Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode #49 - Translating Cyber Risk to Dollars and Cents

Are your executives and board members struggling to understand cyber risk?  This week, the guys are joined by David Moon of Arx Nimbus, a company that turns cyber risk into the language that all business leaders understand. David shares how they translate cybersecurity into financial metrics that allow organizations to make better risk management decisions. The guys discuss how companies can create tremendous clarity around cyber risk, resulting in better support and resource allocation.

For more information on Arx Nimbus, visit

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!


Mike's Headlines

Insurers Tap Cyber “Opportunity” as Rates Continue to Rise

The Cyber Insurance Dilemma: The Risks of a Safety Net

New Android Malware Targets Netflix, Instagram, and Twitter Users
Cybersecurity: This Prolific Hacker-for-Hire Operation Has Targeted Thousands of Victims Around the World
US Sanctions Chatex Cryptoexchange Used by Ransomware Gangs


welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller
joined by mike rotondo and laura chavez and today we have a guest uh guest with
us david moon who we've worked with on a handful of projects and he does some really cool stuff so we're going to dive
into that i'm talking about translating cyber risk into a language that everybody understands so we'll get into
that shortly but before we do mike why don't you kick us off with the news we got some interesting news on tap and i
just forewarn you if you go and look at the urls for this first story there's actually two stories that combined into
one to make them more readable so that's why you'll look at it and go what and this is about insurance insurers taps
cyber opportunities as rates continue to rise and the cyber insurance dilemma the risk of safety net
the original purpose of cyber insurance is to cover the extortion losses of a business if a successful ransomware
attack happens and the business has no other options what to pay premiums have been soaring across the u.s and europe
in response to mounting ransomware tax which we're all aware of ransomware responsible for the biggest volume of insurance claims in the first half of
2020 according to a provider coalition last month the u.s cyber market outlook report from wholesale insurance broker
risk placement services warned that providers have been battered by high higher than anticipated losses and are
now charging far more for less coverage in june 2021 the average global cyber insurance premium rate has increased by
32 percent year over year every company owner should be really aware of what's in the cyber insurance policy read the
fine print because cyber insurance typically does not cover three types of losses potential future
profit loss of value due to theft and betterment which is basically the replace replacement of your hardware so
be very aware of what's in your policies there's new android malware out there that targets netflix instagram and
twitter users i'm okay with it targeting twitter and instagram frankly that they can go away a new android malware known
as master fred uses a fake login overlays to steal the credit card information of netflix instagram and
twitter users the new android banking trojan also targets bank customers with custom fake login overlays in multiple
languages so if you're using an android be careful cybersecurity the prolific hacker for higher operation has targeted
thousands of victims around the world apparently there's a hacker for higher operation offered by cyber mercenaries
has targeted thousands of individuals and organizations around the world in a prolific campaign of financially
different attacks that have been ongoing since 2015. uh the cyber merchandise group has been
advertising services on russian language forums since 2018 big surprise key services offered are breaking into email
and social media accounts as well as stealing and selling sensitive personal and financial information so to add your
list of warriors there you go on the law enforcement front a u.s sanctions chadix
crypto exchange used by ransomware gangs uh the u.s treasury department announced
today's sanctions against chaddix cryptocurrency exchange for helping ransomware gangs evade sanctions and
facilitating ransom transactions the treasury also sanctioned the russian linked suex
crypto exchange in september for helping at least eight ransomware groups with over 40 of its known transactions linked
to illicit actors and in additional news apparently there were no microsoft
vulnerabilities today to report so with that laura i always like when you lead into my part
with that no microsoft voter abilities yeah none that have been discovered yet anyways this week so yeah
so at the dovetail on the um the hackers for hire i did a double check and the latest version of the hidden wiki does
include six known hacker for hire places to go on the onions if you're layered in there um
you you can certainly find um that news article holds some mustard uh where it
meets the bread on the hidden wiki so exploits this week i got a few things to talk about um you know there's certain
things we don't talk about anymore so don't ask me but if you are interested or using go programming language today
and you've implemented the z-log logging piece for that go code you want to make sure that you are off 1.2.15
