Cyber Risk Insurance

a new litmus test for board directorships
  • Axio

A New Litmus Test for Board Directorships
A New Litmus Test for Board Directorships 1200 628 Axio

A New Litmus Test for Board Directorships

by Michael O’Halleran, Experienced Public Company Director

February 21, 2019

Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put trust in you, and fellow board members, to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility because if the Board fails, individual board members can be held personally liable.

That’s why deciding to accept a directorship requires meaningful thought.  There’s no failsafe playbook for this decisioning process but elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and at a practical level, if the company maintains the right type of D&O insurance.  Some of these elements might be personal in nature such as whether you support the nature of the business itself, and some are very practical like confidence in management.

I’ve used my own decisioning framework consistently for many years until very recently when it became necessary to add a new and very practical element: the need to understand how the organization understands and manages its cyber risk.  It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and believing that the organization probably spends a lot of money and has smart cybersecurity folks.

That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem.  Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and thought that their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong.  That coupled with the SEC’s 2018 new guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach all combine to definitely embed cybersecurity as a Board of Directors concern.

Therefore as a Board concern and one that speaks specifically to a Board’s fiduciary responsibility, prospective Board members ought to evaluate cybersecurity specifically.  But how, given the deeply technical nature of the concern and language that is foreign to most people outside of the cybersecurity discipline?

My advice is to use the following four-part evaluation framework:

ONE

Understand the cyber risk of the organization in business terms.

Meaning what type of cyber events could the organization suffer, and what costs and losses would result from those variety of events?  Not only does this approach make cyber risk comprehensible to you, but whether the organization can articulate their risk this way is a great initial litmus test on how well they understand it.  If the question can’t be answered, that’s a red flag.

TWO

Understand how the organization manages its cyber risk.

With the most important component being an understanding of the methodologies or frameworks used to guide the strategy. Does the organization do an annual assessment, fulfill the recommendations and call it a day until the next time around? Or does it use a maturity-based methodology that drives continual understanding, road-mapping, and evolving?

THREE

Understand the organization’s recovery ability.

Is the organization prepared to respond to and recover from the variety of events described in step one?  Can it pay for the anticipated costs and losses?  Is the right insurance portfolio in place, recognizing that for many organizations, insurance for cyber risks requires a combination of insurance types and not just a single “cyber insurance” policy?

FOUR

Gain confidence with the data behind these components and what drives decision making.

Ideally, you want to gain confidence that the organization has aligned its controls and processes to its greatest areas of risk and is not just plugging holes. That’s the difference between a risk-based approach and compliance approach, the latter being a vastly inferior way to manage the problem (despite necessity in some industries).

A good way to contextualize this all is to imagine yourself at the emergency board meeting called when the organization suffers a major security event and is on the cusp of having to announce it.  Do you want the board briefing to sound something along the lines of “We’ve suffered a serious cyber event that we had no idea was possible.  We thought we had the right controls in place and we spent a lot of money on a lot of different things but it looks like we missed something obvious.  We’re scrambling to find folks that can help and we think we bought the right insurance.  We’ll figure all of that out over the next days and weeks.”

Alternately, “We’ve suffered a serious cyber event but one that we’re prepared for because we understood our risk and we can prove that our cybersecurity strategy was operating a very mature level.  The damage is far less than it would have been and we’ve now activating the recovery plan designed for this situation.  Further, we should have sufficient insurance proceeds to cover the majority of losses.  We’re going to be ok.”

The first briefing sadly happens time and time again.  The latter is from the type of organization that I’d be proud to serve on the Board of, and that’s why it’s important to consider cybersecurity when evaluating a Board opportunity.

Contact Axio today to learn more about how your organization can better manage cyber risk.

Contact Us
agenda item number one
  • Scott Kannry

Agenda Item #1 for the Next Board of Directors Meeting
Agenda Item #1 for the Next Board of Directors Meeting 1200 628 Scott Kannry
Agenda Item 1 for the next board of directors meeting

Agenda Item #1 For The Next Board Of Directors Meeting

By Scott Kannry, CEO

October 26, 2018

A Duty of Care for Cybersecurity

This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and in some cases a resulting impact of hundreds of millions of dollars in losses.  The leaves are now falling and so are the executives as Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead.  Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid.  While all of these companies are different, they likely share a common thread of investing an incredible amount of money in security technology, employing many capable security professionals, and thinking that their losses would be insured.  Does anybody still believe that the current cybersecurity paradigm is working?

Cybersecurity should be at the top of every upcoming executive and board of directors meeting.  Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between.  But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.” That is futile.

The right way to look ahead is to consider an alternative world for a company, where a serious event still occurs, but where management can explain to the board, shareholders, and customers that:

“We’re unfortunately announcing that we have suffered a major cyber event. Surely some painful days lie ahead for our business, but we’ll get through this. Please let me explain.

