The Cybersecurity Career AI Can't Replace: Inside GRC With a Real CISO
Defines GRC and explains its strategic focus on governance, policy, and risk within security. Highlights how a GRC background can lead to senior leadership roles by understanding both external vendor risk and internal security posture.
GRC is a powerhouse career path that blends policy, risk, and business enablement—AI will accelerate it, but humans will steer the governance and strategic decisions.
Summary
Chris Schwenk sits down with Ryan Baras to unpack the overlooked yet crucial GRC (governance, risk, and compliance) career track. Baras traces his own path from GRC analyst to deputy CISO at Lennar and then CISO at Mount Sinai Hospital, emphasizing that GRC sits closest to strategic decision-making and business enablement. He outlines the breadth of GRC work—from third-party risk management (TPRM) and policy development to security awareness and compliance—and why the external vendor lens often mirrors internal security posture. Ryan argues that progression in security hinges on adaptability, business-minded thinking, and strong communication—skills that help bridge the security team with other business units. He also shares how AI can turbocharge GRC processes (policy drafting, policy reviews, and vendor risk assessments) while acknowledging the need for human oversight to preserve trust and accuracy. The conversation touches on the realities of burnout in CISO roles, the evolving AI governance challenge, and the value of mentorship and community (ISACA South Florida) for career growth. Overall, Baras paints a practical, business-centric view of building a resilient security program that keeps the lights on while staying secure.
Key Takeaways
- GRC analysts can rise to chief roles by building cross-functional visibility and focusing on policy, risk, and governance, then progressively moving into leadership positions (analyst → manager → director → CISO/deputy CISO).
- Third-party risk management is a rigorous, lengthy process that often involves 300+ questionnaire items, legal review, and procurement steps, with transparency as a key pain point for business stakeholders.
- AI will accelerate GRC by helping draft policies, update controls, and streamline vendor risk assessments, but human-in-the-loop oversight remains essential for trust and risk accountability.
- Security leaders must balance security and business enablement, using process improvements to free up resources and avoid overly brittle security measures that cripple availability.
- A successful entry path blends technical acumen with curiosity, adaptability, and a willingness to learn, plus certifications like Security+ or CISSP as foundational signals to employers.
- Networking and mentorship (e.g., ISACA chapters) are critical for landing roles in security, especially for entry-level candidates navigating a crowded job market.
- The CISO role is exceptionally broad and can burn out quickly; organizational governance (board expectations, reporting metrics) should be aligned with realistic, process-driven security programs.
Who Is This For?
Aspiring and mid-career security professionals who want to understand how to break into and advance in GRC, as well as current CISOs seeking practical insights on AI adoption and governance strategies.
Notable Quotes
"GRC is really more focused on strategy, vision and governance, you know, policies, and so if you come up from the GRC side you're probably closest to sort of managerial thinking."
—Baras explains where GRC sits in the security function and why it aligns with high-level management thinking.
"70% of our job in security is to communicate and to educate because there's just this big void."
—Emphasizes the importance of cross-functional communication in security roles.
"AI is going to accelerate and increase that process... but then we need the human in the loop for the legitimate integrity of the results."
—Discusses both the promise and limits of AI in GRC, stressing the need for human oversight.
"The CISO is incredibly broad and incredibly deep... it's one of the hardest roles to fill because you're touching everything."
—Highlights the multidisciplinary nature and burnout risk of the CISO role.
Questions This Video Answers
- What is GRC and how does it differ from other security roles like SOC or threat intel?
- How can an entry-level security professional break into GRC and progress to CISO?
- Can AI replace governance and policy work in cybersecurity, or is human oversight essential?
- What should I look for in third-party risk management practices to avoid bottlenecks?
- How can I leverage mentorship and professional groups (like ISACA) to advance in cyber careers?
Tags: GRC, Governance, Policy and Compliance, Risk Management, Third-Party Risk Management, TPRM, Security Awareness, CISO, Deputy CISO, AI Governance
Full Transcript
All right guys, today we are going to talk about one of the most slept-on careers in the tech space currently, but I think one that is going to be massive in the next few years. That is the GRC space. We have an expert in the field. He started out as a GRC analyst and rode that all the way up to deputy CISO of the company Lennar, as well as Mount Sinai Hospital. His name is Ryan Baras. And Ryan, welcome to the show, man.

