Risk Quantification: Demonstrating business value for your security program

And so we’re really excited to have Peter joining us today. Wanted to kind of talk through just some of the notions of the current state of cybersecurity in terms of, like, some of the challenges. I go way back. I mean, you know, in cyber, I’ve been in it almost 20 years now. And when we were getting going, you know, at the beginning of my career, it was very much trying to convince people to invest in cyber. Right. At the time, we didn’t call it that. Right. But, like, in infosec and security. And then a lot of these bigger breaches happened. And so then the notion came, like, okay, people recognize there’s a need for investment.

There’s still a lot of discussion around how much to invest and things like that. But what have you seen work in kind of the current state of people being able to justify some of that investment still in cyber? What are some of the techniques that people are using as they’re trying to grow their programs and basically justify not only what they’re spending now but what they should be investing in in the future? What’s been your general experience in some of that stuff?

Well, let’s point out that this is, we were recording this on 11 April 2024, and it’s a wild market. I read a lot of history, and I think a lot about what’s getting recorded currently. I have for a long time, and, like, how people are going look back at this time. And what they’re going to see is this radical pivot. Late Q3 last year, Q4 for sure. We saw a downturn in cybersecurity in the United States, a pretty serious downturn and we’re still in it and it’s anybody’s guess why it’s happening, how long it’s going to last, what’s going to pull us out.

But there are a couple of things that are fairly obvious. One is that the past 15 years were like the salad days of cyber in terms of the industry, the benefits we’ve conferred on our customers — not so good. Enormous sums of money were spent and people have been talking about it the whole time. I remember I was lucky to wind up at a bar at RSA about like six years ago sitting next to one of the original investors in one of the big security companies. I won’t mention which one because I want to out this guy, but its one of the big ones. And I said, well, what do you make of this market? And he said there’s way too much money, which coming from a really successful VC guy was striking. He said there’s so much money in this thing nobody knows how to spend it. And it has attracted predators, charlatans, and carpetbaggers.

We had this situation where like in the early days of security, you had people who like didn’t fit anywhere, but could be trusted to like solve complex problems involving intelligent adversaries. In other words, the infosec people, the graybeards, the people nobody wanted to deal with. But they knew how DNS worked and they knew how Linux worked and it was fine. And those people started to acquire power. But then this industry formed around them, sold what were supposed to be solutions, what were solutions. Over time we told stories to the economic buyers, to the CFO, the CEO, the compliance people, and they trusted us and now they don’t anymore. And so the means by which we convince people to make investments, securities change radically because we ourselves on a business level or we, the funding doesn’t happen.

There are other complications, like the promise or threat of AI, depending on how you look at it. Interest rates, interest rates are still relatively high. VCs haven’t come back. So there are a lot of economic dynamics. By the way, there are two wars going on right now and maybe another one or two on the way.

No, I think that’s, I think that’s fascinating. Yeah, because I think I’ve experienced, I mean I would relate exactly to that as well. And you know, Haroun Meerr has some good articles and stuff and commentary in the past. Founder of Thinks Canary. Just super sharp insight on, like, you know, the misnomer that investment in cyber — like, you go to the floor at RSA and you see the rotating vendors. They got a lot of money, and then they kind of fizzled out because they really weren’t, you know, providing a lot of solutions. And I think that, that, that has been detrimental to the industry, you know, in the past. And I think. I think my opinion is that organizations are now kind of recognizing, like, hey, we actually have to, like, hone in on, like, what actually provides value and, like, what. It’s not that we shouldn’t be, you know, doing cyber in securing our infrastructure and organization, but it’s like, what are the things that actually have the most impact? Right? So, from my perspective, it’s, you know, and I, and I led a security team. So it’s like, hey, how do we determine if we’re working on the right things? Like, how do we prioritize this risk? And so, you know, we’ve seen, we’ve seen the risk quantification kind of companies and things like that. To me, to me, there’s promise in that kind of notion.

I think some of the ways that people have gone about it are kind of wrong, personally. But, you know, I’d be curious to your thoughts on, like, you know, kind of that approach and what you’ve seen people do, if anything’s worked, right?

