July 31, 2024

00:48:14

Episode 270 Deep Dive: Richard Seiersen | How to Measure and Communicate What Matters in Cybersecurity Risk

KBKAST

Show Notes

In this episode, Richard Seiersen, Chief Risk Technology Officer from Qualys, joins us to talk about the critical topic of third-party risks in business operations. Richard emphasizes the need for risk management professionals to measure and mitigate these risks, as well as understand the necessity of business resilience through risk transfer and capital reserves, particularly in the context of increasing third-party usage. He advocates for a shift in the security industry towards a more business-aligned approach, stressing the need for better measurement practices and the integration of concepts such as understanding the impact of breaches on customer attrition and brand trust.

Richard is focused on cybersecurity risk management – as a modern enterprise practice and leadership skill. His books, speaking, and work support security leaders who need to align security practice with business goals. That alignment is at the heart of cybersecurity risk management.

As the Chief Risk Technology Officer at Qualys, Richard helps customers and the broader security community measure, communicate, and eliminate risk. With over 10 years of experience as a CISO, he has led and supported security strategy, operations, and governance across various industries and orgs, including Twilio, GE, and LendingClub.

He is also a published author and a faculty member at IANS, where he shares his insights and knowledge on security metrics and risk management. His books, “How To Measure Anything In Cybersecurity Risk” and “The Metrics Manifesto: Confronting Security With Data”, provide practical and innovative approaches to quantifying and reducing security risk.


Episode Transcript

[00:00:00] Speaker A: Vulnerability is just not a risk. It doesn't start becoming a risk until it's associated with some plausible loss associated with your value at risk. Again, what the business stands to lose. Just want to be clear. One of the reasons that security operations has such a difficult time is because they're looking at tactical things that are disconnected from value and then going to people, going to engineers, going to your CTO, whatever, and say, hey, you can thank me later. Here's 100,000 vulnerabilities, go fix them. But listen, their job is to go generate value for the business, to release products. So the platform is resilient and you're coming with what you know without any context, without tied to the business is just a distraction. It's no wonder why we don't see the sorts of actions that we would expect.

[00:00:47] Speaker B: This is KBCs as a primary target for ransomware campaigns, security and testing and.

[00:00:54] Speaker A: Performance and scalability, risk and compliance. And we can actually automate, take that data and use it.

[00:01:01] Speaker C: Joining me today is Richard Seiersen, Chief Risk Technology Officer from Qualys. And today we're discussing how to measure and communicate what matters in cybersecurity risk. So Richard, thanks for joining and welcome.

[00:01:12] Speaker A: My pleasure. I'm just glad to be here and really enjoying my time down under.

[00:01:17] Speaker C: Let's start right there. So what do you mean by what does matter in cybersecurity risk? Because I think the reason why I asked that question is, as I mentioned to you before, before we started, close to 300 interviews, and every person that I interview, what they sort of say matters. So what's sort of standing out for you when I ask you that question?

[00:01:37] Speaker A: I think a lot of people, well-intentioned, will have an objective of trying to secure all the things.
So what I mean by that is, for example, if you were to talk to your board, or if your e-team or your risk committee, again, I'm thinking about a security leader here. They would say things like, we don't want to be hacked. We have zero risk tolerance. We want you to be ready and defend us against all possible nation state and other pedestrian sorts of attacks. And while that's well-intentioned, that's not practical. And so what I'm recommending, what Qualys is recommending, and I think other people who I suppose or have similar backgrounds to myself, what we're saying is let's focus on those risks that would prevent the business from achieving their objective. What are those things that would get in the way of a business fulfilling its obligation to its stakeholders, to its shareholders, to its customers? That's what we mean.

[00:02:35] Speaker C: Yeah, you raised a great point on. People want to say, I don't have any risks, but I think with anything in life or businesses, there's always going to be some element of risk. So what do you sort of respond when someone says, oh, well, Richard, I don't want any risk? How do you sort of, how do you approach that?

[00:02:49] Speaker A: Well, you may not want any risk, but if you're in business, you are taking a risk. Right. A successful business, let's talk about what that is. Successful business is exposing more value to more people through more channels at higher velocity. I'll say that again. A successful business is in the business of exposing more value to more people through more channels of higher velocities with the hopes of more revenue and more profits, that you could perhaps call that exposure digital transformation, or actually the cool kids today would call that digital and AI transformation. You're taking a risk, you're exposing value with the hopes that you're going to transact. Right. But when you expose, you're also exposing yourselves to the bad guy.
So by your very nature of successful business, you're really a risk creating machine. So the question then becomes, how can we, in a capitally efficient and operationally efficient manner, protect that exposure so that you can do transactions, so you can make money and not lose your shorts to the bad guy?

[00:03:51] Speaker C: Okay. You raised a couple of things there in terms of, you know, the capital side of it. So I was in a discussion on the weekend, actually a couple of friends of mine post what's happened recently in the news. And apparently I know I didn't see the interview. Apparently someone in Australia got on like, you know, the news or something, was giving this interview around. Yeah, okay, we have to have contingencies, which absolutely makes sense. Like, you know, option A or maybe option B. But apparently this person was going like option C, D and E. And then, you know, my friends who are in this space were like, you know, that's just not practical. Or us companies would literally go broke if we thought about option A all the way to E. Thought through. So do you think sometimes when people are thinking about risk, like, do you think that they over engineer it? Do you think they undercook things? What are your sort of thoughts on that?

