Risk Journeys is our new interview series showcasing the minds behind Axio and their perspectives on risk in the cybersecurity world. As the C-Suite strategizes how to make the most of their cybersecurity investment, our team shares how understanding the corporate risk journey can create measurable value and lead to tangible action.
We inaugurate the weekly series by interviewing Axio’s CEO, Scott Kannry.
Risk management views have changed from medieval to measurable
How about we break the ice by asking about your experiences in the cybersecurity world before Dave and you started Axio?
We know you led a successful cybersecurity practice at one of the world’s largest insurance companies. This was in the days before exploding data and hyper connectivity. What was that like?
In the late nineties to the early aughts, the notion of digital transformation was a luxury rather than a necessity. Communicating cyber risk to the C-Suite in a meaningful way wasn’t a top priority. And preventing cyber-attacks was treated with a medieval attitude.
Back then, success was measured and rewarded through a very simple yardstick: the best built fort wins. In essence, whoever had the biggest and baddest system of protection won the battle against the cybercriminals, fraudsters, and others with malicious intent. And no news was considered good news.
Things have changed so rapidly these past few years. And the state of cybersecurity has shifted. It seems that even before this global pandemic, threats have started to morph into unpredictable shapes and sizes. What are you seeing at Axio currently?
Axio is now witnessing a global transition in how organizations are thinking about cybersecurity investment. Many of the leading industry analysts we talk to tend to agree. For instance, recent Gartner research has highlighted how cybersecurity should be reframed as a business problem rather than simply a technological one.
Cyber Risk Management is all about context.
It’s interesting to see how we’ve grown since 2013, from a group of some of the world’s leading experts on cyber risk management (some of whom built the risk frameworks critical infrastructure organizations depend on) to a fully integrated risk management and planning experience, Axio360.
It must be exciting to see how Axio is perfectly positioned to really help and support this shift in risk attitude.
Yes, there is a shift in risk attitude. And long before cybersecurity leaders can build a fort, they must look at many other considerations such as resources, location, and the likelihood of events that may not always be under their technological control.
In the simplest sense, a fort can be classified as nothing more than a binary mechanism to separate attacker and defender. You need to do a lot more to ensure long-term security of your environment than just build a wall, regardless of its complexity.
The fort analogy makes a lot of sense. These days, it seems we are battling an amorphous and highly educated enemy. It has advantages on many fronts: technology, information, economics, and education. Simply protecting against threats seems to be an exercise in futility that no longer results in obtaining a confidently quantifiable security outlook.
You often emphasize the word "context" in your conversations with clients. How come?
Context is exactly what’s missing from the cyber question. It’s truly the overarching theme of the conversations I have with many executive leaders in the critical infrastructure space. One of the biggest challenges businesses face from a C-suite and board of directors level is to ask the question: What does cyber risk mean to us as a business?
We end on this important question of context.
Tune in tomorrow for the next episode, as Scott shares some cyber risk stories and dives deeper into the issue of context, such as a $20 billion event that slipped the insurance radar of a petrochemical refinery and a potential blood testing crisis that was averted with some good thinking.
Thanks for reading Risk Journeys! Every week we highlight a different Axio team member, sharing their story and viewpoints on cyber risk.