Posts By :


a new litmus test for board directorships

A New Litmus Test for Board Directorships

A New Litmus Test for Board Directorships 1200 628 Axio

A New Litmus Test for Board Directorships

by Michael O’Halleran, Experienced Public Company Director

February 21, 2019

Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put trust in you, and fellow board members, to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility because if the Board fails, individual board members can be held personally liable.

That’s why deciding to accept a directorship requires meaningful thought.  There’s no failsafe playbook for this decisioning process but elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and at a practical level, if the company maintains the right type of D&O insurance.  Some of these elements might be personal in nature such as whether you support the nature of the business itself, and some are very practical like confidence in management.

I’ve used my own decisioning framework consistently for many years until very recently when it became necessary to add a new and very practical element: the need to understand how the organization understands and manages its cyber risk.  It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and believing that the organization probably spends a lot of money and has smart cybersecurity folks.

That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem.  Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and thought that their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong.  That coupled with the SEC’s 2018 new guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach all combine to definitely embed cybersecurity as a Board of Directors concern.

Therefore as a Board concern and one that speaks specifically to a Board’s fiduciary responsibility, prospective Board members ought to evaluate cybersecurity specifically.  But how, given the deeply technical nature of the concern and language that is foreign to most people outside of the cybersecurity discipline?

My advice is to use the following four-part evaluation framework:


Understand the cyber risk of the organization in business terms.

Meaning what type of cyber events could the organization suffer, and what costs and losses would result from those variety of events?  Not only does this approach make cyber risk comprehensible to you, but whether the organization can articulate their risk this way is a great initial litmus test on how well they understand it.  If the question can’t be answered, that’s a red flag.


Understand how the organization manages its cyber risk.

With the most important component being an understanding of the methodologies or frameworks used to guide the strategy. Does the organization do an annual assessment, fulfill the recommendations and call it a day until the next time around? Or does it use a maturity-based methodology that drives continual understanding, road-mapping, and evolving?


Understand the organization’s recovery ability.

Is the organization prepared to respond to and recover from the variety of events described in step one?  Can it pay for the anticipated costs and losses?  Is the right insurance portfolio in place, recognizing that for many organizations, insurance for cyber risks requires a combination of insurance types and not just a single “cyber insurance” policy?


Gain confidence with the data behind these components and what drives decision making.

Ideally, you want to gain confidence that the organization has aligned its controls and processes to its greatest areas of risk and is not just plugging holes. That’s the difference between a risk-based approach and compliance approach, the latter being a vastly inferior way to manage the problem (despite necessity in some industries).

A good way to contextualize this all is to imagine yourself at the emergency board meeting called when the organization suffers a major security event and is on the cusp of having to announce it.  Do you want the board briefing to sound something along the lines of “We’ve suffered a serious cyber event that we had no idea was possible.  We thought we had the right controls in place and we spent a lot of money on a lot of different things but it looks like we missed something obvious.  We’re scrambling to find folks that can help and we think we bought the right insurance.  We’ll figure all of that out over the next days and weeks.”

Alternately, “We’ve suffered a serious cyber event but one that we’re prepared for because we understood our risk and we can prove that our cybersecurity strategy was operating a very mature level.  The damage is far less than it would have been and we’ve now activating the recovery plan designed for this situation.  Further, we should have sufficient insurance proceeds to cover the majority of losses.  We’re going to be ok.”

The first briefing sadly happens time and time again.  The latter is from the type of organization that I’d be proud to serve on the Board of, and that’s why it’s important to consider cybersecurity when evaluating a Board opportunity.

Contact Axio today to learn more about how your organization can better manage cyber risk.

using nist csf to overcome hurdles of security maturity reporting

Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting

Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting 1200 628 Axio
Using NIST CSF To Overcome The 3 Hurdles Of Security Maturity Reporting

Using NIST CSF to Overcome the 3 Hurdles of Security Maturity Reporting

by Jason Tugman, V.P. Cyber Risk Engineering

December 18, 2018

A key challenge for cybersecurity professionals is communicating their organization’s cybersecurity successes and challenges to senior leadership, each of whom is likely to have varying degrees of technical understanding. However, finding a shared language—one that strikes a balance between ambiguity and complexity—is critical to an organization’s ability to form a unified understanding of its security maturity. Communicating without a shared language can result in frustration or, worst, a misrepresentation or misunderstanding of a critical cybersecurity challenge.

In this blog post I’ll discuss how the NIST Cybersecurity Framework’s (CSF) Framework Core can help you overcome the three hurdles of security maturity reporting. I’ll also demonstrate how the Axio360 Dashboard leverages the Framework Core to generate board-ready information graphics that enable cyber risk and security professionals to clearly communicate the security maturity of an organization.

Hurdle #1: Building a Shared Language

The first hurdle on our way to effective security maturity reporting is finding a shared language that enables unambiguous communication to technical and non-technical executives and board members. Thankfully, the CSF Framework Core1 offers a solution for framing these nuanced cybersecurity conversations.

According to NIST, “The Framework Core consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.2

In more detail, these five functions are:

The 5 Functions of the NIST CSF Framework Core


Develop an organizational understanding to manage cybersecurity risk to the systems, people, assets, data, and capabilities.


Develop and implement appropriate safeguards to ensure delivery of critical services.


Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.


Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.


Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.3

As you can see, the CSF Framework Core Functions are commonly understood verbs, and each has a clear call to action associated with it. Thus, the Functions can set the stage for operative-level communications. Security professionals can align the organization’s security maturity roadmaps, metrics, programs, and initiatives with each of the five Functions.

In Hurdle #3 we will discuss how Axio360 natively supports the CSF Functions in both the CSF and C2M2 (DOE Cybersecurity Capability Maturity Model) Dashboards.

