[00:42] Cyber Risk on Demand
Rachael: I'm excited to welcome to the podcast Avi Bashan from Kovrr. They specialize in cyber risk quantification, so financially quantifying cyber risk on demand. It’s my favorite topic ever around cyber insurance. Avi, welcome to the podcast.
You were making some really good points to, why do we need this? Why now? Cyber, cybersecurity's been around for a while. You look at other industries that are much more mature, but let's just start at the beginning. Why now, and how do we get a handle on this thing?
Avi: Cyber risk qualification, it's an emerging area. It's quite new. I think what is happening in the cybersecurity industry, it used to be the tech guys. It's a tech thing, cybersecurity, related to our computers, and to our IT. But what is happening, and we're seeing it happening now with the Ukraine thing as well, is that cybersecurity is a thing that affects how companies are operating. It affects the infrastructure of our lives now, and this means it can cause financial losses that really affects how companies operate today.
What is happening is that people that are not the cybersecurity guys care about it. The CEOs care about it, the boards care about it, and chief operating officers care about it. But I would say the hard thing is that a lot of people don't have this cybersecurity expertise. So how can you convey this message, talking about vulnerabilities that we understand and know, but a lot of people don't?
This Can Cost You Money
Avi: I usually have my dad test. My dad's a CFO and he doesn't know a thing about vulnerabilities, but he understands money very well. When I'm talking with him about a vulnerability, or some interesting research, he's like, "Well, why do I care?"
But when we discuss and say, "This can cost you money," now we're talking. We have a lot of companies that are affected, who are losing a lot of money because of these events.
People care about this now. But they don't want someone getting into the room and start talking about CVEs. They want to understand the bottom line, and how much you are going to lose from an event or might lose. I think that's the thing that is triggering all of this movement for cyber risk quantification.
What we're seeing is new methodologies, tools are starting to be used by the security teams. By chief risk officers that want to convey these, I would say, cybersecurity issues in a way that everybody understands. In a way you now can manage, not just by maybe introducing a control, but maybe doing some other risk transfer mechanisms, like we do in any other type of risk.
Rachael: It's such a dynamic industry. I guess that's where I'm so fascinated about what you guys do, particularly this on-demand notion. You look at things like the Ukraine and there's a lot of concern of what's cascading out from that in terms of, is there a cascading effect? How should folks be looking at their infrastructure and protecting themselves? You talk about modeling. I know we were talking about probabilistic modeling.
Types of Risk
Rachael: That seems very sophisticated to try to put together. I would just love to talk a little bit more about that. This seems like cutting-edge technology, frankly, for what we're dealing with in such a unique environment today.
Avi: I think the beauty is to make a complex thing look simple. Maybe there's a lot of work going beneath, but our goal is to make this thing more approachable; make this something that is understandable for people that don't have a cybersecurity background. The way we're approaching it is looking at our types of risk. So risk is not just from cyber.
We see it since the first insurance contract was signed in Lloyd's in London more than 200 years ago. People started thinking about risk, it was for ships back then, and started building these models to quantify risk and understand how it's going to affect us. There's a lot of understanding there about the probabilistic nature of risk.
I come from a cyber background. We like to a lot of times think about cyber risk as a binary thing, it's a zero or a one. But risk is probabilistic. It might happen or not, with different likelihoods. What we looked at is how you're doing other types of modeling for other types of risk. We took this approach and started applying it for cyber. I think we learned quite a lot from that process.
We understood how there are events that are more likely to happen; there are events that are less likely to happen. It's the technology we developed, but also we're seeing cybersecurity professionals starting to understand that there's some level of risk that you might live with.
You Live With Risk
Avi: It's fine if you know and you're doing those, I would say, appropriate steps to live with that, for example, by buying insurance sometimes. That's insurance. Let's talk, for example, of car insurance. Every time you go on the road, there's risk. You live with risk, but you're transferring some of it. I think the same approach should be applied for cyber as well.
There's risk. We'll try to reduce it. You'll have your seatbelt and your airbag. So the chances that something will happen to you in an accident is lower, but in the end, you'll buy insurance for the case that it's not.
Eric: I agree with you, but I don't know that people recognize cyber risk as they do car risk, where they need car insurance. At least in the States. I can't speak internationally to car insurance, but I feel it's built into society. In fact, many times it's mandated. You can't have a car registered without car insurance in the States. Most states, but there might be a couple that are exceptions.
I don't see the same understanding of risk in the cyber world. In fact, if you go back 20 years, I don't think most people even cared and looked at the financial cost or financial impact, potential cost, of cyber activity on their business, their networks, whatever it may be. Rachael, you've been studying lately. What's the total number of cyber costs now to the global economy? Wasn't it 3.5 trillion dollars a year?
