Episode 270 Deep Dive: Richard Seiersen | How to Measure and Communicate What Matters in Cybersecurity Risk

The Voice of Cyber®

KBKAST

Cyber Resilience | Risk Management

First Aired: July 31, 2024

Click Here

In this episode, Richard Seiersen, Chief Risk Technology Officer from Qualys, joins us to talk about the critical topic of third-party risks in business operations. Richard emphasizes the need for risk management professionals to measure and mitigate these risks, as well as understand the necessity of business resilience through risk transfer and capital reserves, particularly in the context of increasing third-party usage. He advocates for a shift in the security industry towards a more business-aligned approach, stressing the need for better measurement practices and the integration of concepts such as understanding the impact of breaches on customer attrition and brand trust.

Richard is focused on cybersecurity risk management – as a modern enterprise practice and leadership skill. His books, speaking, and work support security leaders who need to align security practice with business goals. That alignment is at the heart of cybersecurity risk management.

As the Chief Risk Technology Officer at Qualys, Richard helps customers and the broader security community measure, communicate, and eliminate risk. With over 10 years of experience as a CISO, he has led and supported security strategy, operations, and governance across various industries and orgs, including Twilio, GE, and LendingClub.

He is also a published author and a faculty member at IANS, where he share his insights and knowledge on security metrics and risk management. His books, “How To Measure Anything In Cybersecurity Risk” and “The Metrics Manifesto: Confronting Security With Data”, provide practical and innovative approaches to quantifying and reducing security risk.

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Rate KBKast

Other Recent Podcasts

Episode 276 Deep Dive: Mahesh Thiagarajan | Oracle’s Approach to the Cloud

September 11, 2024 | Cloud Security

Listen now

KBI.Media Update | Gabie Boko: NetApp INSIGHT 2024

September 6, 2024 | Data Management

Listen now

Episode 275 Deep Dive: Shannon Sedgwick | Geopolitics and Cyber Risk

September 4, 2024 | Geo-Political & Military

Listen now

Episode 274 Deep Dive: Josh Goldfarb | Visibility and Blindness in Complex Environments

August 30, 2024 | Application Security

Listen now

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Richard Seiersen [00:00:00]:
Vulnerability is just not a risk. It doesn’t start becoming a risk till it’s associated with some plausible loss associated with your value at risk, again, with the business stand in the woods. Just wanna be clear. One of the reasons that security operations has such a difficult time is because they’re looking at tactical things that are disconnected from value. And then going to people, going to engineers, going to your CTO, whatever, and say, hey. You can thank me later. Here’s a 100,000 vulnerabilities. Go fix them.

Richard Seiersen [00:00:25]:
But listen, their job is to go generate value for the business, to release product, to the platform is resilient. And you’re coming with what, you know, without any context, without tied to the business is just a distraction. It’s no wonder why we don’t see the sorts of actions that we would expect.

Karissa Breen [00:00:57]:
Joining me today is Richard Seiersen, Chief Risk Technology Officer from Qualys. And today, we’re discussing how to measure and communicate what matters in cybersecurity risk. So, Richard, thanks for joining and welcome.

Richard Seiersen [00:01:12]:
My pleasure. I’m just glad to be here and really enjoying my time down under.

Karissa Breen [00:01:17]:
Let’s start right there. So what do you mean by what does matter in cybersecurity risk? Because I think the reason why I asked that question is, you know, when I as I mentioned to you before before we started, then close to 3rd interviews. And every person that I interview, what they sort of say matters. So, you know, what’s sort of standing out for you when I ask you that question?

Richard Seiersen [00:01:37]:
I think a lot of people, well intentioned, will have an objective of trying to secure all the things. So what I mean by that is, for example, if you were to talk to your board or your E team or your risk committee, again, I’m thinking about a security leader here, they would say things like, We don’t want to be hacked. We have 0 risk tolerance. We want you to be ready and defend us against all possible nation state and other pedestrian sorts of attack. And while that’s well intentioned, that’s not practical. And so what I’m recommending, what Wallace is recommending, and I think other people who, I suppose, or have similar backgrounds to myself, what we’re saying is let’s focus on those risks that would prevent the business from achieving their objective. What are those things that would get in the way of a business fulfilling its obligation to its stakeholders, to its shareholder, to its customer. So that’s what we mean.

Karissa Breen [00:02:35]:
Yeah. You raise a great point on, you know, people wanna say I don’t have any risks, but I think with anything in life or businesses, there’s always gonna be some element of risk. So what do you sort of respond when someone says, oh, well, Richard, you know, I don’t want any risk. How how do you sort of how do you approach that?

Richard Seiersen [00:02:49]:
Well, you may not want any risk, but if you’re in business, you are you are taking a risk. Right? A successful business, let’s talk about what that is. Successful business is exposing more value to more people through more channels at higher velocity. I’ll say that again. A successful business is in the business of exposing more value to more people, to more channels at higher velocities with the hopes of more revenue and more profits, that you could perhaps call that exposure digital transformation, or actually the cool kids today would call that digital and AI transformation. You’re taking a risk. You’re exposing value with the hopes that you’re gonna transact. Right? But when you expose, you’re also exposing yourselves to the bad guy.

Richard Seiersen [00:03:30]:
So by very your very nature of successful business, you’re really a risk creating machine. So the question then becomes, how can we, in a capitally efficient, in an operationally efficient manner, protect that exposure so that you can do transactions, so you can make money, and not lose your shorts to the bad guy.

Karissa Breen [00:03:51]:
Okay. You raised a couple of things there in terms of, you know, the capital side of it. So I was in a discussion on the weekend, actually, a couple of friends of mine post what’s happened recently in the news. And, apparently, I know I I didn’t see the interview. Apparently, someone in Australia got on, like, you know, the news or something was giving this interview around. Yeah. Okay. We have to have contingencies, which absolutely make sense, like, you know, option a or maybe option b.

