How to Effectively Communicate Risk Stories

Megan: Hi, I'm Megan Phee and this is GRC& Me, where we interview industry thought leaders in governance, risk and compliance, on hot topics, industry specific challenges, trends and more. Learn about your methods, solution and outlook in the space. Hello everyone and welcome to GRC& Me. Joining me today are two experts in the risk quantification field. Rich Seiersen, who is an experienced CEO, CISO and risk management faculty member, working with brands like GE, Twilio and Lending Club. Rich is also a published author and his books include, how to measure anything in cybersecurity risk and the metrics manifesto, confronting security with data. Joining Rich and I is Mark Tattersall, VP of product at LogicGate, who leads the team on developing risk cloud quantify. And today, we all talk about risk quantifications for insure tech. What conversations are actually happening at the board level, technology that can drive greater consistency and lastly, what inspired Rich to write his books. And now, here's our conversation with Rich and Mark. Hi, Rich, hi, Mark. Thank you for joining us on another episode of GRC& Me.

Rich: Hi, Megan. Pleased as punched to be here.

Mark: Hi, Megan. Likewise.

Megan: Wonderful. All right, well, let's get into the conversation today. So, Rich, we were talking offline, before today's episode, about the importance of risk quantification for the insurance technology space. Can you expand on that impact of risk quantification? What will it have on the insurer tech for our listeners?

Rich: A little background, by the way, on this topic. So, my first book, which I co- authored with Doug Hubbard, it's called how to measure anything in cybersecurity risk. And I'm not here today to sell books, I don't make any money in books at all, unfortunately. But that book, it's the only security book that has been required reading for the Society of Actuaries exam, as of 2018, I don't know if it still is. And so, there's a lot of relevance there to, at least, some of my scholarship on this topic. What I found out though early on, at least, with insurance, they were doing more benchmarking with companies. So, they didn't have actuarial tables, they didn't have automobile accidents going back decades. And so, how insurance was doing things is they... I was at a company at the time and they looked at our company like, oh, you're a SaaS company, everyone seems to wear hoodies, you're in the Bay Area. We'll look at other companies like that and, kind of, do this and do that. And what they didn't do though is, so they gave us a rate that was just, kind of, like, oh, you look like them, you look like you're 20 and you look and talk and walk like them, but they didn't look at the value at risk. They didn't look at the fact that we were persisting a couple trillion records of PII, in the cloud, at the time. And they didn't take into consideration also the strength of controls or anything like that, really. And I get it, insurance was easy, relatively easy, to get back then, it was relatively cheap, cyber insurance that is. Not the case anymore, not with the advent of ransomware. So, things have really changed. So, the methodologies and approach, from an insurance perspective, were really benchmark based, they weren't risk based. So, in our case, for example, where we had a lot of value at risk, the insurance company actually ended up taking on a lot more risks than they suspected. I mean, it would've been one of the largest breaches in history and we would've quickly drained all the coffers of that money. And we weren't nearly as protected as we thought we were. The insurance companies had an opportunity to make a lot more money too, in the process, if they would've taken any consideration of the value at risk and controls. Or even potentially denied insurance, which they weren't doing back in the day. I ended up buying 20 million more insurance. But the bottom line is that, there is a need now, again, with the advent of ransomware, with the fact that it's just been really bad for the insurance companies who owned a lot of risk, right? Had a lot of policy out there. So, there's a lot of drivers that really need... they need better quantitative risk management, they need to take in consideration value at risk, they need to take into consideration control strength. Listen, you're not going to get every jot and every tittle, you're not going to be able to understand everything but that's why it's called risk management. Risk management is like, hey, gosh, I don't know everything but I'm going to make a bet and if I can beat the house, then great. And so, whatever information I can bring to bear to my decision making, I want to have. I know that's a lot of words but it's real, it's happening now and there's a lot of opportunity to really do better and I think it's quite exciting, obviously.