The event that we’re experiencing is one that we knew was possible. Our reliance on technology runs so deep that eliminating this type of scenario could only have been accomplished by shutting down the business. So we built a cybersecurity strategy around the very possibility that this type of loss scenario could materialize. We’re happy to show you how we executed that strategy, why we invested is certain capabilities versus others, and why, despite having suffered this event, we were confident in the maturity of our cybersecurity program.

Most importantly, because we knew that this scenario, and the magnitude of it, was possible, we’ve constantly been evolving and testing a response plan that you will now see in action, backed by a comprehensive and large dollar limit insurance program that we anticipate will pay for most, if not nearly all, of the costs and liabilities that result. We’re not naïve to know that there are not painful days ahead and that this will cost a lot of money, but we are confident that we will weather the storm.”

None of the aforementioned companies have taken such a position.  If any had, it would have been less likely for individuals to lose jobs, long term liabilities to materialize, trust could more quickly be regained, and executives, directors, and officers would be able to evidence an approach that should meet a ‘duty of care’ test.

Sadly, most companies can’t come anywhere close to meeting that test.  Why?  Because the current approach to cybersecurity is fatally flawed.  Companies blindly rely on assessments and let their guard down until next year after all of the recommendations have been implemented.  Those very recommendations are based almost entirely on threats and vulnerabilities ranked “high” because what consultant is willing to rank something low and risk that they are wrong? Insurance is bought typically not by attempting to understand actual exposure in dollars and cents, but by asking what your frenemies are buying.  Security folks speak an entirely different language than risk management folks than do executives and Boards of Directors.  When that’s the current reality the Tower of Babel stands no chance of even being started.

The good news is that entirely changing the paradigm is not that difficult and only requires three and half components:

  1. Understand your exposure, in financial terms.  Start by asking one question: “If a cyber event happens to us, what might it look like?”  Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be.  Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury?  Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the cost of those events materializing.  It might lack engineering precision but it’s an important start. The exercise is successful 99% of the time, with the 1% attributable to the company who believes the guy or gal that stonewalls the process with the inevitable “That is totally impossible.”
  2. Utilize a maturity based cyber evaluation framework and align it with the scenarios that you’ve quantified in step one.  Why maturity based?  Because that approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor.  Compliance frameworks and standards on the other hand, won’t ever go away, but all too often produce a fall sense of confidence once the checklist is complete and compliance framework met.  And why align the methodology with the scenarios?  Because that is the only way to prioritize the universe of tens of thousands of technologies and controls that all claim to be the silver bullet and solve the latest vulnerability.  The current paradigm ranks everything “high” and “critical;” the new paradigm says to focus first on the high cost scenarios that would be the most impactful, and work down from there.
  3. Maintain the resources and financial ability to recover from a meaningful event.  At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others.  How do you get there?  See Step One.
  4. (3.5) Benchmark against peers when possible.  Cyber risk management is a shared responsibility and in a world where standards and certifications can only provide a floor, the rising tide dynamic is the only means to stay as close to, or as ahead of the curve as possible.  All of the aforementioned components contribute to that dynamic: Are you as good as, or ideally better than, the median marker for the maturity of your cyber program, what’s at risk from an exposure standpoint, and if you have appropriate abilities and financial resources to recover from an event.

Put it all together and you can confidently and continuously validate that you are meeting your duty of care for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from an unfortunate event.”

Summary

This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and in some cases a resulting impact of hundreds of millions of dollars in losses.  The leaves are now falling and so are the executives as Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead.  Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid.  While all of these companies are different, they likely share a common thread of investing an incredible amount of money in security technology, employing many capable security professionals, and thinking that their losses would be insured.  Does anybody still believe that the current cybersecurity paradigm is working?

6 cyber risk insights from aig axio executive risk summit

Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit
Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit 1200 628 Axio Global
Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit

Six Cyber Risk Insights from AIG and Axio’s Executive Risk Summit

by Hanno Ekdahl And Jeff Luther

March 15, 2018

Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss Cyber Risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes. This half-day conference cited recent examples to identify these threats and shared how businesses can mitigate risk with technology, insurance, and training.

Broader questions that were discussed included:

  • How is the insurance market responding?
  • Are current policies providing adequate coverage? If not, where are the gaps?
  • Have businesses considered the impact of a breach that causes significant business interruption?
  • Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?

The panel was moderated by Forrest Pace and featured the expertise of David White , Founder and Chief Operating Officer of Axio; Guenter Kryszon , Head of Large Limits & Terrorism Property, AIG; and Garin Pace , Cyber Product Leader – Financial Lines & Property, AIG.