because we've got multiple buffer overflows for z log the z logger function used in the go and other
programming language but but most popularly in go as oblate um if you are
using uh the software mamara classic it is an email backbone like software so if you're if
you're doing email services or automated email and you're using mara make sure that you are off version 293
uh because we've got an authenticated sql injection using the license update php fun stuff i validated this this is
actually working so make sure you are off version 2.9.3 you can do all sorts
of random stuff using that update php integer there and uh an interesting
thing uh because you led into the conversation with there's no microsoft vulnerabilities this is in poc so this
exploit is in poc right now it doesn't work yet but it it focuses
on windows multi-point 2011 service pack one there is local privilege escalations
okay so you've got to be locally logged on as a user and you can use the dns shade in 7601 to
essentially escalate up to you know system level permissions admin aka so get past 60
7601 build if you still have windows multi-point for uh 2011 sp1 installed
and that that concludes that concludes exploit this week uh zach we have a guest i'm excited we do we do and we're
gonna dive right into this but first quick commercial break want even more cyber ants be sure to subscribe to the
cyber rants podcast get your copy of our best-selling book cyber rants on amazon
today this podcast is brought to you by silent sector the firm dedicated to building
world-class cyber security programs for mid-market and emerging companies across the u.s silent sector also provides
industry-leading penetration tests and cyber risk assessments visit and contact us today
all right we are back special guest with us today david moon david thank you for joining us
thank you zach it's great to be here and be able to highlight some of the aspects
of this topic surrounding risk yeah you know it's it's an interesting time because more and more organizations
they know they need to do something about cyber security and and they're making efforts but they have a very hard
time translating that to the rest of the organization
doesn't have technical background right and so i'd love to dive into that a little bit um but i mean you you have a
deep deep background um as cio see so all kinds of different different roles
um do you mind sharing first a little bit about your background and then lead into
what brought you to start arcs nimbus what was the problem there that you were looking to solve um you just give us a
little background to set the stage sure zach i appreciate that and uh you know one of the things that's been most
rewarding for me is as a cio with uh probably about 20 years
experience in both the airline and hotel industries i had gotten involved in the early 90s
in what was commonly called yield management at the time so this is really
kind of a lot like the pattern analysis that many uh cyber security solutions today
do on things like endpoint behavioral analytics etc except for the travel industry it was really on
yield and what flights what hotel rooms are selling at what level at what time
and it's a very complex process now the airline industry believe it or not used to have
massive blackboards excuse me back in the back room they'd have hundreds of people working
back there and and doing their pricing it's just a very complex calculation so
i had been part of kind of a group based out of wake forest university at the time
and where i used to present on a regular basis and uh we really kind of advanced
the notion of at that point applying differential equations to the yield management process so that really was
kind of the crux of my applied quantitative background and i guess like three master's degrees later i found
myself in cyber security after leaving silicon valley in the xml exchange
server business and i worked for both arthur anderson as
well as capgemini and then up through 2016 pwc's cyber security practice
here in the u.s and what really inspired me was
we don't really understand enough about cyber risk fundamentally and uh in talking with the
head of risk management for a money center bank who was himself was a phd
uh learned about some of the models that they're applying to things throughout the financial institution like
counterparty risk credit risk etc and i said well that sounds very sophisticated how do you evaluate cyber security risk
then and he he literally like motioned and threw up his hands and said well well what yet you know that you can't
possibly quantify it's just uh you know we we don't really know much about cyber security risk we don't have the data et
cetera et cetera and he kind of went on so they're very sophisticated approach to
risk stopped right at the door of cyber security and
this is of course a very common thing there was a swiss re survey uh in
2020 that said that 80 percent of enterprises
view cyber security risk as endemic to their earnings and nothing could be more
fundamental to business than earnings of course and yet the same people surveyed 90
percent said they have no visibility into what their cyber security risks are
at the same time so we clearly we clearly have a disconnect here and uh
that will be solved at some level so it's been our firm belief since starting the company in 2016
that there is a gap and it needs to be solved but not only by end enterprises but by
the insurance industry by m a advisors consultants etc it's as well as