Karissa Breen [00:04:12]:
But apparently, this person was going, like, option c, d, and e. And then, you know, my friends who are in this space were, like, you know, that’s just not practical. Or as companies would literally go broke if we thought about option a all the way to e thought through. So do you think sometimes when people are thinking about risk, like, do you think that they over engineer it? Do you think they undercook things? What what are your sort of thoughts on that?

Richard Seiersen [00:04:35]:
So just, by the way, a little extra background on myself. I’ve, you know, been a serial recovering CISO now for a number of years, but also along the way, I’ve been doing quite a bit of consulting. So I’ve worked with, gosh, maybe 500, 600 CISOs, largely across the Fortune 1000, focusing on risk, focusing on risk quantification, strategy, board presentation. And what I see honestly, by and large in terms of approaches, while they are intending and wanting to focus on business risk, they’re typically focusing on secure again, securing all the things. Right? So there’s not really a thought given to, again, where is the business really transacting value? For example, where could there be business disruption? Thinking about what happened with CrowdStrike. Right? Like, I was trying to fly over here from the US, and I couldn’t get my ticket. I I got here last minute. I was able to get my ticket, but the airline, which will not be named, was disrupted.

Richard Seiersen [00:05:35]:
And I could you know, I wasn’t sure if I was gonna be able to make it to Australia. So business disruption, where do you have where could you experience outsized business disruption? What about breach? Are you persisting and transacting on a lot of regulated data? Perhaps wire fraud. Right? What about extortion relative to revenue? Right? So again, let’s focus on and even, by the way, espionage, depending on the nature of your business. Where are where do you have what I’d call risk classes or large, you know, loss classes? Where do those exist? And then let’s think about where there are plausible threats to them. So it’s not everything. We want to focus on those things that really matter most. Otherwise, you’re left to what you just said, where if someone’s, you know, they’re going contingency a, b, c, d through z, etcetera, or zed as you might say, They’re really, again, thinking about securing all the thing, and they’re not prioritizing based on the business. And that’s where my advocacy comes in.

Richard Seiersen [00:06:32]:
Let’s focus on what the business stands or lose. Let’s think of what the plausible threats are, and then let’s go ahead and build towards, again, mitigating those risks and or transferring them away where possible.

Karissa Breen [00:06:46]:
Couple of interesting things there, and you’re right. So it’s like, you know, from a cybersecurity perspective, in a perfect world, we want 0 risk, all this type of thing. But like you said, we’re in business. That’s that’s the game. Right? So do you sometime, I mean, I’m a cybersecurity person by trade and so are you. So it’s like, well, you think we set a crater and rod for our back. Right? Because this person giving this interview was a cybersecurity person, but that, you know, what this person was saying just isn’t practical. Companies would go bankrupt.

Karissa Breen [00:07:10]:
So it’s like we cannot think all the way to a to z, right, in terms of contingencies and plans, and what are you gonna do if this fails and then that happens? I get it. You need to have some, you know, contingency, but not to the level where it’s like, oh my gosh, we’ve just blown our entire budget on this because that needs to be thought through. So sometimes it sort of just alludes to me that, you know, we’ve we’ve created a little bit of this problem there as well.

Richard Seiersen [00:07:34]:
Yes. So the point I where I think you’re going with this is, you know, how do we maximize, really, our return on control? That’s kinda how we’re thinking about it. And the way you know if whether you’re spending enough, whether you’re being capitally and operationally efficient, it’s again going back to relative to what you, Dan, dilute, right, both the likelihood and impact. So I wanna invest in such a way where I can buy down risk. And again, there will always be some amount of risk residual risk. And in that case, for that residual risk, then I have to think about, okay, how can I maybe transfer that away? Again, buying controls, destiny, and security technology, you’re a practitioner, right? People process technology, etcetera. It is very expensive. Right? And, again, if you overinvest there, you’re gonna take money away again from that value generation, you know, exposing more value to more people, etcetera.

Richard Seiersen [00:08:25]:
And so the job of the CISO is to look how look at how they can be capital efficient relative to what the business stands to lose. And again, in it includes really two main moves, buying down risk through investments and people process technology, and additionally, transferring risk away through insurance.

Karissa Breen [00:08:44]:
Okay. So, Richard, now I’ve got a question around whilst you were talking, what was coming in my mind is in my previous life, You’ll appreciate this. I used to, collect pen testing reports, look at all the vulnerabilities, take it to the business with tech risk, you know, business risk, all of that, you know, roll out the 5 by 5 risk matrix, etcetera. The interesting thought one thing was when getting to these meetings was, as you would, you know, understand this, you know, a lot more me was, you know, tech risk coming up from one angle and then business risk come at it from a completely different angle. When you’re looking at vulnerabilities. It’s like, okay. Tech risk, what do you rate it versus I mean, this is going back a decade. Right? You know, what do you would rate this and then, you know, business risk.

Karissa Breen [00:09:27]:
Very rarely was there alignment at all. And then it became quite contentious. There was sort of arguments decided to happen because people didn’t agree or why would you think that’s, you know, that severe, etcetera? So what would be your thoughts on getting some alignment from, you know, people at the end of the day trying to take the business, but coming at it from very different perspectives?

Richard Seiersen [00:09:46]:
Well, you know, if you don’t mind, Ed, I’d like to tell you a real story about how to do that. I think that’s kind of better than me maybe just, you know, philosophizing. So one of the various CISO gigs this is a cloud native company. They had just gone public, and they needed a global CISO global experience with public experience, particularly software experience. And, you know, when I showed up, one of the questions based on the nature of the business, one of the questions I asked is, well, how much regulated data and this is a cloud native company, so in the cloud, how much regulated data are they persisting? So in this case, I went to the first of all, I went to the chief privacy officer, who was a peer. I said, hey, given the nature of this business and the type of data we’re we’re persisting, this is, by the way, this is largely SMS data for phone calls or not, and I said, Hey, is the data that we’re actually retaining for billing purposes, is that personal personally identifiable information? So PII from the US designation. But globally, is it regulated? And she said, absolutely. Okay.

