Cybernomics Radio

#37 - The Hidden Costs of Scaling a Cyber Risk Program with Chad Boeckmann, CEO @TrustMAPP

Bruyning Media Season 2 Episode 4

In this episode, we explore the intricate relationship between risk management and business objectives, specifically tailored for small and medium-sized businesses. Chad Boeckmann discusses strategies to elevate cybersecurity risk awareness among executive leadership, the role of cyber insurance, and the importance of bridging the gap between security teams and business leaders. 

00:00
The Changing Landscape of Risk Management

03:07
Understanding the Nuances of Risk Management

06:11
The Role of External Forces in Risk Management

09:07
Bridging the Gap Between Cybersecurity and Business Objectives

12:10
Cultural Disconnect in Cybersecurity Leadership

15:12
Starting Conversations About Cyber Risk

17:58
The Importance of Cyber Insurance

21:02
Establishing Relationships for Effective Communication

23:46
The Dangers of Relying Solely on Cyber Insurance

26:59
Fear-Mongering vs. Realistic Risk Assessment

29:53
The Importance of Trust in Cybersecurity

32:52
Closing Thoughts and Resources


Speaker 1:

Welcome to this episode of Cybernomics. This episode is brought to you by Bruyning Media, a New York-based firm that helps tech companies gain thought leadership, one podcast at a time. I'm your host, Josh Bruyning, and my guest today is Chad Boeckmann. He is the CEO of TrustMAPP, with 26 years in the cybersecurity and risk compliance GRC space, and today we're talking about something that's near and dear to my heart, near and dear to your heart, Chad. We're talking about how to scale a risk management program, and this is specifically for the small and medium businesses. How do you scale that program in a way that's manageable and effective?

Speaker 1:

And before we started this podcast episode, Chad, we kind of determined that this is a very nuanced space. Right, this is something that there's no magic bullet, there's no one way to fix this. So let's start with this. Why is risk management, especially for small businesses, so hard to define? And why is it so hard? And actually, let's reframe this. If we were thinking of this as a political issue, right, there's a problem that needs to be solved and, you know, someone out there is purporting that they can solve it, and that someone, in our case, would be either a software company or a service provider that's coming in. There has to be an issue before there's a solution. How would you treat this issue? Number one, what is the issue, and how do we approach this in a way that's actionable for small and medium businesses?

Speaker 2:

Well, for each company, as you said at the beginning, it's very nuanced. It's specific to each situation, each profile, what industry they're in perhaps, what customers they're going after, what geographies they serve, and generally getting serious about risk management, cyber risk management in the specific context here, is generated usually by external forces. That could be insurance driving it, right. Oh, we have to get a SOC 2. We have to, you know, support that we're doing great cyber hygiene to get an actual approval for a policy. It could be customers. Maybe a manufacturing company is a subcontractor of a prime contractor for the DoD and, you know, everything flows downhill, and so that company that is a manufacturer, as a subcontractor, would need to certainly be CMMC compliant, and they would have to provide and apply more rigor to their cybersecurity program and hence, you know, really identify where the risks are and begin to develop a program around it. So, you know, going back to what I was stating, context is everything when it comes to really driving the risk management challenges and understanding what those are. And we've heard this statement, what I'm about to say, many times over the last 20, well, probably last 10 years: it all starts at the top, right. So the C-suite, even the board, need to have cybersecurity as at least a topic, a subject that is on their radar, that they want to make sure they understand and they measure. Not every company is there yet where, at the board level even, you know, CEO, CFO, they actually spend time thinking about and trying to understand what their cyber risk is. And so an organization usually elevates that topic, unfortunately, after they have an adverse event such as a data breach, and then it becomes really important, it gets everybody's attention and formal programs are created. 
Now, external pressures could be, like I mentioned, from regulators, entering new markets. Let's say businesses entering Europe, and GDPR comes into play. Well, there's a lot of additional data discovery, data identification and notification and communication processes that would go into being GDPR compliant, as an example. Well, that would now be a new item that needs to be addressed as part of their risk management program. Ultimately, what I've seen start to emerge over the last year, particularly for perhaps slightly more mature cybersecurity programs, is being able to really understand how our operational risk, those risks and events that we deem are either critical or maybe not critical, how do they influence the business outcomes? And so, starting to change the discussion from, well, here's our cyber risk, right.