[00:04:35] Speaker A: So just, by the way, a little extra background on myself. I've been a serial recovering CISO now for a number of years, but also along the way I've been doing quite a bit of consulting. So I've worked with, gosh, for maybe 500, 600 CISOs, largely across the Fortune 1000. Focusing on risk, focusing on risk quantification, strategy, board presentation, and what I see honestly, by and large in terms of approaches, while they are intending and wanting to focus on business risk, they're typically focusing on securing all the things. There's not really a thought given to, again, where is the business really transacting value? For example, where could there be business disruption?
You think about what happened with CrowdStrike. In fact, I was trying to fly over here from the US and I couldn't get my ticket. I got here last minute. I was able to get my ticket, but the airline, which will not be named, was disrupted. And I could, you know, I wasn't sure if I was going to be able to make it to Australia. So business disruption, where do you have, where could you experience outsized business disruption? What about breach? Are you persisting and transacting on a lot of regulated data, perhaps wire fraud? Right. What about extortion relative to revenue? Right. So again, let's focus on, and even, by the way, espionage, depending on the nature of your business, where do you have what I'd call risk classes or large loss classes? Where do those exist then? Let's think about where there are plausible threats to that. It's not everything. We want to focus on those things that really matter most. Otherwise, you're left to what you just said. If someone's going contingency A, B, C, D through Z, et cetera, or zed, as you might say, they're really, again, thinking about securing all the things and they're not prioritizing based on the business. And that's where my advocacy comes in. Let's focus on what the business stands to lose. Let's think about what the plausible threats are and then let's go ahead and build towards, again, mitigating those risks and/or transferring them away where possible.

[00:06:45] Speaker C: A couple of interesting things there. And you're right. So it's like, you know, from a cybersecurity perspective, in a perfect world, we want zero risk, all this type of thing. But like you said, we're in business. That's the game, right? So do you think sometimes, I mean, I'm a cyber security person by trade and so are you. So it's like, well, you think we've created a rod for our back, right? Because this person giving this interview was a cybersecurity person, but that, you know, what this person was saying just isn't practical.
Companies would go bankrupt. So it's like we cannot think all the way to A, to Z. Right. In terms of contingencies and plans and what are we going to do if this fails? And then that happens. I get it. You need to have some, you know, contingency, but not to the level where it's like, oh, my gosh, we've just blown our entire budget on this because it needs to be thought through. So sometimes it sort of just alludes to me that we've created a little bit of this problem there as well.

[00:07:34] Speaker A: Yes. So the point where I think you're going with this is how do we maximize, really, our return on control? That's kind of how we think about it. And the way, you know, whether you're spending enough, whether you're being capitally and operationally efficient, I, it's again going back to relative to what you stand to lose, both the likelihood and impact. So I want to invest in such a way where I can buy down risk. And again, there will always be some amount of residual risk. And in that case, for that residual risk, then I have to think about, okay, how can I maybe transfer that away? Again, buying controls, investing in security technology, if you're a practitioner, right, people, process, technology, et cetera. It is very expensive. And again, if you overinvest there, you're going to take money away again from that value generation, exposing more value to more people, et cetera. And so the job of the CISO is to look at how they can be capitally efficient relative to what the business stands to lose. And again, it includes really two main moves, buying down risk through investments in people, process, technology, and additionally transferring risk away through insurance.

[00:08:44] Speaker C: Okay, so, Richard, now I've got a question around, whilst you were talking, what was coming in my mind is, in my previous life, you'll appreciate this.
I used to collect pen testing reports, look at all the vulnerabilities, take it to the business with tech risk, you know, business risk, all of that, you know, roll out the five by five risk matrix, et cetera. But the interesting thing was, when getting to these meetings, what was happening, as you would understand this a lot more than me, was tech risk coming up from one angle and then business risk come at it from a completely different angle. So when you're looking at vulnerabilities, it's like, okay, tech risk, what do you rate it versus, I mean, this is going back a decade, right? What would you rate this? And then business risk. Very rarely was there alignment at all. And then it became quite contentious. There was sort of arguments that started to happen because people didn't agree or why would you think that's, you know, that severe, et cetera. So what would be your thoughts on getting some alignment from people at the end of the day trying to protect the business, but coming at it from very different perspectives?

