In our final episode of Risk Journeys with Axio’s CEO, Scott Kannry, we discuss what it takes to bring the power of risk assessment to proactive decision-making.
Mastering Current State for Future Betterment
Many of us in the technology world have done our fair share of roadmap building, one of the critical elements of project management. Cyber is a different animal though. How can one properly define a current state of risk? It often seems that, with the amorphous environment, it’s rather hard to have a starting point.
The current state of a cybersecurity program is more than just a technology inventory or gap analysis. It really ought to be defined quantitatively as far as spending an appropriate amount to maintain the requisite technical maturity that is needed to protect against risk that an organization would otherwise face. An interesting question to ask is, “If I did nothing or did less than what I’m doing now (from a controls and a capability standpoint), what do I stand to lose?”
For example, not all risk scenarios are created equally. Why should one spend $1 million to only marginally decrease the probability that they would get hit with a $10 million event when concurrently one could spend the same $1 million to more greatly reduce the risk of a $50 million event? In essence it’s having complete visibility of your current state in regard to spending capabilities. Because at the end of the day, breaches will happen, but some will cause a lot more damage than others.
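As an added illustration of the comparison in the answer above (this is not code from the post, from Scott Kannry, or from Axio360), the following Python ranks candidate spends by how much annualized expected loss each one removes per dollar, and also produces the "if I did nothing, what do I stand to lose" figure. The formula is a standard annualized loss expectancy (ALE) and return-on-security-investment calculation, not Axio's own model, and every scenario number is constructed to mirror the $10 million / $50 million example.

```python
# Added example, not part of the Risk Journeys post or the Axio360 product.
# Compares control investments by expected loss avoided per dollar using the
# standard annualized-loss-expectancy (ALE) approach. All figures constructed.

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float                 # annual spend on the control, in dollars
    loss_if_it_happens: float   # single-event loss magnitude, in dollars
    p_before: float             # annual probability of the event with no new control
    p_after: float              # annual probability once the control is in place

    def ale_before(self) -> float:
        return self.p_before * self.loss_if_it_happens

    def ale_after(self) -> float:
        return self.p_after * self.loss_if_it_happens

    def loss_avoided(self) -> float:
        # expected annual loss removed by the spend
        return self.ale_before() - self.ale_after()

    def rosi(self) -> float:
        # return on security investment: net expected benefit per dollar spent
        return (self.loss_avoided() - self.cost) / self.cost


def rank_investments(options: Iterable[Investment]) -> List[Investment]:
    """Order options by return on security investment, best first.

    Options whose avoided loss does not even cover their cost stay in the
    list but carry a negative ROSI, which is the signal that the money is
    better spent elsewhere."""
    checked = []
    for o in options:
        if o.cost <= 0:
            raise ValueError(f"{o.name}: cost must be positive")
        if not (0.0 <= o.p_after <= o.p_before <= 1.0):
            raise ValueError(f"{o.name}: need 0 <= p_after <= p_before <= 1")
        checked.append(o)
    return sorted(checked, key=lambda o: o.rosi(), reverse=True)


def do_nothing_exposure(options: Iterable[Investment]) -> float:
    """Total expected annual loss if none of the proposed controls is bought:
    the 'if I did nothing, what do I stand to lose' figure."""
    return sum(o.ale_before() for o in options)


# Constructed scenarios mirroring the interview: the same $1M spend either
# trims a $10M event a little or cuts a $50M event substantially.
CONSTRUCTED = [
    Investment("marginal cut on $10M event", 1_000_000, 10_000_000, 0.20, 0.15),
    Investment("large cut on $50M event", 1_000_000, 50_000_000, 0.10, 0.04),
]


if __name__ == "__main__":
    print(f"Do-nothing exposure: ${do_nothing_exposure(CONSTRUCTED):,.0f}/yr")
    for o in rank_investments(CONSTRUCTED):
        print(f"{o.name:30s} avoided ${o.loss_avoided():>12,.0f}/yr  ROSI {o.rosi():+.2f}")
```

Run as a script it lists the $50M-event control first with a positive return, while the $10M-event spend shows a negative return: the same million dollars buys far less risk reduction there, which is the point the answer makes.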
How come security professionals don’t always think of current state this way?
Security people just don’t speak in this financial language. For the tech folks, it’s going to take them a while to come around. But if you’ve got a CFO driving the CISO’s budget you need to know the decision has more meaning if it comes from an ROI standpoint.
The technical professionals often consider the current state of their cybersecurity program relative to what it ought to be. This is a dangerous black hole that sheds absolutely no light on the financial impact of consequences. They may say they benchmark themselves against their three closest peers and come to the conclusion that they are in the 80th percentile relative to what they are. And they may unwittingly lean too much on that one data point for support.
Framing the solution to a cyber problem in business rather than technological benchmarks can change the cyber calculus entirely and we’ve seen it when our Axio360 users take full advantage of our assessment and quantification modules.
And finally to switch gears completely, what’s your most rewarding part of the job?
My risk journey is one that is filled with new characters, scenarios and an ongoing adventure bringing shape to the unknown. As we continue to grow in these unprecedented times, I get to directly witness how the cyber conversation is shifting and I’m proud to be part of facilitating not only a stronger risk vocabulary but risk empowerment with the tools we are building. Put more simplistically, when Dave and I set out on this journey we had a goal of solving a really challenging problem that had no defined path or expertise that could build a solution in a week. We’re a few years in now, with more to go, and I think we’re doing a really good job at solving that challenge.
Thank you for reading Risk Journeys. Speaking of Dave, next week we will be featuring Axio’s President and co-founder David White!