financial analysts on wall street and it has to be resolved in a manner that
includes dollars and cents and lets us understand cyber security risk in the language of
business yeah that's that's a a very unique capability and i think you're
you're exactly right i mean so many organizations take a um approach that's
that's not really heavily heavily based on data
right and historical events and things like that and so what i what i love about
what you've built and the platform and for those those people listening um you can go to ark's and check out the website and get some some snapshots of what this looks like
but in essence you can take you can now take a major industry recognized framework like nist
csf or nist 853 and run an assessment on your
organization and translate at every at the individual control level and also roll up those controls into
the actual financial risk that the company is holding and then on top of that
break out what is um covered by insurance potentially and then what would be self-insured or
what you'd have to come out of pocket for um so really it really is a very
cool way of looking at cyber risk in a different language you know one of the things that we've seen
is it really appeals with executive leadership especially cfos and
that now they can understand understand what they're paying for you
know and where that investment is going um do you do you want to share
um david a a bit of a use case or what
can you just take us through the process of a company that doesn't really understand you know their cyber risk management
program or what money is going to and kind of take us through their journey on on identifying what's important sure
sure yeah and and further to uh that comment that you made zach that uh i sat in on a
number of board meetings and including uh one of the top 10 mortgage banks in
the u.s comes to mind where i was asked to present at their board meeting and they said well you know why
after your presentation why don't you stick around our ciso is reporting written next and uh
you know like most public organizations the cso gets maybe an 11 minute slice of a board meeting perhaps once a quarter
maybe maybe once or twice a year in fact and yet here is this risk that warren
buffett and others say is the largest risk-facing business today the cso comes in and they report and
they say well i'm asking for another 30 million dollars next year and the board members naturally as they
should do say well what is this going to give us what what results can we expect from this and he says well look it it
increases our splunk rules from 200 to 320 it gives us better situational awareness
across the domain and it gives us endpoint behavioral analytics please
approve my budget now the board members at this moment turn to each other and say well wait wait what what
what the end point behavior or what i what did he say do you want do you understand
what he said and they kind of turned to each other and discuss it and it's like well no i don't i don't understand what
he said but he seems like a really smart guy and after all he's our guy so let's go ahead
and approve it now of course uh in terms of governance and and all of
the things that boards are focused on uh when the cfo comes to report they
have hard numbers they have specific uh details and contributing factors and
they can drill down there's traceability transparency all of that but somehow that is the contrast in today's world we
haven't gotten to that point in cyber security as yet and let's remind ourselves as cyber security
professionals here that everything that's spent on cyber security the entire cyber security
organization having a cso in the first place and all of the solutions that most companies are
now running in cyber security is only really there to reduce risk so that has
to be the fundamental overarching mission and it's understandable that when
cyber security engineers analysts and others are deep in the weeds there are all those alerts coming in and trying to
sort them out the hundreds of thousands that many enterprises get on a weekly basis
that it's it's easy to kind of forget that big picture but that's really what
it's all about so what we've done is to say well you know how would you solve this problem
and the first thing that really happens is what you you just
you simply have to have the data there's no way around that and like so many things in life you can
sort of uh prognosticate what things might be but unless you have the data you're
really not on solid ground so the data in this case uh we're
blessed with the fact that we're here in 2021 and we have far more data than we
had back in say 2010 or 2015 and now we have as everyone knows and uh
as uh laurel and others cover in the in the news briefs on the podcast here
we have a lot more losses losses are mounting ransomware is is getting out of control
we've got so much more data that's the upside of this story
and so we now have patterns and we have actual patterns and for those who are
familiar with data science a much of data science and for that matter ai is based on patterns
and we now have enough data to run those patterns so one of the things we realized early on
is we have to show up to the dance with lost data in place
and so we take that loss data we aggregate it from what now are 22
different sources updated on a recurring basis and things that probably uh most of us
are familiar with like verizon dbir certain infra guard reports from fbi and
others and you can aggregate those data and we've worked with
particularly university of illinois department of actuarial science where we
have a formal collaboration agreement in place on how to properly cleanse that data normalize it and then aggregate it
to some meaningful what in the insurance industry are called probability density
functions and so we in our solution operate with eight of those
uh those are pii breach sort of the classical big headline breach
uh intellectual property compromise patents and so and other things were were stolen or
uh made visible uh and then ransomware uh hacktivism which is its own kind of
unique threat factor digital vandalism
which is closely aligned with activism but it's fundamentally different and then
denial of service etc so we track those in terms of their
frequency in the overall landscape across all industries and part of what's happened here that probably most of us
are familiar with is that cyber security threat actors do not necessarily obey industry boundaries so
someone who's attacking a health care organization may be attacking a financial institution next week
and a lot of what had been the common practice prior to this time prior to our
arrival on the scene was you know trying to track within your industry how many
losses have actually happened and we found that that's a that's a very loose correlation and really doesn't stand up
to some sound quantitative statistical tests so what we do then is we take that we
take the company's own financials which are known data of course especially with public companies
and we plot that against the other losses that have happened elsewhere in other industries and then
we normalize that and essentially think of it as sort of the loss per billion dollars of
customer value or company value from there we play all of that back
against nist based on their actual controls and in our case we work with nist 800-53
we also work with nist csf and we work with iso 27001 which probably most
people are familiar with so that allows us to say here are the origins of these risks
and here are the financial consequences of them that's about 48 000 variables it
turns out that have to interact to achieve that in sql terms it's obviously
a big many-to-many structure and from that which we have spent a lot
of time with nist working out those various mappings and how we properly apply their
standards they turned to us and said well that's actually a very savvy approach and we we
got that from matt barrett who was the head of the csf framework at the time
so from all of that what we're able to do is actually say you know where are the origins of these risks what are the
things that really need to be addressed and think of it sort of a triage effort
if you will where do i need to concentrate my efforts first and the interesting thing that comes out
of that is if i solve this particular problem and it may be patch management it may be a
training gap or issue even cyber security awareness training on the part
of the overall staff enterprise-wide etc if i'm able to solve that particular
issue how much does that reduce my risk and so essentially it's it's effectively a cost
recovery process which is rewarding monetarily to the
enterprise driving down the cost of these risks that they're carrying that allows the cyber security function to
track their progress in terms of we recovered this much cost on the part
of the enterprise which really kind of opens up in a new additional conversation
between cyber security not just being a cost center anymore but being an
effective means of cost recovery and while protecting the enterprise at
the same time and that's what's really a very exciting aspect of this for us
yeah i love love the new the the capability that this brings um again
just translating translating the value of what security professionals are doing
into a language that everybody understands um how have you seen this affecting
management decisions with the companies that you serve and the companies that are doing these
assessments regularly yeah so it's very interesting because uh of course
there was a time when in other corporate processes companies didn't have uh the visibility they
needed so think of something like the supply chain inventory management
maybe uh yield optimization we talked about earlier and one of the things that happens with
these is that once they go to a quantitative basis they really never go back
so you could think of in the securities industry those high frequency trading models that
goldman sachs or someone would use just the way that accountants work with
uh matters of gap etc in an erp system once these things go quantitative and
they're made manageable that way they really never go back nobody goes back to saying we want to go back to guessing or
using pencil and paper or something like that or just spreadsheets in in this case
so that's kind of the first effect the second effect is that now we can really say
how do we go about uh really getting the solutions in place that will target
the origins of these risks and so rather than kind of you know uh going after a
variety of things thinking that we're going to make some progress we can actually target the areas where the risk
is originating in its greatest form the second thing that happens is that
very interesting if you track the court cases
and we now have a lot of public records around uh after post breach