Great. Thanks for having me. Pleasure.

Yeah. So, let's get into it. You started off in the GRC space. Why don't we just talk about exactly what a GRC analyst does for companies and how someone could maybe get started in that?

Yeah, absolutely. So, my history in GRC: that's where I started on the security side. I had a CISO at Lennar that brought me into the security field there, and we started on the GRC side. Part of the reasoning, and his take on this, was that the GRC side is really more the strategy side; it's probably closest to the top of the pyramid in terms of the security functions. You've got the operational side, you've got the architectural side, but GRC is really more focused on strategy, vision and governance, policies. So if you come up from the GRC side, you're probably closest to managerial thinking. Back to your question: what happens on the GRC side? Well, it really depends on what your area of focus is. It's very broad, right? You've got policy and compliance that falls under GRC, you've got risk assessments that fall under GRC, you've got policy development, you've got security awareness training, you've got third-party risk management. So it's a very broad discipline within the security space, the cybersecurity space.

Yeah. So what's the career trajectory? You start off as a GRC analyst, and then where does it progress from there? Obviously you just said it kind of sets you up for that higher-level management, because you are looking at more of the policy structures that are going to be crucial at that high level.

Yeah. So I think the starting point of GRC is excellent, because you get to learn from the bottom up. So what do I mean by that? On my side, I started on the TPRM side. Starting on TPRM, third-party risk management, allowed me to basically understand all of the various domains that you want to consider and assess from a security standpoint when you're looking at your outside parties. And even though you're looking at your external parties and your partners and your vendors, that equally applies to your own security posture when you're trying to understand, okay, how do we set ourselves up for success from a security standpoint internally? So that external vision gives you exactly what you need to be holding up against the light internally as well. And so the progression from a career perspective would essentially be analyst, then get promoted to manager, then director, then deputy CISO and then CISO. That's kind of the path I followed, right? I started as analyst, then became manager, lead, went to deputy CISO at Lennar, and then later CISO at an outside hospital.

Yeah. And give us an example: what does GRC do on a day-to-day?
I mean, obviously you mentioned the third-party risk. What's involved in some of this stuff?

So, yeah, I'm trying to think how I can best answer, because again, the GRC side is incredibly broad. If you sit on the policy side, the policy and compliance side in GRC, then that's your foray, right? You're basically out there seeing if your policies are up to date, if they're addressing the concerns, if you have the controls, right? You're looking to see whether they've been updated. And then also the hardest part on the GRC side is ensuring that they're being enforced, because unfortunately, a lot of times what's lacking for security folks is the ability to actually enforce the policies that have been designed.

So that's on the policy side. Security awareness also falls under that, because security awareness is essentially a requirement for any organization, right? So you want to ensure that the folks in your organization have been sufficiently educated on cyber risks, and that now is even being extended into AI and deepfakes and, in some cases, fraud. So there are entire programs that exist on just security awareness, and generally you do have a dedicated person that does nothing other than work on these programs: develop them, ensure people get trained, ensure that they're compliant, that they complete their training every year.

So that's a full program on its own. If you're on the third-party risk management side, that's when you're dealing predominantly with your external vendors, and that's a very full, lengthy process. That's very painful for almost every organization that I've interacted with. The TPRM process is generally considered painful because it's a lengthy process. You're asking your vendors to provide documentation. You're asking them to provide answers to questionnaires, which sometimes can be as long as 300 or 300-plus questions.

And all this time, while you're waiting to get the responses from these vendors, your business stakeholder that wants to onboard this solution or this vendor is waiting and very often doesn't understand what the holdup is. And a lot of times the finger gets pointed: security's holding us up. Whereas in reality, we might be waiting on a vendor to provide us with sufficient answers and documentation. And part of the reason why this has been so painful is because it's not always as transparent and clear to the business stakeholder.