Rachael: The last number I saw was 6 trillion actually, for the cost of cybercrime. It’s equivalent to the world's third-largest GDP, behind the US and China.
[08:58] The World’s Largest Economy
Eric: Economy? GDP of the world's largest economy?
Rachael: Yes, exactly. It's pretty significant.
Eric: That's a lot of cost. Let's assume that number's 50%, it could be half as much. It's $3 trillion. To me, that's a lot of risk. But I don't hear CIOs, I don't hear CISOs, necessarily talking about it. I don't hear them talking about risk usually. And I definitely don't hear them talking about cost in that regard: the financial impact to the business. I don't hear them talking about ROI, oftentimes.
It's such a potential impact to them. Where if you talk to somebody, "Why do you have car insurance?" "Well, I have to. If I fall asleep at night and run off the road, I need to have the state's collision coverage for that." It's just assumed. What do you see? Do people really think about risk in the business, or are they not there yet?
Avi: I think this is a growing trend. We're seeing more CISOs, more CROs are talking about this. I think one of the driving forces here is cyber insurance, to do business today. I think one of the first questions that we get asked is, "Do you have cyber insurance?" Because when we're selling our product to people, they want to know that if something happens, we can continue our operations.
Eric: They're asking if you have cyber insurance, as a business?
Avi: We, as Kovrr, yes. I'm a big believer in free-market versus regulation. We see that businesses today require this from other businesses, because of all of the supply chain impacts that we saw. They want to know that the businesses that they're working with have this ability to continue operations.
Cyber Risk Insurance
Avi: It can be compliance and can be cyber insurance. Once you start going into the cyber insurance space and you're paying a premium to get some coverage, you want to understand: does the premium that I pay, does the coverage that I get, make sense? Let's say you buy $5 million coverage, is that okay? Is that enough? How do you know? I think this is a really driving force here.
Once you start to talk about cyber in financial terms, you really want to understand, okay, I'm buying this coverage. I'm transferring some of the risk, but how much did I transfer? What can happen to my business? How much can I lose? I think that's one of the factors. There's a lot more. I think a lot of those come from just the events that are happening in the world, and companies losing money, paying ransom. All of those have real financial effects on businesses.
I think this is where the non-cyber people are like, "Okay, this is costing me. This cost me money. What can I do now? I want to understand what is my exposure, like I do for other types of risk."
Eric: From a CFO perspective, I mean, they're always trying to save money. IT and security are a cost component of the business. In your travels, your discussions, how is that being looked at? How are you seeing CFOs and businesses make that cost-risk trade-off, maybe, is the best way to look at it. How much do I spend? Maybe it's really almost an ROI.
I’m Saving You from Risk
Eric: How much do I spend on cybersecurity protection, on cyber insurance? How do I think about that, versus how much do I put towards profitability or some other project?
Avi: I think that's a good point. Usually the CISO is a cost center. When the CISO enters the CFO's room, he never smiles. He says, "How much is this going to cost me?"
Eric: I think that's the case at Forcepoint, I am sure.
Avi: I think one of the things that CISOs are looking to show is, "I'm not costing you. I'm saving you," and switching this dynamic of saying bad things happen. Now you understand how much it's going to cost you. Only by paying some amount, by implementing control or by transferring the risk, the business then will be more profitable, because the chances of you losing are lower. That way, they can show the ROI.
I had a conversation a few months ago and it had quite an impact. This CISO of a huge bank in Europe said that he'd invested a few million dollars. It was a multiyear implementation plan of controls. In the end he said, "Well, now I got the budget and I invested the money. I know we're more secure, but I don't have a way to show it."
Eric: To quantify that? How do you measure you're better? How good is insurance if you never use it and how do you value that?
Rachael: But isn't that the point?
Eric: So what did you do? What did you say?
Rachael: What was the answer?
Avi: This is why he was interested in starting his risk quantification, the financial risk quantification. He didn't use it before. But the beauty is that once you're doing modeling, you can show how things behave with and how things behave without.
You can say, "This is how my organization looked like before. Let's run a model. This is the exposure. Let's run a model and see how this happens now that I implemented all of this stuff, and what the delta is. This is how much I saved for the organization."
You can also, I would say, justify future spend. So you're going to say, "If I'm going to do A, B, and C, this is going to reduce my cost." This is exactly one of the major use cases of cyber risk quantification.