Mark: It's interesting actually, Richard, the kind of, how much cyber insurance should I buy was one of the things we kept hearing again and again, when we were interviewing CISOs and leaders in this space last year, as we were trying to understand how we could help our customers make better risk informed business decisions. The other key one that, kind of, led us down the path to actually building out risk quantification was about how to communicate risk effectively to the board. And that was really one of the pivotal things, along with the, kind of, like, how much insurance to buy, that kind of towards building risk cloud quantify. I'd really be interested in your experience and how you have used risk quantification to explain and detail risk to the board and the decisions you're making.

Rich: Sure. I'll tell you about how I thought about it and then, how I'm actually thinking about it now, even most recently. So, I held to the perspective that I didn't need to show the sausage factory to the E team or to the board, to audit committee, whatnot. I was doing the quant stuff, I mean, I had the skills, I knew how to do it, I was pretty handy at it but I didn't feel a need to go in and show a distribution or an S curve or pick your statistical poison, I didn't feel the need to go and share that with the team. Albeit, most board members are more educated and quantitatively savvy. I mean, listen, most of those folks eat risk for breakfast, right? I mean, one of them at GE, Jeff Immelt, had his undergraduate in applied maths from Dartmouth and he had a quantitative MBA from Harvard. And he's a smart guy but he was the dumb one in the room, a lot of physicists and whatnot, if you know anything about GEs business. But I didn't feel a need to present quantitative data at that time. This is important to say, I was presenting decisions that we were making and if they ask the rationale, why? So, it's more of a qualitative discussion. Because you don't have a lot of time to stand in front of them and what have you. I think that's changing though and I do think the appetite is definitely more on, they want to see quantitative stuff. And I think there is much more of an appreciation for being able to share uncertainty. I know people are uncomfortable with that but I think that's a reality. It is interesting, there was some research done and it's out of University of Merced, out their cognitive science group, they were working with NASA. And there was a problem with... I think this was in the Himalayas, with alpaca's dying when it gets really cool. And this is devastating, not just for the alpacas but for their livelihood. And one of the problems they were having was with people who were not specifically trained, being able to look at forecasts about weather specifically and then, basically, pick up the back phone. I don't know what they were doing to communicate with... This is actually NASA and The Red Cross, to actually get alpaca coats and whatnot out there, right? It was interesting. What they found was that, actually, untrained, people who were potentially even educated, were far more better at making accurate forecasts when they're actually looking at real distributions, not the stuff that we tend to do in the security industry to communicate risk, actual stuff. Things look like, kind of, camel lumps and things like that and with credible intervals, whatnot. They were much better, both the trained and untrained people were much better at making decisions that had live or death, in this case, were alpacas and for the livelihood. So, I thought that was very interesting. I know it's, kind of, a little bit of an aside but I suppose there's this prejudice that we have, that people are going to be uncomfortable with seeing statistical materials. And here I am, a guy who wrote the book on it and I'm really turning a leaf. But it's also being asked for, people want this data, people who are doing credit want this data, people who are doing insurance want this data, executives want this data, presented in a way that it retains our uncertainty without obscuring our certainty. At this point, typically, when I'm talking publicly, I didn't say PS: die, heat maps die, but I won't say that here.

Megan: You're talking about, kind of, a shift, that you're starting to see, of wanting to know more of the story and giving more space and air time to understand it. And really having those that are more familiar with it wanting to lead in and giving an opportunity to those that do this to help to defend what's going on within the business and also help to inform strategic opportunities.

Rich: I would say this, I want to share this point. I might have made it unclear because this is why I told the alpaca story, is that, A, there is industry drivers that are requiring reporting where we understand impact is money, is a range of loss and probabilities. I mean, if you look at standards, you're seeing that, it's all in there. There is a belief or a mythology links, historically, that executives and untrained people are allergic and get the heebie- jeebies if you start using statistical language and/ or goodness forbid, you show a curve, distribution, they're like... There isn't a lot of support and the research is actually the exact opposite, that people are actually able to make better risk decisions with what's been used in the past a hundred plus years in statistics. Go figure, I guess, these engineers, life scientists, physicists, et cetera, actuaries, maybe they know something about presenting uncertainty.

Megan: Exactly. And Mark, I'm sure that is a lot of what you're seeing as well. And so, one other thing we were talking offline, the three of us, was about how people, processes and technology are all used to help to project real loss. And so, would love to hear both of your thoughts on that, Rich start with you. What do you mean by that? How can people be able to predict or project losses?

