Risk Journeys with Lisa Young | Part 2

Published by Axio

In our previous episode of Risk Journeys with Lisa Young, Axio’s VP of Cyber Risk Engineering, we discussed Lisa’s background in cybersecurity and ended the conversation by discussing how she transitioned to the world of risk management. We continue the conversation with part 2 just where we left off, on Lisa’s approach to cybersecurity mental models…


Axio

What does that change in cybersecurity mental models mean? What were you thinking?

Lisa Young

So, instead of spending my time focusing on threats over which I had little control, I began thinking about what actions to take that really matter. For starters, we can plan and direct our cyber programs, understand control initiatives, and quantify our risk in dollars and cents. This gives senior leaders the ability to make informed decisions to apply resources to the risks that would have the greatest impact to the enterprise should they actually materialize. Impact analysis of events, incidents, and risks on our environment is the real value a cybersecurity leader can show to their management, because the decisions about how to respond to those scenarios are something they have total control over. Some of these important elements include planning for the right resources, properly managing suppliers, and making sure the best people on our teams are working on the highest impact risks.

Axio

You’ve been with Axio from almost the very beginning, long before the launch of the Axio360 platform. What else was the team focusing on back then?

Lisa Young

We were providing consulting services for some of the world’s systemically important financial services firms, largest energy and critical infrastructure providers, and federal government services. The important concept we helped bring front and center was cyber resilience.

Axio

What do you mean when you say cyber resilience?

Lisa Young

This stems from my time at the Software Engineering Institute at Carnegie Mellon and the development of a body of work called the CERT Resilience Management Model. We were looking beyond what an organization needs to do to be best in class at securing their infrastructure, their information, their people, their systems. We understood that as one starts looking at those components, whether they’re technology, people, or processes, it wasn’t enough. We needed to help people have a resilience mindset, to have a completely different mental model towards being agile and flexible.

The work that we did at Carnegie Mellon strongly carried over to Axio, in the domain of understanding what it truly takes to make this kind of informed decision: it takes preparation, planning, managing resources, and the right feedback loop.

One of the key differentiators from Axio’s perspective is this notion of a strong feedback loop. It’s not enough to understand where your cyber program maturity or risk management process gaps are. You have to understand the gaps in the context of what’s important to the business.

Axio

How does that relate to a cyber maturity assessment?

Lisa Young

So, let’s say I find a gap after completing a cyber maturity assessment. The reality is that it may or may not be important for me to address. Why should I apply resources to a gap based on the results of an assessment? What I really want to understand is what risk that poses to the mission of the business.

Axio

So how do you understand that cyber risk better?

Lisa Young

You have to understand what your risk is in financial terms and the impact to the business if the risk were realized. Sometimes the impact is so small that it’s not worth the application of scarce resources. Other times, a risk scenario requires immediate attention to reduce the financial or reputational impact should the risk materialize.

Axio

What’s your take on the recent chatter about risk quantification? Why is there so much debate around that word these days?

Lisa Young

There are a lot of myths surrounding the ability to quantify risk in general. I think it starts with explaining the why and then the how, to the very top of the organization: the CEO.

Axio

So why should a CEO care about quantifying their cyber risk?

Lisa Young

I’ll frame it this way: why wouldn’t a CEO want to know how much a cyber event could cost them? It’s the number one risk on senior leaders’ and boards of directors’ minds. And it’s often presented in a very technical package, wrapped around specific vulnerabilities and technology jargon more suited for IT professionals. Imagine if you could envision the financial impact of your most likely cyber risk scenarios to be better prepared if something does materialize.

Axio

What would that cyber risk conversation look like when you approach a CEO?

Lisa Young

I would ask a hypothetical CEO, “What if I could build estimates to help you understand the impact on your ability to continue to deliver your products and services? Wouldn’t you want to know that?”

Axio

That makes sense, what are people currently doing?

Lisa Young

Many (not all) are doing qualitative reviews in business or operational silos, using different measurement scales, and not making an apples-to-apples comparison of all risk types. They need to start thinking much more holistically and take an integrated approach.

Risk identification is an area of weakness in many organizations. Boards and senior leaders often receive risk reports from the audit committee which are generally comprised of general risk themes or control deficiencies, rather than risks. The board and senior leaders need to ask hard questions to really understand the risk exposure that the enterprise faces.

Cyber events happen. If and when they do, one may be forced to operate in a degraded state for some period of time. There will be business continuity and cleanup costs, potential fines and penalties, and other unforeseen costs. An organization can perform an impact analysis to really understand what certain types of events would cost and plan for the very worst-case scenario. This way, they can know if they are financially prepared for any scenario that may materialize. If a scenario is out of tolerance to their risk appetite, they can apply resources to implement new control initiatives, prepare and practice incident response plans, and purchase insurance.

Axio

Touching on insurance, it’s important to note that Axio360 is the world’s only cyber risk platform that offers an analysis of an enterprise insurance portfolio against specific operational or cyber risk scenarios. Can you touch on how that came to fruition?

Lisa Young

Many organizations today are buying cyber insurance, and I’m putting cyber in quotes. They’re buying a cyber insurance policy, often without doing the financial analysis of the risk exposure to gain a clear understanding of where and how the policies would apply. The value is in the analysis of the entire insurance portfolio, not just stand-alone cyber policies, and whether or not the loss event and the policy coverages are optimized for cost-effective risk reduction.

And I think that’s what separates Axio from any other organization trying to solve cyber risk. We care about the financial, human, and programmatic elements that make up the problem space. It isn’t just technology. If we could solve the cyber risk problem with technology, we would have solved it already.

This concludes part 2 of our Risk Journeys interview with Lisa Young. Stay tuned for Part 3, where we dive into how to simplify the complex issues pertaining to solving cyber risk.