
Cyber Risk Economics

Mike Krass • Thursday, January 4, 2024 • 20 minutes to listen


Transcript

Opening

Mike Krass

Hello, everybody, and welcome to What's the Problem, the podcast where we dive into the most pressing issues facing cyber or data security leaders in today's world. In each episode, we're joined by expert guests who share their insights and their experiences on the challenges and other issues that they're seeing in the world of cyber and data security. So whether you're a seasoned veteran or a new leader to the field, this podcast provides valuable information and strategies to get your organization moving to the next level. Join us as we explore the evolving landscape of security and discover new ways to tackle these issues that are facing us. This is What's the Problem. I am your host, Mike Krass. Let's get started. Today we are joined by Jen Moll. Jen, say hello to our listeners.

Jen Moll

Thanks so much for having me, Mike. Hey, listeners, hope you're having a good day.

Conversation

Mike Krass

And, Jen, let's get started here. Why are you qualified to discuss security?

Jen Moll

Well, I have a non-traditional cyber background. It's no secret. I have been at Axio for about a year and a half now. Axio Global is a company that aspires to be a cyber risk decisioning platform, and I am joined there by some really phenomenal product innovators and cybersecurity practitioners. Before that I was at PricewaterhouseCoopers in the US and in the UK, where I was able to learn from some really gifted cyber practitioners, and incident response, pentesting, identity, controls. And I was really fortunate to be able to learn from so many great people across the industry, and across some really fantastic clients who were always willing to share.

Mike Krass

Now, you just mentioned something that uses the words "cyber risk." So in the world of cyber risk, there's some discussion going on about the difference that a single word makes. What words are we talking about? And what difference do you see it making?

Jen Moll

Yeah, there's a lot of confusion right now around the term "cyber risk quantification." The term has been out there for quite a few years now. And frankly, I think people have had a lot of questions about it. There are a few different approaches. And I think where we've evolved to in the cyber industry is all around transparency and defensibility. And when you hear a term like cyber risk quantification, you're not really sure what you're going to get and what you're signing up to. And I think that's really why people are starting to move to this concept of cyber risk economics. Cyber risk economics, I think, conveys more of that real-world, real-time focus that we need to align cybersecurity to the business value. For a number of years, Mike, we've been talking about resilience being the key in cybersecurity. Without the idea of value, and bringing value across the cyber functions, it's really hard to see how we can be resilient. What is it that we're protecting?

Mike Krass

Now, let's come back to this word before I move to my next question. Quantification versus economics. So quantification: what do people think about that one word today? Like, if we could do a verbal word cloud, right? You remember word clouds, you know, all those years ago? Like, what are the thoughts that come to mind with the word quantification? Just to kind of cue our listeners in a little bit more?

Jen Moll

Yeah, firstly, I think cyber risk quantification is intimidating for a lot of cybersecurity practitioners. We, as a group, are comfortable with technical information work; we're comfortable with assessments; we're not necessarily comfortable putting dollars to those risks. And so I think the first thing that you get when you talk about cyber risk quantification is a lot of fear and intimidation. Cyber risk economics is really, I think, more useful because when you think about the study of scarcity, the study of the use of resources, how to incentivize people to make good choices and how to reward decision making, that's really the study of economics. And so even though many of us in cyber are more comfortable talking in bits and bytes, we can use economics to understand the trends of cybersecurity, interpret the way that cybersecurity is evolving today, and make the predictions that we need in order to help, you know, run the business and drive value in the organization in the year to come. In short, economics can be the basis for discussing cyber risk in a way that quantification kind of falls flat, because it has this feeling of confusion, intimidation, and even of a point-in-time effort, where obviously we want something to be dynamic, because the cyber risk environment itself is so dynamic.

Mike Krass

Paraphrasing what I'm hearing you say here, we're talking about this need for a shared language. And we're really talking about the language of business. And that is a language that can help to communicate across a number of stakeholders. Am I hearing this correctly, and then paraphrasing it back for the listeners?