Speaker 2:

People used to take, as you saw before, Josh, a vulnerability report, even an aggregation or vulnerability trends over the last three months, and use that as a board report slide. That doesn't really tell a good story. That just says you're monitoring vulnerabilities. What are you doing about it? But, more importantly, for the business to care, how is it impacting the go-to-market, how is it impacting the products that they have brought to market? What are the, you know, potential recovery and what's the resilience factor for generating that revenue and establishing and maintaining the products that the business uses to generate revenue and to serve society and the customers that depend upon them? So, being able to, you know, aggregate the information in such a way that it ties back to business processes, that is directly linked to products and, obviously, the way those products are created, brought to market, sold and supported, comes right back to the regulation as well in specific industries.

Speaker 1:

So is it safe to say that the issue here that you're talking about is the disconnect between cybersecurity, risk management and the business or business objectives?

Speaker 2:

Business objectives primarily yeah.

Speaker 2:

I'm a firm believer in really starting with, what are the business objectives? What does the CEO, COO, CFO, what do they care about? What are the three to five year business objectives that the business itself has, that the CEO reports against or CFO reports against to the board? And what I found is, in a lot of cases, the security team, the CISOs, don't necessarily have, even the CIOs don't have, that kind of information, which is really unfortunate.

Speaker 2:

So the closer you can get to what those individuals at the C-level truly are focused on and how they're managing their teams and driving their own outcomes, right, for their role, the closer you can get to understanding that and understanding what the business does to actually survive as a company, meaning what products or services they're offering, and tying that back to what cybersecurity is doing, information security is doing. That's how you start to map out how to report against risk, and how certain vulnerabilities, misconfigurations, whatever they might be, that are reported against certain applications, and you understand that these applications A, B and C are supporting a key business outcome that the executives care about. Now you're on your path to begin creating that mapping of a proper business, what I like to say, a business context risk program. So, you know, you can start at the very aggregate level and then work yourself down: what applications impact product or service, what infrastructure is supporting that application, and, you know, kind of go down level by level.

Speaker 1:

It's pretty interesting because it comes down to culture, and we know that CISOs, CTOs... a CMO and a CFO may have more in common with each other than a CISO may have with the CMO, for example, or the CFO. Sometimes, right? Sometimes, I mean.

Speaker 2:

It's an interesting comparison you gave there. For example, the CFO cares about risk, financial risk, right, and the CISO cares about data risk, cyber risk, right. So they have that piece in common, certainly.

Speaker 1:

Right, so they can have a beer. They can have a beer over that conversation. Yeah, exactly.

Speaker 2:

Like you and I could have a beer with an insurance underwriter, right? You kind of understand the lingo at least. And so, you know, you're right that a lot of security, information security, cybersecurity teams or leaders generally come from either audit or from IT, somewhere through IT, from a background, which I think is great, because you need to understand what you're trying to protect, right? So you do need to understand the underlying technology, right. That's really important, obviously, so that's...

Speaker 1:

That's very briefly. That's the other side of the coin. Do you think that this is? It's equally as important for the business to understand the technology as it is for the technology? You don't think so.

Speaker 2:

Well, not to the degree we might think, but I think it's important for, obviously, executive leadership to understand you know, at least at an aggregate, what applications are supporting. You know the business process for product X or product Y, right, and you know many times there could be legacy systems that can't be patched anymore and so that's on the CIO's roadmap to replace that application eventually. And certainly you're going to get support by the CISO or the security team to make that happen sooner than later. Because that risk exposure, if you can't patch a legacy system without it breaking, well, every day, every week, every month that goes by, your risk exposure perhaps grows even larger on that asset and I guess, understanding how that affects the bottom line.

Speaker 1:

That's kind of what makes the business folks perk up and listen. So I mean, what are some ways that you would start that conversation with business leaders? I guess you generally, as in, like, people, how they would start that conversation, but also specifically how you, Chad Boeckmann, how would you start that conversation about risk, cyber risk particularly, with the business folks?