litigation for example so everyone may recall that when the equifax breach happened there were about
26 class action lawsuits filed within a day or two
after it was disclosed now when those end up in a courtroom
it's very typical for opposing counsel to challenge cyber security leadership
and maybe board members or cfo etc on well how did you as a company formulate
the proper protections on behalf of the shareholders and quite often
uh the answer is well you know a friend of mine recommended this
we we saw this at a trade show and liked it we you know it's it's a non-quantitative i used this in my last
job and it was effective there it's kind of there's not a lot to back it up
and with us what companies are finding is that they've got traceability
from the actions that they took the strategies uh the technologies that they put in
place back to this was based on what nist says this was based on the adverse risk that we
had in this particular area documented and traceable throughout
and again that plays off of the 48 000 variables that we work with so literally
uh mountains of of traceability are available uh from that to say not only
we saw an adverse risk in this area so we took this action which is tied to
resolving that risk and you can say well who says that that's tied to that well nist says iso says
you know it's it's it's pretty solid ground in fact some of the most solid ground we have in cyber security to
stand on not only are companies finding they're able to do that but also they're then
able to say and this is how much it actually remediated that risk and so a
pre and post snapshot of what the results were once those strategies were
applied the other thing that we're finding is they can much better calibrate the cyber
insurance they actually need and following off on some of the comments earlier at the beginning of the
podcast here that that is an increasing cost for companies
cyber insurance providers are finding that they're getting more losses than what they had anticipated so they're
raising those premiums so how much insurance should i really be buying how much should i be applying and what kind
of coverage should i have including how should i understand all of the many exclusions that these policies now
come with which companies don't do themselves a good enough favor of of really analyzing
those and then the final thing that i guess i would highlight zack is that uh you know we see a lot of interest around
m a and so when there's a merger when there's a another company being acquired
even in private equity uh it's really a case where traditionally there's been very little
notion as to the cyber security risk that's being taken on in an m a
acquisition transaction and so we're able to come in and we're able to
allow them to have insight into those risks many of them pre-doing the deal use that
as a negotiating approach so think of it like a home inspector comes in
and finds that the the water heater is about to go and the the furnace needs cleaning and so all of those expenses
get baked into the picture traditionally in m a terms uh the cost for cyber security
remediation has been believed to be zero and of course that's never the case out of all the numbers that might be right
that's simply not ever going to be the right number and uh and so millions of dollars
hundreds of millions probably billions over time have been lost as a result of
underestimating the need to remediate those cyber risks in m a so those are a few of the of the use cases that we end
up seeing yeah i love that last example with with m a i mean we are big proponents of that
i think there are a lot of private equity firms venture capital groups um all kinds of organizations that are
acquiring companies and or making major investments in companies and not
understanding that cyber risk piece and so they make that acquisition and then learn that all
of a sudden they have you know a million five that they need to put into the organization they get it back to where
it needs to be from a cyber security perspective or compliance as well um so we're big proponents of
that and then of course following a industry recognized framework um
is a must so that's um that's that's interesting you know with with the uh the the court cases as well i think
you're you're writing a lot of csos a lot of security professionals um are
going off of uh you know practices that are are you know they're they're taking bits and
pieces of the security program as they go but not really looking at it as holistically as as
maybe it should be um the last few minutes here for those
people that um haven't used the product the the threat or haven't got the tribaca risk
reports and such can you just walk through the process of how you
conduct an assessment and then what the the output looks like yeah absolutely and uh it's actually
uh very streamlined and in fact we in our work with the insurance industry today
we perform a basic baseline analysis even before
the insurer is engaged with the company so that is actually performed by the agent
but for all organizations they're able to basically uh allow us to
do our scans and many of these scans are scanning the ip threat surface
looking at their financials we utilize a api with sec edgar
and other sources that are available and then we apply the historical loss patterns that have
happened over time we then and all of this happens behind the scenes
we then take their industry uh and we say well let's say they're in
