Exploring Cybersecurity Leadership
Ryan Knisley, a distinguished former Chief Information Security Officer of Disney and Costco, participates in theCUBE's Axonius Adapt 2025 event. Knisley brings extensive experience in cybersecurity leadership, providing insights into the evolving role of the Chief Information Security Officer and the challenges faced in navigating today's digital landscape.
In this discussion, Knisley explores their career journey from the army to the Secret Service and eventually into the private sector, highlighting key moments that have shaped their leadership approach. They reflect on the transformation of cybersecurity from a technical field to a business-enabling function and their efforts to shift the perception of security teams from being seen as business impediments to essential partners. TheCUBE Research and hosts emphasize the importance of integrating security into company culture and building trust within organizations.
Viewers gain insights into Knisley's perspective on current challenges in cybersecurity, such as the fragmented information technology environment and increasing third-party risks, alongside strategies to manage these issues. According to Knisley, automation and prioritizing high-value work can alleviate team stress and prevent burnout, a concern echoed by analysts. Knisley's reflections on the importance of self-care and maintaining perspective throughout their career offer valuable advice for aspiring Chief Information Security Officers, focusing on trust-building through radical candor and authenticity.
Find more SiliconANGLE news and analysis https://siliconangle.com/
Follow theCUBE's wall-to-wall event coverage https://siliconangle.com/events/
Learn about the latest theCUBE events https://www.thecube.net/
00:00 - Intro
00:05 - Paving the Path: Introduction to Ryan Knisley's Career Journey
02:05 - The Transformation in Cybersecurity
05:26 - Security as a Cultural Shift
10:15 - Navigating the Evolving Landscape: Adapting Workforce, IT, and Supply Chain Strategies
13:00 - Addressing Burnout and Team Support
15:39 - Guiding the Future: Insights and Conclusions for Aspiring CISOs
#AxoniusAdapt2025 #CybersecurityLeadership #theCUBE #DigitalTransformation #EnterpriseTech #CyberCulture
Forgot Password
Almost there!
We just sent you a verification email. Please verify your account to gain access to
Axonius Adapt25. If you don’t think you received an email check your
spam folder.
In order to sign in, enter the email address you used to registered for the event. Once completed, you will receive an email with a verification link. Open this link to automatically sign into the site.
Register For Axonius Adapt25
Please fill out the information below. You will recieve an email with a verification link confirming your registration. Click the link to automatically sign into the site.
You’re almost there!
We just sent you a verification email. Please click the verification button in the email. Once your email address is verified, you will have full access to all event content for Axonius Adapt25.
I want my badge and interests to be visible to all attendees.
Checking this box will display your presense on the attendees list, view your profile and allow other attendees to contact you via 1-1 chat. Read the Privacy Policy. At any time, you can choose to disable this preference.
Select your Interests!
add
Upload your photo
Uploading..
OR
Connect via Twitter
Connect via Linkedin
EDIT PASSWORD
Share
Forgot Password
Almost there!
We just sent you a verification email. Please verify your account to gain access to
Axonius Adapt25. If you don’t think you received an email check your
spam folder.
In order to sign in, enter the email address you used to registered for the event. Once completed, you will receive an email with a verification link. Open this link to automatically sign into the site.
Sign in to gain access to Axonius Adapt25
Please sign in with LinkedIn to continue to Axonius Adapt25. Signing in with LinkedIn ensures a professional environment.
Are you sure you want to remove access rights for this user?
Details
Manage Access
email address
Community Invitation
Ryan Knisley, Disney & Costco | Axonius Adapt 2025
Exploring Cybersecurity Leadership
Ryan Knisley, a distinguished former Chief Information Security Officer of Disney and Costco, participates in theCUBE's Axonius Adapt 2025 event. Knisley brings extensive experience in cybersecurity leadership, providing insights into the evolving role of the Chief Information Security Officer and the challenges faced in navigating today's digital landscape.