There are very few good solutions out there, up until recently, that created that level of transparency and understanding. And then, to take that a step further, once you've actually done your risk assessment on your vendors, you basically need to go back to the stakeholder and give them your assessment. Okay, we see some concerns here, or we see some high or critical concerns here. And as security, first, you don't want to stop the organization from moving forward.

You want to be an enabler, but at the same time, if the risks are high enough, you need to have that conversation with the business stakeholder, and very often then with the vendor, to basically see if you can come to an agreeable solution to still be able to move this forward. Again, it's a lengthy process. I haven't even dived into the fact that there's procurement that's involved in this. There are legal considerations. There's redlining of contracts. So all of that really belongs to that TPRM process.

So that's why I say it's a massive process, and that's per vendor, right? Most organizations, well, large organizations, generally onboard anywhere between 50 and 100 vendors a year, and you can imagine how long each one of these processes takes, to do that 50 or 100 times a year. It's a little painful.

Yeah. And what have you seen in your career? Obviously, you were able to be in that seat and then quickly progress up into those higher levels, eventually the executive level. What separates the analyst that has that progression, and what did you do specifically?
Or what could you have done better along the way to pick up those skills to be able to rise up the ranks?

So that's a great question, because I would say that what's really needed on the cybersecurity side is adaptability, willingness to learn and to be adaptable, and to take the initiative. And the reason adaptability is such an important factor is because cybersecurity is highly dynamic. I mean, it's changing, I don't want to say on a daily basis, but on a daily basis.

All you have to do is check your news feeds, and you're seeing that every day we have a new AI version out there or a new threat, or a new CVE that we didn't know about, or a zero-day, right? So being able to be highly adaptive in that environment and to learn quickly. But not only that, I think from an analyst perspective, if you also can truly make that connection to what it is that the business is trying to accomplish, right? Because a lot of times in security, we sit in our own bubble.

I remember when I first started on the security side, I was in IT. I literally sat next to the security folks, and I had no idea what they were doing. It was just a big unknown. It wasn't until I actually got into the security team and started to understand what it was that they were doing that I could use that as a way to communicate and educate the rest of the organization on what it is that we're doing. In all honesty, I think for security, and I say this more often, I think 70% of our job in security is to communicate and to educate, because there's just this big void.

A lot of folks don't know what's happening on the security side, and they're not sufficiently versed on the security threats that are coming at us, and sometimes we lose sight of that in security because we live in a bubble. But being able to extend yourself outside of that bubble and truly align yourself with what the business is trying to accomplish, because ultimately that's what we're here for: to enable the business.

Yeah. So essentially someone that has that business mindset is going to be much more successful, because obviously the best security would be not to do anything, right? Just keep it in a bubble. But that's not going to be too good for business, right? So you have to balance being safe and making money as well.

Correct. Yeah. It's funny, because I do speak more often at conferences and on panels, and I often ask folks, listen, how do you make sure that you're 100% secure? If you have a car, how do you make 100% sure that no one steals your car? Well, you weld the door shut so nobody gets in, including you. But that sort of defeats the purpose of having a car, right? So the point there, the takeaway, is that between security and availability there's always going to be friction, right? Because availability is needed to enable the business, but security is equally needed to keep the business safe. And the example I use most recently is again thinking of a car.

Think about back in the 1950s and '60s. Cars were still kind of new, and then people started stealing cars, and so what happened? They decided to install locks on cars, and then later we installed alarms on vehicles, and then even further, now we have OnStar and GPS tracking of vehicles, right? So the interesting thing is, what you see there is that we've maintained 100% availability of these vehicles, but at the same time we've made our security much stronger, the security posture around these vehicles. And along those same terms, that's how we should be thinking of security in organizations.

We're not there yet, right? And I think we all know that we're not there yet, that we're iteratively improving on security to still enable 100% availability and still have that security. But it's a fine line.

And do you see GRC as being one of the most difficult jobs for AI to replace? I mean, they're going to want a person to look over the governance, right?

Right.