Rich: So, there's two sides of the coin. Previously I was talking about risk and forecasts, enterprise risk level sorts of things. That's one of my first book deals with, by the way, where you're confronting, kind of, irreducible uncertainty like, you have this big black box, which is an enterprise and it's third and fourth parties. How do you go about forecasting probable future loss, right? And all that stuff. And so, my first book covers that. But the reality is, from an operational perspective, as a CISO or as a risk leader, I'm in the business of deploying capabilities. So, I got systems made up of capabilities. So, I'm hiring people, I'm buying technology and building processes out. So, part of my job, as an operational leader now, there's a risk leader and operational leader, is to be able to understand, are my capabilities, I've deployed, are they scaling? Meaning, over time, as we measure over time, are they keeping up with the volume of risk that my business is trading? So, successful businesses are in the business, if they're successful, exposing more value to more people, through more channels at higher velocity. If they're successful, you should be doing it because you want to make more money, right? And then, on the other side, you have bad guys, who are in the business of stealing your shorts and getting really good at that. And here we are, we sit in the middle of security, so we have these volumetric, kind of, activities happening on either side of us. And I'm spending money and doing things and I want to know, are my controls, are they scaling? Are they working? So, we're in the business, from a metrics perspective, operational metrics, we're in the business of measuring our capabilities. Are they scaling? Or if they're deficient, if they don't meet our risk tolerance, we discover that through measurement. Can I measure that they're actually accelerating to the goals they need to meet? Or am I decelerating? So, that was the conversation we had and I don't need to get overly technical but that's the other side of the coin. So, you have the risk side, big black box and then, you have the operational side, where you actually have telemetry coming from your systems and you're trying to measure. And so, those two things can really work together. Meaning, you can actually then have your risk, what was a big black box, reducible uncertainty, you can start having that be informed by empirically, mathematically, unambiguous and auditable data. It's not a complete story still but it's a lot better. So, I write a lot this stuff and think about it all day long, so it's interesting to me, I don't know if it is to anyone else.

Mark: Well, it resonates with me, actually, because that was definitely a lot of what we heard about wanting to have a seat at this table, about how risk, like a CISO, can support the business in the growth that they're looking to drive. And in order to do that, they felt like they needed to bring more to the table than a heat map or one to five scale or trust me, we need to go work on this area or put resources in this area. And, kind of, risk quantification was starting to, kind of, help provide a little bit more empirical understanding about, okay, I see where we want to go, I have a better understanding about where we are now and I can therefore, kind of, join the conversation about what resources or where I need to devote my attention to support where the business needs to go. And then, you have that seat at the table that I think a lot of CISOs are looking for and are required to have these days, right?

Rich: Yeah. And I want to be able to say, let's say, audit committee says, hey, Rich, great presentation at the board, we'd like to meet with you for three hours. Typically, that would give any CISO the inaudible, they'd be like, oh my gosh, what's going to happen now? But I want to be able to have that conversation and say, hey, look, goodness forbid I shared a heat map and an upright corner is the maroon bleeding square with 10 things in it that I say, man, we're going to work on those things. Even if I do that... And people, listen, hey, look, I like risk art just as much as the next guy or gal. So, if I present that, I want to be able to say, but here's how we're rank ordering things and this is why. It's based on return on controls and we've taken into consideration our value risks, data controls, our capabilities. And while we don't know everything, we know something. And based on that, that's why we're making these investments. We're using a consistent ruler or measurement stick to understand this. It does it mean they were absolutely empirically going to lose this much money in the future, I'm going to write a check. No. I don't know that but I'm being consistent, right? I'm being accurate, with some precision, but mostly accurate and I'm being consistent about how I go about measuring things. I'm trying to reduce any, sort of, arbitrariness so I can make the best bet possible. That's the outcome that I'm shooting for. And listen, that's what your sales leaders do, by the way, at LogicGate, that's what they do. They do some sort of forecast and they, kind of, rank order things based on... But they don't know, there's a lot of uncertainty and this is what your CFO does. Everyone else does those stuff and we get to as well.

