Confessions of a Cybersecurity Professional

Cyber risk quantification is what the future needs – for critical infrastructure, industrial enterprises, and insurers alike.


I became the head of Marketing at DeNexus just two short months ago. Yet we have done a lot thus far: we raised nearly $5 million in our seed round, hired an experienced sales leader, and doubled the size of our engineering team. Now I think it’s a great time to look back and highlight why I joined DeNexus and how my observations on cybersecurity in general have brought me here.

The draws to DeNexus are many. The people, the technology, and the amazing partners vested in our success are immensely promising. However, the unique vision of DeNexus, and our ability to execute on that vision, was the ultimate motivational factor that brought me here. So that raises the question: what is our mission?

The DeNexus Mission, According to Me

Well, as a marketer I would state that our official vision is to be the global standard for industrial cyber risk quantification for agencies, shareholders, investors, and boards. While this mission is clear and impressive, I think it is important to state what this mission statement means to me.

As an individual with over 12 years’ experience working with some of the world’s leaders in ICS/OT networking and cybersecurity, I see DeNexus as the critical change agent and much-needed forcing function for cybersecurity and risk management innovation. When it comes to the industrial control systems (ICS) and operational technology (OT) sectors, CISOs and CTOs need to expand risk management policies to include cyber risk while at the same time getting more out of their investments in cybersecurity solutions. By quantifying cyber risk, we are arming CISOs, CTOs and CFOs with the crucial, actionable business-impact information they have needed for a long time. DeNexus is making the industrial world more resilient against modern, evolving cyber threats and their potential cost implications. This is what our mission means to me.

Resiliency over Security

In broad terms, DeNexus places cyber resiliency over pure cybersecurity. The reasons behind this value proposition are clear. First, we’re not a cybersecurity company, and we do not intend to be. We believe that the market has many great solution offerings already. Second, it is impossible for any cybersecurity solution to provide 100% protection from malicious actors, or to eliminate the costs that ICS/OT asset owners incur as a result of their actions.

Considering that the estimated cost of ransomware attacks alone topped $20 billion in 2020, up from $8 billion in 2018, it is clear that cyber risk is a growing and expensive risk. In addition, ICS/OT operations remain a prime target, with municipalities and critical infrastructure accounting for nearly 30% of all ransomware targets this year alone. The industrial sector, and the cybersecurity stakeholders managing these diverse operations, must adopt a more holistic, risk-oriented approach for the future.

How can CISOs, CTOs and CFOs better invest in, build, and manage their cyber risk posture? What tools and services work best for their operational needs? What is the ROI of the various cybersecurity solutions available today, and how do they compare to one another? What is the Value at Risk (VaR) for any operation over time? How can they prioritize cybersecurity-related investments? How can they allocate capital efficiently to cover potential losses, or decide how much risk is warehoused on their balance sheets versus off-loaded to insurance companies? All these questions are critical for industrial asset owners and global insurance agencies alike. Yet these questions are still largely unanswered. How do I know this?

My Confession

I have worked in the cybersecurity field for over 12 years, providing SaaS solutions and hardware to some of the largest IT, OT and hybrid enterprise customers across the globe. Along the way, our most critical aim in sales and marketing was always to validate the ROI of our offering to the customer. To do this, we invested heavily in internal sales training sessions provided by third-party consulting firms and created customer success programs to incentivize customer referrals, all in an effort to validate our ROI in front of other customers. With this said, while highlighting the money question for our customer was always the end goal, I confess it was seldom achieved with clarity. It is because of this challenge that I believe much of the cybersecurity space has resorted to a worst-case-scenario selling strategy, relying on headline cyber-attack examples to prove their solution’s worth. This is short-sighted.

Using the worst-case result in cyber-related sales is often called the Fear, Uncertainty and Doubt (FUD) method. It is a common crutch used by insurance and cybersecurity solution providers alike. Funny enough, neither insurance nor cybersecurity solution providers are always sure what the true cost implications of that worst-case scenario actually are. In fact, they seldom are.

Why We’re Here

As it applies to selecting and validating investments in cybersecurity solutions with clear business metrics, much of the cybersecurity industry has fallen a bit flat, because cybersecurity is only one part of the cyber risk calculation. And while it is not the primary charter of cybersecurity innovators to protect their customers’ bottom line, it is usually the foundational driver behind every customer’s buying decision. If cybersecurity solution providers could validate their offerings with business metrics, I suspect the growth of the sector would catch up with the growth of cyber threats.

Meanwhile, on the other side of the table, insurance agencies are grappling with the growing claims and damages resulting from cyber threats targeting critical infrastructure. These large institutions are keen to develop and accurately price cyber risk insurance products that are aligned with their clients’ actual risk exposure. Who are these clients? Well, they are the very same ICS/OT asset owners that are buying cybersecurity solutions in the hope of reducing their cyber risk.

In the end, we have three separate stakeholders that would benefit immensely from knowing the business impact of cyber risk in defined network environments and operations. Yet none of them can achieve this end goal with any accuracy, because each faces inherent barriers to accessing the data required to solve cyber risk. No data means no data analytics and no cyber risk quantification. Cybersecurity solution providers must protect their data from each other because it is part of their core IP. ICS/OT asset owners must protect their operational data out of safety concerns and mandates. Lastly, insurance agencies are unable to accurately underwrite the cyber risk of ICS/OT asset owners at scale because they cannot obtain the data required to quantify VaR from either cybersecurity solution providers or ICS/OT asset owners.


The outcome is a cyber risk gap valued at $1 trillion, of which only 1% is insured. This cyber risk gap afflicts the two main stakeholders, and the problem is getting larger by the day.

On one side, industrial enterprises and municipalities are fraught with risk exposure and have little ability to cover themselves or their investors against the potential downside of a cyber event. On the other side, insurers are left on the sidelines, unable to address much of a massive market (the cyber risk market) because they cannot accurately price policies, calculate loss reserves, or make proper capital allocations. According to the credit ratings agency AM Best, ransomware now accounts for 75% of all cyber insurance claims. Growth in claims resulting from cyber risk is outpacing growth in cyber insurance premiums, according to a June report. Yet insurers are still driven to create new cyber insurance products to address new threats, because they must.


Why DeNexus?

DeRISK Platform by DeNexus solves cyber risk for insurers and industrial enterprises

As I alluded to earlier, I joined DeNexus because of their mission and their ability to execute on that mission. And, as you can see, the mission of DeNexus addresses a problem that has crippled all cybersecurity stakeholders within the industrial world today. At DeNexus, we’re answering the ‘money question’ and thus unifying the mutual interests of cybersecurity solution providers, ICS/OT asset owners and insurers, with detailed data and actionable risk modeling, to help them achieve the common goal of true cyber resiliency.

To learn more about the DeRISK Platform, download our solution brief below:

DeRISK Industrial - Solve cyber risk for ICS and OT asset owners and industrial enterprises