I mean, they can't just outsource that to AI and let AI handle it and just hope everything goes okay.

Correct. Yeah. That's the big unknown.
Where are we going to end up? And I think, at least for the near and medium term, AI is going to be a phenomenal accelerator in terms of enabling us to provide the GRC oversight. So having AI to help us develop policies around the right controls and around best practices and frameworks, I think that's going to significantly enhance how quickly we can do that. Also, we'll be able to use AI to make the process more efficient of updating these policies and ensuring that they're reviewed every year, and also ensuring that they get signed off and established and implemented.

So AI will help there phenomenally. Also the TPRM process that I just described: same thing, AI is going to phenomenally accelerate and increase that process, which right now just remains an incredibly painful, very often manual process. Many organizations are still doing it on spreadsheets, and so there are substantial gains that can be gotten from the use of AI on that side, from a process perspective. And what you're hearing from me here is this is all process, right?

This is just process, where we need to get enhancements. Now, where the risk probably sits, and I think what you're talking to specifically, is when you're talking about, okay, what about the integrity of what it's coming back with, right? If AI generates a policy for us, or if AI is basically doing the third-party risk assessment for us, can we trust the results? So you're definitely going to need to have that human in the loop for the foreseeable future, until we get to a point in time that the human in the loop is the liability, right? Because at that point, AI will be much more accurate than a person. We're not there yet. I do foresee that we will get there, but then, at that point, we're in a different world and it's a different discussion.

Yeah. Yeah. I mean, what about as far as credentials for entry level? What did you look for? What should people look at? Security+? Is it the CISA? Is there a GRC-specific cert? What did you look for in hiring?

So my take on that might be a little bit more unconventional, and the reason I say that is because my background is very unconventional. I actually came out of economic development; that was the first half of my career. I used to do trade missions, bilateral international relations between governments and private-sector trade missions.

I mean, very different than IT, but because I was doing trade missions that focused on technology, I became a practitioner, and after becoming a practitioner, I was then offered the opportunity to step into security, and I just wanted to continue to learn. So when I look for the right type of person for security, I think there are a couple of things there. Number one, you do need to have a technical acumen, right? You do need to have IT expertise and knowledge, because essentially that's your focus area, right?

The technology. So that's a starting point. But I do think the inquisitive nature of the person and the willingness to learn and be adaptable, I think that's a huge part of my consideration. Is the person motivated? If someone's motivated, they really want to learn and they're excited about what they're doing. Just to use a sports comparison, you can have the most talented sports team in the world, but if they're not motivated, they're not going to win the World Cup, for example.

But you can have a team which may not be the most talented, but if they are motivated and looking to deliver, you might walk away with the cup. So it's the same thing. I think if you've got that baseline and the hunger to learn. And I would agree that having certifications helps, right? I mean, that's certainly the direction that business is going nowadays, looking for certifications like Security+, and depending on the role, does someone have a CRISC or CISM or CISSP, right? So I think that those are probably the foundational things that I'm looking for in the first place.
Yeah. And, moving on, would you say third-party risk management is your area of expertise within the cybersecurity space?

I would say that's where I started. I have a lot of depth in that area, but in my role as CISO and deputy CISO, obviously I need to be a jack of all trades to a certain degree, right? So what does that mean? As director of security operations, I oversaw the SOC, oversaw security operations at Mount Sinai. So I do understand what goes into it. Let me rephrase that. I really consider, from my perspective, in order to be successful in the CISO role, I see it more as a business role, right? I want to get things done, right? And that's how I interpret that role. The interesting thing is you can have a hundred different CISOs in a room, and they're all going to have a very different profile. So this is my perspective, right? That's the unique thing about the CISO role; it's very fragmented in its definition. And so if you take my perspective, I really want to get something done.

And so I am probably not the most, well, actually I know for sure I'm not the most technical CISO you will come across. But I'm fine with that, because as long as I have those technical people on my team that I can go down that rabbit hole with and have that conversation with, then I can rely on their expertise in terms of making a decision to help the business move forward. That's how I see my role as best serving the company. And the reason I say it like that is I've had the privilege of working with some of the most skilled, knowledgeable IT and cybersecurity experts, and what I often see is that these folks were born and grew up in technology, and so they want to go down that rabbit hole.