Megan: I love that. You'd mentioned your books and many of us know that you're a published author on the topic at hand but is that what inspired you? Or tell us a little bit about what inspired you to put pen to paper? Share these thoughts with the broader audience.

Rich: I mean, I said this in our last talk but one of my favorite quotes, necessity is the mother of invention and boredom is its father, right? And so, I was at Kaiser Permanente, largest health maintenance organization in the US, just big company and I was in there. I started there early on just running vulnerability management, which is worth hundreds of thousands of assets and expanded to GRC, data science and all this pen testing and all that jazz. When I was getting back from my assessment folks, either are pen testers, inaudible folks, whatnot, great industry leading cats, right? And I'm getting this information back and it was very inconsistent and it was August. And listen, Kaiser had things that people put their bodies into and the things they put into their bodies and everything in between and we're talking about literally, this is critical infrastructure. And so, I was like, gosh, this just doesn't feel good. I, kind of, feel like Billy Beane, Billy Beane's like, we're losing a lot, this doesn't feel good, there's got to be something better. Oakland A's, Billy Beane, Moneyball. And so, like him, I prone to wander, I started looking at people, typically, outside technology, who were dealing with a lot of uncertainty where they were. I ran into people I'd call measurement experts, people doing, again, statistical physics, life sciences, actuarial stuff, reading broadly and meeting few folks and that's how I ran across Doug Hubbard and listen, Doug didn't invent the methods that he pushes for that, now influenced FAIR and other things like that. FAIR found its roots in his first two books. He just provided a better API for the rest of us to understand how to use these methods to make better measurement. So that's, kind of, my path and how I got here. And I like the problem space and I think it's very needful and I do... I don't know, it's kind of a magical mystery tour, I enjoy it. What can I say? And so, I've written a second book because also, I'm a masochist and so, there you go.

Megan: What could we expect from that book?

Rich: Oh, I think, most of the people who really enjoyed my first book will be profoundly disappointed in this one. This one is awful, it's probably 40% code, probabilistic programming and it's hardcore Basian stuff. I mean, there's some fun narratives and history and then, it just gets right into sadness, with really hard to think about stuff. I expect a lot of people will buy it, having expecting it to be, kind of, like, the green book, relatively easy. And then, they'll start reading and it'll be smooth sailing then, boom. I gest a lot but it is readable, for those who are concept only readers. It's not that kind of girlfriend or not that kind of boyfriend, you got to spend all your time with it, it's hard.

Megan: Not for the fate of heart. You really want to be a student of the subject, right?

Rich: Yeah. Yeah. And please excuse me for all the mistakes. I'm a statistical API user but I'm not a statistician but we do our best.

Megan: So, what's next for you? So, you're pouring your thoughts into this really interesting new book that some will value and need and other that will be educated on maybe a new topic, a new way of looking at this. But what are some other things that you're working on right now? What's going on in your career trajectory, your life?

Rich: I realize that we thought our first book was going to be hated, long gangly title, pea green cover. We knew that it's value, starting at page 100, was really good for pressing flowers, so we knew that for sure. But we didn't realize, this is one of the bestselling security books ever, right? And we didn't plan that. Just like Led Zeppelin didn't plan Stairway To Heaven, to be great. No, I'm sorry, making a false comparison. But I don't know if this book will be hated or not, so I suspect that it will and so, my career will be in answering a lot of hate mail and tweets for several months. That'll be, kind of, what I'll be doing. I'm going to go do some, sort of, CISO gig. I sold my company and so, I'm now guy at large. I do a lot of advisory work with startups, still do a lot of training on quantitative stuffs as well but I probably will end up going back to some of the CISO gig. The things that seem to come my way are definitely more along with the quantitative side of things, companies that are really heavy into data science, typically big, they have big massive data platforms and they're looking for people who've, kind of, can play in that space fluently.

Megan: Well, Rich, I am glad that our paths crossed, I think it's around this common interest of risk quantification. I know, Mark, you used to dedicate a lot of your day time and probably weekend time thinking about this subject as well. Mark, tell us a little bit about the work that you and the LogicGate team have been working on as well.