Richard Seiersen [00:10:42]:
Great. So she she had identified you know, she owned that designation. I then went to the CTO or went to the data management folks. I said, hey. How much you can give me a range if you like. How much of this data are we persisting? I said, we can tell you, give or take a few 1000000000, it’s 2,000,000,000 records. I was like, oh my. Okay.

Richard Seiersen [00:11:03]:
Wow. Now I’m starting to get the McBirx. I then went to the GC, and I said, hey, I wanna review our cyber insurance policy. I reviewed the policy. We had a limit of roughly, 20,000,000. So and by the way, this is a company that only had 250,000,000 in revenue. So at that point so I I had some data, and I was kinda feeling a little nervous. I went to the CFO and GC and said, hey.

Richard Seiersen [00:11:20]:
Did you know we’re persisting 2,000,000,000,000 of records? And they’ve been here for 5 years. They said, actually, no. We didn’t know that. Note to tell you. Probably should, but okay. That’s fine. So I then said, well, you know, I you know, 250,000,000 revenue, 2,000,000,000,000, and I’m I’m like, I’m a little nervous here. I think our limit’s a little light.

Richard Seiersen [00:11:38]:
Do you agree? And they said, yes. And I said, okay. Well, let’s meet with our brokers. Our brokers. Hey, brokers. Why did you give us 20,000,000 in limit? Well, we did a benchmark, and given the firmographics, revenue, 20,000,000 was kind of the, you know, central value, mean value. You guys said, okay. I said, but did anyone tell you we would persist 2,000,000,000,000 records of PII? And they said no, and they got really excited.

Richard Seiersen [00:12:02]:
And we ended up immediately binding more insurance, and I used that to build out my whole budget. But the point here is that I’m starting out by already engaging my stakeholders, and I’m getting them involved in the process. And indeed, they’re owning, in many cases, the assessment. Right? When I come to them with just vague, you know, vulnerability counts and things that have absolutely no meaning to the business, there’s, you know, no wonder we’ll get, you know, contentious results. So I wanna start with where again, where is the value at risk? And then when I can get agreement with my stakeholders across the aisle, with technology in this case, legal, and finance, then I can go about starting a budget, and then we can have some context, right? So when we start seeing you know, misconfiguration, right, when we see, you know, a lack of control, particularly related around this data, We have vulnerabilities. Now we have context to go about talking about how we go about prioritizing remediation and whatnot. But I just wanted to say that the really, the most important thing is how you actually work with your stakeholders. Get them involved in the process early.

Richard Seiersen [00:13:12]:
What doesn’t work is dumping, you know, a laundry list of vulnerabilities in someone’s backlog without any business context whatsoever. That’s I think that’s failure. Hopefully, that made sense.

Karissa Breen [00:13:24]:
Well, it does. Because, I mean, when you’re running, like, depending on the size of the company, when you’re running thousands and thousands of risks that haven’t been looked at, and gosh knows how long years, It’s hard. And then it’s like, okay. Like, you you know, to your vernacular before, a laundry list of things, you just gotta keep adding on there. Like, people have just seen that people started to get kicked out, not really involved as much.

Richard Seiersen [00:13:44]:
Vulnerability is not a risk, by the way. For a large and I was pretty GE globally, I’m in a Twilio Lending Club. I ran street operations across the United States for the largest health maintenance organization in in that country. And a vulnerability is just not a risk. It doesn’t start becoming a risk until there’s some until it’s associated with some plausible loss associated with your value at risk, again, what the business stands to lose. Just wanna be clear. One of the reasons that security operations has such a difficult time is because they’re looking at tactical things that are disconnected from value. And then going to people, going to engineers, going to your CTO or whatever and say, hey, here.

Richard Seiersen [00:14:20]:
You can thank me later. Here’s a 100,000 vulnerabilities. Go fix them. But their listen, their job is to go generate value for the business, to release product, make sure the platform is resilient. And you’re coming with what you know, without any context, without tied to the business is just a distraction. It’s no wonder why we don’t see the sorts of sorts of actions that we would expect. But I just wanna make clear, vulnerability is not a risk.

Karissa Breen [00:14:47]:
Yeah. So this is the part that gets interesting. Right? So you’re you know, I’ve worked in these teams before. It’s like, you know, 100 of thousands of all these things, but, you know, some of these things, like, it’s okay. We don’t need to really worry about it, but Ben’s, what are you talking to? And you mentioned before, an engineer. I know they think they’re gonna be like, oh, we have to eliminate all these things, which some of these things are just not practical, so it’s gonna make sense. We don’t need to do it. And, like, obviously, you know, obviously, you need to prioritize all these risks, etcetera.

Karissa Breen [00:15:09]:
But to your point, the context, do you think that’s the part that perhaps people aren’t connecting the dots on? Because if I were to say, hey, Richard. Here’s a 100000 different things. You’re gonna be like, well, where do we start? What’s the context? Would you say that’s probably the gap in the market at the moment?

Richard Seiersen [00:15:24]:
Well, you know, I’m biased. Right? I’m I wrote the book on well, coauthored the book on this stuff. I I actually think the biggest patch for security is really our concept of risk. I actually would say our concept of measurement and risk. I think it’s the I think it’s the fundamental problem that we have. You know, we’re investing in a lot of solutions that are generating a lot of telemetry, but we are not vulnerabilities that are associated with, you know, again, with something that’s persisting regulated data or with a, you know, with a system that, you know, if it were to be disrupted for even an hour, it could have 1,000,000 of dollars of impact. Right? Do those vulnerabilities have anything to do with, again, data exfiltration or business disruption? Are they exposed? Are there threats that are correlated? Do you have inline controls or, you know, host based controls that mitigate that? You know, are you taking all that context into consideration? If you again, if you don’t have the operational context and the business context, you’re just gonna be claiming bad things, fix them. I just think it’s gonna be really hard to compete with, you know, value creation.

