IT Brief Australia - Technology news for CIOs & IT decision-makers

Exclusive: Richard Seiersen discusses cybersecurity risk management

Fri, 6th Sep 2024

Richard Seiersen, the Chief Risk Technology Officer at Qualys, has taken massive strides in the field of cybersecurity risk management.

With just over eight months in his current role at the company, Seiersen's journey has already been marked by a deep commitment to educating and guiding security leaders.

Speaking to TechDay in an exclusive interview, he described his role as "idea farming," a phrase coined by his children, which highlights his focus on thought leadership in the domain.

As part of this, Seiersen's work recently brought him to Australia to talk cybersecurity risk management with industry leaders in a series of nine separate workshops. 

Australian appetite for learning

Seiersen recalled, "Over 100-plus busy leaders from global companies, including some of Australia's largest financial institutions, took four hours out of their day to learn about risk. It was a great honour for me. It's really exciting to see how much the market there is keen on upping their cybersecurity risk management game – and I even got to try some Vegemite in the process."

Seiersen's workshops, deeply rooted in his expertise as a serial CISO and chief risk officer, are based on the principles outlined in his co-authored book, How to Measure Anything in Cybersecurity Risk.

The book, a bestseller used by governments and universities worldwide, provides a foundation for understanding and quantifying cybersecurity risk.

"Cybersecurity risk quantification is about measuring risk in a grounded, principled manner," he explained. "I showed people how to apply basic measurement concepts to operational metrics and to quantify risk in terms of dollars and probability."

The increasing imperative to quantify risk

Quantifying risk is becoming critical, Seiersen explained: with financial headwinds and increased scrutiny of budgets, security leaders must focus ever more closely on how they use their resources.

"We're seeing a decrease in budgets across the board," Seiersen said. "That doesn't mean there's no opportunity. It means you need to work within those constraints and realise that you can't secure all the things anymore. You have to show the business that you're protecting what matters – and how the risk of not doing so would really impact the business."

Measurement critical for effective communication

This means, according to Seiersen, that cybersecurity teams urgently need to communicate effectively about risk. He highlighted one of the key challenges in cybersecurity today: the mismatch between how security teams talk about risk, in particular the language they use, and what the business wants to hear.

As a case in point, he described the typical scenario in which security professionals go to the business with a laundry list of critical incidents and a heat map of high, medium and low risks, and ask for money. That approach no longer secures funding; whatever money it does win is handed out from a sense of moral duty rather than in proportion to demonstrated need.

"In today's digital world, the stakes are getting increasingly high and businesses stand to lose a lot if they get it wrong," he said.

For Seiersen, a critical part of getting that communication right is "quantification, which requires close collaboration with business partners."

Getting measurement right

When it comes to measuring risk, Seiersen flagged the need to be clear about its definition. He defines risk as a state of uncertainty that could lead to a catastrophic loss or some other undesirable business outcome.

It then follows that risk management is the mitigation or transfer of risk for the most plausible losses that could impact the business. This requires proper measurement, something that many security practitioners, he shared, say is too hard to do.

He attributed part of the problem to the field's relative youth. "Security is still a relatively new domain," he explained. "We have yet to discover really grounded principles like other established fields."

He also admitted that "the data is often messy," but pointed out that other STEM disciplines where the stakes are large, such as health and nuclear physics, manage nonetheless.

He argued that security teams should look to and adopt practices from these domains, and from others such as finance and engineering, which have established principles of measurement.

"We need to become measurement professionals," Seiersen said. "Every single serious STEM domain, where the stakes are large, integrates measurement with practice. In security, we need to do the same." 

For him, benchmarks should only be used when there is complete uncertainty about a quantity. "Currently security is almost like an Amazonian tribe evading the gaze of modernity," he said. "We need to adopt practices that are necessary for doing real engineering work. We need the best and brightest working on these topics, infusing our domain with grounded, principle-based education."

Measure what matters 

For Seiersen the priority is to "measure what matters. This means close collaboration with the business to really understand the business's objectives, what the most plausible threats are, what it stands to lose, the controls they have in place in terms of people, products and processes, and the capital efficacy of them."

"Then the focus should be on mitigating those risks or they should be offsetting them against insurance, or should risk exceed that, against capital reserves."
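To make the "dollars and probability" framing concrete, here is an added example in Python that is not from the article, from Seiersen or from Qualys. It expresses each plausible loss scenario as an annual probability plus a 90% confidence interval on the loss, runs a seeded Monte Carlo simulation to estimate expected annual loss and the probability of exceeding a threshold (one point on a loss exceedance curve), and then layers a year's loss against an insurance limit and a capital reserve in the order the quote describes. The scenario names, probabilities, loss ranges, insurance limit and reserve are all constructed for illustration; the lognormal-from-90%-CI conversion is a common choice but is an assumption of this example, not something the article states.

```python
"""Added example: cyber risk as dollars and probability via Monte Carlo.

Not code from the article, Seiersen or Qualys. Scenario values, the
insurance limit and the capital reserve below are constructed for
illustration only.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

Z_95 = 1.6448536269514722  # standard-normal z-score of the 95th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs at least once in a year
    loss_low: float            # 5th percentile of per-event loss, in dollars
    loss_high: float           # 95th percentile of per-event loss, in dollars


def lognormal_params(loss_low: float, loss_high: float) -> tuple[float, float]:
    """Convert a 90% CI on loss into lognormal mu and sigma (assumed model).

    In log space the 5th and 95th percentiles sit at mu -/+ Z_95 * sigma.
    """
    if not 0 < loss_low <= loss_high:
        raise ValueError("need 0 < loss_low <= loss_high")
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * Z_95)
    return mu, sigma


def simulate_annual_losses(scenarios, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Simulate `trials` years; each scenario may fire at most once per year."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    params = [(s, *lognormal_params(s.loss_low, s.loss_high)) for s in scenarios]
    losses = []
    for _ in range(trials):
        year_total = 0.0
        for s, mu, sigma in params:
            if rng.random() < s.annual_probability:
                year_total += rng.lognormvariate(mu, sigma)
        losses.append(year_total)
    return losses


def expected_annual_loss(losses: list[float]) -> float:
    """Mean simulated annual loss, i.e. the annualised expected loss."""
    return sum(losses) / len(losses)


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def allocate_loss(loss: float, insurance_limit: float, capital_reserve: float) -> dict:
    """Layer one year's loss: insurance first (up to its limit), then capital
    reserves, then whatever remains is uncovered. Deductibles are ignored."""
    insured = min(loss, insurance_limit)
    from_reserve = min(loss - insured, capital_reserve)
    uncovered = loss - insured - from_reserve
    return {"insured": insured, "reserve": from_reserve, "uncovered": uncovered}


def summarize(scenarios, insurance_limit: float, capital_reserve: float,
              trials: int = 10_000, seed: int = 1) -> dict:
    """Headline numbers a risk owner would take to the business."""
    losses = simulate_annual_losses(scenarios, trials, seed)
    return {
        "expected_annual_loss": expected_annual_loss(losses),
        "p_exceed_insurance": exceedance_probability(losses, insurance_limit),
        "p_exceed_insurance_and_reserve": exceedance_probability(
            losses, insurance_limit + capital_reserve),
    }


# Constructed scenarios: illustrative numbers only, not real data.
EXAMPLE_SCENARIOS = [
    Scenario("ransomware on core systems", 0.10, 500_000, 20_000_000),
    Scenario("customer data breach", 0.05, 1_000_000, 50_000_000),
    Scenario("payment fraud via compromised account", 0.30, 50_000, 2_000_000),
]

if __name__ == "__main__":
    report = summarize(EXAMPLE_SCENARIOS, insurance_limit=5_000_000,
                       capital_reserve=10_000_000)
    for key, value in report.items():
        print(f"{key}: {value:,.4f}")
    print(allocate_loss(7_500_000, 5_000_000, 10_000_000))
```

The two exceedance probabilities are the numbers that answer the question in the quote: how likely is a year whose losses blow through the insurance limit, and how likely is one that also exhausts the reserve. The model is deliberately minimal (one event per scenario per year, no deductible, no correlation between scenarios); a production model would add those, but the shape of the conversation with the business stays the same.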

He also stressed that businesses are risk-generating machines, so security professionals need to be sure their approach to measuring and managing risk can scale and keep up.

This focus on measurement, communication and business alignment is central to Seiersen's approach to cybersecurity risk management.

His dedication to advancing the field is evident in his work, both at Qualys and in the broader security community.

As a reminder he shared, "We can't be average at measurement anymore. The stakes are high, and we need to be good at it."