No, let’s talk about risk. Cyber is. I mean, I’m a small business owner. Small, small. Like, you know, ten people. Cyber is not, like, in this list of risks. The top, the top ten risks. It’s not in the top five. It’s not. It’s like, at the bottom five or bottom half of a bottom five of that top ten, maybe. It doesn’t really get my attention until it pops up to the top, and then I just want to push it back down because I want to sell staffing, recruiting, professional services, stuff like that. That’s what I do for a living. And if, when security intrudes for my business, I got, I need to take care of it quickly. But my top priority, my top risks are I don’t make payroll, I get in trouble with one tax authority or another because I’m in Mexico, in the United States, I lose key employees, somebody gets sick, somebody burns out, I have a customer that’s dissatisfied or if they have a problem and we’re not positioned to deal with it. Like, those are business risks. Cyber, it’s not there.

So, like, when we start talking about, when we’re trying to start making the case for more investment in cyber. Would ask, like, what are your other risks? Where does this stack up? And have you done a risk analysis of your cyber risks? Tell me three things you really care about.
And we. We see the same stuff over and over again. We see compliance. Cyber compliance, which is a cyber risk. Don’t let. Don’t let anybody tell you this. Cyber and compliance are not the same, are not closely related. They are. Another is data exfiltrating, and another really just comes down to reputation risk. Like, just briefly, when we talk about extortion attacks and things that involve encryption, encrypting devices and downing them, is that really that much worse than, say, a weather event? Like a hurricane comes to town or the disruption caused by, uh, gosh, I’ve lived in Mexico so long. What’s. What’s it called when you have a lot of snow? A blizzard. Yeah, like, a blizzard happens. Or like, the other day, we had an eclipse, and nobody was working for about an hour.

Right. So when you take those kinds of non cyber things into account and compare them to cyber, it’s like, well, you know, every. Almost every company of size has gotten hit, and what they found is, well, wasn’t that bad, right? So what do you do? You start analyzing risk. You can use quantitative methods. You can use qualitative methods. You can stack rank. My recommendation is do one.

Right? And then refine and seek out the advice of people who know how to do it. Like, this is the fair institute. There are plenty of people who know how to. Who have one way of quantifying risk or another. There’s simple scale calculations and, like, guesses. Fine, but get really hard-nosed about the risks you’re accepting versus the risks you’re avoiding and that kind of stuff.

Especially if you’re. If you’re a CISO. I’ve had the job a couple of times. I do VCISO now. As a CISO, my main job is to figure out what risks to accept and how to calculate the loss expectation from that, and then make sure that the resources are available and align to the mitigation if that needs to happen. We have to simplify the entire thing. Way too complicated. We can talk about why, but I’ll pause there.

Yeah, no, I think you’re exactly right. I mean, I think I’ve touted for a long time, which is not news. I mean, it’s not novel, but like, you know, we’re all in the business of risk management, right? And so, you know, cyber is another aspect of risk. You know, that could be in stack ranked against all the risks. I was a security director, so CISO equivalent at a company and we worked closely with our legal and finance departments as part of just a general risk council. It wasn’t solely based on cyber, but obviously, that was an important piece. And yeah, so we were thinking, we were evaluating risks around, like, hey, what happens? Like it was a very founder-led company, right? And so, hey, what if they, you know, what’s the impact if they’re no longer here, right? Like if something tragic happens? Like, you know, you think about all these things and war, game it out, but you had to stack those types of risks, you know, other, other business and financial risks, you know, theft, fraud, those kinds of things alongside, you know, the notion of what, what brand reputation will we, you know, take if we’re on the front page of the news or if we get hit by ransomware? So I completely agree with you that it needs to be in the context the entire business.

And that’s where I’ve always impressed on security professionals to be really, really good communicators and not spread the FUD. We can fear the impact that some kind of zero-day exploit with remote code execution, how dangerous that sounds and how severe it could have an impact. But what is that true impact to the business and what other compensating controls do they have in place? So, no, I completely agree that it needs to be in the context of the entire business.

And unfortunately, that may kind of put you in your place a little bit too on certain things. Right? Yeah, but it’s helpful in terms of like, okay, well, now we know where we should invest our resources, right? And what. Not saying do anything, right. But, yeah, so in terms of, in terms of like, you know, your approach on the vCISO side, what have been some impactful ways to demonstrate the value that, like, you provide that type of service? Like, you know, because, that’s your business. How do you promote to your customers? Like, hey, this is the ongoing value that we’re providing from a security investment perspective.