Hurdle #2 – Facilitating Complex Cybersecurity Conversations

The second hurdle on our way to effective security maturity reporting is distilling complex, often multi-threaded, cybersecurity projects and initiatives.

Having established the CSF Framework Core as our common language, we can begin to communicate the successes and challenges of our cybersecurity programs through their respective Functions. A sampling of topics by CSF Function can be found in the below table.

As you can see, framing a cybersecurity discussion within the context of the CSF Functions provides context and clarity for every member of the board regardless of their technical knowledge.

Hurdle #3 Mapping Cybersecurity Assessment Findings to Cybersecurity Roadmaps

The third, and probably most important, communication hurdle is having the ability to correlate recent cybersecurity assessment findings to security investment requests. No amount of improvement in the communication of what or how of our cybersecurity program will compensate for our inability to communicate the why:  Why a security investment is needed; why a project is on the roadmap; why one project requires priority over another.

CSF Functions are natively integrated into the Axio360 dashboard, so no matter if you are performing a CSF or C2M2 assessment, you have the ability to talk about the organization’s security maturity directly through the language of CSF.

Axio360 allows you to communicate workstreams, target profiles, mitigation projects, and security investments using the CSF Functions.

Bringing it all together: Connecting Security Maturity Reporting/Metrics and Cybersecurity Initiatives

Framing a conversation through the CSF Functions allows for easy correlations to be drawn, and understood, between the Functions. For example, it allows you to say, “We lack a capability to Identify all of our assets (ID.AM). While, we have robust applications and processes in place to Protect Access (PR.AC), those protections are only effective for our known assets. We are seeking a security investment to improve our ability to Identify organizational assets. Doing so will allow us to ensure that all assets are not only inventoried, but they have the appropriate controls in place to Protect access to them.”

Even better: The Axio360 platform does the work for you—correlating your organization’s security maturity roadmaps, metrics, programs, and initiatives, with each of the five Functions. This has the power to transform how you communicate to senior leadership. Using Axio360’s native integration with the CSF Functions, you now communicate a unified understanding of your organization’s cybersecurity posture.



(NIST, pp. 6-8)
2 (NIST, p. 3)
(NIST, 2018, pp. 9-8)

Works Cited

NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity Ver.1.1. National Institute of Standards and Technology.

Axio North Highland

Axio Brings Cyber Resilience Expertise to North Highland’s Energy & Utilities Clients

Axio Brings Cyber Resilience Expertise to North Highland’s Energy & Utilities Clients 1200 1200 Axio

Axio's solutions empower security and risk leaders to achieve and sustain optimal cyber resilience

NEW YORK – March 19, 2018

Axio, a cyber resilience company that helps clients optimize their portfolio of security controls and insurance to make cyber risk manageable, today announces its strategic partnership with North Highland , a global management consulting firm. As part of North Highland’s partner program, North Highland clients, with a focus on those in the energy and utilities sectors, now have access to Axio’s technology and services as part of ongoing programs to address and protect against cyber security events. The partnership brings Axio into the partner sphere with Cordence Worldwide, a global management consulting alliance of which North Highland is a member.

Axio’s comprehensive solutions help companies quantify the impact of potential cyber events in financial terms, expose gaps in security controls and insurance programs, and determine where to invest to effectively reduce cyber risk. The Axio partnership with North Highland focuses on delivering:

  • Exposure Quantification. Understanding the types and scale of financial impacts that could arise from a complex cyber event.
  • Cyber Program Evaluation. Measuring the current maturity of the cyber security program, establishing a targeting profile, and building the plan to achieve higher maturity.
  • Insurance Analysis & Stress Test. Understanding the organization’s ability to recover from a complex and costly cyber event, and how the insurance portfolio will respond.

“All of our partners are strategically selected to provide bold, best-in-class service with a unique and compelling perspective. Axio is well-versed in the cyber security challenges that modern businesses in the energy and utilities sectors face and brings the right combination of expertise, experience, and capability to support our clients end-to-end, from strategy through delivery.  This partnership gives our clients a greater opportunity to move beyond compliance and truly solve their cyber risk challenges,” says Teri Mendelovitz, global energy and utilities lead and vice president at North Highland.

“The landscape of cybersecurity is changing at an exponential pace, and companies that utilize a risk based approach to continually optimize their portfolio of security technologies and controls are far better positioned to stand the test of time. We are pleased to be working with a firm as well regarded as North Highland to deliver our unique, proven methodology around cyber program evaluation and risk quantification to their clients,” says Scott Kannry, CEO, Axio.

About Axio

Axio knows impenetrability is impossible – but cyber resilience is within reach. Our technology and services help clients ensure that they understand their exposure, manage it effectively, and are equipped to financially recover. Axio delivers the industry’s only true cyber resilience optimization solution that looks at IT security and financial controls / insurance to create an integrated, holistic technology and financial risk solution that can evolve with each client as the risk landscape shifts. For more information visit and join the conversation on LinkedIn and Twitter .

About North Highland

North Highland is a global management consulting firm known for helping clients solve their most complex challenges related to customer experience, performance improvement, technology and digital, and transformation. We add value and support our clients across the full spectrum of consulting, from strategy through delivery. We bring the big ideas, then we make them real. North Highland is an employee-owned firm, headquartered in Atlanta, Ga., with more than 3,000 consultants worldwide and 60+ offices around the globe. The firm is a member of Cordence Worldwide , a global management consulting alliance. For more information, visit and connect with us on LinkedIn Twitter and Facebook .




Copyright 2018 Axio Global, Inc.

Axio360 NIST CSF

The time has come for you to take control of your cyber risk.