the wholesale plumbing products distribution industry and we've assembled based on historical
loss patterns industry adjustments that happen on each of those eight risk types so that we can really
dial in what their exposure is adjusted for their industry and accommodating
that then from there we sit down and validate their controls
and that really is a one-hour process we debrief them and it's areas think of the control as
something like uh what is what is the amount of time it takes today
to identify an unauthorized device being attached to your networks so very basic
concept and you know most people would agree that's a good thing to have in place
but nobody does that instantaneously and when you think about industrial control systems iot
uh shadow i.t my cloud arrangements and so on then it it it is really uh kind of
uh the way that we want to get a hold of these controls because there are lots of forms of exposure out there not just
necessarily corporate i t and what resides in the data center itself
attackers don't obey those boundary lines so we validate those controls across the
overall enterprise exposure and then that really allows us to
process our runs which at this point uh on average are
taking less than two hours and in fact that's an sla with us now uh that
average time will be less than two hours uh and we then their results and then we
simply schedule time we go through with the organization as as we've done with uh silent sector and
silent sectors clients to go through here's what this means here's what it
does and kind of one of the fundamental uh wake-up calls is
we did a lot of work with the economics department at the university
of chicago very well known that many nobel prizes that have been won there and so on and
they really kind of took things to the nth degree in helping us analyze what kind of risk exposure companies have and
getting the formulas dialed in to be able to determine that in a proper way
that is is obviously a very complex exercise but what we were able to come away with was
you simply have to establish the overall potential for risk of the
organization and that potential is what would an absolute worst case scenario be now
every organization has controls in place even if you today wanted to go out and
not have any controls for some strange reason you still end up with controls because
probably everyone understands you buy a piece of palo alto networks gear or a cisco router it's already got a level of
cyber security built into it whether you wanted it or not so this is a theoretical number but
we're then able to show the company subtraction from that overall exposure
as a result of the controls they put in place and then we turn and add the final piece
which is how much of that risk have you now shifted or transferred to a commercial insurance carrier
so that what are you actually left with in terms of your net exposure at the end of the day and so that is really what we
highlight in our debrief and then from there we have a lot of exploratory tools
that do two things one is the first takes them through where are those risks
originating from and how do the threats the risks
the vulnerabilities and then my capabilities or in other words my controls
relate to those risks so we have a what we call the jellyfish diagram they can explore interactively
all day long and and it's based on everything being traceable back to the nist framework and we also use the ffiec
uh threat taxonomy from the federal bank examiner's handbook that's the first
kind of process once an organization has been through that they tend to then ask the question
okay well now i see my wrists i'm able to drill down on them and understand their origins are very detailed level
but now what do i do what do i actually do and that's where the second half of that
briefing is primarily and we've been through this again with silent sector and very proud to work
with uh the whole team at silent sector on advising these clients
what are the kinds of solutions that can best drive down which of these actual risks
and here again you can say well well who says that a sim solution uh maybe can or or you know additional
splunk rules or or endpoint behavioral analytics whatever may drive down this
particular risk well here again it's nist says and so nist has provided prescribed
traceability back to individual risks and we're now able to see
based on those recommendations about 600 pages worth of documentation that
include actual playbooks and so this is important and many times we work
with organizations that are struggling to gain compliance sign off from their
regulators and they're they're finding they're they're just challenged with
illustrating how their actions and strategies tied back to
[Music] extinguishing these compliance issues that are open and unresolved with their
regulators at at that point in time and so this helps them immensely in being able to formulate a plan to do that
and working with silent sector for example on you know how do i get this plan in place what do i address first
and then actually being able to measure now which most of these organizations have not been able to uh what is the
risk that's going to result from all of those actions so you know david thank you it's just it's it's it's so awesome
that you have have given really cyber security professionals and and the cyber security
paradigm as a whole a new a new i won't call it a weapon but a new statistic a