[00:09:46] Speaker A: Well, if you don't mind, I'd like to tell you a real story about how to do that. I think that's kind of better than me maybe just philosophizing. So one of the various CISO gigs, this is a cloud native company, they had just gone public and they needed a global CISO, global experience with public experience, particularly software experience. And when I showed up, one of the questions based on the nature of the business, one of the questions I asked is, well, how much regulated data? And this is a cloud native company. So in the cloud, how much regulated data are they persisting? So in this case, I went to the, first of all, I went to the chief privacy officer who was a peer, I said hey, given the nature of this business and the type of data we're persisting, this is, by the way, this is largely SMS data or phone calls, whatnot.
And, and I said hey, is the data that we're actually retaining for billing purposes, is that personal, personally identifiable information? So PII for the US designation, but globally is it regulated? She said absolutely. Okay, great. So she had identified, you know, she owned that designation. I then went to the CTO or went to the data management folks. I said hey, how much? You can give me a range if you like. How much of this data are we persisting? They said we can tell you, give or take a few billion. It's 2 trillion records. I was like, oh my, okay, wow, now I'm starting to get the McBurts. I then went to the GC and I said hey, I want to review our cyber insurance policy. I reviewed the policy, we had a limit of roughly 20 million. So, and by the way, this is a company that only had 250 million in revenue. So at that point, so I had some data and I was kind of feeling a little nervous. I went to the CFO and GC and said hey, did you know we were persisting 2 trillion records and they've been here for five years? They said actually no, we didn't know that. No to Salvi, probably should, but okay, that's fine. So I then said well, 250 million revenue, 2 trillion. I'm like, I'm a little nervous here, I think our limit's a little light. Do you agree? They said yes. I said okay, well let's meet with our brokers. Hey brokers, why did you give us 20 million in limit? Well, we did a benchmark and given the firmographics revenue, $20 million was the central value, mean value. You guys said, okay. I said, but did anyone tell you we would persist 2 trillion records of PII? And they said no. And they got really excited and we ended up immediately binding more insurance. And I used that to build out my whole budget. But the point here is that I'm starting out by already engaging my stakeholders and I'm getting them involved in the process. And indeed they're owning, in many cases, the assessment, right.
When I come to them with just vague vulnerability counts and things that have absolutely no meaning to the business, there's no wonder we'll get contentious results. So I want to start with where there again, where is the value at risk? And then when I can get agreement with my stakeholders across the aisle with technology, in this case legal and finance, then I can go about starting a budget, and then we can have some context, right? So when we start seeing misconfiguration, right, when we see a lack of control particularly related around this data, we have vulnerabilities. Now we have context that go about talking about how we go about prioritizing, remediation, whatnot. But I just want to say that really the most important thing is how you actually work with your stakeholders, get them involved in the process early. What doesn't work is dumping a laundry list of vulnerabilities in someone's backlog without any business context whatsoever. I think that's failure. Hopefully that made sense.

[00:13:24] Speaker C: Well, it does, because, I mean, when you're running, like, depending on the size of the company, when you're running thousands and thousands of risks that haven't been looked at in gosh knows how long, years, it's hard. And then it's like, okay, to your vernacular, before a laundry list of things, you just got to keep adding on there. I've just seen that people started to get checked out, not really involved as much.

[00:13:44] Speaker A: Vulnerability is not a risk, by the way, for a large, I was pretty GE globally. I have an employee LendingClub. I ran straight operations across the United States for the largest health maintenance organization in that country. And a vulnerability is just not a risk. It doesn't start becoming a risk until it's associated with some plausible loss associated with your value at risk. Again, what the business stands to lose. Just want to be clear.
One of the reasons that security operations has such a difficult time is because they're looking at tactical things that are disconnected from value. And then going to people, going to engineers, going to your CTO, whatever, and say, hey, you can thank me later. Here's 100,000 vulnerabilities. Go fix them. But listen, their job is to go generate value for the business, to release products, make sure the platform is resilient. And you're coming with what, without any context, without tied to the business is just a distraction. It's no wonder why we don't see the sorts of actions that we would expect. I just want to make clear, vulnerability is not a risk.

[00:14:47] Speaker C: Yeah. So this is the part that gets interesting, right? So you're, you know, I've worked in these teams before, it's like, you know, hundreds of thousands of all these things, but you know, some of these things, like, it's okay, we don't need to really worry about it, but depends on who you're talking to. And you mentioned before, an engineer I know, they think they're like, oh, we have to eliminate all these things, which some of these things are just not practical. So it's going to make sense. We don't need to do it. And like obviously, you know, obviously you need to prioritize all these risks, et cetera. But to your point, the context, do you think that's the part that perhaps people aren't connecting the dots on? Because if I just say, hey Richard, here's 100,000 different things, you're going to be like, well, where do we start? What's the context? Would you say that's probably the gap in the market at the moment?

[00:15:24] Speaker A: Well, I'm biased, right? I wrote the book on, co-authored the book on this stuff. I actually think the biggest patch for security is really our concept of risk. Actually I'd say our concept of measurement and risk.
I think it's the fundamental problem that we're investing in a lot of solutions that are generating a lot of telemetry, but we are not contextualizing that in a way that makes, again, sense to the business. Right. So again, do you have vulnerabilities that are associated with, you know, again with something that's persisting regulated data or with a, you know, with a system that, you know, if it were to be disrupted for even an hour, it could have millions of dollars of impact, right? Do those vulnerabilities have anything to do with, again, data exfiltration or business disruption? Are they exposed? Are there threats that are correlated? Do you have inline controls or post based controls that mitigate that? Are you taking all that context into consideration? Again, if you don't have the operational context and the business context, you're just going to be claiming bad things, fix them. I just think it's going to be really hard to compete with value creation. Well, I mean, your CFO, for example, I'm going to tell you, most CFOs, the money they give the security is out of a vague sense of moral obligation. I'll say it again, most CFOs, when they're signing off on a budget for security, I'd say even CEOs, typically, I mean, they'll sing a good song, right? They'll say, oh, security is the most important thing. Typically, though, they don't understand it. It's not their fault. It's our fault, because we are not bringing in the business context. We're not showing operationally how vulnerability, how threats, how it relates to some plausibly material loss for the business. Right. And actually, I'd argue you look at any, the SEC, Securities and Exchange Commission, you look at the, gosh, even what's emerging in DORA, even regulations here, I think this is what the regulators are saying. Look, do you have a cybersecurity risk management program for critical infrastructure? Do you have a program that's focused on those sorts of losses that would be material?
That means you have to understand the infrastructure, you have to understand the business so that you can then correlate, again, threats and vulnerabilities to that business and then be able to prioritize and take actions. Because back to your point, you don't have this checkbook where you can just write endless, you know, endless checks and whatnot to all these vendors, whatnot. You have to pick and choose and have to focus on those things. So I'm kind of going along here. Hopefully some of that makes sense.

