This week, we continue our Risk Journeys interview series with David White, talking about how skeptical security leaders can have a change in attitude when they have the right tools for empowerment.
If you are new to this series, you can catch up by reading part 1.
What’s your favorite part of the job?
I have two favorite parts of the job. But they might be a continuum. First of all, I love working with Axio clients and thought leaders in cybersecurity, to understand what their challenges are and where they’re trying to go. And then secondly, I love bringing those challenges back to the drawing board and collaborating with Dale and our product team to figure out how to build solutions that help facilitate the change that we see happening in the security and risk management world.
How have you seen the power of cybersecurity program assessment grow and change since the early days of Axio?
The program planning module is the first module we built, and this is where organizations can do their cybersecurity program assessments. So, as Scott mentioned, Axio has been providing advisory services for cyber risk since 2013. In the early days, we’d go to do an assessment workshop, and then go back to develop a target for improvement. This was two separate sessions.
When we developed the Axio360 platform, Dale and his team had the idea of combining these steps in the program planning module. Something like this had never been done before and we had no idea how people would react. Despite it being a relatively simple concept, it resulted in a complete mood shift in assessments.
Changing the mood of security leaders with a new way to do cyber risk assessment
What happened when these two elements were combined for the first time?
Well, Dale [Axio’s Chief Product Officer] and I were in the room with the very first group of security professionals who used the Axio360 platform. In that assessment workshop, we had the participants set both their current implementation level and a target level for each item in the assessment. The entire mood in the room changed.
Often in an assessment, you’re confronted with a steady stream of things you’re not doing or not doing as well as you think you should. It can be depressing.
When we gave people the opportunity to say, “This is where I am today and this is where I’m going to be at some certain point in the future,” the entire mood changed. No longer were participants beating themselves up for things they weren’t doing; their attention was focused on figuring out what they needed to add to their program and planning steps to get there. It got us to the primary motive for assessments, which is to identify and plan improvements.
Looking forward is an important aspect of how we are framing cybersecurity risk. Something else we’d like to ask about is the Quantification module in Axio360. We recently released a white paper about making the business case for cybersecurity investment. What’s your experience working with cybersecurity leaders to quantify risk?
When you can quantify cyber risk, you enable much better collaboration to take action
Quantifying cyber risk is an immensely valuable experience for cybersecurity leaders and risk leaders. It is an opportunity to closely examine cyber events that could happen, and the impact they would have on the organization. Inevitably, this leads to changes in the organization’s control environment, so not only does it provide a better understanding of the risk, it’s a valuable way to identify improvements.
Quantification can also be a confronting experience for a cybersecurity leader. A control would need to be missing or fail for almost any cyber event to occur. So, exploring the susceptibility of the organization to a cyber event type can make the cybersecurity leader feel like they need to defend their current posture.
We once worked with a cybersecurity leader who took a pretty defensive posture in a quantification onboarding workshop. Two years later, we did a second quantification engagement with his company and his attitude had completely changed. He kicked off the work with a speech to the participants. He basically said, “We had Axio in two years ago, and have spent the last two years working with the output of that quantification workshop. We’ve added controls to manage risks that we couldn’t transfer. We’ve also altered controls for risks that we can transfer. We’re now collaborating with our insurance team to make sure we are prioritizing our investment and controls based on the kinds of impact that we’re unable to transfer through insurance instruments, to make sure that we’ve got the enterprise adequately protected. Our job in this engagement is to explore additional risk exposures so that my team can continue to optimize our posture.”
That was a bold decision, to let him speak before the second workshop, considering how skeptical he was the first time around.
We weren’t sure what he was going to say. It was really rewarding to see how his attitude had changed. Considering he was so skeptical during the first engagement, it means a great deal to us that he was now touting Axio’s core value proposition.
This concludes Episode 2 of Risk Journeys. Stay tuned for the next episode, where Dave discusses the feature of Axio360 he is most excited about.