In this discussion, Knisley explores their career journey from the army to the Secret Service and eventually into the private sector, highlighting key moments that have shaped their leadership approach. They reflect on the transformation of cybersecurity from a technical field to a business-enabling function and their efforts to shift the perception of security teams from being seen as business impediments to essential partners. TheCUBE Research and hosts emphasize the importance of integrating security into company culture and building trust within organizations.
Viewers gain insights into Knisley's perspective on current challenges in cybersecurity, such as the fragmented information technology environment and increasing third-party risks, alongside strategies to manage these issues. According to Knisley, automation and prioritizing high-value work can alleviate team stress and prevent burnout, a concern echoed by analysts. Knisley's reflections on the importance of self-care and maintaining perspective throughout their career offer valuable advice for aspiring Chief Information Security Officers, focusing on trust-building through radical candor and authenticity.
Find more SiliconANGLE news and analysis https://siliconangle.com/
Follow theCUBE's wall-to-wall event coverage https://siliconangle.com/events/
Learn about the latest theCUBE events https://www.thecube.net/
00:00 - Intro
00:05 - Paving the Path: Introduction to Ryan Knisley's Career Journey
02:05 - The Transformation in Cybersecurity
05:26 - Security as a Cultural Shift
10:15 - Navigating the Evolving Landscape: Adapting Workforce, IT, and Supply Chain Strategies
13:00 - Addressing Burnout and Team Support
15:39 - Guiding the Future: Insights and Conclusions for Aspiring CISOs
#AxoniusAdapt2025 #CybersecurityLeadership #theCUBE #DigitalTransformation #EnterpriseTech #CyberCulture
Ryan Knisley, Disney & Costco | Axonius Adapt 2025
Ryan Knisley
Chief Product StrategistAxonius
Exploring Cybersecurity Leadership
Ryan Knisley, a distinguished former Chief Information Security Officer of Disney and Costco, participates in theCUBE's Axonius Adapt 2025 event. Knisley brings extensive experience in cybersecurity leadership, providing insights into the evolving role of the Chief Information Security Officer and the challenges faced in navigating today's digital landscape.
In this discussion, Knisley explores their career journey from the army to the Secret Service and eventually into the private sector, highlighting key ...Read more
exploreKeep Exploring
What are some of the changes in the role of the CISO, particularly in terms of the importance of soft skills and avoiding being an impediment to innovation?add
What analogy did the CISO use to illustrate the shift in culture towards security?add
What impact has the shift to digital had on security budgets and capabilities for companies?add
What is the speaker's advice for maintaining a healthy mindset while balancing responsibilities?add
Ryan Knisley, Disney & Costco | Axonius Adapt 2025
search
Rebecca Knight
>> Hello everyone and welcome to theCUBE's coverage of Axonius Adapt '25 here in Dallas, Texas. I'm your host, Rebecca Knight, alongside my co-host and analyst, Jackie McGuire. We have with us Ryan Knisley. I love the silent K. I mean, we speak to each other. Former CISO at Disney and Costco. Welcome to the show, Ryan-
Ryan Knisley
>> Yeah, thank you. No one gets the silent K.
Rebecca Knight
>> Yeah.
Ryan Knisley
>> They say Kinsley and they'll go, "How do you spell it?" Or, "How do you say it?" And I go, "Oh, it's a silent K."
Rebecca Knight
>> It takes one to no one, Ryan.
Ryan Knisley
>> I've actually had people say, "Oh, you don't see that much." And I was like, "Oh, really? Every word in the English language that I know of that's K-N." So yeah, I should have changed it legally long ago to Kinsley, but it's good to be here.
Rebecca Knight
>> I like it. I like it. I like it. So let's talk about your career, which has spanned some of the most admired brands on the planet, including Disney and Costco, and especially being in the role that you're in, which we want to get into later in the show. But let's just paint a picture for our viewers, right now, of where we are at the state of cybersecurity today and how you've seen it evolve over time.