Speaker 2:

So one question I like to use oftentimes in a discussion, like you posing the question you did, is what is the business objective you're trying to solve by, you know, conducting a risk assessment, let's say, and what is the scope? Right? And usually, when you get to that second question, what is the scope of what you're trying to measure and what the ideal outcome is, that tends to really open up a lot of dialogue, because what I've found is, if you haven't been a consultant before or had to think about SOWs, let's say, the term scope can mean a few different things. And so it's helpful then to start that dialogue with individuals to help them think about what is the purpose of assessing business division A versus B, right, and how does that support the key processes that the company relies on, right, customer support function, financial function, e-commerce functions, right, and starting to have dialogue into what each business unit does, how that impacts the revenue of the company, the contractual commitments of the company.

Speaker 2:

So that's how I like to start the dialogue and start getting information and start providing information back.

Speaker 1:

So in other words, you're starting the conversation in their language. Yeah, I can't walk up to somebody in Spain and ask for directions using English. I mean, it's not going to work, right, or someone who speaks Spanish, they won't understand what I'm saying, obviously, because I'm speaking a foreign language. And it's the same, based on what you've said, if you don't start in their language. I mean, that's like coming up to somebody and going, you know, talking to a CFO and saying, all right, we've got all these vulnerabilities that are in our system and our risk exposure is X, Y and Z, and if we don't patch these servers, then guess what? Our risk exposure will increase and the bad guys are going to get us and everybody's going to get hacked.

Speaker 1:

The CFO is going to be like okay, I don't even know what any of those things that you just said are.

Speaker 2:

Yeah, they're going to say, well, why do I care? Help me understand that. Help me understand why I care Exactly. And so what you laid out is kind of a classic example of where we don't speak. You know the business language and so that's where risk quantification I think helps because it can actually start to provide loss in terms of financial dollars. But that can also be challenging at times if you are talking to a CFO, because they're going to be smarter than you are on the business financials, right. So being able to sharpen the pencil and using let's continue with the CFO example using them as your advocate to build out and get more accurate the results of a risk quantification outcome, I think is really important and make them part of the process and part of the team, if you will. That provides the final results and through that, you and your team that are conducting an ongoing and maturing a risk management program are going to learn more about the business and how the business thinks about itself from other teams like the financial team.

Speaker 1:

So if I'm a small or medium business owner, let's say I'm a CEO of a medium-sized business 75 to 250 employees, let's say, maybe a little bit of a broader range.

Speaker 1:

Yeah, okay, fair enough. And let's say I'm a CEO, I'm a little bit more invested in cybersecurity because I understand. I still need to be sold a little bit, but overall I understand the gravity of what we're dealing with. I understand the impact that this can have on my business, and it can devalue my business if I don't have proper cybersecurity. But I don't know anything about cybersecurity.

Speaker 1:

What are one or two concepts in cybersecurity that a CEO needs to understand? Because I don't think that it's all on the CISO to have to explain what this is, right. It's sort of like certain political movements where one demographic wants the other demographic to understand them, and they don't think, it's not my responsibility to explain my identity to you, right? But we know that in reality you do have to explain a little bit, and you have to bridge the gap, and you also have to have the other demographic at least a little bit interested in identifying your issues and empathizing with you. So it's not all on the CISO; the CEO and the business team, they need to be a little bit invested. But let's say there is the will, the CEO is somewhat invested. What are a few cybersecurity concepts that they should understand that would help them get that conversation going with the IT or the risk management team?

Speaker 2:

Yeah, it kind of goes back to what we were talking about earlier. First and foremost, before you start having, for anybody who starts having a discussion on cybersecurity risk and explaining that in terms non-security, non-technical people can relate to, it's really understanding, what you mentioned briefly, where are they coming from? Whoever is communicating and trying to establish the relationships or communicate the cyber risk profile to the CEO, for example, building that relationship with them, taking them out to lunch, talking a little bit about business but more about themselves, right, understanding truly where they're coming from. What's their background, what they really like to do for hobbies, that type of thing, understanding them as a person. That'll lay the groundwork to help understand how to best communicate with that individual.

Speaker 1:

So I'm, like, getting ahead of myself a little bit. I think that before you start explaining the concepts of cybersecurity or business, you're saying that first you need to establish a personal relationship with that other party, at least some level of personal relationship.