Eric: Take me through that because I'm having trouble, and I'm assuming some listeners may. Maybe not. How do you do that cyber risk qualification? Or quantification, I guess, is probably the better way of looking at it. What metrics do you look at? What are the real drivers that you lean on, without getting into any proprietary IP? Actually, unless you want to share it, then that's good too.
Avi: So take your notebook out. There are two, I would say, major things. One is understanding the business. You need to understand the business from the digital lens, but also understand the business aspects of it. Let's take a manufacturer. They have this nice website posted on a good content management system, and that system goes down. How much does this matter, that the business is going to lose?
[17:05] Vulnerability Exists
Avi: Understanding that a vulnerability exists is one thing, but understanding what the effects are if something happens to that specific technology, that's another thing. So you need to understand the technology, but you also need to understand its business aspect, its importance to the revenue, or, I would say, financial aspects to that specific business. So that's one. Understanding the business, how its digital assets relate to business operations. The second thing that is also important is understanding what is happening in the world and what could happen. Cyber is dynamic.
Eric: That's really the global cyber. I almost wish there was a risk index or something, but what's going on right now? Is the Conti ransomware group active or are they fighting amongst themselves? They're shutting down right now as we speak, some of their capability, but you're looking at components and aspects of the global situation like that.
Avi: We have a dedicated team, that's all they do. They wake up in the morning and look, what is happening in the world? What is happening today, what kind of attacks, what kind of vulnerabilities? Are there any new trends that are up and coming? This is a critical thing when you're looking at risks. You need to understand who can be attacked, but also how, and that's, I would say, a big piece of understanding and running a quantification model.
Eric: Then you mentioned the website. I'm thinking of a manufacturer who probably transacts through the website. Maybe they don't, maybe that's just how you get to understand their business. I'm assuming you take some metrics, like on an average day, we sell a million dollars worth of our goods.
Eric: If we aren't able to transact, if our transactional systems are down, that's a million dollars of cost a day. That's the quantified risk to the business on the surface. Then you have reputational risk and other types of risk you would factor in. Is that fair?
Avi: Yes. Reputation is a tricky thing. There's a tangible and intangible loss. It's quite hard today to say how much reputation, and that's not just from cyber; for any kind of risk. What happens when an organization gets some bad rep because of an event? How much is it losing? That's a field that even in the academy, they're quite, I would say, struggling to model correctly. So those are where you put the intangible things.
Eric: It seems transitional. I'm sure we're still piping gas and oil through Colonial Pipeline, Home Depot's still in business, Target's in business.
Eric: Equifax is in business. Shall I keep going, Rachael, or we really don't care because the stock prices are all okay.
Rachael: They rebound in no time. So it's fascinating, actually.
Eric: We understand the risk. You deliver this to a customer, so they now understand their risk. What do most clients do with it? "Okay, I got my risk here in my hand." Do they use it as an argument to the board to more heavily invest in insurance or cybersecurity technologies or protection? I mean, how do they do that?
Avi: What we're seeing is that, I think this is where the discussion is starting to get more sophisticated. It’s not just buying the next best EDR or firewall out there, which is great and also needs to be invested.
Investing in a Better Position
Eric: Which isn't helping anyway. That's not the problem. A solution, I should say.
Avi: It is, but let's be real. It's not 100%. There's never 100%. What we're seeing is the discussion’s starting to advance. There's understanding how you assess risk. There is some chance of something happening. When you're investing in your better position, the chances are lower, but what do you do with that? We see different reactions from different businesses. Some of them are saying, "Now I understand the risk. That's fine. I'm going to live with it."
Some are saying, "I'll do some risk transfer." Some of them are pricing the risk into their products. You have the cost of doing business. Maybe you'll price the likelihood of something happening. Now you need this additional factor to the price so you won't lose too much in case something happens. I would say that's the base of it, just making the conversation more transparent between business stakeholders that care about cyber now. They don't understand it but they care about it, to the cybersecurity guys. So that's one.
I think that the second thing that we're seeing is how we were handling this risk. It can be by transfer, and of course, improving your controls. Sometimes we do see organizations where they didn't price, I would say, or didn't take the right steps to reduce the risk. I'll give you an example, mobile security.
Eric: The Wild, Wild West.
Avi: I did a lot in the past, and I have quite a lot of experience in mobile security. I love this area.
Eric: I'm on the other side of the spectrum, but go ahead.
Why Mobile Security Is Interesting
Avi: But yes, quite a career in cybersecurity. I got a chance to taste a few things. One of the things in mobile security, why it's super interesting and also a threat, I would say, on a personal and for government agencies and businesses. Usually, most of the losses do not come from cybersecurity attacks on mobile devices. Because it's easier to attack PCs.
