.

Ryan Field: Thanks, Ann. It's great to be here.

Ann Johnson: I'm thrilled to have you, and I'm jealous that you're in Hawaii. I am in rainy Seattle. So let's get right to it. You were hired into the security field right out of college, doing security assessments at PwC. How were you interested in cybersecurity? What brought you to the field, and what's kept you here for so long?

Ryan Field: That's a really interesting question. Like many in our generation, I kind of fell into this path. And, for me specifically, I feel like I got even more lucky than most because of the company I got to start in, which is PwC, as you mentioned. I was hired because they saw something beyond what I initially saw in myself. While my background was in electrical engineering and finance, PwC trained me in a broad range of disciplines, including offensive security risk assessments, IT strategy, and large-scale system implementations. That -- that early exposure gave me a really deep appreciation of the complexity and critical role that IT plays in every aspect of technology and business. So what initially drew me in and then what's now kept me here is that constant challenge and the need to think differently. From day one, I was really fascinated by -- by that offensive security mindset and the idea of approaching problems like an attacker. That mindset shaped how I tackle security today, questioning assumptions, anticipating threats, finding creative ways to strengthen defenses. Even now, I love sitting down with my teams to map out attack scenarios, exploring how we'd circumvent the very controls that we design. Beyond the technical aspects, what keeps me engaged is the dynamic nature of cybersecurity. The landscape is always evolving, which means there's always something new to learn, new threats to anticipate, and new ways to innovate. More importantly, security isn't just about technology. It's about the people, problem solving, and building that resilient organization. The combination of challenge and impact is really what keeps me passionate about this field.

Ann Johnson: That's fantastic. And I love how you talk about the attacker mindset because I think too often -- John Lambert likes to say, and I know we quoted my boss, Igor, on a recent episode that attackers think in graphs, and defenders think in lists. So, as you're thinking and building your security program based on the attacker mindset, I'm sure it makes you much more resilient to withstand attacks. But also it has creativity in how you build your program, as opposed to a traditional security program, which just is literally building blocks of defenses but not really contemplating where the next attack is coming from, right?

Ryan Field: Absolutely, absolutely. And it makes it fun.

Ann Johnson: Yeah. It does make it fun, actually, to anticipate that and to be able to think about how you defend against it. And it's an ever-moving object. It's a dynamic nature of the field. You've had some really unique opportunities in your career also. You've built security firms from the ground up. You've built data centers. You've been an adjunct professor teaching the next generation of cyber, which is super cool, by the way. How did these experiences shape your perspective on what it takes to bring diverse teams and diverse people together?

Ryan Field: Yeah. I really like this question, Ann, and I think about it a lot. I've been incredibly fortunate to learn from some of the very best leaders across most of the different sectors, including the military and Department of Defense. Those experiences shaped my leadership philosophy and approach to building diverse and high-performing teams. A few principles stand out when I think about it. The first one is servant leadership. My role is to enable my team by removing obstacles and empowering them with trust and authority. The other one that I can think about is psychological safety. Cybersecurity is a team sport all around, not just our team but community wide. And no one person can know or think of everything. It's critical to foster that environment where people feel safe to speak up, challenge ideas, and take risks to drive innovation. I believe that true diversity extends beyond just the skill sets too. It includes education, personality, experiences, and socioeconomic backgrounds. Here in Hawaii we're really fortunate to be part of a richly diverse community, which -- where cultures and perspectives blend and shape how we think and solve problems. Some of the most innovative cybersecurity professionals that I've worked with didn't follow traditional technical paths either. I actively seek out individuals who, like I did in my early career, think differently and have those different experiences or backgrounds. In particular, I found that those with backgrounds in -- in the arts, such as music, bring a really unique creativity and problem-solving approach that many in traditional technical roles might not naturally tap into. These diverse perspectives are invaluable in driving innovation and tackling cybersecurity challenges in new ways and unexpected ways of thinking and getting that -- fostering that collaboration across the team.

Ann Johnson: I think that's fantastic. I often say that, if all we hire are STEM graduates with a PhD from MIT, they're all wonderful people, highly capable, clearly; but they all approach problems the same way. We need to have a broad group of people so we don't get into that -- you know, that group think, right? We need to have people with all kinds of different backgrounds. And I love the way that you actively seek people with different backgrounds so that you're having different sets and opinions but also, Ryan, giving them the space to disagree, right? A lot -- a lot of times we talk about, we're going to bring all these people in. But if they say something that isn't a norm, we're, like, we just ignore them, right? Or we push them out. We don't let them actually have the voice. So you have to create that environment so people have a voice. And I'll ask you about that more in a little bit, but I want to talk specifically about the sector you're in. Banking and financial services certainly have their own unique cyber challenges. How do you tailor your approach, and how do you think about meeting the specific needs and the specific risks within your industry?