Richard Seiersen [00:16:38]:
And, like, well, you know I mean, your CFO, for example. I’m gonna tell you, most CFOs, the money they give in security is out of a out of a vague sense of moral obligation. I’ll say it again. Most CFOs, when they’re signing off on a budget for security, I’d say even CEOs, typically, I mean, they’ll they’ll sing a good song. Right? They’ll they’ll say, oh, security is my most important thing. Typically though, they don’t they don’t understand. It’s not their fault, it’s our fault because we are not bringing in the business context. We’re not showing operationally how vulnerability, how threats, how it relates to some mater plausibly material loss for the business.

Richard Seiersen [00:17:18]:
Right? And actually, I’d argue with you like you look at the any, the SEC, your exchange commission, if you look at the, gosh, even what’s emerging, ADORA, even regulations here, I think this is what the regulators are saying. Look, do you have a cybersecurity risk management program for, like, for critical infrastructure? Do you do you have a program that’s focused on those sorts of losses that would be material? That means you have to understand the infrastructure. You have to understand the business so that you can then correlate, again, threats and vulnerabilities to that business, and then be able to prioritize and take actions. Because back to your point, you don’t have you don’t have this checkbook where you can just write endless, you know, endless checks and whatnot to all these vendors and whatnot. You have to pick and choose and have to focus on those things that matter. So I’m kinda going along here. Hopefully, some of that makes sense.

Karissa Breen [00:18:09]:
Okay. So there’s a couple of things that you said which was interesting. So contextualizing, I agree. I was a reporting analyst before, and that was my whole job, basically, looking at facts and figures, telemetry, and saying, like, why why should people care about this? Right? But then you said, you know, people don’t have a concept of measurement and risk. So what do you mean by that? Talk to me a little bit more about that.

Richard Seiersen [00:18:29]:
So the concept of measurement. So when you’re measuring something, you’re trying to measure risk. Right? You’re taking in telemetry. Oftentimes, we, in security in particular, will confuse telemetry with actual measurement. So there’s, like, kind of 2 things that we need to do in period that are that I consider to be table stakes. This is beyond just the telemetry. So for example, from an asset perspective, when I say asset, I’m being very open ended, like a business unit can be an asset. In fact, a whole business can be an asset.

Richard Seiersen [00:18:55]:
Or you could be talking about a server, but typically, I’m talking at something, you know, a little larger, at least a crown jewel if not a business. So I need to understand value and exposure. Is a, does it have some sort of business value, and is it exposed? So inflammatory I could bring in telemetry. I measure it to determine is there value in exposure. That’s on the asset. And then on the Fred side, I need to understand intent and capability. Telemetry end is to understand intent and capability. So if I understand intent, capability, right, value and exposure, for a security professional, that’s now table stake.

Richard Seiersen [00:19:32]:
Right? Now I know whether or not I have something at risk. And now my job is to measure whether or not I’m eliminating risk in a capitally and operationally efficient manner. So it’s from telemetry, right, to measurement, right, in terms of in value and exposure from an asset perspective, then intent and capability. And from an asset exposure, I mean, I’m talking about understanding your vulnerabilities, state of identity. Right? Again, business values are persisting regulated data. What does it mean in terms of business disruption, blah, blah, blah. And bringing those things together, now I’m in a place to start investing in controls and then measuring whether or not I’m capitally and operate operationally efficient in reducing that risk, buying it down and or transferring it away. That is the business security.

Richard Seiersen [00:20:23]:
That right there, right? And so it is a measurement game. It is a data game. The business game. Listen, the language of business is counting things up. The business of science is counting things up, and the business of security is counting things up as well. There’s no difference.

Karissa Breen [00:20:40]:
So I wanna know why, historically, cybersecurity people or risk managers or, you know, anyone in that space, why haven’t we as an industry done a good job at contextualizing, like, what this means for people in a way that makes sense? And I know it’s like a broader conversation, but I’m just I’m curious to hear from your perspective if you’re with your experience.

Richard Seiersen [00:20:59]:
Well, it’s I think it’s still a nascent feel. It’s still relatively nascent. Right? But the first CISO emerged maybe 25 years ago, maybe. Now you’re starting to see college degrees and whatnot. You’re getting undergraduate and graduate degrees in cybersecurity, which whole another conversation. But I think it’s a function of it being early. Not a lot of principled scholarship involved yet. I think that’s starting to change.

Richard Seiersen [00:21:23]:
So the the practice of what cybersecurity is, there’s just not a lot of grounded principles. So when I say principles, for example, if someone’s I guess I will talk about school, I got you a start for people who are going and getting their undergraduate or graduate degree in cybersecurity. I mean, the scales you learn are immediately potentially irrelevant because it’s such a dynamic environment. Where if you’re studying a true engineering or STEM discipline, you have a lot of principal practices, be it from mathematics or otherwise, that will apply for the whole of your career. And by the way, when I say secure, I’m I’m putting the encryption aside, like that whole field that’s definitely very established, a little different. But I just think there’s a so you have people who, you know, they were maybe maybe they’re IT folks. This is going back years. Or maybe they were, you know, they were network engineer.

Richard Seiersen [00:22:13]:
What and and, you know, someone looked at them and said, oh, you, you know, you have a beard and some tattoos, and you have some metal in your face. Hey, you’re probably a security person. Good. Now you’re the sucky. But you you don’t you don’t have a, you know, a disciplined set of practices that, you know, for managing this kind of risk. And I think that has a lot to do with it. It’s a new field, the way we we haven’t established what the curriculum is, principled. And and I think, you know, maybe it’s a function of newness or maybe it’s a, again, a function of, you know, maybe it’s a function of Rock of Education, but that creates a real insular sort of, discipline.

Richard Seiersen [00:22:49]:
When I say insular, you know, you’ll hear this from security folks. Oh, there’s nothing else like security, like, you know, we have chaotic actors and dynamic systems, and no one else has that. I’m like, what on earth are you about? I mean, this this body is a dynamic adversarial system, and just, you know, from a biological logical perspective. Look at warfare. I mean, we need to look outside of ourselves to other people who are confronting some amount of irreducible uncertainty where the stakes are high. And even if you don’t have all the information, you still need to make a bet. And there’s just in numerous fields out there that we need to be looking, And we need to be adopting their practices as appropriate and bringing them into security. That’s by the way, that’s innovation.