Oh, lean. When, when I started, I started doing vc, so because I, we did an incident response where we walked CISO out and top of the list for recommendations was get a new one. And they’re like, what about you? My response was, I’m busy but I wanted to help them. And so I went looking around, and I found a GRC tool. And this isn’t a commercial for them, but there’s a new generation of no code, really, integration GRC products, or a bunch of them out there. And they’re very popular at the moment. We found one and got it in there and turned out we could do 40 hours a week.
What would have taken 40 hours a week and 10 hours a week, and it included, like, getting a SOC2 type one done, and PCI, which actually, we wound up getting them out of it because they really didn’t need one, which was great because we save them, like, $20,000. But pacing is important, concentrating on actual business needs. Like the actual business would need was, you got to have a SOC2 report. Okay, let’s do that. The CEO was concerned about a data breach that got public because it was losing business because their clients were interested in that stuff. So we concentrated on that. Did we worry about extortion attacks that did not involve disclosure of data? Not really. Everybody’s remote, right. Did we worry about DDoS? Definitely not. Didn’t matter. So we didn’t invest in it. Are those risks still out there? Sure.

But you touched on something really earlier that I think is important, which is that. Was it, like, taking us down a notch or, like, sort of. I think it’s used, like, putting you in your place a little bit. Yeah. I didn’t get into security because I thought it was smarter than anybody else. I got into security because it gave me a window into the world that would allow me. It would give me the opportunity to learn how businesses worked in ways that other people couldn’t see it.

Like, I’m a business hacker. We’re kind of a dying breed. Like the original hackers were crowded out by technologists and fools. Those of us who stuck with this are obsessed with, how does the world work? Like, outside the computers, how does it work? And that turns out that’s really. That’s really effective if you want to learn how to protect a company, because you have to know what you’re protecting, and it’s not computers. Right. You know, you have to understand what the business needs. And it’s not just, we make money. Yeah, there’s money involved. You have to make money. But what kind of money? Where, how, when, what gets done with that money? Is this company going to exit? Is it going to be doing acquisitions? What kind of stakeholders does it have? What kind of work? That kind of stuff comes into play.

And if. If we come at this from the perspective of, like, oh, we’re security. We know everything. Like, we’re the experts in risk. Well, we’re experts in our kind of risk. We better be. I’m not an expert in what the general counsel thinks of this significant risk, or the chief marketing officer has a completely different view of risk, and we get the opportunity to explore those and become partners with them.

Yeah, no, and I agree. I think that it’s easy. This is kind of my. I don’t know if a soapbox is the right term, but, like, we get so caught up as technologists in, like, the coolness of, like, the things, like, and lose sight of, like, what. What is the true impact that this has? And where, you know, where does this truly fit in an attack kill chain? And so you’re right in that the business hackers, so to speak of, like, you know, kind of. It’s gone by the wayside for sure. Right.

And. And I. But I do think. I think that from the perspective of CISOs these days and boards, it’s like, hey, we recognize the value of cyber investment, but you got to keep. You got to keep showing that, right? You got to keep showing, like, what is the impact? Because, like, otherwise we can insure against it or, you know, something like that. And so, you know, where. Where we.
Where we kind of land is. Well, let’s at least put these risks in the context of our business. If this were to happen, what is the impact to our business? And somewhat coming up with a ranking or a risk rating mechanism within the context of our business. That way you’re not necessarily comparing. You’re comparing yourself to others in different ways. Right. I guess is what I’m trying to say.

Yeah. Risk metrics are like, you know, favorite exercises at a trainer. I was like, so what’s the best exercise for me is, like, the one you’ll do. That’s it. The one you. You know, what’s best? What’s the most important musical instrument? I don’t know. The one you play. It’s just like, use one, stick with it, maintain consistency. If you’ve ever done, like, archery or shooting sports, you know, it’s like. It’s all about consistency because then you can make minor adjustments and you’re.
You can hit it. Right? Same thing.