[00:18:09] Speaker C: Okay, so there's a couple of things that you said, which was interesting. So contextualizing, I agree. I was a reporting analyst before, and that was my whole job, basically looking at facts and figures, telemetry, and saying, like, why should people care about this? Right? But then you said, you know, people don't have a concept of measurement and risk. So what do you mean by that? Talk to me a little bit more about that.

[00:18:29] Speaker A: So the concept of measurement. So when you're measuring something, you're trying to measure risk. Right. If you're taking in telemetry, oftentimes we, in security particular, will confuse telemetry with actual measurement. So there's kind of two things that we need to do in period that are, that I consider to be table stakes. This is beyond just the telemetry. So, for example, from an asset perspective, when I say asset, I'm being very open ended, like a business unit can be an asset. In fact, a whole business can be an asset. Or you could be talking about a server. But typically I'm talking it's something a little larger, at least a crown jewel, if not a business. So I need to understand value and exposure. Does it have some sort of business value and is it exposed? So I bring in telemetry, I measure it to determine is there value and exposure that's on the asset, and then on the threat side, I need to understand intent and capability. Telemetry in to understand intent and capability.
So if I understand intent, capability, value, and exposure, for a security professional, that's now table stakes. Now I know whether or not I have something at risk. And now my job is to measure whether or not I'm eliminating risk in a capitally and operationally efficient manner. So it's from telemetry to measurement in terms of value and exposure. From an asset perspective, then intent and capability. And from asset exposure, I mean, I'm talking about understanding your vulnerabilities, state of identity. Right. Again, business value, are you persisting regulated data? What does it mean in terms of business disruption, blah, blah, blah, and bringing those things together. Now I'm in a place to start investing in controls and then measuring whether or not I'm capitally and operationally efficient in reducing that risk, buying it down and/or transferring it away. That is the business of security right there. Right. And so it is a measurement game. It is a data game, the business game. Listen, the language of business is counting things up. The business of science is counting things up. And the business of security is counting things up as well. There's no difference.

[00:20:40] Speaker C: So I want to know why, historically, cybersecurity people or risk managers or, you know, anyone in that space, why haven't we, as an industry, done a good job at contextualizing what this means for people in a way that makes sense? And I know it's like a broader conversation, but I'm curious to hear, from your perspective, with your experience.

[00:20:59] Speaker A: Well, I think it's still a nascent field. It's still relatively nascent. Right. But the first CISO emerged maybe 25 years ago, maybe now you're starting to see college degrees and whatnot. You're getting an undergraduate and graduate degrees in cybersecurity, which whole nother conversation. But I think it's a function of it being early, not a lot of principled scholarship involved yet. I think that's starting to change.
So the, the practice of what cybersecurity is, there's just not a lot of grounded principles. So when I say principles, for example, if someone's, I guess I will talk about school, I feel sorry for people who are going and getting their undergraduate or graduate degree in cybersecurity. I mean, the skills you learn are immediately potentially irrelevant because it's such a dynamic environment, where if you're studying a true engineering or STEM discipline, you have a lot of principled practices, be it from mathematics and otherwise, that will apply for the whole of your career. And by the way, when I say secure, I'm putting encryption aside. Like that whole field, that's definitely very established, a little different, but I just think there's a, so you have people who, you know, they were, maybe they're IT folks. This is going back years, or maybe they were, you know, they were network engineers. What? And, you know, someone looked at them and said, oh, you know, you have a beard and some tattoos and you have some metal in your face. Hey, you're probably a security person. Good. Now you're the CISO. But you don't, you don't have a, you know, a disciplined set of practices that, you know, for managing this kind of risk. And I think that has a lot to do with it. It's a new field. We, we haven't established what the curriculum is, it's not principled. And I think, you know, maybe it's a function of newness, or maybe it's, again, a function of, maybe it's a function of lack of education, but that creates a real insular sort of discipline. When I say insular, you know, you'll hear this from security folks. Oh, there's nothing else like security. Like, you know, we have chaotic actors and dynamic systems, and no one else has that. I'm like, what on earth are you? I mean, this body is a dynamic, adversarial system, and just from a biological perspective, look at warfare.
I mean, we need to look outside of ourselves to other people who are confronting some amount of irreducible uncertainty, where the stakes are high. And even if you don't have all the information, you still need to make a bet. And there's just innumerable fields out there that we need to be looking at, and we need to be adopting their practices as appropriate and bringing them into security. That's, by the way, that's innovation, and we just haven't done that. I mean, security, in many ways is, I don't know, it's like this. We're like a tribe in the Amazon that's somehow avoided the gaze of modernity for a couple of decades now. That has to change. Stakes are too high. Right. And so again, I just think we need to really up level the practice and really adopt the practice of measurement from natural sciences. I mean, gosh, there's just so many interesting fields, evolutionary biology. Like, there's just, again, where you have small, messy data. You like to think our problem's a big data problem. I actually think it's a small data problem. We just, we need to humble ourselves and start reading broadly, educating ourselves and bringing more business analytical discipline to our field and to our management practices.