They love it, and they bathe in it, and I have full appreciation for that, but that's not me. I want to go down that rabbit hole with them, but I want to keep moving the ball forward and be able to deliver. And to give you an example, last year at Mount Sinai, our team was the only team that completed 90, 95, borderline 100% of all of our projects that we had on the calendar. And that's because we just kept moving the ball forward rather than getting too stuck in the weeds on some of these technical discussions.

Yeah. And obviously you were deputy CISO at two vastly different companies. Lennar builds homes. Obviously Mount Sinai is a major health system. So the question is, what kept you up at night at either one? Obviously there are going to be two different things keeping you up at night. But let's talk about what really, or was it the same? I mean, you tell me.

So, just let me clarify. At Lennar I was deputy CISO; at Mount Sinai I was the CISO. So, at Lennar, what kept me up at night there? That was more of a sec ops role, and it was more of an executive-level role. So I was looking at what we were doing and our operations from a strategic, visionary, executive-level perspective, and looking at, okay, do we have a security awareness plan in place? How are we managing our SOC? Is it in-house? Is it hybrid? What are our KPIs and our metrics, right? It's very executive-level focused. And so I would say that probably the biggest concerns, what kept me up at night, was being able to report on these KPIs, keep the organization safe, but also be able to report on these metrics to the board in a way that met the expectations of the board.

In my role at Mount Sinai, it was a little bit less executive, as funny as that may sound, right? Even though it was not a deputy CISO role, it was a smaller organization, a factor of eight times smaller. And so what that means, as with any smaller organization, is that you're going to be more involved with the hands-on day-to-day, and that gives you a vastly different insight into the organization. It's also why I intentionally went into that role. I needed and I wanted to have that more hands-on experience and learning curve, especially because I did not come to the table with that highly technical background.

That's what I wanted to get out of it. And so what keeps you awake at night there is that you're seeing where the rubber meets the road, and you're actually seeing more closely where some of the gaps are, from a tool and also from a process perspective. And what also factors into this is what the culture of the organization is and how willing the organization is to adapt to change and to recognize what some of the deficiencies are. Because, believe it or not, every CISO you speak to will be jumping up and down and saying we're short on resources, we need more resources. But I've sort of come to the conclusion for myself that, more often than not, our resource constraints are really rooted in the fact that our processes are not in order.

And if we could improve our processes, if we could streamline our processes and make those more effective and efficient, we will actually free up our resources. But it's not first nature for most IT people to think in terms of process. Most IT people think in terms of technology tools, right? It's always the tool that's the solution. But now here I'm kind of leaning a little bit on my ITIL and business background. I'm looking at this from a very different angle, and I'm saying, okay, we need to focus on the process, because if we focus on the process, we're going to free up our resources and give them more time to spend in their tools.