Jen Moll

I believe so, Mike. I think one of the things that we as a cyber set of practitioners have really struggled with is conveying why cybersecurity matters. Even within my own family, there's not a lot of people who really understand what it is that I do in great detail. I think people hear terms that are a little bit technical, like cyber, and their eyes glaze over. And they think about how many times they've been breached because of any number of breaches in the last few years. What we're really thinking about, and what we're really hoping to convey, is how all of those variables come together, and how difficult it is for any given cyber team to protect their organization. The only way of doing that is by kind of crossing that bridge, crossing the technical bridge into the language of business, and really sharing a perspective that everybody can appreciate. C-suites and boards of directors appreciate the language of business; they appreciate the language of dollars and cents. And I think cyber risk economics is an easy way of bridging that divide, and helping to convey just how valuable some of these cybersecurity efforts are across organizations.

Mike Krass

With a shared language, let's talk about consequences. Right? So what could be a consequence, or consequences plural, of not having a shared language? Like, what can go wrong here? I think

Jen Moll

I think in this particular economic environment, there's quite a bit that can go wrong. If you can't convey the value of your efforts, and align stakeholders up and down the structure with what you're doing, it would be really easy to have key budget items cut or never funded to begin with. You think about, you know, the breaches that have made the headlines. So often, after those breaches make those headlines, you see the CISO being fired. And I think one of the things that we've gone wrong in is really this idea that the CISO alone is on an island and responsible for security. Cyber risk economics helps broaden out that island. I like to talk about cyber as a team sport; we've been doing a really bad job of making an entire team. We've had the back office staff focused on cybersecurity. But we haven't gotten, you know, the kicker on the team or the quarterback out on the field aligned with what we're trying to achieve. And so it's very difficult for that back office team to win a Super Bowl if the players on the field aren't aligned. And so what we're really talking about is making cybersecurity a team sport across the organization, aligning the C-suite, aligning the board of directors, so that there is no periphery, there is no firing line. It's not "I have a guy who does cybersecurity"; the entire organization is engaged in cybersecurity, can explain their cyber posture, why they do some things and other things, and how cybersecurity actually contributes to the business. And I think that's really the consequence of not having a shared language: you have these periphery figures, and a lack of understanding about why the cyber team is so important, and how they're actually there to protect and build the organization up and not just be a cost center.
I've been a cost center several times in my life, Mike, and it's always a challenge to convey just how you're actually enabling other people to go out and be successful and continue to build the business. And I think that's where cyber can get to: providing that enabling function for everyone to get on board.

Mike Krass

We mentioned that after a breach oftentimes you see a chief information security officer being fired and let go. That's a pretty terminal consequence for that individual within the company. Who else suffers, like a CISO might suffer? Who's suffering from these consequences?

Jen Moll

I think a lot of cyber practitioners are exhausted. They have been dealing with lots of competing requests and priorities for years, and when you look at the level of exhaustion of so many of our friends and colleagues, and you combine that with, you know, how difficult we know it is to continue to recruit people into cybersecurity, I think you'll see a recipe for continuing hard times ahead. We don't want to get into a position where the baseline across the industry is exhaustion. And so it's not just the CISO, right? He or she might be fired after the incident. But think about, you know, with these headline-level events, the ramifications on the team, even if the team stays in that organization. These are long, hard hours of remediating, identifying, investigating. Why continue down a path that we know isn't working? We know that there are plenty of orgs out there who have been struggling. And let's try something different. Let's try to convey cyber's value in a way that more people are going to appreciate and understand, and maybe use that as a way of harnessing where we should be focusing. It's easy to get lost in the volume of alerts. I, myself, am very guilty of being overwhelmed by a heavy inbox. I think it's much more important to think about the risks that truly matter, and how we can tackle those risks in a way that makes business sense. I remember a story from one of my PwC partners from a few years ago, who said that when he was talking to a board, one of the board members came to him and said, "I'm happy to spend whatever it takes on cybersecurity. Cyber is critically important for our business going forward. But I don't want to spend a penny more." And right now we've been unable to describe what that penny more is. And when you think about risk in its entirety, you also want to think about risk transfer: what can you possibly use cyber insurance for, for instance? And where is that going to be relative to your organization?
That "penny more" idea needs to encompass that business ramification risk, which cyber risk economics can really speak to. It's not worth talking about assets to the board; it's worth talking about the business ramification of a cyber incident. That is far more meaningful, and I think helps you prioritize how to spend your time much more efficiently.