[00:24:18] Speaker C: So do you think that, you know, over time is going to get better? Because, I mean, like some of the stuff that you're saying when I was doing, you know, the reporting function was like, I don't know, ten years ago and change, these problems that you're raising now, they were problems back then. So I'm like, well, has the, you know, I guess the needle conceptually is changing and, you know, it's getting better, but hasn't got that much better. And this is a decade on now. So like, is this going to accelerate from your hypothesis or do you think it's still going to take a fair bit of time to get to that euphoric sort of state?

[00:24:49] Speaker A: Well, I don't know if it's a euphoric state. I think the work is still hard.
I think it might get better. So good news, right? So the book I co-authored, it's, you know, it's graduate school curriculum, Harvard, Brown, Berkeley, MIT, blah, blah, blah, the main curriculum for the Department of Defense CISO program here in the United States. You know, the only security book that's been required reading by the Society of Actuaries exam. So tens of thousands of people have purchased it. So I'd like to think that other people like you, not just you and me, but thousands and thousands of other professionals. They're seeing that there's a problem. There needs to be a change. In fact, I'm here in Australia, I'm on a tour. I'm doing two workshops a day plus things like this. And I'm having CISOs from your largest companies showing up to get trained. So those folks are seeing it. So I like to think that other folks are going to be, I like to think ten years from now we're going to see better measurement practices. We're going to see a whole cadre of professionals who, in terms of the art and science of cybersecurity risk management, are fully trained, quantitatively savvy and business savvy and taken seriously. Again, there's a lot of language we take really, seriously? Well, what I mean is where the CFO and the CISO and the GC, chief risk officer, they're all speaking the language of Ruth and, you know, quantitatively and qualitatively. And I think, I like to think we're gonna see that change. I'm trying to, I'm trying to make that change, and I think, I think it's happening. It's just a little slow, I'll admit.

[00:26:23] Speaker C: So what I meant before by euphoric state is more a better state than currently what's happening. So how would you sort of measure, then? I mean, okay, just say in a year's time, you come back on the show, and I'm like, so, hey, Richard, have things improved since the last time we chatted? How would you sort of measure that?
Like, was there any sort of markers or indicators that would sort of say, hey, we're definitely moving in the right direction?

[00:26:44] Speaker A: Well, that's a great question. It's the question I would ask, and let me ask this to both of us, what would I see occurring empirically, mathematically, unambiguously? It would let me know that the culture of security is improving from a measurement perspective. Right. Quantitatively, I'm presupposing. I'm saying that, in part, that's a problem. Well, I would see from a board perspective, that it would be accepted and expected practice to talk about impact as dollars. Exclusively. Exclusively. Impact is dollars, by the way. That's how business runs. That's how you don't go to CFO and saying, go to CFO. What kind of budget you want? I'd like a high budget, please. Or how about your paycheck? I'd like that to be medium high. Red. No, that's not the language of business. So we would be speaking the language of business. Impact would be exclusively understood monetarily. And when we say the word likelihood, that would be a true likelihood. It would be a probability. It wouldn't be some term like likely high, medium, or low. So again, we'd be using the language, by the way, people say, well, you can't do that. Security is too uncertain. Again, this goes to the confusion of measurement. We measure when we are uncertain and the stakes are high. We measure when we don't have all the information. But we need to make a bet. That's, by the way, that's called science. That's how we measure. That's how we do things. We hold to accuracy over precision when we still need to make a bet and we have a lot of uncertainty. And in fact, we might have so much uncertainty and we may be lacking in telemetry, we need to rely wholly on our expertise. We don't just throw our hands up and say, I give up fighting. No, no.
So I would expect, if I, in a year's time, if I start seeing more and more boards that would reject wholly, like, the heat map, it would reject it. And by the way, I think that might be happening if you look at the National Association of Corporate Directors, their 2023 cyber handbook. So NACD is the, you know, if you're a board member in the United States, you're part of the NACD. You're reading the material. So their handbook, the latest one, 2023, it was an ode to cybersecurity risk management, quantitative. My book was one of the main references for that. In fact, I was shipped out then to the UK. I did a keynote at Lloyd's of London. This is the IoD. The IoD is the sister organization of the NACD, to talk about quantification. I would love to see board members that would just hands down reject the heat map, get it out of here. Where there's business risk, we're talking about protecting the business. We're going to talk about impact in dollars. And why wouldn't we? We're going to talk about likelihood as a probability. That's what I'd want to see. There you go. I'm not going to, we're not going to see that in a year, but I think we'll start seeing that more and more. We have to. I don't know how we can continue making it up.