Yeah. And what are you seeing? Had the whole AI thing come into play at either one of those jobs for the governance? Will that fall under the CISO, the AI governance? We're already seeing a lot of these companies did not have governance on the AI, and they've burned through millions of dollars in credits because people were just using AI with no processes, like you were saying. So, did that come into play at either one of those jobs?
Yeah, absolutely. I mean, certainly at Mount Sinai because, you know, you we we had to establish a an AI governance committee, right? So, you know, AI has been on the forefront of people's minds for for for some time now. And I think, you know, the entire world for that matter is still kind of going in circles trying to figure out, okay, how do we do this the right way? And, you know, I have my thoughts on it. I and I really do believe, you know, there's a couple different ways you can go about it. You can, you know, you you can have your C AIO, right?
Someone that's basically dedicated specifically to overseeing, managing, governing your AI components. It can fall under the CISO, but that's a massive new task that we're adding to the CISO, right? Who, look, we already have burnout rates of, on average, what, 18 to 24 months on CISOs. So we have a business problem there, the fact that CISOs are burning out so quickly, and that's something that, you know, it's a whole different discussion, but that's something that does need to be addressed. I believe it has to be addressed at the board level, where there's a disconnect between the board's understanding of what the CISO does and the vast breadth of the role of the CISO and the depth of the knowledge that they're expected to have.
However, going back to your question, I think we need to change the role of the CISO. I think the role is currently flawed. And there's multiple things you can point to to show why it's flawed. For example, having GRC, the G stands for governance, right? You're governing your IT organization, but more often than not, the CISO reports to the CIO. So you're governing a group that you're reporting to; there's an inherent conflict with that, right? But there's also other reasons why that role is flawed, predominantly because it's much too broad.
If you take a step back and ask yourself, okay, what does the CISO do? The CISO is expected to be able to speak to the board in business terms, right? To have that board-level presence while at the same time being able to go deep into the weeds from a technical perspective. Right? On top of that, CISOs are expected to have the understanding of the external factors and the internal factors, understand the risk appetite, understand the business, work with procurement, work with HR, work with legal, work with marketing and PR, and understand policy and compliance: to create policies, govern the policies, ensuring that those policies are enforced, to a certain degree.
And now we're going to add AI to the mix. So, honestly, coming out of business and having worked cross-functionally through many different things, I honestly don't know any other role in an organization that is that broad. If you're in finance, you generally have your domain well defined. If you're in marketing, you have your domain fairly well defined. If you're a CISO, you're touching everything. We haven't even talked about security awareness training, right? So it's an incredibly broad and incredibly deep role. And if you look at career profiles, the career profiles that you're looking for, that's not an ideal profile, where you're looking for someone that's incredibly broad and incredibly deep; it's generally one or the other. And I think it's part of the reason why you see such a high burnout rate with CISOs. The demand that's put on them is a lot.

Yeah. And speaking of the high burnout rate, why don't you walk us through a breach.
What's that like when we have an issue here? Just quickly walk us through what that is like from the person in the highest position at the company for those types of things.

Yeah, that's when you have your sort of come-to-Jesus moment, right? When events are occurring. So generally, and again, when you say event and incident, those are two different things. An event is an alert. And hopefully the alert turns out to be nothing to be too concerned about.
But if an alert turns out to be an incident, now you've got to take a look and say, okay, what type of concern are we dealing with here? Is this a low-end incident, or are we dealing with like a Sev 2 or Sev 1? Right now, the temperature in the room is coming up once you're dealing with a higher-level severity incident. So what that looks like generally is, the first thing you want to do, that's where you have a high reliance on your team, right?
That's where you do have a high reliance on your engineers and the SMEs that you work with, and making sure that they are collecting the information to make an adequate assessment of, okay, where are we and what is the risk? What risk does this pose to the business in general, right? Is this isolated to an individual user, or are we talking about something that's going to potentially affect operations? That's your starting point. And really, I think the thing that's most key at the moment is that you need to be able to shift gears quickly, right?
Depending on what's happening, you need to quickly know who to inform. That could be your service desk, that could be your MSSP that's supporting you, that could be your CIO, it could be the board, if necessary. But it's a very subjective call, and it's changing every minute or every second based on the information that you're gathering. More often than not, it's something that you can handle with your team internally. You don't have to call the CEO and get other people involved, because it's not really going to have much of an effect outside that individual case.
But there are situations where you collect information and, depending on who could be the potential stakeholder, you may need to get any of the parties I mentioned, including the infrastructure team. Sometimes you may want to go to legal first, right? So that you have attorney-client privilege, which we don't talk about enough, I don't think, in cybersecurity: how important it is to get your legal team involved when you're dealing with an incident. So there's no clear path to answer your question, because there's too many unknowns that factor into the incident that's occurring, and then knowing how to pivot and make a decision based off the information at hand.
Yeah. Okay. And now I want to pivot to the fact that you are the ISACA South Florida President. So you are kind of seeing the full market as far as jobs in this area, and what are you seeing right now, 2026, that surprises you? You're talking to a lot of people. What career paths are hot right now for people to consider?