Would you invest most of your money in buying this fancy new solution for mobile protection? Or should you invest it in a better firewall or a better EDR, or better permission management to your organization? Once you understand where your losses are coming from, you can build a better strategy on this, not just by the technical importance, but also the financial losses that derive.
Avi: We see organizations starting to build strategies that are driven by financial likelihood of losses. This language now connects to everyone in the organization. The CISO can come to the CFO and tell them, "Because we don't have a good permission management system, there's a 20% chance that we're going to lose $2 million. Investing 100K, this will reduce this substantially. Is it worth our while?" The discussion is totally different now.
Eric: It's a business discussion. I love that approach. The ability to quantify risk, I think, is missing from most boardroom conversations, from most CIO and CISO. It's just not the way they have traditionally thought about the problem. I absolutely love the quantification of risk, because then you just have a business decision. Here's what it is, here's what we can do about it.
[25:21] A Better Understanding of Risk
Eric: That was another question I had. I'm assuming once they have a better understanding of risk, they can prioritize their cyber risk management decisions. I'm not sure what I'd call it, but once you understand the risk, you can understand how to prioritize your investments and protection.
Avi: I think as this space is quite early, maybe you can coin the way to call it. That's the time.
Rachael: Great opportunity here.
Eric: Just what the world needs, another definition and acronym. In today's world, without having that prioritization, how have you seen companies decide how to spend their money? What have you seen them do?
Avi: A lot of times it's the technical-level discussion, meaning, "I have a vulnerability. CVSS is 10, I need to run and patch this." I see a lot of attacks on mobile devices, for example, so we should probably install a mobile device solution. So I think it was more of a threat and technical discussion. Does it make sense on some level? It's what we call, in the business, the frequency, meaning how likely is an event to happen in an organization and a specific technology.
The other thing that now we're completing is the severity, meaning if this is happening, what can this cause us? I think this is the missing piece of the equation now, and this is where the discussion is starting to shift to.
Eric: That's what I see. It's traditionally been a hot technology. It's "This is exciting to me as a technologist. We should deploy the latest mobile MVM or whatever it is."
The Toughest Question
Eric: Why are you doing it? "Well, because I did it in my last company and it worked." Or whatever. The toughest question I ask customers, I think, in a given customer meeting, is what outcome are you expecting and why is that important?
It's a two-part question, but it will stump most customers because they don't understand the risk to the business. They may not understand the business need or application, so it's hard to articulate what the outcome is that they're expecting. If you can't describe the outcome you're expecting, you really can't describe the benefit. I think really looking at risk is so important in this business.
Avi: I think really, instead of being on other sides of the line, the CFO and the CISO, they're starting to share the same goal once you're shifting the discussion and looking at it through the risk lens.
Rachael: Myrna Soto who used to work here, she was the CISO at Comcast for many years. But one of the things she talked about bridging those gaps was having a BISO. Your business information security officer, who could translate the tech to the business team, and I think that's an interesting observation. I think we're starting to see more of those, because they're needed, because cyber is the cost of doing business today.
Eric: I think that's ridiculous. To me, that's a bandaid. Seriously. IT is a supporting element of the business. The CISO is usually a supporting element of IT. IT systems are there to enable the business. That's why we've spent money on them. That's why they're there. I think everybody dealing in IT and cybersecurity should have in their job description some relation back to their function, their why.
Why We Are Here
Eric: Why are we here? It's to enable the business, it's to protect the business. But to do that, you have to understand it. So bringing somebody in to bridge that gap is a bandaid. I think people need to spend more time understanding the business, understanding the risk to the business and what their “why” is. I don't know if you agree or disagree, Avi, but I just hate bandaids.
Avi: I'm torn. I don't want to be the judge here. It might be a bit of a utopia, but every organization where every function there says, "How can I help the business? How can I help us grow?" it's a business that is growing towards success. It's moving as one unit as much as possible, but that's super hard. We're managing here, not a big organization. I can tell you, it's hard. But I think every organization that nails that, they're going to be unstoppable.
Rachael: That's the magic.
Eric: But it is the goal of the leadership to say, "Why are we doing this? Why do we need to do this? What are we doing that makes sense?" Bringing on a new firewall or a new EDR tool, why are we doing it? What's the outcome we're expecting? What is the benefit?
Looking at the cost, help me understand that. It's not because it's cool. There are 45,000 companies in the cybersecurity space right now, predominantly because they have a cool idea. The bulk of them are small businesses with a cool idea, but why are they there? What do they do and what value do they bring? To me, that's why they would stick around.