[00:29:41] Speaker C: Okay. You said something that's really interesting and I've spoken about, and I've asked people like yourself on the show before, so maybe you can shed a bit more light on this. So you said impact as dollars. So I want to give you an example and then talk me through your thinking. So in recent times, let's go with, there was a, you know, healthcare provider that got breached, for example. The part that was interesting is, yes, that happened in that time and they lost people. But the part that was really interesting to me was, what about the long tail impacts of how to get that trust back? Because this company got breached. Like, is it going to take 20 years to potentially build back the customer base?
How do you measure that? Like, I know you probably need some really smart, like, actuarialist or someone to sort of measure that, but do you have any insight then on that? Because something that, over my experience of running this show of almost 300 episodes, I've asked people that question, like, look, it's really hard, KB. So, I mean, do you have any thoughts on that around the long tail impact of, you know, a breach or anything like that?

[00:30:39] Speaker A: I have a lot of thoughts. So prior to this current gig, I was a chief risk officer for Velitti and mid markethenne cyber insurance companies. So building models and whatnot. Right? So they insured companies between 100 million and 10 billion in revenue. Upside room, it was. We wrote 20, 20 million. So I have a bit of background. But your question is, you're really talking about, like, brand and brand impact, right? To trust, but brand impact. But the question you need to ask yourselves is, what is possible to brand impact? And more importantly, what would I see occurring mathematically and unambiguously, empirically, that would let me know that we've experienced brand impact? So, for example, like the Caesars and MGM breach. By the way, Caesars paid right away and didn't experience the same sorts of losses that MGM had. But people said, yeah, but the big losses were brand. Because did you see what happened in the stock market? Yes. And it was not outside of normal variance at that time. And they recovered fully from their stock. And by the way, people are still showing up and pulling on the one-armed bandit at both those places. There is no perceptible brand impact. Well, it probably was for MGM. They had, they were down, what, 14 days or ten days. They lost 100 million deterministically due to business disruption. But the question is, again, when we say so, we use intangible terms. Listen, intangibles make the world go around: love, hate, trust.
And again, when someone says brand impact, you want to ask, okay, first of all, what would I see occurring empirically, mathematically and unambiguously that would let me know we had brand impact? And if someone can't articulate that, then you might have what we call in decision science a useless decomposition.

[00:32:20] Speaker C: Right. But that's the part that, when I'm asking people, I feel like people just can't. And maybe you've articulated it probably the best, but I've just, I've asked people all over the world and it's hard for them to maybe explain that. And the part that I'm more interested in, okay, go back to your Caesars example. So it's like, okay, are they still going to have the residual impact in terms of dollars 5, 10 years later? Or when does that sort of impact of all that, that event happened, I'm not using those guys, again, when does that sort of stop? Or how does that impact start to be, you know, not, you know, it doesn't become an impact, you know, over the years, for example.

[00:32:56] Speaker A: Well, you're, you're presupposing that that's occurring. I'm saying in that case it didn't. It can happen. It did in that case. But by the way, in, like, in cyber insurance or any sort of insurance, you know, claims do have a long tail. Class action lawsuits and other sorts of legal things can go on for years, years and years and years. Those costs may have nothing to do with what you might call brand impact that you can have. Again, you can have long tails on these things. So I wanted to make a distinction here. Again, your focus is on some sort of, you call it customer, you know, lack of trust. Let's talk about that. You're saying that there's a reduction in sales, there's a reduction in the value of the stock or something, and the question then is, okay, if that's happened, let's presuppose that. And by the way, there's no confounding factors.
We've determined that the causal factor was because there was a business disruption, there was a data breach, or there was some other, whatever the phenomenon was, there were some losses. And again, we can deterministically show that a portion of the long-term tail of losses is directly attributed to customers going to another brand. Right. So we've decided that. So your question actually is, can we forecast if and when that would change? Sure. That's just doing business. Businesses are in the business of forecasting sales and other things, and I would just go, all right, well, how do we go? How, I mean, that's what business does. I'm in a business that, by the way, is publicly traded. We're making forecasts about sales. The time you have to be good and relatively conservative. So you're back to just doing business. We've lost market share for some reason. And how do we recapture more TAM, what do we need to do? And so you're back to forecasting. But you are making a forecast, again, about some plausible future state of business. There is some amount of uncertainty, but you still have to make sure, you're still going to make forecasts. So that's my point. But again, I really want to untangle this idea of brand impact. People say it all the time. That's the biggest thing they're concerned with. And we have, again, this is going back to just principled security. You have to ask people, what the heck are you talking about? Again, a problem well defined is a problem half solved. That's Kettering. So, to say again, what would I see occurring specifically, mathematically and unambiguously that would let me know that we had brand impact? Okay, great. Once we know that, then we can start talking about what's causal to that. And once you understand what's causal to that, then we can start talking about what we need to do then to mitigate that or mediate that and move on. I don't think this language that I'm using is taught enough to security folks.
And it's day one sort of thinking that should be in school, undergraduate, grad school curriculum. I really think this is where we, we as professionals, need to be heading.

