It’s as true for tech as it is for war and football: sometimes the best defense is a good offense. But that requires everyone within an organization to understand the threat and how to counter it.
Scott Kannry and Brendan Fitzpatrick, Axio’s CEO and VP of Cyber Risk Engineering respectively, understand this challenge. Axio’s goal is to help organizations neutralize cybersecurity threats through a combination of services and products. The company prides itself on removing the jargon and insider talk to make cybersecurity more accessible to the entire organization.
“One of the areas where I think we’re having a lot of success is helping the tech individuals speak business,” Brendan says. “We’re putting a tool in their hands where they can quantify those risks and say, I think this is what it could cost the bottom line. And now you’re speaking the CEO’s love language: it’s financial terms.”
Speaking of financial terms, Axio got a boost in November 2018 when they raised an undisclosed amount from early-stage investor NFP Ventures. If you’d like to make a contribution of your own — albeit in time and skill rather than money — they’re currently hiring, mainly for their New York office.
With backgrounds in insurance and technology between them, Scott and Brendan are the perfect double act for a business that combines preparedness with innovation. They explained why cyber insurance really is a good idea — and why it’s also not the only good idea.
Technical translation
Scott Kitun: The education component might be the most vital need that you can fill for these companies, because there’s a lot of them right now thinking that they’re flying with instruments, but they’re flying blind.
Brendan: Well, their tech personnel, their cyber experts, are telling them that they’re good to go. Most of our cybersecurity professionals, at least in the United States, come from a tech background, and when we go through cyber training we’re taught these are the things you do: you have long passwords, you plug the holes, use firewalls, and this and that. And we’re never taught to align ourselves with the business, and figure out what the critical assets of the business are, and prioritize those things.
One of the areas where I think we’re having a lot of success is helping the tech individuals speak business. Before, they say, hey boss, we’ve identified these five risks that are all red on my chart, which means nothing to a CFO or CEO. We’re putting a tool in their hands where they can quantify those risks and say, hey boss, I’ve identified these 15 things, these three things here concern me. I did a calculation and I think this is what it could cost the bottom line. And now you’re speaking their love language: it’s financial terms.
Scott Kitun: Most of your customers are not the people who are tech savvy: really the target is the people who don’t know what they’re doing, because they’re the ones who leave puddles everywhere.
Scott Kannry: We do a lot of business with the CSOs of the world, because, to Brendan’s point, the appeal for them in what we do is that ability to sit at the C Suite table and converse in that language. But you think about CFOs and CEOs and the chairs of audit committees on boards: you have huge technological gaps in terms of their understanding and ability to drive change, which often results in misplaced priorities and misplaced focus, because maybe all they know is regulations.
If you take the healthcare industry, for example — just because of how things have evolved over the last five to 15 years — every pharma and healthcare CEO, I’m sure, is really well attuned with their HIPAA obligations, protection of patient information. So they spend all their time and effort and resources there, because they don’t want to be the ones whose names are in the paper: if that company has a healthcare information breach, they’re getting fined a couple million bucks. So all the focus and effort is there. Meanwhile, they’re operating pharma manufacturing facilities that are producing disproportionately high quantities of some key blood testing compound, or something like that, and this facility doesn’t even have a firewall because the understanding isn’t there, as far as what risk really matters to the firm and what can go wrong.
Why cyber insurance is worth it
Scott Kitun: You guys are in the perfect position to talk about what companies can change going forward to do a better job, and to understand the gigantic liabilities that they’re carrying even if they’re insured, but not doing the things that they’re supposed to be doing.
Scott Kannry: Insurance isn’t a replacement for bad security, but at the end of the day, insurance does actually serve a unique purpose. Unlike any technological control that a company needs to have in place to prevent events from happening, a well done insurance policy is the only thing that will actually pay for the cost of an event if you have one. And ultimately, it’s a better balance of all the things that we help companies understand and then deploy.
You can always do more, and you go to security conferences where there are always folks that will sell you more shiny objects and silver bullets: but if you’re already doing a really good job from that standpoint, maybe it makes sense to spend your next dollar on an insurance contract, in the event that something happens. Because at the end of the day, that is the only thing aside from cash in the bank and other financial instruments that’ll help you pay for the cost of an event.
Brendan: When Scott recruited me, he was talking to me about the cyber insurance, and he was a reformed insurance guy, I was reformed tech ed, and I’m like, cyber insurance, that’s all bunk, right? And then he’s like, no, it’s a financial control. Just like you have your firewalls, that’s a technical control, and your process, that’s like an administrative control, cyber insurance is a financial control that augments all the other wonderful things that you’re doing, and it starts to make sense when you look at it that way.
How to spend your security budget
Scott Kitun: If you are a company who’s just trying to dip your toe in this and understand what’s the best way and where the gaps are, what do you recommend they start with?
Scott Kannry: Let’s not jump to coverage, because that’s just one piece of this puzzle. The way we’ll often describe what we do is, if you’re spending your first dollar or your 15th dollar or your 500th dollar, where are you going to get the most return on that dollar spent? If you don’t have a cybersecurity program, we’ll spend that first dollar on understanding what your risk is. Who are you, how do you use technology? And as a result of who you are and how you use technology, what could go wrong, and what are those narratives, and what might those narratives cost? Now you’ve got a business-centric picture of your risk.
Now, prioritize according to what would be your worst day, and beyond that, where am I going to get the most bang for my fourth dollar spent? Is it some type of control, because what I just described — a certain narrative — the only reason it can happen is because I’m not doing something? Well then, do something. And if the spending of that dollar prohibits that event from happening, that’s a far better spend.
Looking at that same analysis, say, I’m already doing all these things and I can do more, but maybe at this point I’ll get a greater return on that $500 by training my employees better, or having my lawyers tweak some clauses and contracts. If I’m doing everything else really well, maybe it’s buying that insurance that’ll pay for that event if I still have it, despite the improbability.
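The "first dollar, fourth dollar" ordering Scott Kannry describes is a return-on-spend ranking across technical, administrative and financial controls, evaluated against the residual risk after each purchase. The Python below is an added illustration of that idea, not Axio's model or code: it expresses two loss narratives (echoing the breach and the unfirewalled plant from the interview) as annual frequency and per-event loss in dollars, treats insurance as a financial control with a deductible and limit, and greedily buys the next affordable option with the best expected-loss reduction per dollar. All scenario names, frequencies, loss figures, control effects and policy terms are constructed for the example.

```python
"""Quantify loss narratives in dollars and order candidate spends by
expected-loss reduction per dollar.  Added illustration, not Axio's model;
every number below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Scenario:
    """One 'what could go wrong' narrative expressed in dollars."""
    name: str
    frequency: float                 # expected events per year
    magnitudes: Dict[float, float]   # loss per event -> probability given an event


@dataclass
class Insurance:
    """Financial control: the insurer pays loss above the deductible, up to the limit."""
    name: str
    premium: float
    deductible: float
    limit: float

    def retained(self, loss: float) -> float:
        paid = min(max(loss - self.deductible, 0.0), self.limit)
        return loss - paid


@dataclass
class Control:
    """Technical or administrative control: scales the frequency and/or the
    magnitude of the scenarios it addresses (factor 1.0 means no effect)."""
    name: str
    cost: float
    freq_factor: Dict[str, float] = field(default_factory=dict)
    mag_factor: Dict[str, float] = field(default_factory=dict)

    def apply(self, scenarios: List[Scenario]) -> List[Scenario]:
        out = []
        for s in scenarios:
            f = self.freq_factor.get(s.name, 1.0)
            m = self.mag_factor.get(s.name, 1.0)
            out.append(Scenario(s.name, s.frequency * f,
                                {x * m: p for x, p in s.magnitudes.items()}))
        return out


def expected_annual_loss(scenarios: List[Scenario],
                         insurance: Optional[Insurance] = None) -> float:
    """Sum over scenarios of frequency x expected retained loss per event."""
    keep = insurance.retained if insurance else (lambda x: x)
    return sum(s.frequency * sum(p * keep(x) for x, p in s.magnitudes.items())
               for s in scenarios)


def worst_day(scenarios: List[Scenario],
              insurance: Optional[Insurance] = None) -> float:
    """Largest single-event loss the firm would retain."""
    keep = insurance.retained if insurance else (lambda x: x)
    return max(keep(max(s.magnitudes)) for s in scenarios)


def plan_spend(scenarios, controls, policies, budget):
    """Greedy 'next dollar' ordering: buy the affordable option with the best
    expected-loss reduction per dollar, then re-rank the rest against the
    residual risk.  At most one policy is bought.  Returns (purchases, EAL, worst day)."""
    current, policy, chosen = list(scenarios), None, []
    todo_controls, todo_policies = list(controls), list(policies)
    while True:
        base = expected_annual_loss(current, policy)
        best = None  # (ratio, reduction, option)
        for c in todo_controls:
            if c.cost <= budget:
                red = base - expected_annual_loss(c.apply(current), policy)
                if best is None or red / c.cost > best[0]:
                    best = (red / c.cost, red, c)
        if policy is None:
            for p in todo_policies:
                if p.premium <= budget:
                    red = base - expected_annual_loss(current, p)
                    if best is None or red / p.premium > best[0]:
                        best = (red / p.premium, red, p)
        if best is None or best[0] <= 0:
            break
        ratio, red, opt = best
        if isinstance(opt, Control):
            current, budget = opt.apply(current), budget - opt.cost
            todo_controls.remove(opt)
        else:
            policy, budget = opt, budget - opt.premium
        chosen.append((opt.name, red, ratio))
    return chosen, expected_annual_loss(current, policy), worst_day(current, policy)


# Constructed sample data: two narratives, three controls and one policy.
SCENARIOS = [
    Scenario("patient data breach", 0.05, {2_000_000: 0.8, 10_000_000: 0.2}),
    Scenario("plant outage via unsegmented network", 0.2, {500_000: 0.6, 5_000_000: 0.4}),
]
CONTROLS = [
    Control("firewall and segment plant network", 150_000,
            freq_factor={"plant outage via unsegmented network": 0.25}),
    Control("phishing and ops training", 40_000,
            freq_factor={"patient data breach": 0.7,
                         "plant outage via unsegmented network": 0.8}),
    Control("tighten vendor contract clauses", 20_000,
            mag_factor={"patient data breach": 0.9}),
]
POLICIES = [Insurance("cyber policy", 350_000, deductible=250_000, limit=5_000_000)]

if __name__ == "__main__":
    print(f"now: expected loss ${expected_annual_loss(SCENARIOS):,.0f}/yr, "
          f"worst day ${worst_day(SCENARIOS):,.0f}")
    order, eal, worst = plan_spend(SCENARIOS, CONTROLS, POLICIES, budget=600_000)
    for name, red, ratio in order:
        print(f"  buy {name}: cuts expected loss ${red:,.0f} ({ratio:.2f} per $)")
    print(f"after: expected loss ${eal:,.0f}/yr, worst day ${worst:,.0f}")
```

With the constructed figures the plan follows the order in the interview: training and the plant firewall go first because they stop events from happening, the contract tweak comes next, and the policy is bought last once the controls have driven frequency down, capping the worst day at the deductible plus whatever exceeds the limit. A pure expected-value ratio understates insurance, whose value is that cap rather than the average, which is why the function reports the worst day alongside the expected loss. A real quantification would replace the two-point loss magnitudes with a fitted distribution and a simulation; that refinement is beyond what this example shows.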