Mike Krass

So we're getting into our last question. I think this is the money question everyone's been waiting for. We've discussed cyber risk quantification versus economics. We've introduced the need, the real need, for a shared language, and speaking in the language of business, to communicate with all the different stakeholders across the organization. We've talked about the consequences of not having a shared language, and who bears the brunt of those consequences more often than not. I think it's time to grade us out here. So we're talking about cyber risk economics. So Jen, if you were to give the industry a grade, let's say A is the best, and F is not good at all, where do you think most United States based companies grade out in aggregate? If you were just to take a big wide brush and paint with it, how would they grade out?

Jen Moll

In aggregate, I am going to give us a C. I personally believe that there is a lot more that we can do to make cybersecurity accessible and intelligible. And I think we have a long way to go in terms of educating and bringing people on board and really crossing that bridge to making cyber something of business value. I would personally like to see more information sharing, like we talked about. And you hear a lot about how the cyber bad guys are willing to work together and how their market share where people are sharing information. But we really don't do a great job of sharing information amongst the good guys. And I think in order to try to get ahead, let alone keep pace with this crazy world that we're living in, we really need to, going back to my analogy earlier of cyber as a team sport, we really need it all to be working together. And the more information that we can share, the easier it is for us to work together. The more we're able to share scenarios, for instance, that have been successful in major attacks across industries, the more we'll be able to plan those out and think about what that means not only within the same industry, but across industries. When you think about the manufacturing sector, for instance, there is a lot that various industries can offer each other, even if they aren't, strictly speaking, within that same industry. So I think, from my perspective, right now we're at a C. We need to do a better job of communicating. And we certainly need to do a better job of teaming together without arrogance, really enforcing the idea that we are going to be easier to work with, easier to share with, and easier to communicate with.

Mike Krass

So we're going to communicate, and we're not going to be arrogant. And we're going to share scenarios like you just mentioned. We're a C today. We're recording this episode in the year of 2023. Let's fast forward 10 years. So it's 2033. We all have microchips instead of cell phones. Let's just accept that that's going to happen. The iPhone will cease to be a phone you purchase at the store. All conspiracies aside, our C today, 10 years from today, if we take some of the steps that you just discussed with our listeners, what do you think is a realistic grade for 10 years from now?

Jen Moll

That's a tough question. I think the cyber risk landscape is so quickly changing: new attackers, new vulnerabilities, new exploits, changing regulatory environments, changing regulatory requirements, you know, a rapidly changing insurance market. I would hope that in 10 years' time, we will be more of a rapid response team, more of a tiger team, where we're able to share, where we're able to jump on things far more effectively, and in a much more teaming way. I've been speaking with one of our prospects, who has almost created a collective where they're sharing information, they're sharing resources when necessary. And I really hope that that's the future of cybersecurity, that it's much more of a collective need, a collective response, and a collective in terms of efforts. So maybe we can get to that.

Mike Krass

If there was a grade, like a letter that was associated with that collective, what might it be? A B, a B minus, a B plus, what do you think?

Jen Moll

I'm gonna go for a B. I think the devil is always in the details, right? And I'm sure that there are going to be some laggards and some leaders, as there always are. I think in the aggregate, if we got to a B, that would be a huge leap forward in terms of how people view cybersecurity, and how we're able to respond and triage cyber incidents.

Outro

Mike Krass

Well, Jen, thank you so much for joining us today to talk about cyber risk economics. We're not going to use that word anymore, cyber risk economics. And to our listeners, I just wanted to say that is a wrap for this episode of What's the Problem. We hope you found our conversation with Jen to be insightful, to be informative. And remember to tune in next time for more discussions on the latest challenges and issues and happenings in the world of security. I also want to give a quick shout out to our hosts at MKG Marketing. MKG is focused on helping cybersecurity companies get found, get leads and close deals. So if your cyber business is struggling to do any of those things, let us help you. To learn more, you can visit our website at MKG Marketing Inc. like charlie.com. Thank you again for listening. Don't forget to subscribe and leave a rating for this podcast. Jen personally told me she only likes five star ratings, so we're not gonna let Jen down. Five stars please. We appreciate your support. Until next time, listeners!

Jen Moll

Jen Moll is the Vice President of Strategy & Alliances at Axio.