[00:35:43] Speaker C: Well, you're right, and I think that this is the gap. So like, as I mentioned before, like when I was a reporting analyst, like the stuff you're talking about, we weren't doing this type of stuff. So you make a great point. Like sales forecasts. Absolutely. People do that. I haven't seen people doing enough of what you're talking about at all. And in a way that contextualizes, well, what does this mean? And oh, if we do, if we get, like, I worked in a bank, the data breach, what does that mean? Was it attributed to, oh well, now like 50,000 people cut their mortgage loan because they don't trust us anymore. Whatever the reasoning is, due to this forecast that we have, I haven't seen enough of that.

[00:36:15] Speaker A: Yeah, so your question, you correct me if I'm wrong, by the way, but the question is, all right, we can attribute the customer attrition to this breach. We've done our work. We know that happened, and it was customer churn. It was significantly outside of normal variance and it started right there with that bad thing. And the question then is, okay, what do we need to do to get those customers back and on call? That's doing business. That is doing, that is not just the CISO, that's really the CEO and others. You call it getting back trust. Well, you're going to have to start making some bets about how, maybe it's, again, I want to stay in my swim lane, but it's making offers that would, I don't know if it's cutting costs and making it, I don't know what it might be, but there's going to have to be something they're going to do to get business back. That's just the cost of doing business we don't see yet. It happens. But Equifax would be an example.
But by and large, Target, actually the first edition of our book, and I think it's in the second edition as well, we talk about the Target breach. People are saying, oh, brand impact. So if you look at their stock price at that time, there was a dip there, but that, again, it was not outside of normal variance from a time series perspective. It was fully within variance. So, meaning you couldn't, in a grounded manner, attribute any churn to the breach. In fact, really, no customer trust broken. There's nothing there. It happens, but I think it's rarer than people think.

[00:37:52] Speaker C: And that's going back to the Target breach. I think it was, what, 2013 or something like that. So, like, more than a decade ago.

[00:37:59] Speaker A: Yeah.

[00:38:00] Speaker C: The thing that I'm curious about is, like, do you think now someone would be like, well, Richard, I'm not shopping at Target because they got breached, like, a decade plus ago. Like, that's the part. Like, are people still saying that? Or. And you made a great point. You know, it dipped in the, in the stock. And we've seen that happen over, you know, recent breaches happening in Australia, even recently, but then it recovers.

[00:38:17] Speaker A: I don't think anybody, I don't think anybody said that. I don't think anybody did that. I don't think it had an impact at all on customer sentiment. There's no evidence. There's no empirical, mathematically unambiguous evidence that that ever occurred at all. I don't think, I don't think they gave a shite. I've been saying it can happen, but. So my, my advocacy here is really, again, I love this quote. I'll just keep using it, beat a dead horse. A problem well defined is a problem half solved. Let's be really super clear about what we're talking about and super clear about what the evidence is of that thing. Right. And we have to, you know, we have to decompose our intangibles to tangibles. Right. So this, I mean, that's key for risk management.
Well, you know, security's full of a lot of drama, and we need to, you know, I'm, I'm like the anti-drama guy. Let's, let's get down to what we're, let's engineer this and talk. What are we really talking about? Where's the accountable stuff?

[00:39:09] Speaker C: Well, absolutely. And that goes to your point around the drama. That's right. And this is the part that I, you know, I'm trying to, you know, have this discussion, which is important because, you know, even some of the breaches here in Australia, I'm still a customer of these companies. So, you know, like, did it annoy me? Yes, it did annoy me, but it's like, oh, well, you know, I've been using these people for a while, so it just makes sense to stay. Right. But going back to the Target example, like, I don't think anyone's sort of, sort of saying online or anywhere like, oh, well, I'm not going there anymore because of the breach. That was ages ago. So I'm feeling even more so now, and maybe you would understand more about this than me, it's getting to the point where I feel like people are becoming super desensitized. I was like, oh, well, another breach. Like, who cares? I've even heard people saying on forums and social media that I look through, oh, well, my information is already out there anyway. So what do you think's going to happen?

[00:39:57] Speaker A: Well, I've got an example that we could think of, that let's see what happens. Time will tell. But CrowdStrike, what about them? They've gotten hammered in the stock market. I'm curious to see what's, I want to keep observing it, but I think there's an example. My suspicion is that they're going to have a long tail impact from this breach. That's an epiphany of the obvious, I suppose. What about LastPass? What about them? By the way, I haven't gone and done the analysis in terms of how much customer return they've had, but I think there are examples there and we should look at that. I think that's potentially interesting as well.
And that goes to your use case. Let's presuppose that there's going to be a case with CrowdStrike, billions of dollars of impact. How long does that tail, and to your point, again, what do they need to do to win back the market's trust? Again, we need to observe that. We need to see this play out a little bit more. But again, I don't want to say what you're saying is not valid. I think it is valid, but we just need to be super clear about when it's actually occurring and how long the tail is and how much it matters. We might find that the CrowdStrike thing, six months from now, they're back on top again. I think, I have a feeling that one's going to be, that one's a little, it was so far reaching. We'll see what happens. I think there's some, there'll probably be some regulatory impact from that and legislation. Who knows? I don't know. We'll keep observing.