Ryan Knisley
>> Yeah, we're caught in a bit of a, really, in the middle of a transformation in cyber. I think especially with cyber leadership and the role of the CISO. I think years ago, when I started my career, it was very technical, mostly only technical tracks. We didn't think about the soft skills that much. We were the departments of no business disablers, not business-
Jackie McGuire
>> Impediment to innovation is my favorite one.
Ryan Knisley
>> Yes, if you want innovation to die, send it to InfoSet. And so, I always thought, man, if I can ever be a CISO someday, and it wasn't really a goal, I just thought if I'm ever in a leadership role, I want to do it differently. And I've tried to do it differently, almost sometimes to my detriment, which we can talk about. But I think where we're at right now is we're going to be business leaders eventually. We're getting better-
Jackie McGuire
>> You're saying you're not now?
Ryan Knisley
>> I think we are still treated as tech people trying to be business leaders or the expectation is, hey, we're this business leader, but we're going to treat you like a tech person. And I've seen, in my experience, and friends that are in the same role where we have all the accountability for cyber, but we don't truly have the responsibility of C-suite leadership, sometimes, to make these big, grand decisions for our organization. We still have to go ask for permission to do things because it's tech.
Jackie McGuire
>> One of my favorite books is called Likeable Badass, and it draws this distinction between power and status. And power is like the money, the title, whereas status is your ability to actually influence things. And I think what you're saying, which is what I have thought for a while, is that CISOs are very often given power, so they're accountable for things, they're responsible for things, but not necessarily status and that they have the final say if there's a conflict between C levels on the board. So you think that's going to change?
Ryan Knisley
>> I do.
Jackie McGuire
>> You're hopeful?
Ryan Knisley
>> I do. I'm hopeful. I guess I'm hopeful. At Disney, right, with great power comes great responsibility, except if you're a CISO. No, I'm just kidding.
Jackie McGuire
>> I've always thought that security's more of a culture than anything. It is a group of people, it is responsibilities, but for it to actually work at most companies, it just has to be baked into the culture. So that to your point that the attitude is not, these are the bad guys, these are the no guys. It should be more like, these are the guys who are going to save my butt, or something-
Rebecca Knight
>> These are the heroes.
Jackie McGuire
>> Yeah, these are the guys who come in if I make a mess. So have you had success in trying to shift culture?
Ryan Knisley
>> I have. I actually heard this, I'm going to steal this from a CISO I talked with yesterday who said, "For the longest time we're like physicians, we diagnose problems, we're pointing out problems." And he said, "We need to become sports psychologists, we need to change behaviors." And I thought that was so brilliant. I hadn't heard that. And it's truly what we need to do is really evolve behaviors for the companies that we support. I think cyber, in general, information security, in general, sometimes gets a bad rap. And if I think about some of the government regulatory stuff that's come down really focused on CISOs, the frustration we have is these are your biggest champions for cyber at the company, yet you're pointing your regulatory efforts against them. And it's just a weird situation, right now, I think. But I am hopeful that we're progressing to the next generation of truly business leaders.
Jackie McGuire
>> Yeah. From a case law perspective, there really isn't a lot to tell a CISO where your ... Because as a CFO, you know, okay, I have fiduciary duty and we've been through enough crises and meltdowns that I know where my legal liability ends, what my DNO covers, what it doesn't. I feel like we haven't really gotten there for CISOs, yet, and that there haven't been enough spectacular systemic implosions that there's been enough litigation. So I've been saying the last year, I would rather we proactively offer those kind of regulations and those kind of frameworks than wait for that to happen.
Ryan Knisley
>> Absolutely. They've given us sort of the punishment without the rule by which to go by, the set of rules of which to follow. So it is interesting, yeah.
Jackie McGuire
>> There's 19 different frameworks.
Ryan Knisley
>> Yeah, right. Exactly.