So yeah, thanks. That's right. I've been ISACA president for about a year and a half now, and I just got reelected for the two coming years, and I couldn't be prouder of our board.
In fact, we have our annual strategic meeting coming this weekend, where we're going to lay out a strategy for the next year. So it's a phenomenal group. What I can tell you is that involvement in a group like this is pivotal. If you are in security, get involved with a group like this. It doesn't matter if it's ISACA; get involved with an ISSA, get involved with ISC2, whatever group you decide fits you best, but the reason you want to do this is because you want to build out your network.
You want to have people to reach out to. Look, I am the last person that will say, "I know all things security." Because I think that's a red flag if you have someone that says they know all things security. It's nearly impossible given the breadth and the depth of this role. So, knowing your own limitations becomes critical. Knowing that you don't know stuff, that's important. But knowing that you also have people to reach out to that do know, that is critical, and it's been very helpful for me. If I needed to talk about a specific framework or standard, or I just had questions around security operations, or just wanted to get some governance input, there are different people that I can reach out to, among which also some folks that have really gone down the AI rabbit hole, because of course we've talked AI to death at this point, right?
And we're still only at the top of the iceberg, but AI is the discussion point when you look at what's happening in the market, what's in the job market. So, I guess there's a couple different things happening. Number one, entry-level jobs have become more difficult to attain. And so I think if you're at an entry-level position, you're just finishing college, that's another reason you want to join these associations and these organizations, because as much as we're embedding technology in these processes, just think from a recruiting standpoint: you've been to LinkedIn, you've seen these jobs that get posted and two hours later have 800 applicants that are using AI agents to apply.
Well, guess what? On the HR side, they're using AI to filter through these. And in the end we've created just a mountain of work on both sides, and how do people end up getting the roles? Usually through the human connection, right? Who knows who. And so that's another reason why you really want to get involved in these organizations and associations. So that's the entry level. At the executive level, I haven't seen too much change, although I have seen more movement in the market than we've seen in the last two and a half, three years. So people are changing roles. I don't know if that's encouraging or not, honestly, because it could be a good thing or it could be a bad thing, right?
And at the mid level, I think it's somewhere in the middle. Obviously the AI governance discussion is something that's very hot right now. I think regardless of wherever you are in your career, it's imperative to familiarize yourself as much as possible with AI, because it's coming whether we like it or not and is going to impact all of us. But what the end result of it is, none of us know, right? None of the executives. We think we know how AI is going to impact us, we think we understand how it's going to create process efficiencies, and we're executing on much of that, but what the end-all result of AI will be, none of us know that. I recently gave a presentation for students and they asked the same question: where is AI going to take us? I said, I'll give you the honest answer: we don't yet have the answer. And honestly, sometimes it takes unexpected turns. And I told these students, look, 25 years ago, 30 years ago, when I was your age, I was a student, they invented this thing called the internet, and when that came out, lo and behold, little did I know that 30 years later I'd be in the role of chief information security officer, because that role didn't even exist.
We didn't even know that we were going to have all these jobs in security when the internet first came out, and that's all unexpected consequences. And so I think of AI in the same way. We don't know yet what it's going to bring and how it's going to evolve and how things are going to change. But that's why adaptability is key.

Yeah. So, and I'm going to do a solo video on this, but you've seen junior people, entry-level people show up to ISACA, kind of network with a high-level person like yourself or some of your peers, and end up getting hired at those organizations.
Yeah, I mean, well, I'm trying to think hired directly. I'm trying to think of examples right now, or referred, I guess. Absolutely. I mean, we had an event just a week and a half ago and I was standing around with two other CISOs, and a young lady came up who recently graduated, and we've seen her before. We've established a relationship, and we started talking to her and we found out that she hasn't landed a role yet.
And lo and behold, 5 seconds later, we were introducing her to other people that could perhaps help her into a role. And so, absolutely. I mean, I think that's also what should be the function and the role of an organization like ISACA: to help one another, regardless if you're a CISO or if you're entry level. At some point or another in our lives, in our careers, we can all use a helping hand. And I have to say that's one of the things that I love about the security community in South Florida.
It is truly a community, and very open and very welcoming and very helpful. By the same token, it is a small community, and so I often tell either staff or students, whatever you do, make sure that you protect your reputation and your integrity, because it is a small community and integrity is everything in security.