new a new number right that we can now go back to management and say look look
this is why this is why we've been bugging you for the last 10 years about this stuff this is why you know every
time we have code freeze and code changes that we're you know we're harping on this stuff or anytime sales
comes and we make us put something in without doing the security architecture properly and pin testing it's you know
there are tons of cybersecurity professionals out there that are going to thank you for this tool when you bring it in to the organizations and
we've like you said we've worked together before so we know the value that this provides because executives really do understand
they understand the dollar they do understand the dollar and they understand the assumed risk that they now have as
leaders of their corporations right that they they deal with and and i'm just going to call what is it it's it's shock
and awe right because the the old way the other way that we you know cyber security professionals we
get things done would be you know penetration testing it's something for me to tell you hey you have
um you know your website doesn't have a timeout for posts so i can i can ddos
your login right that means nothing when i put you on a zoom meeting and i say try
to get to your login page now and they go it's not working that's the moment that it clicks right
that was you know i could tell you that on paper 100 times but until you see it not work it changes it and i i really think that
this um this calculation this this formula that you've put together for for these organizations is really really going to
help them understand you know i think where it means the most not that it not that it doesn't mean to be you know you want to
be secure right but um this will help you understand why it's so important to implement the substitute right exactly
well thanks laura you know um one of the things that happens here is
that we we we have all this literature and i mean gartner and others uh saying well oh you've got to you've got to
align the cyber security function with the business yeah you've got to you've got to make it uh visible and and uh you
know it can it can tee up and and align with business strategies and you know
it's got to be more of a business function so that all sounds great but then you know the issue is well like
most things in life how do you do it and how do you accomplish that and so it's our belief that you know everything
in business is managed by dollars and cents at the end of the day and one of the neat things is to see the
cyber security function now able to go like in your example
and say look if we address this particular issue it reduces our risk by x dollars per
year and that's obviously an actual carrying cost it's not a it's not a theoretical people
like to think about risk in terms of well it's only it's only going to cost me if the risk actually happens
and the thing is that all of us don't use that principle in that in that
funny kind of way in our daily lives i mean i you know i buy car insurance and there's a reason for that and it it cost
me something i actually rate the check to the uh to the insurance company for
the premium that's a real cost and all of these cyber uh situations and
and risks have an associated cost as well all the insurance premium is telling you is that's the insurance
companies rendering based on their analysis which itself is quantitative of course of what exposure you have and
what they're on the hook for so you know that's that's a real cost in the real world but very few companies understand
that but it's great to see the cyber security function able to say you know what we we accomplished a cost
reduction here while enhancing the protection of the enterprise that's something that then has resonance with
management that they can understand further to your point yes yes it does and you know it could be
probably said that you know um running running you know services in and out of your ip space is just as
dangerous as driving you should have insurance um you know uh so it's it it just it
makes it makes complete sense right from and and i've been i've been hoping that that you know some brilliant would come along and figure
this out to make my job easier instead of having to you know as a cyber security professional you know scrape
and scrounge to try to build legitimacy on why we need to reduce the risk in this area or why this
area is such a great risk anyway and then that you're right that always comes back to well yeah but we're you know if somebody somebody has to do this or we
have to be attacked or you know we're not we don't have anything that anybody wants and there's there's always a million excuses not to spend money until
you see the dollar figures that are there from a risk perspective that that are going to be incurred if you if you
don't make a decision so well exactly thank you you know people appreciate that and
people have different biases i mean we're human we all have biases and so on but
we uh we worked not long ago with a 170 billion dollar customer
who uh had done risk register and they they paid several hundred thousand dollars to one of the big four
consulting firms to help them implement it and yet they had in their risk register they had 66 risks
so you know how do you how do you operate in 120 countries with 48 000 employees
and have 66 risks i mean it's almost it's almost unimaginable right but yet