Rebecca Knight
>> Well, I want to ask about your individual career because, as you said, when you were coming up, you said, "If I get to be in that role someday, I want to do it differently." And, yet, you have this real technical background. Were there some defining moments that happened in your career that made you think, I want to do it differently? And how did they reshape how you think about security and how it aligns with the business mission?
Ryan Knisley
>> As far as really defining moments in my life, kind of who shaped, that shaped who I am and how I am as a leader, I got to go way back. First of all is the army. I joined the army when I was 18. That gives you a perspective. So I was in the army from 1997 to 2005. That period of time, that gives you real perspective on what's important and what's an emergency and that sort of thing. And just as a leader, it's a phenomenal leadership program, the US Army or the US military. The second one is I was in the Secret Service, had my dream job, I was loving it. I'm 31 years old at this time, and my wife calls me. We have a two-year-old and a four-year-old, and she says, "Hey, I just got diagnosed with cancer." And it's like, whoa. And it was less than 50% survival rate at the time for what she had. And so that was sobering, and that really gives you perspective on, again, what's important in life and what's meaningful and what's not and what's just noise. And so I went to the private sector, as a result. I had to leave the Secret Service to care for her and the kids. And I carry those experiences with me today of just who I am. And I've been told, "Dude, you're the calmest CISO I know." And it's like, "Well, I try and keep perspective on what's important."
And so those have been some real defining moments. I think my experiences of being the business disabler and where projects and innovation go to die and trying to do it differently. When I started to get these leadership roles, and certainly when I became a CISO, I wanted to be a business enabler and we're going to delight our customers. And I sort of brought a mindset of, yeah, we do have customers and it's the IT teams or it's the technology teams, or it's the businesses we support. I will say, to my detriment, in hindsight, at times, I overdid that. There are times where you just have to say, "No, you can't do this. This puts the company too much at risk."
Jackie McGuire
>> It's such a hard balance to strike, especially with your really, really high caliber engineers that are like, "No, I want a dev box at my house." "You can't have a dev box at your house without EDR on it." They're like, "Yeah, but I want one." Or, like, "No, I want to use a Windows laptop." You're like, "Yeah, but we're all on Macs."
Ryan Knisley
>> Yes.
Jackie McGuire
>> It's like being a parent. I grew up with very strict parents-
Ryan Knisley
>> "EDR is so stupid. It inhibits my productivity."
Jackie McGuire
>> "I can't install anything."-
Ryan Knisley
>> .
Jackie McGuire
>> That's the point.
Ryan Knisley
>> Yeah. So it is finding that balance, and I've gone, at times in my career, a little too far to the let's get them to yes, no matter what, to realizing you've got to be ... sometimes not everybody's going to like you.
Jackie McGuire
>> Yeah. That's all right. I always say in security, people don't have to like you, they just need to trust you.
Ryan Knisley
>> Yes. Yeah, well said.
Jackie McGuire
>> And even if they don't want to go out to dinner with me after the fact, if they trust my judgment, that's okay.
Ryan Knisley
>> I clearly have an inherent need to be liked because Disney, Costco, I want to be with brands that people love. So I must want to be liked, I guess. I don't know.
Jackie McGuire
>> Or just widely available.
Ryan Knisley
>> Yeah, either one, yeah, yeah, yeah.
Jackie McGuire
>> 100% uptime.
Rebecca Knight
>> Well, one truism, and this is what Dean Sussman, who was up on the main stage this morning, was talking about is just the sheer complexity of the IT environment, which has changed dramatically and it is so fragmented was the word he used. And especially now, with what you're talking about, the fragmented workforce, people working from home, people working hybrid, some people contractors, some people part-time. This has really shifted the security landscape dramatically. How have these changes impacted security operations from your perspective?