Big Risk to the Business
Eric: If you're running an organization and trying to defend it, I think you have to understand, we've been talking about it the whole podcast: risk. Where is the majority of the big risk to the business? What are our critical high-value assets, whatever you want to call them? Where do we focus? What do we do? But I do think it has to be an integrated organization. You don't just set up security because it's cool.
Avi, you talked about it with your mobile. Do you want to go spend 10 million bucks on a mobile solution when you don't even have a firewall? Of course not.
Rachael: But mobile's cool. Let's talk about QR codes too, but that's a whole other conversation.
Avi: Mobile is a device that we carry around all the time. It sounds so interesting, and it does on some level. But when you look at the data, most organizations today, most attacks just don't start from there. You have this pie. You need to spend your budget wisely. So where are you planning to spend it? I think that's the discussion.
Having a discussion that is based on data and not on trends, that's one. And two is, I think this risk quantification enables the cybersecurity organization to transform into a business enabler. To say, "Hey, I help you do business. How do I do that so I save money? I'll help you to work more efficiently." I think that's a conversation-changer.
Eric: When you typically talk to a prospective client about risk, do they typically understand where the value in the business is, and what their risk is? I know that's a broad question.
What a Good Answer Starts With
Avi: I'll give an ambiguous answer: it depends. As a smart guy one time told me, every good answer starts with it depends. I’d say it depends on the size of the business and the big organizations have this dedicated risk function in organization. This is new. I think this is why we see it now in bigger organizations. They understand the value that they're trying to protect from cyber risk or any kind of risk.
When it's more leaning towards the small organizations that don't have this more advanced understanding, oftentimes they need to protect everything. But it's quite hard to protect everything on the same level all the time. I think that's what currently I see. But I do hope that as cyber risk quantification starts to be a bit more common, this will drive people to understand more: what are we trying to protect?
What are we trying to achieve? How we can make the business work better? Where's the value in the business? I think this will shift the conversation and make CISOs and security and the security organization in companies more, I would say, a business enabler a lot of times.
Eric: What I'm hearing you say is the more mature an organization is, which is usually tied to larger companies that have been around longer, the more likely it is to understand, I'm going to be flip here, its business. But really, the risk, the high-value assets, the critical components of the business that they have to protect.
Avi: Yes, totally.
Rachael: To close the podcast, Avi, when we look at the cybersecurity landscape ahead, what's your outlook?
[36:54] Risk Is Not Going Away
Rachael: Are you feeling positive, "We're going to get ahead of this thing and crack this nut"? Or are you cautious, "I don't know. Let's see how things go"? What's your perspective here on the next five, ten years?
Avi: I've been doing this for 16 years. While things are changing, it's a cat-and-mouse game. It's always developing. Technologies shift and the cybersecurity landscape shifts a bit after it as well. I think it's because this is human-driven. Risk is not going away. It will be different, but it will always be a cat-and-mouse game. The attackers will shift. We'll need to follow. Hopefully we will follow very fast and catch them in time.
I think that the cybersecurity industry in general is doing a good job there. And I think we're going to keep seeing it and it's going to be even a bit more major in our lives. It's going to be more connected. I don't know what's going to happen the first time they're going to implement something in our bodies. That's where things are connected. All of those are just not going away.
Eric: I think what I'm hearing is we'll have podcast episodes for life. We have plenty of content to talk about for the rest of our time on this planet, unfortunately.
Rachael: I love it. Who's to say in the future generations, we're not raising little baby hackers, because you have to have the hacking skills in order to survive in society? I can already see our Blade Runner 2049 future ahead of us.
Avi: I have a two-and-a-half-year-old kid at home. She already has a hoodie. It's ready.
A Hoodie and an iPad
Rachael: That's fantastic. It all starts with a hoodie. That's right.
Eric: A hoodie and an iPad.
Rachael: Well, thank you so much, Avi, for joining us today. This has been a fantastic conversation. Really appreciate your time. To all of our listeners, thank you for joining us this week. Don't forget, as always, smash the subscription button. You can get Avi's episode in your email inbox on Tuesday. Just something exciting to look forward to, and there's just not a lot of that in the world today. Until next week, be safe.
About Our Guest
Avi Bashan is CTO at Kovrr and leads engineering and research efforts. He started his career in an elite Israeli intelligence technology unit. Following his service, Avi advised Fortune 500 companies on cybersecurity. Following his consulting period, Avi led research and development efforts at Lacoon Mobile Security, focusing on discovering novel attacks and building state-of-the-art malware detection engines. Lacoon Mobile Security was acquired by Check Point. Avi is a lecturer at Bar Ilan University's Business School and holds a B.Med.Sc from the Hebrew University of Jerusalem.