Here are 6 insights from the Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA:

1. The number of cybersecurity intrusions and breaches has grown exponentially in the past year.

Equifax  is a case in point. The breach affected at least 143 million consumers and is still making headlines with the former CIO being charged with selling $1 million in company stock  prior to the breach announcement in September 2017.

TRITON/TRISIS  represents the first-ever malware to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil, gas, and water utilities typically run multiple SISes to independently monitor critical systems to ensure they are operating within acceptable safety thresholds, and when they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property and was not about making money, representing a new rationale for creating malware that raises the risk profile. Weaponized malware has created a new set of threats that organizations are just beginning to understand.

Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers.

  • Property programs are complementing cyber policies and are part of managing the business’ cyber exposure.
  • GOAL: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.
  • Look at 2017 from a threat perspective, particularly events such as Reaper Petya  (Eternal Blue), and WannaCry.
  • How can companies quantify the risk?
This is not an IT problem, it’s an enterprise problem.

Garin Pace

2. This is an enterprise issue, not just an IT concern, and insurance underwriting must take this into consideration.

The enterprise needs to understand the impact as it is incorporated into the insurance underwriting for the business. This is best considered based on scenarios the enterprise faces. This includes concerns with:

  • Business continuity
  • Availability
  • Confidentiality
  • Integrity
  • Possible financial loss to the enterprise

 3. The more connected we become, the more risk we introduce.

  • Electronic Medical Records are now being attacked.
  • The Internet of Things was not designed with a security-first mentality .
  • There are chips in everything.
  • What is the cost and time to restore business when continuity is interrupted?

4. We lack clarity on the long-term effects of business interruption.

What happens when just-in-time manufacturing and supply chain is interrupted? In particular, just-in-time manufacturing has significant financial penalties for late/missed deliveries. What is the restoration process? How can the recovery be faster? We need to understand the entire process by reviewing various scenarios and utilize stress tests to understand the bottom-line impact to the balance sheet.

5. Risk managers need to make new friends in the business.

Risk management has a broader scope than just physical and cyber security.

6. The scope of cyber risk insurance must plan for attacks of never-before-seen magnitude.

  • An area-wide event is possible, especially given the fragile US infrastructure, e.g. the power grid. This overwhelms insurers due to the scope and impact of the attack.
  • Terrorism will touch cybersecurity and must be accounted for in insurance programs.
  • 60 nations are actively creating cyber weapons. Once these weapons are released they cannot be controlled and, once on the grid, they are there for anyone. What happens if they fall into the wrong hands?
  • Sophisticated malware released into the wild is now available for the average hacker to use for nefarious purposes. What happens when an irrational actor gains control of a cyber weapon , or when you pair a sophisticated tool with an irrational actor?
This is a manageable risk with proper oversight and governance.

Forrest Pace, Moderator

We continue to see major cybersecurity breaches impacting a wide variety of industries. When addressing cybersecurity in your organization, here are three items to consider.

  1. This is an enterprise-wide problem and cannot be addressed in isolation by a standard risk approach. These risks go far beyond data breaches, where records are compromised or credit card information is stolen. Risks today include company safety systems, networks, supply chains, and business continuity. This is not limited to your organization but the organizations with which you do business, especially if you provide just-in-time materials or services.
  2. The best way to address risk today is with a holistic approach. Bring together the principal stakeholders and/or functions within your organization, such as Human Resources, Security, IT, Facilities, and Treasury. Consider bringing in your insurance broker or provider to conduct industry analysis and offer guidance on change risk issues. You may also want to include parts of your supply chain in this group.
  3. Scenario testing is the best way to understand the risk impact. Outline and define the different business scenarios that could compromise your organization and test them from end-to-end. This would include people, process, and systems .

To summarize, organizations must stress test their insurance portfolios, think holistically across cyber and physical security, look at the whole supply chain, and understand that cyber is now a critical component of the business.

This article was co-authored by Hanno Ekdahl  and Jeff Luther .

what do the new cybersecurity risk guidelines mean for you as a board member

What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?
What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member? 1200 628 Axio Global
What Do The SEC’s New Cybersecurity Risk Guidelines Mean For You As A Board Member?

What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?

by Chris Amery, VP Professional And Financial Services

February 26, 2018

This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.

Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation , “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.

The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registrations statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, they are elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.

Axio’s CEO, Scott Kannry, wrote about this just last October:

 

Cybersecurity should be at the top of every upcoming executive and board of directors meeting.  Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between.  But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.