Richard Seiersen [00:23:30]:
And we just haven’t done that. And we’re I mean, security in many ways is I don’t know. It’s like this We’re like a tribe in the Amazon that’s somehow avoided the gaze of modernity for a couple decades now. That has to change. Fakes are too high. Right? And so, again, I just think we need to really up level the practice and really adopt the practice of measurement, you know, natural sciences, you know, I mean, gosh, there’s just so many interesting fields. Evolutionary biology, like, there’s just and again, where you have small, messy data. We like to think our problem is a big data problem.

Richard Seiersen [00:24:03]:
I actually think it’s a small data problem. We just we need to humble ourselves and start reading broadly, educating ourselves, and bringing more business analytical discipline to our field, and to our management practices.

Karissa Breen [00:24:18]:
So do you think that, you know, over time, it’s gonna get better? Because, I mean, like, some of the stuff that you’re saying, when I was doing, you know, the reporting function was, like, I don’t know, 10 years ago and change. This these problems that you’re raising now, they were problems back then. So I’m like, well, has you know, I guess the needle conceptually is changing and, you know, it’s getting better. But it hasn’t gotten that much better, and this is a decade on now. So, like, is this going to accelerate from your hypothesis, or do you think it’s still gonna take a fair bit of time to get to that euphoric sort of state?

Richard Seiersen [00:24:49]:
Well, I don’t know. It’s a euphoric state. I think the the work is still hard. I think it might get better. So I’m getting with good news. Right? So my the book I coauthored, it’s, you know, it’s graduate school curriculum, Harvard, Brown, Berkeley, MIT, blah blah blah. It’s the main curriculum for the Department of Defense CSO Program here in the United States. You know? The only security belt that’s been required reading by the Society of Actuaries exams.

Richard Seiersen [00:25:09]:
So tens of thousands of people have purchased it. So I’d like to think that other people like you, not just you and me, but thousands and thousands of other professionals are they’re seeing that there’s a problem. There needs to be a change. Right? When I’m talking I’m here in Australia. I’m on a tour. I’m doing 2 workshops a day plus and plus things like this. And I’m having CISOs from your largest your largest companies showing up to get trained. So those folks are seeing it.

Richard Seiersen [00:25:36]:
So I like to think that other folks are are gonna be, you know, you know, I like to think 10 years from now, we’re gonna see better measurement practices, we’re gonna see a whole cadre of professionals who, know, in terms of the art and science of cybersecurity risk management are fully trained, quantitatively savvy, and, you know, business savvy and taken seriously. You know, again, I know there’s a lot of language. Well, we take seriously. Well, what I mean is where, you know, the CFO and the CISO and the GC, chief risk officer, they’re all speaking the language of Rust and, you know, quantitatively and qualitatively. And I I think I’d like to think we’re gonna see that change. I’m trying to I’m trying to make that change, and I think I think it’s happening. It’s just a little slow, I’ll admit.

Karissa Breen [00:26:23]:
So what I meant before by euphoric state is more a better state than currently what’s happening. So how how would you sort of measure then? I mean, okay. Just say in a year’s time, you come back on the show, and I’m like, so, hey, Richard. I’ve had things improved since the last time we chatted. How would you sort of measure that? Like, was there any sort of markers or indicators that would sort of say, hey, like, we’re definitely moving in the right direction?

Richard Seiersen [00:26:44]:
Well, that’s a great question. It’s the question I I would ask. And I ask let’s let me ask this to both of us. What do I see what would I see occurring empirically, mathematically, unambiguously, it would let me know that the culture of security is improving from a measurement perspective, right, quantitatively. I’m presupposing, I’m saying that in part that’s a problem. Well, I would see from a board perspective, that the the it would be accepted and expected practice to talk about impact as dollars exclusively. Exclusively. Impact as dollars.

Richard Seiersen [00:27:22]:
By the way, that’s how business runs. That’s how you know, you you know, you don’t go to CFO and say, go to CFO. Hey, what kind of budget do you want? I’d like a high budget, please. Or how about your paycheck? I’d like that to be medium high, red. No. That’s not the language of business. So we would be speaking the language of business. Impact would be exclusively understand monetarily.

Richard Seiersen [00:27:43]:
And when we say the the word likelihood, that would be a true likelihood. It would be a probability. It wouldn’t be some term like likely high, meaning low. So again, we would we’d be using the language

Karissa Breen [00:27:57]:
by the

Richard Seiersen [00:27:57]:
way, people say, well, you can’t do that. Security is too uncertain. Again, this goes to the confusion of measurement. We measure when we are uncertain and the stakes are high. We measure when we don’t have all the information, but we need to make a bet. That’s by the way, that’s called science. That’s how we measure. That’s how we do things.

Richard Seiersen [00:28:18]:
We hold to accuracy over precision when we still need to make a bet, and we have a lot of uncertainty. And in fact, we might have so much uncertainty, and we may be lacking in telemetry. We need to rely wholly on our expertise. We don’t just throw our hands up and say I give up fighting. No. No. So I would expect if I in a year’s time, if I start seeing more and more boards that would reject fully, like, the heat map, they reject it. You know? And by the way, I think that might be happening.

Richard Seiersen [00:28:46]:
If you look at the National Association of Corporate Directors, their 2023 cyber handbook, so NACD is the you know, if you’re a board member in the United States, you’re caught at the NACD, you’re reading the materials. So their handbook, the last one, 2023, it was an ode to cybersecurity risk management quantitate my book was one of the was one of the main references for that. In fact, I was shipped out then to the UK. I did a keynote at Lloyd’s of London with the IOD. The IOD is the sister organization, the NACD, to talk about quantification. I would love to see board members that that they would just, hands down, reject the heat map. Get it out of here. We’re it’s business risk.

