Measuring Risk w/ Richard Seiersen

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”. Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard. What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years. Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method. Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example. CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key. Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach. Statistics came about because people needed to make bets with limited data. Dirty data can be worked with. Embracing uncertainty is okay. Executives are actually very used to uncertainty. Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science. Key Takeaways 0:25 Richard is introduced 1:20 Richard talks about his cyber journey and his day job 3:02 Book talk 5:19 What can cyber learn from older style risk tactics 8:04 5x5 risk matrix 10:05 Improving accuracy 17:00 Gathering an accurate view 19:20 Monte Carlo simulations 22:04 The belief 25:17 Board-ready presentations 26:58 What keeps Richard going in cyber security 28:09 Why statistics were invented Links: Learn more about Richard Seiersen on LinkedIn and Twitter Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at Axonius