Speaker 2:

Nah, you know what Screw it.

Speaker 1:

I'm not being nice to anybody. I want them to do exactly what I say. I'm not taking anybody out to coffee or beer, and if you don't like it then you can pound sand.

Speaker 2:

Then you have about a 90-day half-life at that company.

Speaker 1:

Yeah, you're not going to be around for too long, no, all right. So let's shift a little bit Insurance, cyber insurance. If I'm a small business, I probably again if I'm a CEO who knows nothing about cybersecurity. But I know there's this thing called cyber insurance that if something happens it's a get-out-of-jail-free card. That's what I'm thinking. Right, I don't know any better. What do I know? Do you think that a company should rely solely, or at least to a great extent, on cybersecurity insurance? Because to me that sounds like a done deal. If I get cybersecurity insurance, something happens, boom, I'm covered.

Speaker 2:

You gave me a softball question here. I like it. So, absolutely not. You know, I've heard stories of companies doing exactly that and, as a result, they have one, maybe at the most two, people responsible for security, and security doesn't get any budget because they have insurance that can offset their risk. Well, you know, my story there may be dated a year or two, but, you know, one thing to understand is the insurance market is certainly waking up because of the wave and wave and wave of data breaches, and that's beginning to cost them, and so premiums are going up, coverage is going down, so you pay more for less when it comes to insurance coverage, and I think that can be a very positive change.

Speaker 2:

To have the conversation with the CEO, CFO, CIO, whoever is going to help support investing in the security program, because it's going to be, you know, now you're shifting your cost thinking from in terms of insurance premiums to in terms of investing in a long-term, more sustainable security posture that will ultimately help reduce your insurance premiums and your reliance on that over the long term. And in no way is any insurance policy going to cover 100% of your losses. You know, you're going to have revenue loss, potentially. You'll have, potentially, loss of customer reputation. You're going to have legal expenses, depending on your business type. You're going to have the standard identity and credit monitoring services which, by the way, most insurance policies do cover.

Speaker 2:

If you have a cybercrime policy, for example, a data breach policy, they'll cover those services. But, yeah, I mean, it's no longer can somebody just take one approach to their cyber risk and use insurance as that singular approach. That is not a viable solution. And going back to having that conversation, let's say, with the CEO right, it's a recipe for going out of business. That's how I would open with my answer and then start to break down the reasons and why that is, given what I just described.

Speaker 1:

All right, I want to get a little controversial here. Right, I'm on one side of this fence and I'm in the minority Talking about using fear. Some people call it fear mongering. When talking about risk, largely, I think the cybersecurity community is against fear mongering. Right, they don't want to go to the business and say the house is on fire, things are falling down. But here's what I never understood about that If security is what we do, then the result of not having security is that you're not safe. So to tell someone, if you do not have a risk management plan which is the biggest risk of all if you have no idea of what your risk is, that's the biggest risk. Is it not incumbent on the CISO or someone from the risk management world to demonstrate the gravity of not having a risk management program and, ultimately, not having cybersecurity?

Speaker 2:

I really hope there aren't any companies out there today in that position.

Speaker 1:

Because I'm thinking if I go to a mom and pop shop and they have no risk management or no cybersecurity, not even an MFA?

Speaker 2:

Here's what typically is going on, though. In those situations, mom and pop shop particularly they have an MSSP or MSP where they're outsourcing all of their technology, right With the exception of maybe a few machines on site, and they're relying on that MSP MSSP for their security services. In addition, they probably are also buying some form of cyber insurance as well.

Speaker 1:

Most companies already have a baseline. They have something in place, I think.

Speaker 2:

I mean, this is a pretty broad statement, but I would like to think that most companies understand the importance. Because look, how long have we been talking about cybersecurity as an industry? And we're still talking about it. Not as an industry, sorry, as a society, right? A long time. I think it probably started when people were still on AOL dial-up. We had the Norton antivirus.

Speaker 1:

Right, again. I had firewalls. McAfee came with every computer that you bought from Best Buy.

Speaker 2:

Yeah right.