[00:41:22] Speaker C: Well, I was going to ask, how long do you think that long tail is going to last for?

[00:41:27] Speaker A: I don't know. I don't know. I don't have a crystal ball on that.

[00:41:30] Speaker C: But if you had to guess though, with your background, like, what do you think? Do you think it could be years, or do you think like, oh, twelve months? Like, you know, I know it's not like fact, it's just more so giving an indicator with, with all the work you're doing.

[00:41:40] Speaker A: So from a claims experience in my previous place, after I just started, one of the things that was happening is we were seeing claims for business disruption caused by outages of SaaS third parties. In fact, we were seeing like an exponential increase in claims that was surprising to the underwriters. They're like, oh my gosh, we didn't account for that in our models. Obviously they changed that. By the way, my previous resilience loss ratios are the lowest in the industry. They're great at this. But it was early on that was kind of surprising.
So the question I have for folks who are doing third party risk management, big, huge topic I get asked about all the time. When you start looking at the third parties that you are using, I think it is your job to start thinking about, okay, when you're thinking about taking on a new third party, one of the questions you need to ask yourself is, okay, could we become dependent on this customer or, excuse me, this third party, where, if it stopped operating, it could cause business disruption for us? I mean, these are some of the things that we need to start thinking about, and we do need to start measuring and looking at, okay, what might that impact be? Again, we have to do that in such a way that's appropriately conservative, thoughtful and not irrational. Right. Because the reality is your business, again, is in the business of business. They're going to want to adopt a lot of third parties, like the whole AI thing, seeing that as well. People are going to be like, look, we're going to digitally AI transform, we're going to adopt these services, but you as a risk management professional, your job is to start understanding, okay, cumulatively, are we getting ourselves in a situation where we could have business disruption? And oftentimes the question then is, all right, if there's not anything we can do to truly mitigate those losses, then we're starting to talk about transfer, risk transfer. Are we in a situation where we are going to significantly, I think more and more CISOs need to think about this from a third party risk management perspective, and are we getting into a situation where I need to increase my limits, or are we in a situation where my capital, going beyond my limits, my capital reserves, am I in a position, a cash position and a mitigation position where, given our expansive use of third parties, what parties? Not a third party.
But am I in a position where I've helped my business be resilient to plausible future loss, where I might have a third party outage or something similar to CrowdStrike, where maybe I have all these agents deployed, something bad's happened, who knows what. But am I in a position where, if I had even concurrent losses like this, from both my risk transfer and even my capital reserves, am I in a place where I can hopefully be resilient and continue to meet my obligations to my stakeholders and my shareholders, my customers? So I think I'm just flipping the conversation. This is the type of thinking that I think we as the defenders, as increasingly the modern cybersecurity risk management experts, we need to be thinking about. And by the way, I'll just say this: fortunate position where I'm regularly, this week alone I've been in front of a good 50 or so CISOs, I do this all the time. And I'm asking this question. How many of you are now involved in cyber insurance, not just doing those nasty spreadsheets you get from brokers that are coming through from the underwriters, but where you are actually the one who's defining the limits, where you're the one who's going to go out and get the contract, meaning given your residual risk, given what you've spent on controls, where you're the one who's expected to go and determine what type of limits you need to protect the business. Right. But I just think that's where, when it comes to understanding what does CrowdStrike mean, whatever third party, I think where the rubber meets the road is where we as defenders need to start looking at our third party risks and starting to understand that, listen, there's just stuff that we're going to have to do because of doing business. You're going to need EDR, you're going to continue to, you're going to, listen, you need inline and host-based protection, so you just have to do it, regulatory perspective, but just from a business perspective. And so then we need to start understanding.
Okay, well, it might be, quote unquote, Black Swan, I don't really like that term, but really low likelihood with potentially high impact. All right, assuming that that could happen, have I put myself in a position from a resilience perspective, and I'm using resilience in the bigger term here, business terms, from both, again, a transfer, and both risk transfer to your insurance, but risk transfer to your capital reserves. Am I in a position to continue to deliver business value to my stakeholders, to my shareholders? And this is where I want to see CISOs going. I'm seeing some indication of that.

[00:46:30] Speaker C: Richard, really appreciate your time. Just quickly, do you have any closing comments or final thoughts you'd like to leave our audience with today?

[00:46:35] Speaker A: I think I might love Australia. I really enjoyed the small amount of time I've had here. I'm in Melbourne, about to head to, I'm going to Sydney and Brisbane. I'll just share with you that the appetite for learning, your security leaders are coming out for this content, and they're really coming out. They're really engaged. I think actually, I've done this a lot in the UK, I think they might be second to you guys in terms of, like, really wanting to engage in deep intellectual conversations about risk. Yes, my country is coming out as well, but I don't see, I don't know, there's something in the water here with the Aussies. You guys are engaged. So I'm really hopeful. Based on what I'm seeing here, I'd say keep up the, keep up the good work. I've loved the conversations I've had and I'm just so glad to be here and thankful that I've had the chance to talk to you.

[00:47:31] Speaker B: This is KBcast, the voice of cyber.

[00:47:35] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:47:43] Speaker B: This episode is brought to you by Mercset, your smarter route to security.
Talented Mercsecs Executive Search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.