Richard Seiersen [00:29:25]:
We’re talking about protecting the business. We’re gonna talk about impact in dollars, and why wouldn’t we? We’re gonna talk about likelihood as a probability. That’s what I’d want to see. There you go. I’m not gonna we’re not gonna see that in a year, but I think we’ll start seeing that more and more. We have to. I don’t know how we can continue making it

Karissa Breen [00:29:41]:
up. Okay. You said something that’s really interesting, and I’ve spoken about and I’ve asked people like yourself on the show before, so so maybe you can shed a bit more light on this. So you said impact as dollars. So I wanna give you an example and then talk me through your thinking. So in in recent times, let’s go with there was a, you know, health care provider that got breached, for example. The part that was interesting is, yes, that happened in that time, and they lost people. The part that was really interesting to me was what about the long tail impacts of how to get that trust back because this company got breached? Like, is it gonna take 20 years to to potentially build back the customer base? How do you measure that? Like, I know you probably need some, you know, really smart, like, actuarialist or someone to sort of measure that.

Karissa Breen [00:30:24]:
But do you have any insight then on that? Because it’s something that over my experience of running this show of almost 300 episodes, I’ve asked you that question. Like, look, it’s really hard, KB. So, I mean, do you have any thoughts on that around the long tail impact of, you know, a breed training like that?

Richard Seiersen [00:30:39]:
I have a a lot of thoughts. So prior to this current gig, I was a chief assist officer for the leading mid market cyber insurance company, so building models and whatnot. Right? So they they insured companies between 100,000,000 and 10,000,000,000 in revenue. Upside remit was we wrote 20,000,000. So, have a bit of background. But your question is, you’re really talking about like brand impact, right, the trust, but brand impact. But the question we need to ask ourselves is what is causal to brand impact? And more importantly, what would I see occurring mathematically and ambiguously, empirically that would let me know that we’ve experienced brand impact? So for example, like, you can make the the, Caesars and MGM breach. By the way, Caesars paid right away, given experience, the same sorts of losses that MGM had.

Richard Seiersen [00:31:26]:
But people said, yeah, but the big losses were brand because did you see what happened in the stock market? Yes. And it was not outside of normal variance at that time, and they recovered fully from their stock. And by the way, people are still showing up and, you know, pulling on the one arm bandit at both those places. No. There is no perceptive brand impact. Well, it probably was for MGM. They hit they were down with 14 days, 10 days, etcetera. Yeah.

Richard Seiersen [00:31:49]:
Almost a 100,000,000 deterministically, right, due to business disruption. But the question is, again, when we say so we use intangible terms. Listen, intangibles make the world go around. Love, hate, us. And again, when someone says brand impact, I will you wanna ask, okay. First of all, what would I see occurring empirically, mathematically, ambiguously that would let me know we had brand impact. And if someone can’t articulate that, then you may you might have what we call in decision of science a useless decomposition.

Karissa Breen [00:32:20]:
Right. But that’s the part that when I’m asking people, I feel like people just can’t and maybe you’ve articulated it probably the best, but I’ve just I’ve asked people all over the world, and it it it’s hard for them to maybe explain that. And the part I’m even more interested in okay. Go to back to your Caesars example. So it’s like, okay. Are they still gonna have the residual impact in terms of dollars 5, 10 years later? Or when does that sort of impact on, oh, that event happened. I’m not using those guys again. When does that sort of stop or how does that impact start to be, you know, not you know, it doesn’t become an impact of, you know, over the years, for example?

Richard Seiersen [00:32:56]:
Well, you’re you’re presupposing that that’s occurring. I’m saying in that case, it didn’t. It can happen. It didn’t in that case. But, by the way, in, like, in cyber insurance or any sort of, you know, insurance, you know, claims do have a long tail. Past action lawsuits and other sorts of legal things can go on for years years years years. Those costs may have nothing to do with what you might call brand impact. That you can have a again, you can have long tails on these things.

Richard Seiersen [00:33:21]:
So I wanted to make a distinction here. Again, your focus is on some sort of you call it customer, you know, lack of trust. Let’s talk about that. You’re saying that there was a there’s a reduction in sale. Right? There’s a reduction in the value of the, you know, the stock or something. And the question then is, okay, if that’s happened, let’s presuppose that. And and by the way, there’s no confounding factors. We’ve determined that the the causal factor was because there was a business disruption, there was a data breach, or there was some other whatever the phenomenon was.

Richard Seiersen [00:33:50]:
There was some loss. And, again, we we can deterministry show that a portion of the long term tail of losses is directly attributable to customers going to another brand. Right? So we’ve decided that. So your question actually is, can we forecast if and when that would change? Sure. That’s just doing business. Business isn’t a business of forecasting sales and other things. I would just go, alright. Well, how do we go I mean, that’s what business does.

Richard Seiersen [00:34:16]:
I’m in a business that, by the way, is republically traded. We’re making forecast about sales all the time. You have to be good and relatively, you know, conservative. So you’re back to just doing business. Alright? We’ve lost market share, you know, for some reason, and how are we captured more TAM? What do we need to do? And so you’re back to forecast. But you’re making you are making a forecast, again, about some plausible future state of business. There is some amount of uncertainty and so you but you still have to make you’re still going to make forecasts. So that’s my point.

Richard Seiersen [00:34:51]:
But again, I I really wanna untangle this idea of brand impact. People say it all the time. That’s the biggest thing they’re concerned with, and we have, again, this is the going back to just principled security, you have to ask people, what the heck are you talking about? Again, a problem well defined is a problem we have solved. That’s Kettering. You have to say, you know, what again, what would I say at Current specifically, mathematically and ambiguously, that would let me know that we had brand impact? Okay. Great. Once we know that, then we can start talking about what’s causal to that. And once you understand what’s causal to that, then we can start talking about what we need to do then to mitigate that or remediate that and move on.

Richard Seiersen [00:35:29]:
I I I don’t think this language that I’m using is taught enough to security folks, and it’s day 1 sort of thinking that should be in school, in undergraduate, grad school curriculum. I really think this is where we, we as professionals, need to be heading.

