I recently had the honour and privilege to share a stage and panel discussion with Gaurav Banga (CEO Balbix) and Daniel Gisler (CISO Oerlikon Group) at the Swiss Cyber Institute’s Global Cyber Conference. A fantastic event held in an auspicious location with a commanding view over Zurich. The panel discussion itself was excellent and although much of it has been covered elsewhere, what I took away from the lively interaction with the delegate audience is that there is a real interest in trying to understand the risk exposure associated with cyber risk, but at the same time perhaps a little scepticism that it is possible to (a) gather the data necessary to make risk exposure calculations and (b) that those calculations are even achievable at significant scale.
Nevertheless, I had some fantastic conversations in the margins before and after the panel. As a risk management professional and an evangelist for the use of data science to observe and understand the risks we are trying to manage so that we are making decisions from facts rather than perceptions. On reflection, the majority fell into three broad categories. For this blog I thought I would share my experience of them. I will call them, ‘the fellow traveller’, the ‘silver bullet seeker’, and the ‘Unsure.’
The Fellow Traveller
These were my favourite conversations, like minded individuals who already understood the power of hard data. They were either users, consumers, or developers of capabilities which gather data from live environments to deliver actionable insights. Whilst sharing insights into each other’s experiences and challenges we faced, which were often very similar, we were intensely curious about the use cases each other had sought to address. What was fabulous is, in doing so, we then started to explore what could be possible if you were to combine data sets. I know it sounds geeky, but imagine if you could build a real-time live data model of your whole business and the environment in which that business operates that enabled you to estimate your risk exposure to a range of risk types at any given time, enabling you to optimise risk taking to deliver strategic goals. Undoubtedly my fellow travellers and I believe it is possible. However, we also recognise there is a long way to go. That said, it was fun to be unbounded and explore the potential art of the possible with like minded souls.
The Silver Bullet Seeker
I would characterise these conversations as ones where my interlocutor was seeking a single silver bullet that would solve all their problems. I enjoyed these conversations too, because I learned a lot. These men and women were a hundred percent on board with the ideas I was describing, and they were interested in the capabilities of tools like Balbix, but they also had some clear ideas as to what additional capabilities they need to have as well. Typically, the conversation would revolve around me describing a vision for risk management based on observed data with as close to real-time information as possible. We might then talk about how Balbix does this, as well as the limitations of what is currently possible. They would ask questions and explore use cases. They would ask, can it do this, or can it do that, and we would stray into areas where I don’t think anyone has solved the problem yet. Areas such as being able to quantify at a given point in time (using live data rather than a physical test) a company’s ability to recover fully from a total loss equivalent to some of things we saw with notpetya. It’s a big ask, and one I think we as evangelists for the use of data to understand risk should be thinking about; and these conversations are invaluable for understanding the challenges people are facing and provide a great input for discussions with my “fellow travellers.”
However, what struck me about the Silver Bullet Seekers, was when I sought to understand how they were currently addressing some of the risk management issues, it was through manual processes and subject matter expert workshops. The feeling I got was that although we can make a step change in improving some of the assessment capabilities using the data science tools we have now, they were keen to wait for a full “Silver Bullet” solution before moving to adopt. Which I guess aligns to those described as ‘late adopters’ or ‘conservatives’ in cycles used to describe technology adopters, and may go some way to explain a little of the scepticism I mentioned earlier. Nevertheless, a fabulous insight into the challenges security professionals are facing today.
My third set of conversations revolved around professionals whose view was that their organisation was insufficiently mature for data driven risk quantification. These were possibly the most interesting conversations for me. As it was a viewpoint I found difficult to understand and one I was keen to explore further. Having an engineering background, I would always take the opportunity to grasp something that I saw as furthering my knowledge or understanding of a problem. I’m also a great believer in surfacing issues so that they can be addressed. If you know all the problems you face, you can build solutions for them. My sense from these conversations was that there were a number of factors at play. Some were just focussed on addressing immediate and pressing issues and had neither the bandwidth, nor probably the budget to think more broadly; some were already dealing with a prescriptive organisational view of how to manage risk being dictated to them and were busy just trying to comply with those demands; some truly were in a place where even the concepts of risk management were not widely discussed or seen as helpful to the management of the business. All fascinating food for thought, and although challenging, hugely enlightening.
I’ve often used the “Post-it” analogy for these sorts of situations. Nobody knew they needed Post-its until they appeared on peoples’ desks after 3M had managed to make a weak glue instead of a strong one and set about marketing them by leaving them around offices. People picked them up, found them useful, ordered more and now they are indispensable. Are we at a “Post-it” moment for data driven risk quantification? I think so. The difficulty we face of course is making it sufficiently available for the benefit to be grasped and used. It’s one thing to drop blocks of sticky notes on peoples desks and quite another to connect to someone’s network, hoover their data and show them what you’ve found!
As many people who know me would say, I like to talk, and I do. I thoroughly enjoyed myself at the conference, and I came away knowing more than when I arrived, and with a whole pile of fresh ideas and problems to noodle. It is a truism, that everyday is school day for those with a curious mind.
My thanks to Gaurav and the Balbix team for inviting me, and my congratulations to the Swiss Cyber Institute for organising and hosting such a great event!