Yeah. And obviously we've talked about what we think. Obviously GRC is kind of a role that will continue to be on the rise.
We can say it's underrated. Do you see anything that's overrated right now in the security space, based on your career?

So now I've got to, in my head, go through the whole palette of security functions. So I would say, clearly SecOps is something that's in high demand, and a lot of organizations have a SOC stood up and have SOC analysts. I do think that on the analyst side, especially on the junior roles, there's a strong possibility that many of those roles will end up getting automated, in terms of where there may not be as much of a demand.
I would say that, and this is a number I'm quoting someone else on, but I was told that there's about 4,700 vendors right now in security, and that number might have gone up since I last heard that number. And we feel it, right? If you're in a security role, we talk to a lot of vendors, and I would love to be able to talk to all the vendors. I just obviously don't have the time, and I could fill six months in my calendar with nothing other than vendor meetings.
I just don't have that time. But I think there are certain services out there that may not become as relevant as the market changes and AI is actually more utilized. I also wonder to what degree certain business models and solutions will be financially sustainable and viable, given that much can be done in house with AI going forward. I think that's where we're going to see a market change in sort of the vendor space, believe it or not.

Nice. Nice. Well, before we go, any last tips?
We have a lot of job seekers, maybe people that are in tech that are looking to switch, going to watch an interview like this and want to hear from someone like yourself. What are tips for people looking to get into the security space?

Yeah. So, tips, and I can't emphasize this following tip enough, but find a mentor. Find someone who inspires you, who you look up to, and just approach them and say, "Look, I'm interested in..." And this, by the way, is not exclusive to security. If you're in healthcare, if you're in car manufacturing or whatnot, right?
Find a mentor. Find someone in that industry that you appreciate, that you find inspiring, that you would love to learn from, and just approach them and ask them: look, I have an interest in this area, this field. I could build on your knowledge. I could use your input. Would you be willing to help and mentor me? And I've never seen anyone say no. And I've had three or four mentors myself to this day, right? I still consider them my mentors.
I'll give them a call, get their input. I'll use them as a sounding board. And it's just your safe space, right, to have these mentors in place to help you build your career. And again, you need these building bricks in life to build your success. And you can't do it all alone. I mean, maybe you can, but it's a little bit more challenging that way. Find your partners and your advocates.

Yeah. And then where can people find you? I mean, it looks like you're now going to do some consulting after not being at Mount Sinai anymore.

Yeah, I'm doing a little bit of consulting right now, but more likely than not, I might find myself in a new role here before I know it. Hopefully right after the World Cup, because I kind of want to watch some of the World Cup games. But yeah, if anyone wants to reach out to me, if someone would like to connect, I can best be reached on LinkedIn, Ryan Baras, it states right there.
And just mention this podcast so that I know where it is coming from, because also as a security expert, you sometimes need to employ a little bit of skepticism in terms of who's reaching out to you. And I'm sure you'll have some Russian agent, oh, they're reaching out to me trying to be a friend.

Yeah. Yeah. Yeah. Exactly. Yeah. Hi, I'd like to be your friend. Click the link.

Yeah. So, yeah, but feel free to reach out, and again, find a mentor, learn, dive into AI, look into certifications.
These are all steps that are going to help you advance in your career and in your development.

Yeah. Well, we will have Ryan's LinkedIn links in the show notes below, and we will also have a link to ISACA as well, if anyone wants to, if you're entry level. Listen, he just gave you the playbook for how to network and get involved with high-level security people. So I would definitely take him up on that if you're in South Florida. So, Ryan, hey, thanks again.

Yeah. No, thank you for having me. Really enjoyed it, and hopefully this is good information for your listeners, and I'm sure we'll bump into each other pretty soon, Chris.

Absolutely. I want to get up to an ISACA meeting for sure. Well, thanks again, man.