Karissa Breen [00:35:43]:
Well, you’re right. And I think that this is the gap. So, like, as I mentioned before, like, when I was reporting analysts, like, the stuff you’re talking about, we weren’t doing this type of stuff. So you made a great point, like, sales forecast. Absolutely. People do that. I haven’t seen people doing enough of what you’re talking about at all. And in a way that contextualizes, well, what does this mean? And, oh, if we do if he get like, I worked in a bank with data breach, what does that mean? Was it attributed to, oh, well, now, like, 50,000 people cut their mortgage loan because they don’t trust us anymore.

Karissa Breen [00:36:10]:
Whatever the reasoning is due to this forecast that we have, I haven’t seen enough of that.

Richard Seiersen [00:36:15]:
Yeah. So the so your question you correct me if I’m wrong, by the way. But the question is, alright, we can attribute the customer attrition to this breach. We’ve done our work. We we know we know that happened And it was it was, like, it was a it was customer churn that was significantly outside of normal variable. And we can and it started right there with that that bad thing. And the question then is, okay, what do we need to do to get those customers back? And I’d call back to doing business. That that is doing that is that is not just the CISO.

Richard Seiersen [00:36:49]:
That’s really the CEO and others you call it getting back trust. Well, you’re gonna have to start making some bets about how, you know, maybe it’s, you know, maybe it’s again, I wanna stay in my swim lane, but it’s making offers that would I don’t know if it’s cutting costs, you know, and making it you know, I don’t know what it might be, but there’s gonna have to be something they’re gonna do to get business back. That’s just the cost of doing doing business. We don’t see again, it happens, but we don’t Equifax would be an example. But by and large, like Target, you know, we didn’t they’re actually, in the 1st edition of our book, and I think it’s in the 2nd edition as well, we talk about the Target bridge. People are saying, oh, brand impact. So if you look at their stock price at a time, there was the dip, But that, again, it was not outside of normal variance from a time series perspective. Right? It was with wholly than variance.

Richard Seiersen [00:37:38]:
So meaning you couldn’t, in a grounded manner, attribute any churn to the breach. In fact, really no customer Customer trust broken. No. There’s nothing there. It happens, but I think it’s rarer than people people think. And that’s

Karissa Breen [00:37:53]:
a you know, going back to Target, Rich, I think it was, what, 2013 or something like that. So, like, you know, more than a decade ago.

Richard Seiersen [00:37:59]:
Yeah. The The

Karissa Breen [00:38:00]:
thing that I’m curious about is, like, do you think now starting to be like, well, Richard, I’m not shopping at Target because they they got breached, like, a decade plus ago. Like, that’s the part like, are people still saying that or you made a great point. You know, the it dipped in the in the stock, and we’ve seen that happen over you know, recent breaches happened in Australia even recently, but then it recovers.

Richard Seiersen [00:38:17]:
I don’t think anybody’s I I don’t think anybody done that. I don’t think anybody did that. I don’t think it had an impact at all on customer sentiment. There’s no there’s no empirical, mathematically unambiguous evidence that that ever occurred at all. I don’t think I don’t think they gave a shite. I’m saying it can happen, but so my advocacy here is really, again, I love this quote, I’ll just keep using it, eat a dead horse. It’s a problem well defined is a problem half solved. Let’s be really super clear about what we’re talking about and super clear about what the evidence is of that thing.

Richard Seiersen [00:38:50]:
Right? And we have to, you know, we have to decompose our intangibles to tangible. Right? And so this I mean, that’s key for risk management. Well, you know, security is full of a lot of drama, and we need to, you know, I’m I’m like the antidrama guy. Let’s let’s get down to what we’re let’s engineer this and talk what are we really talking about? Where’s the cannibal stuff?

Karissa Breen [00:39:09]:
Well, absolutely. And I and and that going to your point around the drama, that’s right. And this is the part that I, you know, I’m trying you know, I had this discussion, which is which is important because, you know, even some of the breaches here in Australia, I’m still a customer of these companies. Right. So, you know, like, did it annoy me? Yes. It did annoy me. But it’s like, oh, well, you know, I’ve been using these people for a while, so it just makes sense to stay. Right? But going back to the Target example, like, I don’t think anyone sort of sort of saying online or anywhere, like, oh, well, I’m not going there anymore because of the breach that was ages ago.

Karissa Breen [00:39:37]:
So I’m feeling even more so now, and maybe you would understand more about this than me. It’s getting to the point where I feel like people are becoming super desensitized. I was like, oh, well, another breach. Like, who cares? I’ve even heard people saying on forums and social media that I look through is, oh, well, my information’s already out there anyway. So what do you think is gonna happen?

Richard Seiersen [00:39:57]:
Well, I’ve got an example that

Voice Over [00:39:58]:
we could think of, but we that, you know, let’s

Richard Seiersen [00:40:00]:
see what happens. Time will tell, but CrowdStrike, what about them? They got they’ve been hammered in the stock market. Right? I’m I’m curious to see what’s you know, that’s I wanna keep observing it. Right? But I think there is an exam I I my suspicion is that they’re gonna have a long tail impact from this breach. Right? Maybe they you know, look at, that’s kind of an epiphany of the obvious, I suppose. What about LastPass? What about them? I mean, I, by the way, I just have, I haven’t gone and done the analysis by in terms of how much customer churn they’ve had. Right? But I I think there are examples there, and we should look at that. And I think that’s potentially interesting as well.

Richard Seiersen [00:40:38]:
And that goes to your use case. Okay. Let’s presuppose that there’s going to be a case of PowerStrike, 1,000,000,000 of dollars of impact. How long does that entail? And to your point again, what do they need to do to win back the market’s trust? Again, we need to observe that. We need to see this play out a little bit more. But there are, again, I don’t wanna say that what you’re saying is not valid. I think it is valid, but you just need to be super clear about when it’s actually occurring and how long of a tail it is and how much it matters. We might find that the CrowdStrike thing, 6 months from now, they’re back on top again.