Ryan Knisley
>> It's made everything harder. I mean, it really has, just the shift to digital. If we just talk about the shift to digital, every company's digital now. The digital footprint at most every company has exploded, yet most security budgets haven't, security teams haven't, security capabilities haven't. So our job, as security practitioners, has gotten harder and harder every year when CFOs will come to you and say, "Hey, your budget's going up 10% every year or 20%," or but mine seems to go down. But sometimes your budget goes up, but yet we're getting worse at security, in a sense, because it's just getting harder. And so we're measured very differently. That's one thing, I think, 2020 with the move to remote work across the board was remarkable. I mean, it was just incredible what it did and what it's done. I think we live in a world where we're probably never going to see fully managed devices and everything's neat and clean. Financial services and highly-regulated industry, certainly, but for the most part, it's going to be a lot of personal devices hitting our network, potentially scary ... So it's just made that aspect of the job even harder, as well.
Jackie McGuire
>> It seems like we've also gone to a much more contractor and partner-heavy economy where there's all these now just as an enterprise we were talking about, you're kind of connected to all the fates of all these other things and entities and machine learning and AI is going to throw a whole boatload on top of that. And so, as a higher level of CISO, how do you think about that kind of secondary and tertiary layer of risk and how you manage all of the different external components that are having to connect into you?
Ryan Knisley
>> I made this comment one time to the board, and I may have used hyperbole, but I'm like, "That's our biggest risk." There's third-party risk because it's so pervasive and it's so highly unmanaged. They're given a lot of trust and a lot of access, but oftentimes they don't have the same security controls applied to ... like a full-time employee would. We have no visibility into their environment and that sort of thing. And as a security person, right, that we don't thrive in that element of lack of visibility. So it is a huge risk, and I think every CISO thinks about it, and it probably keeps them up at night quite often of how to manage that risk. Because if you look at certainly a lot of the significant breaches recently in the last five years, it's usually through either supply chain or third party, some kind of third party-
Jackie McGuire
>> A vendor, yeah. Well, and people request a SOC 2, but nobody actually reads them. I don't think people know a SOC 2 as an attestation. It's basically you saying, we do this. It's not somebody ... And somebody comes in and says, "Yes, they have these things." But they don't say they work or they're effective. And so I think the check the box compliance IN security that's existed for a long time, I don't see that lasting into the future when we're talking about hundreds of billions in damages.
Ryan Knisley
>> Yeah. I think it's a procurement check box or vendor management check box. Like, "Hey, are you guys SOC 2?" "Yeah. Okay, great." I've got to ask that question a bit too. Like, "Hey, should we do this better? Should we do third-party risk management more deeply? Should we ... due diligence on these companies more deeply?" And I'm like, "Yeah, of course." But it's impossible.
Jackie McGuire
>> What's the ROI, though?
Ryan Knisley
>> Yeah, I mean, exactly. I don't have the time, the talent to do it for the number of companies that we're bringing into our environment and the companies frankly don't want me to do it, would not allow me into their environments to do the scope of review that-
Jackie McGuire
>> SOC 2 response?
Ryan Knisley
>> Yeah. That the company wants. So I just think we're in this really uncomfortable situation for most security leaders and companies, really.
Rebecca Knight
>> So one of the other major challenges, and this gets back to what you and Jackie were talking about earlier, is having all of this accountability and responsibility, but none of the status that's needed to actually get things done is that then that creates this cycle of stress and anxiety and burnout.
Ryan Knisley
>> Yep.
Rebecca Knight
>> And that is something that a lot of CISOs see on team members. So how, as a leader, can you support your team and make sure that you're trying to do whatever you can to prevent attrition?
Ryan Knisley
>> Yeah.
Jackie McGuire
>> Other than hoodies.
Ryan Knisley
>> Yeah, but-
Rebecca Knight
>> The swag is nice, but-
Jackie McGuire
>> At least coffee cups.