Speaker 2:

So, I think part of the favor of every company now is the fact that it's been beaten into our heads enough, particularly since the wave of data breaches over the last 10 years, that this is a really important topic. And if they're a company of any size, particularly with shareholders, board members, there is certainly some level of credence put into a cybersecurity, cyber risk program. Now, whether it's mature or not, and how well they're operating it, how much time and investment they put into it, that's where the variable really comes into play. Now, taking your example, let's say a hardware store, right, certainly they're not going to hire anybody dedicated to cybersecurity. They're going to be outsourcing all of those functions, and they will add on cyber insurance to the regular general liability and other liability insurance that they carry. And so that's a totally different business profile than, say, a company that has several hundreds, several hundred thousands of employees, right?

Speaker 1:

So, um, and it sounds like, yeah, context matters, and I love that you talked about maturity, because, you know, I think that maturity has this diminishing return where, the more you invest in maturity, let's say somebody trying to get to a CMMI-style level of a five, right, that's their goal, it's not as worth it to go from a 4.8 to a five as it is to go from a one to a three, right, or one to a two. So I think that's also maybe a part of this conversation as well. Maturity is important, but you have to come in with an understanding that the business may already have existing processes in place, and I think that that's the best answer. The answer you gave to my question is the best argument that I've heard so far, which is you don't want to scare people, because the reality is they already have some measure.

Speaker 1:

After all this time of talking about security, there's some measure of security in every business, even if it's an antivirus that's on endpoints, and so to come in waving the flag that the house is on fire, trying to get them from a maturity level of four to a five, doesn't make much business sense. It's cost prohibitive, typically, right, right, okay. Well, you haven't convinced me 100%, but I'm slightly more on the side that fear mongering is not good. But if I'm in the business of security, guess what? I'm going to make some kind of argument that if you don't implement my product or service, you are less safe today than you may otherwise be tomorrow.

Speaker 2:

You know that's very interesting. You bring that up and I think anybody that's been in this industry for a while would argue with you and say that is exactly the problem with the vendor landscape in cybersecurity, because everybody well, not everybody, too many companies somewhat take that approach. Yeah, at the end I'll be all. We have the dashboard of all dashboards. We have the single pane of glass. You know, you name the phrase that is used, it's been used.

Speaker 1:

If it's used once, it's been used by a thousand. So it's not even so much that the message, whether it's true or not, it's that it has been diluted with a lot of falsehoods, false promises and inauthentic services and products. Okay, you know what, Chad? You're on a roll. I think you might be convincing me that that might not be the way to go. I'm as close as, if being at 12 o'clock is that you've convinced me, I'm at 11:59.

Speaker 2:

So what do I need to do for the last minute?

Speaker 1:

You have to convince me that, in order to sell guns to a country, I should not tell them that this will make you much safer. And if you don't purchase my guns, guess what? You're going to get attacked by neighboring countries and they're going to obliterate you. So I think that it's still a part of the conversation. I think that the problem is trust.

Speaker 2:

Yes, yes. And what do countries do first? They try diplomacy conversations, relationship building policies, so on right.

Speaker 1:

Yeah, wow, wow. That's incredible. Actually, I think you might have gotten me to 12 o'clock. We don't have much more time here and I want to give you a chance to let people know how they can find you, how they can learn more about TrustMap and anything else that you want to close with.

Speaker 2:

Yeah, thanks for having me on, Josh. This was a lot of fun. So, Chad Boeckmann, you can find me on LinkedIn. My last name is spelled B-O-E-C-K-M-A-N-N, first name Chad, and you can look up TrustMAPP at T-R-U-S-T-M-A-P-P dot com. That's trustmapp.com, and we have a contact form there, a bunch of information to download and review, use cases and so on. So explore that website, reach out to us with any questions or feedback. Always happy to hear that.

Speaker 1:

All right, awesome. Thanks, Chad. Appreciate you being on the show and being so gracious with your time, and thank you for listening to this episode of Cybernomics. Check out Bruyning Media at bruyning.com. That's B-R-U-Y-N-I-N-G dot com, and you can find me on LinkedIn as well, Josh Bruyning. Shoot us an email, send us a comment. If there's a topic you want us to talk about, we're happy to do it, and if you'd like to be on the podcast, I would love to talk to you as well. So with that, Chad, thank you, thank you.