Ryan Field: Yeah. Our sector, the banking and financial services sector, faces some of the most advanced cybersecurity threats due to the high value of data that we safeguard and the complex regulatory environment that we also navigate at the same time. For us, our approach to cybersecurity is -- in this industry is built on three pillars. It's risk-based prioritization, regulatory integration, and proactive threat mitigation. For us specifically, rather than treating compliance as a check box, we embed it into the overall security strategy, ensuring that regulatory requirements enhance instead of hinder business operations. And that's the way that we see it as well. At the same time, we also focus on a risk-based approach that prioritizes those security measures based on potential business impact, protecting -- you know, prioritizing things like protecting critical assets such as customer transactions and payment systems. Another essential element is fostering that security culture that we keep going back to. Cyber is not just a technical issue. It's a business enabler. And by ensuring that employees and -- and leadership understand their role in security for the organization, we strengthen our overall bank resilience. I've been really fortunate in that sense, where -- where my executive team has -- and board are really strong advocates of our program and have helped to embed security in our operating culture. And then so, ultimately, our approach balances security, compliance, and operational efficiency, allowing us to safeguard our customers while continuing to innovate and grow.

Ann Johnson: I think that's absolutely the right approach, right. I think that the way you're dynamically approaching it because the environment changes continually is the right approach. And we talk about the sector being unique, and we talked about the sector having unique challenges. But, at the end of the day, there's a lot about security that's common, even across sectors. What's -- what's different is how you're responding to regulatory requests, particularly in your sector, right? And that probably drives a bit of your program also.

Ryan Field: That's right, that's right.

Ann Johnson: So let's talk about that collaboration. We talked about you bringing in people with different backgrounds so they could approach problems in different ways. How do you create this environment where collaboration is not just encouraged but also actionable within the organization?

Ryan Field: You know, actually, we've adopted an ideal; and it's become inherently built into our security strategy. It's an ideal that I learned from you. It's -- we adopted your idea of moving from enforcers to influencers. It's helped us to focus on -- on shifting cybersecurity from being seen as that roadblock to being a business enabler. What we've started to see is that, instead of simply enforcing the rules and controls, our teams in other areas of the bank are now proactively seeking each other out to collaborate, where they're working to understand each other's challenges; and then they're working together to provide solutions that support both innovation and risk management together. Another example of that same impact is, from this ideal, we're seeing that we, the security team, are being pulled left into the organization's broader objectives and cross-functional engagement. We're being pulled earlier on in the process as key teammates. This means that we're partnering early on with the businesses for around their ideas, product requirements, and our architecture teams to integrate security seamlessly into workflows rather than being an afterthought. Then, by doing this, security is no longer perceived as this external force imposing restrictions, but we're instead seen as this trusted advisor helping the business to drive business success. We talked about it earlier, too, and -- but we also are prioritizing psychological safety again. You know, it comes back to that and creating an environment where team members, as well as those across the bank feel comfortable sharing ideas, questioning assumptions, and challenging security practices without fear or hesitation. It's resulting in discussions and new ideas and diverse perspectives from people across the organization, not just within IT or the security teams. These strategies, they really make security a shared responsibility and -- and ensure collaboration, ensure that collaboration is not just encouraged but becomes an integral part into how the organization operates.

Ann Johnson: I love that. And the reason I love it is because -- and we talk -- you said you heard this from me. I actually talked about banking as the example of, if security is early in the conversation and you become a business enabler, let's say your bank suddenly decides they want to issue credit cards in Southern California, right, for whatever reason. You could be the enabler that says, Here are all the risks around that, but here's how I'm going to help you do that in a secure manner. And you're actually driving revenue, you're -- and you're driving security to be a business partner. And that's what we should be. We shouldn't be blockers coming in late. We should be business partners who enable the business. But that means you have to have what you've built, the trust of the business to bring you in early. And that -- that's really important. So, when you think about your business, I know you, like many companies, have a lot of third-party vendors. You have a lot of supply chain risk. How do you think about the managing risk, particularly the third-party risk assessments and your ongoing monitoring of your third-party partners?

Ryan Field: Yeah. Managing risk, especially when working with third party vendors or partners, it requires a really proactive and continuous approach. For us, it's not just about assessing the risk at the onboarding stage. It's about ongoing monitoring and even collaboration to ensure security remains a priority throughout the whole vendor relationship. What we do is we take the -- a similar risk-based approach because not all vendors pose the same level of risk. So we prioritize assessments and the depth of those assessments even based on factors like type of data, type of access, criticality, compliance, financial loss, reputational risk, all the traditional domains and areas of risk that a vendor or partner could pose to us. And then, beyond those initial assessments, continuous monitoring and reassessments are also key to ensuring that these vendors and partners are maintaining their security posture over time. But effective third-party risk management isn't just about those controls. It's about collaboration and shared responsibility. So the other thing we do is we focus on building strong relationships with these vendors and partners. We're ensuring security expectations are clear up front and continuously. That way, they can then hopefully see us as partners rather than auditors. And then, by fostering this open communication, sharing best practices, and then even sometimes working together and sharing threat intelligence, we create this more resilient ecosystem where security is embedded into every stage of the partnership.