Ryan Knisley
>> Visits from characters, we call them character visits, at Disney, where they come into the ... Cast members love that. At Disney, I'll steal this from an employee there, who is a brilliant security engineer, and she said, "Hey, we got to engineer out labor." And that doesn't mean let's get rid of people. That means let's use automation to do all this easy stuff that takes time and let's free up their capacity to go do the hard stuff. And so that really became a bit of a mantra for me and for the teams I led of like, "Hey, how can we free people up to go do the really high value stuff, put them on things they want to be doing, take stuff off their plate, give them more capacity, that's amazing, and let them spend time where they want to spend their time and not on this kind of menial tasks?" And so I think we can't keep throwing human capital at it. It's like burnout's real. We can't just add 10% more to head count every year-
Jackie McGuire
>> Especially for how much that head count costs.
Ryan Knisley
>> Well, yes, how much it costs, the scarcity, do you have to be in an office, all of these things, and no one wants to be in an office now. And so, yeah.
Jackie McGuire
>> Well, and I think the manual tasks, I'm autistic as heck, and so I literally know exactly how much I make an hour. And when I have to do one of those stupid tasks at the end of the week, I go back and I'm like, this company really paid me this amount of money to do this thing in Excel that we could do with a macro. Anyway, yeah, so I think that given how neuro-spicy a lot of people in IT and security are, those things matter. And even if they don't say they notice, they absolutely notice. And it all adds up over time. So I think being a good leader and being cognizant of those things is something that a lot of people should take note of, as well, because even if your engineers don't tell you it bugs them, it probably does.
Ryan Knisley
>> We've all learned hoodies and backpacks and free food on Fridays or whatever have a very short shelf life, and it's really engaging sustainable work that they want to be doing is the most impactful-
Rebecca Knight
>> It's making people's jobs better. And, as you said, giving them what is rewarding and meaningful to them and not the toil, not the stupid stuff that is just boring. So one of the things that's so remarkable about interviewing you is how candid you are, even about mistakes you've made in your own career and things that you wish you could have done differently or things you would do differently now. So as we close out, I'd love to hear you say, give some advice to the young up-and-coming people who want to be CISO someday or maybe things that you wish you had known at the start of your own career.
Ryan Knisley
>> Yeah, I was talking to a current CISO at this event earlier today, and he says, "I have a lot of people come up and say, 'Hey, I want your job someday.'" And he's like, "Well, let's talk about that first," eyes wide open on this.
Jackie McGuire
>> Yeah, yeah-
Rebecca Knight
>> Yeah, yeah.
Ryan Knisley
>> I give this advice a lot when I say, "Hey," when I'm talking to people that want to be a CISO or even CISOs that are kind of early in their CISO career of, "don't forget to take care of yourself." And it was said on stage today. I forgot to take care of myself. I was taking care of my family, I was taking care of my employees, my work and all this, and you sort of forget to take care of yourself. And over years, it weighs on you and it builds up. And so, now that I've got some new freedom in my life, I'm really focused on taking care of myself. So don't make the same mistake I did. Make sure you are taking care of yourself along the way.
Jackie McGuire
>> I also think that radical candor is part of what makes you a good CISO-
Ryan Knisley
>> I'm very good....
Jackie McGuire
>> as well.
Ryan Knisley
>> Yeah.
Jackie McGuire
>> And like I said, people don't need to like you in security, they need to trust you. And candor and authenticity are the fastest shortcut to trust, because if people know that you're going to be open with them about what you can, it makes it easier for them to trust you. So having been someone who also neglected their health until a couple of years ago and then was forced to reckon with that, I really appreciate you saying that because I'm on a better health journey now, too, but-
Ryan Knisley
>> Good. Yeah, I'm with you....
Jackie McGuire
>> it took a couple of years.
Rebecca Knight
>> Great advice. Well, Ryan Knisley, thank you so much for coming on theCUBE. Appreciate a really great conversation.
Ryan Knisley
>> Yeah, thank you both.
Rebecca Knight
>> I'm Rebecca Knight for Jackie McGuire. Stay tuned for more of theCUBE's coverage of Axonius Adapt 2025. You're watching theCUBE, the leader in enterprise tech news and analysis.
Rebecca Knight
Jackie McGuire