that that was and a lot of risk registered technology it's valuable but it only gets us so far and often
those exercises and i attempting to identify those risks at that level are
really kind of bounded by the imagination of the senior management team weighing in
on something like a risk register so it's not uncommon to hear uh someone say
or a cfo or someone outside of the cyber security group say oh well you know i
was in the houston office last week and they had those servers that were running that that had no firewall protecting
them and i i i think that's got to be our biggest yeah yeah that one's yeah that one put me down for that in the
risk register and you know this is sort of like a opinion driven or professional
judgment of an exercise and that's only going to get us that so far there's
almost nothing else in the enterprise you would run on that basis i mean you the auditors wouldn't come in and say
well what's your opinion of the inventory levels you're now carrying well
i mean and but why we do that in cyber security is is really kind of uh a mystery and
and and now we can get to a much better maturity level with those kinds of of
insights absolutely traditionally you know we would we would be in places and you know in
previous lives of course we'd be in places where we had you know 155 000 vulnerabilities
and you know be under the guise of pci compliance and um i'd walk in and look and you know these teams are you know
they're operating 24 7 and shifts trying to get all the stuff patched and
i started looking at the vulnerability that were being listed and started doing exploitation
pocs against them and essentially downgrading the the risk of the vulnerabilities so that we could
you know it's almost like the supply chain crisis right it's like okay look you can't you can't boil the whole ocean right here we i'm using an i'm using a
uh you know kind of a a data driven exercise to say okay yes
this exploit is going to get through these three vulnerabilities no problem we're gonna have a problem these these are priority these three these these
fifteen thousand that are the same tls version one we can change the config on
those on those things later no one's gonna know you know no browser's gonna want to downstep um you know cryptography in modern time
so let's push that to the to the back right so we're kind of playing this rubik's cube game right where we're we're shifting colors around based on
um you know the the technical capability in a short amount of time to develop exploitation in poc to try to help just
you know hold the damn back just a little bit because it's you know everybody is just overwhelmed and there's just a lot of
products that'll you know do just a surface scan and say oh guess what you've got cross-site scripting and you've got you know
outdated java packages and you there's tls1 oh that's a bad one you know and so
there's all this you know this this garbage that gets spit out and if you just take that stuff for face value you
know it can it can really slow down technical teams and then it can also lessen the credibility too because you
know it's it's either you can't fix everything right it's like how do we how do we meaningfully go through this
exercise and tackle what's most important and the product that you have is a great way right to demonstrate okay
hey these these risks are going to cost you the most um you know this is why you've got to put in continuous
vulnerability scanning or or this is why you need to do penetration testing and these sorts of things because
these types of exercises in nist generate a lot of the security control set for
the technologies but also if you don't do it incur a lot of the risk yeah absolutely and so you know what
what we believe is attainable now there's a lot more that's attainable in getting these kinds of insights and
really putting effectively it's it and you guys have heard us reference this before but sort of like adding a gps to
your cyber security program yes gets you straight to the heart of the
matter straight to the place you need to be as a business and it also shows you the journey along
the way that's that's a beautiful closure right there we've we've got to jump i would i
would just love to have you back on the show again and um thanks for sticking around in the cigar lounge to to chat
with us uh kind of informally so i appreciate it very much well thank thank you so much david i mean this is just a
fascinating topic and i think it's a game changer for the industry um and the
fact that you've made this type of data accessible to mid-market and emerging
companies not just fortune 500s that that is incredible so
thank you uh thank you for joining us david it's been great chatting with you thank you zach really appreciate uh
getting the word out and uh uh you you know let us know where we can help uh at any time in the future well
thank you so much everyone for listening uh you can find more about arts nimbus at
we'll put a link to the show notes we'll have the link to arcs nimbus but also to the news
articles that mike talked about earlier today and please let us know your
questions any suggestions for topics any ideas that you want to discuss please let us know and we'll be happy to
cover them on future episodes thanks a lot and have a great day pick up your copy of the cyber ants book
on amazon today and if you're looking to take your cyber security program to the next level visit us online at join us next time for another edition of
the cyber rants podcast