Yeah, yeah, yeah. That same notion of, like, wife always tells me about exercise is like, just doing something is better than nothing, right? Yeah, yeah. By the way, I haven’t been to the gym in, like, a week, so I’m not. I’m all hypocrite. Right now.

You’re better than me.

I have a little workout thing at home, but. But it’s still hit or miss. We’ll just say that much.
Yeah. No, I think this is fascinating. I mean, I think it’s always a good topic in terms of kind of recognizing where risk. Where risk and cyber truly, you know, are extremely similar. I think there’s a lot of. There’s. There’s always that ongoing conversation around, like, you know, the security and the risk and the compliance, how they’re all kind of, you know, in their separate buckets, and they’re really. They’re one in the same. Right. It’s just coming at it from different angles. And I think that that’s, you know, what’s most important is, like, how does it fit into the context of the business? And what are they. What should they be most concerned about from a holistic perspective?

Yeah, well, this idea of the risks of the business is a little bit misleading, because the business is, like, the company never has an opinion. The company cannot want anything. Companies don’t want the people who in those companies want things. And hopefully, they’re not too badly misaligned. Back when. Back in the day. Days when I was. Before I was thrown out of college, I learned this thing in economics class called the agency problem, which. Do you remember this one? Did you go to college?

I did. I did. Yep. I did.

I mean, I got thrown out some excellent schools. But the agency problem says, like, there’s this.
This contradiction in business, and that the people who are supposed to be working for it don’t really work for it. They don’t often have even know what the aims of the company are. Certainly a lot of the time, the people who are at the top are not really out for the interest of the business as stated. Right. They’re out for their paycheck. And, like, what do I want? Is, like, an it manager is like, I want to leave at 5:30 on Friday, so I get my kids soccer game. As, like, somebody who’s in procurement, I want to get promoted. Right. So you have to figure out what the interests are of the people and see if you can align them around, like, the stated aims of the company. If you can’t, then you’re in this, like, kind of, like, Mogadishu situation. There was a war at this place called Mogadishu a long time ago.

Yeah, yeah, yeah.

Right. Where everybody’s out for themselves. Yeah. But cyber has to be. We have to be kind of like the grownups in the room and be responsible and say, like, this is what it seems to be the stated goals of the organization. The shuttle line, are we hitting that? And if it doesn’t, we also need to have the professional responsibility and the integrity to walk away. Right. This is what all the SEC stuff is about. It’s not about lying. It’s not, not about like bad controls or whatever. So you light on the paperwork, right?

Yeah, yeah. I mean, just, yeah. Like what’s the, what’s the diligent and responsible thing to do? Yeah. Like you said, you said it right. The adults in the room. Well, not to say that the others aren’t. Right, but we have to do our part because I don’t want to disparage business leaders.

Yeah. Everybody’s, everybody’s trying really hard these days. Everybody. Right.

We just have to do our part. Yeah. Yeah. No, I think that’s fascinating. That’s fascinating. Well, I don’t have, I mean, this is, this has been a great topic. I mean, I think it’s been, hopefully it’s been engaging for the audience. But, you know, if you’re, if you’re listening, if you have any comments, feel free to leave them in the, in the, you know, in the, in the comments below. We’re happy to get back to you and, you know, really appreciate, you know, Peter and your insight. Any, any closing thoughts that you want to leave for the audience or final, final things to say.

Just this. It was really, it was a pleasure being invited to this. It was fun. I wish we had. Maybe we’ll do it again. No one’s listening. No one will listen except, like people’s moms. So. But if any such people want to reach out, yeah, you can find me on LinkedIn. We also a little commercial. We operate a lot of free training and community events, including CISSP study groups in English and in Spanish, different nights and instant response. Tabletops is games and mentoring and all that stuff. So if you are interested in being part of a real community, it’s all free. You can find me on LinkedIn. I’ll hook you up.

Great, great. Yeah, thanks for that. And thanks for, thanks for your contributions to the community. That’s really important and always appreciate it. So well, with that, we wish everybody a happy Friday, as you’ll be listening to this on a Friday. So enjoy the rest of your day and the rest of your weekend. And thanks again, Peter, for joining us. We’ll definitely look to have you back. Thank you. Great pleasure.