Ann Johnson: I think that's great. I think if you treat -- the same way you talked about your business partners, if you treat your third parties also as partners, you're going to -- it's not an adversarial relationship, right? You're going to actually build together and help them get better, which is going to help their business all up. So that's wonderful. I love your collaborative approach. I also love the fact that I know you do a lot of nonprofit work of sharing threat information, best practices, etc. with local organizations, especially small and mid-sized businesses, which don't have the resources of an organization your size and certainly don't have the resources of an organization that's my size. What drove you to create this type of collective group, and what advice do you have for other security leaders who want to start this teamwork or this collaborative or not-for-profit approach to help small- to mid-sized business?

Ryan Field: Yeah. I really enjoy serving in this way because I believe that, by working together, we can make our communities and eventually the world a safer place. In security, we know that no single organization or individual even can tackle challenges alone, especially in small- or medium-sized businesses that many times lack the funding or resources of larger enterprises, like you said. So we recognize that sharing these kinds of insights or threat intelligence and best practices, it doesn't weaken anyone's competitive advantage. Rather, it strengthens the entire community. I've seen how much people enjoy collaborating, exchanging knowledge, and helping each other grow. There's really a shared passion, not just for protecting our own organization but -- but helping others improve and evolve their own security practices. I've even witnessed firsthand how there was a time where a small business really successfully avoided a potentially devastating breach by implementing controls based on information shared within our community. So, you know, in terms of advice, I guess that advice would be to build a culture of trust and transparency. We have to start by encouraging that open dialog and be willing to share our own challenges and successes and then create a safe space where everyone feels comfortable to ask questions and share insights from there. The more we collaborate, the stronger and more resilient the entire community becomes. And make it practical, too, by offering advice that's actionable, that organizations can implement with limited resources. And try to avoid those theoretical discussions. And then, I guess, finally, the thing that's sometimes most fun is celebrating those wins together. When a teammate or member organization successfully defends against threats based on information shared, highlight those successes and talk about it. This really reinforces the value of collaboration and keeps everyone engaged.

Ann Johnson: That's fabulous. I love the example you gave about how a small business was able to defend off fraud just by the information they received from the community. That shows the power of it. But I bet there's also challenges, right? You're working across disparate organizations with different levels of maturities and resources. What are some of the biggest challenges you've faced in promoting cybersecurity collaboration, and how have you overcome them?

Ryan Field: One of the biggest ones that I've seen is -- and it's tied to the same thing; it's trust. It's -- what I've seen is, in the -- geographically the larger and geographically dispersed groups, building trust becomes more difficult and more critical as well. Otherwise, without it, it's difficult to foster that open communication. And the collaboration often stays at a high-level and superficial without delving deeper into the more meaningful discussions that lead to that real impact. So, you know, in some of those cases, to overcome it, what we focused on is creating smaller, more intimate settings where people can engage openly and gradually build that trust, if it's that large of a group. And then it makes it easier to dive deeper into the collaboration over time.

Ann Johnson: That makes a lot of sense. Like, every sentence from you, you talk about collaboration. And it's just such a refreshing approach because security people are known as being blockers or not collaborative. So I love hearing you say collaboration with almost every approach you have. I also am a cyber optimist. I say that a lot. And I like to close out Afternoon Cyber Tea with optimism. So, with that in mind, as we wrap up, I'd love to hear why you are optimistic about the future and your perspective on how we continue to come together and collaborate and defend the digital world.

Ryan Field: In terms of being optimistic in this space, I really am because I see a real shift in what's happening within the cybersecurity community across the country, for sure, and locally, absolutely. People are coming together more than ever, whether it's through sharing threat intelligence, collaborating across industries, or simply supporting each other's growth and through mentorship opportunities. This collaborative spirit is really the key to evolution. And it's helping organizations, both large and small, see cybersecurity as a central part of their business strategy and not just the risk to manage. What also really excites me is how the next generation is being equipped to be even stronger than we ever were. With better access to education and resources, advanced tools like AI, and a growing wealth of knowledge, they're poised to tackle cybersecurity challenges in ways that we couldn't even imagine. AI, for example, it can help predict and prevent threats faster than ever before, automating those tasks that were once time-consuming and allowing new professionals to focus on higher-level problem solving and critical thinking. I truly believe that, with the combination of innovation, this continued, as you said, collaboration and mentorship, and the strength of the next generation, we're on track to create a safer and more resilient digital future.

Ann Johnson: Thank you so much, Ryan. I couldn't have said that better. I really appreciate your optimism. I appreciate you making the time to join me today. I know you're extraordinarily busy. So thanks for joining Afternoon Cyber Tea and spending a little bit of time and informing and updating our audience.

Ryan Field: Thank you, Ann. Glad to be with you.

Ann Johnson: And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea. I invited Ryan to join me because he spent his career building teams and security programs from the ground up. He's intimately familiar with what it takes to bring partners and communities together. He has this incredible passion for helping others. I know you're going to enjoy the show. You're going to hear Ryan say collaboration, or being collaborative, so many times; and that's truly what we need in cybersecurity. So be sure to listen in and follow us at afternooncybertea.com or wherever you get your favorite podcasts.