Richard Seiersen [00:41:10]:
I I think I I have a feeling that one’s gonna be that one’s a little it was so far reaching. We’ll see what happens. I think there’ll be some there’ll probably be some regulatory impacts from that and legislation, whatnot. Who knows? I don’t know. We’ll keep observing.

Karissa Breen [00:41:22]:
Well, how I was gonna ask, how long do you think that long tail is gonna last for?

Richard Seiersen [00:41:26]:
I I I don’t know. I don’t know. I don’t have a crystal ball on that.

Karissa Breen [00:41:30]:
But if you had to guess, though, with your background, like, what do you think? Do you think it’d be years? Or do you think, like, oh, 12 months? Like, you know, I’m I know it’s not like fact. It’s just more, like, giving an indicator with with all the work you’re doing.

Richard Seiersen [00:41:40]:
So from a claims experience in my previous place, one of the thing after I just started, one of the things that was happening is we were seeing claims for business disruption caused by outages of SaaS third party. In fact, we’re we were seeing like an exponential increase in claims that was surprising to the underwriters. They’re like, oh my gosh, we didn’t account for that. Our models, obviously, they changed that. By the way, my previous resilience, you know, loss ratios are the lowest in the industry. They’re they’re great at them. But it was early on that was kind of surprising. So the question I have for folks who are doing 3rd party risk management, big, huge topic I get it get asked about all the time.

Richard Seiersen [00:42:14]:
When you start looking at the 3rd parties that you’re that you’re using, I think it is your job to start thinking about, okay, when we’re thinking when you’re thinking about taking on a a new third party, one of the questions you need to ask yourself is, okay, will could we become dependent on this customer, or this to me, the 3rd party, where it could cause, if it stops operating, it could cause business disruption for us? I mean, these are some of the things that we need to start thinking about, and we do need to start measuring and looking at, okay, what might that impact be? Again, we have to do that in such a way that’s appropriately conservative, thoughtful, and not irrational. Right? Because the reality is your business, again, is in the business with business, they’re gonna wanna adopt a lot of third parties, like a whole AI thing, being that as well. People are gonna like, look, we’re gonna we’re gonna digitally AI transform, we’re gonna adopt these services, but you as a risk management professional, your job is to start understanding, okay, cumulatively, are we getting ourselves in a situation where we could, you know, have business disruption? And oftentimes, question then is, alright, if there’s not anything we can do to truly mitigate those losses, then we’re starting to talk about transfer, risk transfer. Are we in a situation where we are going to significantly and I think more and more CISOs need to think about this from a third party risk management perspective, and are we getting to a situation where I need to increase my limits? Or are we in a situation where my capital going beyond my limits, my capital reserves? Right? Am I in a position, a cash position and a mitigation position where given our expansive use of 3rd parties and get what parties, not a 3rd party, but am I in a position where I’ve helped my business be resilient to plausible future loss, where I might have a third party outage or something similar to CrowdStrike or maybe have all these agents deployed, something bad has happened, who knows what? But am I in a position where if I had even concurrent losses like this from both my risk transfer and even my capital reserves, am I in a place where I can hopefully be resilient and continue to meet my obligations and my stakeholders and my shareholders and my customers. So I think, you know, I’m just kind of flipping the conversation. This is the type of thinking that I think we as the as the defenders have as increasingly the modern cybersecurity risk management experts, we need to be thinking about. And by the way, I’ll just say this fortunate position where I regularly, this week alone, I’ve been in front of a good 50 or so CISOs, do this all the time, and I’m asking this question, how many of you are now involved in cyber insurance, not just doing those nasty spreadsheets you get from brokers that are coming through from the underwriters, but where you are actually the one who is defining the limit, right, where you’re the one who’s going to go out and get the contract, Meaning, giving your residual risk, given or after you’ve spent on controls, where you’re the one who’s expected to go and determine what’s what’s the type of limits you need to protect the business, right? But I just think that’s where, when it comes to understanding you know, what does CrowdStrike mean? What whatever third party I think where the rubber meets the road is where we as defenders need to start looking at our 3rd party risks and starting to understand that we’re listen. There’s just stuff that we’re gonna have to do because of the cost of doing business.

Richard Seiersen [00:45:43]:
I mean, you’re gonna need EDR. You’re gonna continue to you’re gonna listen, you need in line and host based protection. So you just have to do it, regulatory perspective, but just from a business perspective. And so then we need to start understanding, okay, while it might be quote unquote black swan, don’t really like that term, but really low likelihood with potentially high impact. Alright. Assuming that that could happen, have I put myself in a position for a resilience perspective, and I’m using resilience in the bigger term here, business term terms, from both, again, a transfer and a, you know, both risk transfer to your insurance, a risk transfer to your capital reserves. Am I in a position to continue to deliver business value to my stakeholders, to my shareholders? And this is where I wanna see CSOs going. I’m seeing some indication of that.

Karissa Breen [00:46:30]:
So Richard, really appreciate your time. Just quickly, do you have any closing comments or final thoughts you’d like to leave our audience with today?

Richard Seiersen [00:46:36]:
I think I might love Australia. I’ve really enjoyed the small amount of time I’ve had here. I’m in Melbourne. I’m about to head to. I’m going to Sydney and Brisbane. I’ll just share with you that the appetite for learning, you know, your security leaders are coming out for this content, and they’re really coming out. They’re really engaged. I I think actually the u I’ve done this a lot in the UK.

Richard Seiersen [00:46:58]:
I think they might be second to you guys in terms of, like, really wanting to engage in deep intellectual conversations about risk. I I yes, my country is coming out as well, but I don’t see I don’t know. There’s something in the water here with the the Aussies. You guys are engaged, so I’m really hopeful based on what I’m seeing here. I’d say keep up the, keep up the good work. I’ve loved the conversations that I’ve had, and I’m just so glad to be here and thankful that I’ve had the chance to talk to you.