Mark: Yeah. Yeah. We've been researching this for a good a year, year and a half now and not actually looking at this from, should we build risk quantification? It was far more an understanding about how do we help our customers make better risk informed business decisions. And it involved a lot of conversations with a lot of people like Richard, people in the practice, analysts, experts in the industry. And again and again, we heard this, kind of, same story around an ad- hoc, kind of, accumulation of information from various systems to go and stand up in front of the board or their boss and, kind of, make the case for, we need resources for this, we need to buy a tool for this, we need to strengthen controls in this area. And so, risk quantification we felt was one of the most important first steps we could help our customers take towards being able to have that conversation from a more, kind of, educated and solid footing, really. But we definitely see it as a stepping stone and not the end of the journey. So, we've built risk quantification into the platform, it's using the FAIR model right now but it's the beginning of a journey towards helping our customers use the risk cloud from LogicGate to, kind of, pull these various sources of information together, to use risk quantification and to be able to present that in a format, to whoever the consumer is, in a way that makes sense for the business decisions that they're making. And I think we already have a lot of that information in our platform, from how customers uses today. Risk quantification is a really important next step in that journey and we're constantly iterating and moving down that path towards helping our customers make better risk informed business decisions. And that's really what a big portion of our product team is focused on and researching and it's been an exciting journey so far. I think we've all learned a lot, we get speaks people like Richard and others and it feels like the way that the industry needs to go and we're excited to be a part of that journey.

Rich: For the millions of fans listening, they didn't pay me or ask me to say this but the way I got connected with LogicGate, every place I've been has had, at least, one GRC, one type or another. And they were all mostly sad and disappointing because the businesses where I was, they just didn't scale, because of, really, the data model and the platform approach. And the world's changed, right? Now we've got great things in the cloud, auto scaling and whatnot. But there's an expressivity and power that's necessary in GRC because we are dealing with... Every company's a snowflake, right? And you're dealing with different sorts of architectures, different concepts of assets, with different levels of decomposition and how they relate one another. Now, you have third- party and fourth- party risk. So, you have this, what I'd call, really, a network graph of complexity, that's changing and expanding and undulating. And so, as a risk leader, particularly, in the, I'd say, the Fortune 10 all the way down to growth companies, I really wanted something that could handle legacy but also accommodate more cloud native sorts of asset concepts as well. And so, what I found out about LogicGate is that, they were taking a graph based approach to how they understand things. Then when you overlay with that, more of the probabilistic sorts of stuff or quantitative risk management, to me, it seemed like, directionally, if I were to take what was a Brownfield Market and reinvigorate it, this is the approach that I would take. So, we started talking... Because I'm just excited and nerd, right? And wanted to chat. So, they didn't ask me to say this but I think that... And, in fact, if you look at my first book and go way past their first areas for pressing flowers and get the latter chapters, I get into data marketing and whatnot. But I talk about how you would want to add probabilistic programming and whatnot, into how you do your BI and whatnot. And that was using, kind of, old... because I wrote the book five years ago, that was using dimensional modeling, right? And I didn't write about it because no one cared, at the time, we were using graph stuff. But the graph approach absolutely is the correct way, if you're really into modeling to doing this. So, I just encourage those of you who are out there, who have experienced sadness with your ability to model, right? Risk, using a GRC, to give LogicGate a shake. I had a chance to look at the early risk quant solution as well and the visual domain specific language, that draggy- droppy stuff that they have and it really does seem quite accessible. Despite all the nerd stuff I said before, it actually looked very, very accessible. So, I just wanted to share that and they didn't tell me to say that, I'm just a nice guy.

Megan: Not a paid commercial. Well, Rich, I appreciate that. Most, I appreciate because of the lens in which you're coming. You literally wrote the book on it, you study it, you're a student of this space. Mark, you work on this product day in and day out. And having both your perspectives here, just to share a little bit about where the market is, where it's been and where it could be going, I think is valuable for all of our listeners today. So, Rich and Mark, thank you so much for joining us on another episode of GRC& Me.

Rich: Our pleasure. Keep up the good work. Thank you.

Mark: Thank you.

Megan: And to learn more about risk cloud quantify, check out the definitive guide to risk quantification ebook. It's located in the resource center at logicgate. com. So, until next time, this is Megan Phee, with GRC& Me.