Continuing on our Risk Journeys, this week we sat down to talk with Axio’s founder, David White. We covered key points in Axio’s provenance as well as stories of empowering security leaders to take charge of their cybersecurity program.
It all started at the birthplace of cybersecurity
So many things to talk about! How about we start with your background in cyber risk before Axio was born?
Before starting Axio, I was at the Software Engineering Institute CERT program, which is part of Carnegie Mellon University. As a federally funded research and development center, we had the mission to provide resources to the government and private sector that were not available elsewhere. Our work was forward-thinking. Building cybersecurity guidance and models was one of the many projects I got to work on.
Many people call CERT the birthplace of cybersecurity. Did you have any interactions advising executives in the private sector on cyber risk as they dealt with issues affecting their enterprises?
At the Institute, I co-authored a model and book called the CERT-RMM, the CERT Resilience Management Model. That work treats operational risk management as the umbrella for cybersecurity. Around that time, I also served as the chief architect for the Smart Grid Maturity Model, a collaboration with IBM and the US Department of Energy. We did a lot of piloting and development not only with federal agencies but also with private sector entities like Lockheed Martin and numerous electric utilities. It was through the work with Lockheed Martin that I met Nader Mehravari and Bill David, both of whom now work for Axio.
Helping Security Leaders Think in Dollars and Sense
So it seems you’ve been involved with creating cyber risk frameworks for a very long time. Tell us a bit about the transition from leaving the Institute to creating Axio.
It’s a long story; I’ll just cover a few memorable points. In 2012, I was asked by the Department of Energy to serve as the chief architect for the development of the Cybersecurity Capability Maturity Model, or C2M2, a cybersecurity and cyber risk management model that is widely used in the energy and other critical infrastructure sectors. The C2M2 is based on the same ideas we had developed for the Resilience Management Model, plus a lot of great input and insights from the utilities that volunteered to participate in the C2M2 development. The C2M2 was built to be an easy-to-use instrument for driving cybersecurity improvement in organizations of all sizes.
A core tenet of both C2M2 and RMM is that organizations should build a cybersecurity program based on their unique cyber risk exposure and tolerance. I learned so much from collaborating with organizations of all sizes on both projects. One common denominator was the challenge to really understand your risk so that you could make smart plans and wise investments to address it. Organizations needed a straightforward way to understand and be proactive about their cyber risk.
When you say proactive, quantification comes to mind almost immediately. Considering we just released our white paper on quantification, it’s on everyone’s mind these days! And we joke a bit that this can be coined (no pun intended) dollars and sense.
Back then, in 2012, do you think security leaders were struggling to understand their biggest potential risks? And more specifically, how these various risks could be communicated in a financial way rather than through some kind of technology view?
Struggling is too strong an adjective. Cyber risk management was, and often still is, one of the less mature aspects of many cybersecurity programs. It’s something that often unfairly gets short shrift.
From all my interactions with CISOs and other security leaders while at CERT, I saw how valuable it could be for them to take a risk-based approach in building their cybersecurity program. So, Scott and I started developing a fast and transparent risk quantification method as a way to allow security professionals to quickly identify and analyze risks in a business context.
Now we see analysts like Gartner saying security leaders really need to frame cyber risk in business terms and to provide a business case for cybersecurity. And now with budgets decreasing and cyber threats continuing to rise, making wise decisions about cybersecurity investment is ever more important.
Scott and I had a good instinct back in 2014. We built something that empowers cybersecurity and risk leaders with a clearer view of risk, one that enables them to build a risk-based program. Thanks to the work we started and its evolution with the great team we’ve built at Axio, it has become a lot easier for cybersecurity and risk leaders to build a risk-based program.
This concludes episode 1 of Risk Journeys with David White. Stay tuned for the next episode as Dave discusses encounters with security leaders and the Axio workshop experience.