Scott Kannry, Axio CEO

What must board members understand about the new disclosure requirements? First, the good news – they are not technology based. This will not require board members to become tech experts in the latest cyber security technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures:

  1. Quantify your exposure in financial terms. As the SEC notes , “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
  2. Evaluate the caliber of your current cyber program within a maturity-based framework. This approach recognizes that cyber risk and maturity is dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
  3. Maintain adequate insurance and reserves to recover from a cyber incident. This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
  4. Benchmark your performance against your peers. Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met it’s duties with respect to cyber risk.

When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”

We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.

External Documents

tips for developing improving metrics
  • Lisa Young

Tips for Developing or Improving Metrics
Tips for Developing or Improving Metrics 1200 628 Lisa Young
Tips for Developing or Improving Metrics

Tips for Developing or Improving Metrics

by Lisa Young, VP of Cyber Risk Engineering

February 6, 2018

Reposted Content from ISACA Newsletter @ISACA Volume 1

Everywhere we turn, vast amounts of facts, figures, numbers, records and files are being processed, interpreted, organized, structured and presented in a way that turns those data bits and bytes into meaningful information. Putting the raw data into context is what makes information useful for business decisions and underlies many dashboards being developed across the enterprise. Data and information are important components for measurement and, if put into a suitable context, may also become meaningful metrics.

Let us begin with a few definitions and examples:

  • Data—Raw, unorganized facts, records, numbers, etc. An example is the number 2 or the letters “e, g, s.” By themselves, it is hard to know what exactly is meant by their use.
  • Information—Data that are structured, organized or presented in context to make them useful. An example is “I had 2 eggs for breakfast.”
  • Measure (or measurement)—Is the value of a specific characteristic of data. An example is “the number of staff that completed information security awareness training.” Without more context, it is hard to know what value is derived from the statement.
  • Metric—The aggregation of one or more measures to create a piece of business intelligence, in context. An example is “percentage of staff trained vs. expected (planned vs. actual numbers)” or “percentage of new users (internal and external) who have satisfactorily completed information security awareness training before being granted network access.” These statements give context for whether or not the information provided is meeting the intended objective. If I have 10 staff members and 9 of them have completed the relevant training, then my percentage of satisfactory completion is 90%. If I have 10,000 staff members and only 900 of them have completed the relevant training, then I know I still have more work to do, especially if the untrained staff have been granted access to the network.

Consistent, timely and accurate metrics are an important feedback mechanism for managing any activity. When seeking to develop or improve metrics, here are some considerations to keep in mind:

  • Establish objectives—What questions are intended to be answered with the metric? Who is the audience for the metric? Which information needs will be satisfied with the metric? Who collects the measurement data? What techniques for analysis and reporting will be used?
  • Prioritize objectives—Data collection and analysis are costly and time consuming. It is important to consider the purpose and intended use of the metrics. What actions or decisions would the metric inform? If no action, decision or behavior change occurs as a result of the metric, then why are you spending resources to collect and analyze the data?
  • Identify candidate metrics—Candidate metrics should be based on documented measurement objectives. Identify existing metrics that may already address the objective. Metrics may already exist to satisfy 1 purpose and may also be used for additional purposes or to answer additional questions.
  • Specify data collection and storage procedures—Procedures should be based on the objective to be satisfied and the capability of the organization for collecting, storing, managing and disposing of data. Remember, data by themselves may not be sensitive or personally identifiable, but when aggregated, there may need to be explicit procedures for protecting and sustaining the information and subsequently developed metrics. Being explicit about data collection and storage may also help with overall data management, maintaining data integrity and governance. Other considerations in this category are frequency of collection and where the source data are created, stored, used, transported, etc. Data flow diagrams are useful for better understanding the data’s unique characteristics and attributes.
  • Update objectives as needed—Do not be afraid to retire a metric if it is not driving decisions, behavior or actions. The most important consideration here is to ask yourself, “What is the value of this metric in comparison to another metric?” If the metric is not meeting the intended objective, then it is no longer useful to collect and maintain. You may need to iterate several times before getting to a small set of meaningful metrics that drive better decisions, actions and behaviors. Often, the best metrics are conveyed by reporting trends over time versus a single point-in-time metric.

Make sure your questions are the ones most important to your target audience (management, operations, strategic) and your assumptions are stated. If there are estimates used in the metric calculations (because you do not have a piece of data or have just started collecting and have no trends in the data), make sure to state that somewhere in your visualization. Good metrics are those that are used often, answer important business questions, cost little to collect in relation to their value, are easily collected and do not require extensive manual intervention or manipulation. There is a difference between metrics and metrics that matter. Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.

Axio

Axio360
NIST CSF
Services

Company

About
Careers
Events
FAQ
Press

Support

Legal Notice
Security Notice
License Agreement
Contact

Copyright 2018 Axio Global, Inc.

Enter your
text here
Axio360 NIST CSF

The time has come for you to take control of your cyber risk.

Watch Axio360 in Action