Wednesday May 19, 2021
Measuring Risk w/ Richard Seiersen
Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.
Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.
What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.
Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.
Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.
CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.
Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.
Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.
Embracing uncertainty is okay. Executives are actually very used to uncertainty.
Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.
Key Takeaways
0:25 Richard is introduced
1:20 Richard talks about his cyber journey and his day job
3:02 Book talk
5:19 What can cyber learn from older style risk tactics
8:04 5x5 risk matrix
10:05 Improving accuracy
17:00 Gathering an accurate view
19:20 Monte Carlo simulations
22:04 The belief
25:17 Board-ready presentations
26:58 What keeps Richard going in cyber security
28:09 Why statistics were invented
Links:
Learn more about Richard Seiersen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius