Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to this episode of Cybernomics.
This episode is brought to you by Bruyning Media, a New York-based firm that helps tech companies gain thought leadership, one podcast at a time.
I'm your host, Josh Bruyning, and my guest today is Chad Boeckmann.
He is the CEO of TrustMAPP, 26 years in the cybersecurity and
(00:24):
risk compliance GRC space, and today we're talking about something that's near and dear to my heart, near and dear to your heart, Chad.
We're talking about how to scale a risk management program, and this is specifically for the small and medium businesses.
How do you scale that program in a way that's manageable and
(00:47):
effective?
And before we started this podcast episode, Chad, we kind of determined that this is a very nuanced space.
Right, this is something that there's no magic bullet, there's no one way to fix this.
So let's start with this.
Why is risk management, especially for small businesses,
(01:10):
so hard to define?
And why is it so hard?
And actually, let's reframe this. If we were thinking of this as a political issue, right, there's a problem that needs to be solved and, you know, someone out there is purporting that they can solve it, and that someone, in our case, would be either a software company or a
(01:33):
service provider that's coming in.
There has to be an issue before there's a solution.
How would you treat this issue?
Number one, what is the issue and how do we approach this in a way that's actionable for small and medium businesses?
Speaker 2 (01:47):
Well, for each company, as you said at the beginning, it's very nuanced. It's specific to each situation, each profile, what industry they're in perhaps, what customers they're going after, what geographies they serve, and generally getting serious about risk management.
Cyber risk management, in the specific context here, is
(02:12):
generated by usually external forces.
That could be insurance is driving it, right.
Oh, we have to get a SOC 2.
We have to, you know, support that we're doing great cyber hygiene to get an actual approval for a policy.
It could be customers.
Maybe a manufacturing company is a subcontractor of a prime
(02:35):
contractor for the DOD, and, you know, everything flows downhill, and so that company that is a manufacturer, as a subcontractor, would need to certainly be CMMC compliant and they would have to provide and apply more rigor to their cybersecurity program and hence, you know, really identify where
(02:59):
the risks are and begin to develop a program around it.
So, you know, going back to what I was stating, context is everything when it comes to really driving the risk management challenges and understanding what those are, and we've heard this statement.
What I'm about to say many times over the last 20, well,
(03:23):
probably last 10 years, is it all starts at the top, right.
So the C-suite, even the board, need to have cybersecurity as at least a topic, a subject that is on their radar, that they want to make sure they understand and they measure.
Not every company is there yet where, at the board level even,
(03:46):
you know, CEO, CFO, they actually have a.
They spend time thinking about and trying to understand what their cyber risk is, and so an organization usually elevates that topic, unfortunately, after they have an adverse event such as a data breach, and then it becomes really important, it gets everybody's attention and formal
(04:09):
programs are created.
Now external pressures could be, like I mentioned, from regulators, entering new markets, let's say, businesses entering Europe, and GDPR comes into play.
Well, there's a lot of additional data discovery, data identification and notification and communication processes that
(04:29):
would go into being GDPR compliant, as an example.
Well, that would now be a new item that needs to be addressed as part of their risk management program.
Ultimately, what I've seen start to emerge over the last year, particularly for perhaps slightly more mature
(04:50):
cybersecurity programs, is being able to really understand how does our operational risk, those risks and events that we deem are either critical or maybe not critical, how do they influence the business outcomes?
And so, starting to change the discussion from, well, here's our cyber risk, right.
(05:11):
People used to take, as you saw before, Josh, a vulnerability report, even an aggregation or vulnerability trends over the last three months, and use that as a board report slide.
That doesn't really tell a good story.
That just says you're monitoring vulnerabilities.
What are you doing about it?
But, more importantly for the business to care, how is it
(05:35):
impacting the go-to-market, how is it impacting the products that they have brought to market?
What are the, you know, potential recovery and what's the resilience factor for generating that revenue and establishing and maintaining the products that the business uses to generate revenue and to serve society and the customers depend
(05:57):
upon.
So, being able to, you know, aggregate the information in such a way that it ties back to business processes that are directly linked to products and to, obviously, the way those products are created, brought to market, sold and supported, comes right back to the regulation as
(06:20):
well in specific industries.
Speaker 1 (06:22):
So is it safe to say that the issue here that you're talking about is the disconnect between cybersecurity, risk management and the business or business objectives?
Speaker 2 (06:34):
Business objectives primarily, yeah.
I'm a firm believer in really starting with, what are the business objectives?
What does the CEO, COO, CFO, what do they care about?
What are the three to five year business objectives that the business itself has, that the CEO reports against or CFO reports against to the board?
(06:54):
And what I found is, in a lot of cases, the security team, the CISOs, don't necessarily have.
Even the CIOs don't have that kind of information, which is really unfortunate.
So the closer you can get to what those individuals at the C-level truly are focused on and how they're managing their
(07:18):
teams and driving their own outcomes, right, for their role, the closer you can get to understanding that and understanding what the business does to actually survive as a company, meaning what products or services they're offering, and tying that back to what cybersecurity is doing, information security is doing.
That's how you start to map out how to report against risk and
(07:44):
how certain vulnerabilities, misconfigurations, whatever they might be, that are reported against certain applications, and you understand that these applications A, B and C are supporting a key business outcome that the executives care about.
Now you're on your path to begin creating that mapping
(08:04):
of a proper business, what I like to say a business context risk program.
So, you know, you can start at the very aggregate level and then work yourself down: what applications impact product or service, what infrastructure is supporting that application, and, you know, kind of go down level by level.
Speaker 1 (08:26):
It's pretty interesting because it comes down to culture, and we know that CISOs, CTOs.
It's pretty interesting because it comes down to culture, and we
(08:48):
know that CISOs, a CMO and a CFO may have more in common with each other than a CISO may have with the CMO, for example, or the CFO. Sometimes, right? Sometimes, I mean.
Speaker 2 (09:02):
It's an interesting comparison you gave there.
For example, the CFO cares about risk, financial risk, and the CISO cares about data risk, cyber risk, right.
So they have that piece in common, certainly.
Speaker 1 (09:18):
Right, so they can have a beer.
They can have a beer over that conversation.
Yeah, exactly.
Speaker 2 (09:24):
Like you and I could have a beer with an insurance underwriter, right?
You kind of understand the lingo at least, and so, you know, you're right that a lot of security, information security, cybersecurity team or leaders generally come from either audit
(09:46):
or from IT, somewhere through IT, from a background, which I think is great, because you need to understand what you're trying to protect, right?
So you do need to understand the underlying technology, right.
That's really important, obviously, so that's.
Speaker 1 (09:59):
That's very briefly.
That's the other side of the coin.
Do you think that this is? It's equally as important for the business to understand the technology as it is for the technology?
You don't think so.
Speaker 2 (10:17):
Well, not to the degree we might think, but I think it's important for, obviously, executive leadership to understand, you know, at least at an aggregate, what applications are supporting, you know, the business process for product X or product Y, right, and, you know, many times there could be legacy systems that can't be patched anymore, and so that's on the CIO's
(10:39):
roadmap to replace that application eventually.
And certainly you're going to get support by the CISO or the security team to make that happen sooner than later.
Because that risk exposure, if you can't patch a legacy system without it breaking, well, every day, every week, every month that goes by, your risk exposure perhaps grows even larger on
(11:03):
that asset, and I guess, understanding how that affects the bottom line.
Speaker 1 (11:09):
That's kind of what makes the business folks perk up and listen.
So I mean, what are some ways that you would start that conversation with business leaders?
I guess you generally, as in, like people, how they would start that conversation, but also specifically how you, Chad Boeckmann, how would you start that conversation about risk, cyber
(11:29):
risk, particularly with the business folks?
Speaker 2 (11:31):
So one question I like to use oftentimes in a discussion, like you posing the question you did, is what is the business objective you're trying to solve by, you know, conducting a risk assessment, let's say, and what is the scope?
Right?
And usually, when you get to that second question, what is
(11:52):
the scope of what you're trying to measure and what the ideal outcome is?
That tends to really open up a lot of dialogue, because what I've found is, if you haven't been a consultant before or had to think about SOWs, let's say, the term scope can mean a
(12:15):
few different things, and so it's helpful then to start that dialogue with individuals to help them think about what is the purpose of assessing business division A versus B, right, and how does that support the key processes that the company relies on, right, customer support function, financial
(12:38):
function, e-commerce functions, right, and starting to have dialogue into what each business unit does, how that impacts the revenue of the company, the contractual commitments of the company.
So that's how I like to start the dialogue and start getting information and start providing information back.
Speaker 1 (13:01):
So in other words, you're starting the conversation in their language.
Yeah, I can't walk up to somebody in Spanish, ask for directions using English.
I mean, it's not going to work, right, so, or someone who speaks Spanish, they won't understand what I'm saying, obviously, because I'm speaking a foreign language.
And it's the same, based on what you've said, if you don't
(13:21):
start in their language.
I mean, that's like coming up to somebody and going, you know, talking to a CFO and saying, all right, we've got all these vulnerabilities that are in our system and our risk exposure is X, Y and Z, and if we don't patch these servers, then guess what?
Our risk exposure will increase and the bad guys are going to
(13:41):
get us and everybody's going to get hacked.
The CFO is going to be like, okay, I don't even know what any of those things that you just said are.
Speaker 2 (13:49):
Yeah, they're going to say, well, why do I care?
Help me understand that.
Help me understand why I care. Exactly.
And so what you laid out is kind of a classic example of where we don't speak, you know, the business language, and so that's where risk quantification, I think, helps, because it can actually start to
(14:10):
provide loss in terms of financial dollars.
But that can also be challenging at times if you are talking to a CFO, because they're going to be smarter than you are on the business financials, right.
So being able to sharpen the pencil and using, let's continue
(14:45):
with the CFO example, using them as your advocate to build out and get more accurate the results of a risk quantification outcome, I think is really important, and make them part of the process and part of the team, if you will, that provides the final results, and through that, you and your team that are conducting an ongoing and maturing risk management program are going to learn more about the business and how the business thinks about itself from other teams like the financial team.
Speaker 1 (15:06):
So if I'm a small or medium business owner, let's say I'm a CEO of a medium-sized business, 75 to 250 employees, let's say, maybe a little bit of a broader range.
Yeah, okay, fair enough.
And let's say I'm a CEO, I'm a little bit more invested in
(15:27):
cybersecurity because I understand, I still need to be sold a little bit, but overall I understand the gravity of what we're dealing with.
I understand the impact that this can have to my business and it can devalue my business if I don't have proper cybersecurity.
But I don't know anything about cybersecurity.
(15:48):
What are one or two concepts in cybersecurity that a CEO needs to understand?
A CEO needs to understand, because I don't think that it's all on the CISO to have to explain what this is, right.
It's sort of like certain political movements where one demographic wants the other demographic to understand them
(16:09):
and they don't think it's my responsibility to explain my identity to you, right?
But we know that in reality you do have to explain a little bit and you have to bridge the gap, and you also have to have the other demographic at least a little bit interested in identifying your issues and empathizing with you.
(16:30):
So it's not all on the CISO; the CEO and the business team, they need to be a little bit invested.
But let's say there is the will, the CEO is somewhat invested.
What are a few cybersecurity concepts that they should understand that would help them get that conversation going with the IT or the risk management team?
Speaker 2 (16:49):
Yeah, it kind of goes back to what we were talking about earlier.
First and foremost, before you start having, for anybody who starts having a discussion on cybersecurity risk and explaining that in terms non-security, non-technical people can relate to, it's really understanding what you mentioned briefly.
(17:10):
Where are they coming from?
Whoever is communicating and trying to establish the relationships or communicate the cyber risk profile to the CEO, for example, under building that relationship with them, taking them out to lunch, talking a little bit about business but more about themselves, right, understanding truly where
(17:32):
they're coming from.
What's their background, what they really like to do for hobbies, that type of thing, understanding them as a person, that'll lay the groundwork to help understand how to best communicate with that individual.
Speaker 1 (17:45):
So I'm like getting ahead of myself a little bit.
I think that before you start explaining the concepts of cybersecurity or business, you're saying that first you need to establish a personal relationship with that other party, at least some level of personal relationship.
Speaker 2 (17:59):
Nah, you know what? Screw it.
Speaker 1 (18:01):
I'm not being nice to anybody.
I want them to do exactly what I say.
I'm not taking anybody out to coffee or beer, and if you don't like it then you can pound sand.
Speaker 2 (18:11):
Then you have about a 90-day half-life at that company.
Speaker 1 (18:15):
Yeah, you're not going to be around for too long, no. All right.
So let's shift a little bit. Insurance, cyber insurance.
If I'm a small business, I probably, again if I'm a CEO who knows nothing about cybersecurity.
But I know there's this thing called cyber insurance that if something happens it's a get-out-of-jail-free card.
(18:37):
That's what I'm thinking.
Right, I don't know any better.
What do I know?
Do you think that a company should rely solely, or at least to a great extent, on cybersecurity insurance?
Because to me that sounds like a done deal.
If I get cybersecurity insurance, something happens, boom, I'm covered.
Speaker 2 (18:56):
You gave me a softball question here.
I like it.
So absolutely not.
You know, I've heard stories of companies doing exactly that and, as a result, they have one, maybe at the most two people responsible for security, and security doesn't get any budget
(19:16):
because they have insurance that can offset their risk.
Well, you know this.
My story there may have been dated a year or two, but, you know, one thing is to understand the insurance market is certainly waking up because of the wave and wave and wave of data breaches, and that's beginning to cost them, and so
(19:37):
premiums are going up.
Coverage is going down, so you pay more for less when it comes to insurance coverage, and I think that can be a very positive change.
To have the conversation with the CEO, CFO, CIO, whoever is going to help support investing in the security program, because
(20:00):
it's going to be.
You know, now you're shifting your cost thinking about in terms of insurance premiums to in terms of investing in a long-term, more sustainable security posture that will ultimately help reduce your insurance premiums and your reliance on that over the long term, and in no way is any insurance policy going to cover 100% of your losses.
(20:21):
You know, you're going to have revenue loss potentially. You'll have loss, potentially loss of customer reputation.
You're going to have legal expenses, depending on your business type.
You're going to have the standard identity and credit monitoring services which, by the way, most insurance policies do cover.
If you have a cybercrime policy, for example, a data breach
(20:43):
policy, they'll cover those services.
But, yeah, I mean, it's no longer can somebody just take one approach to their cyber risk and use insurance as that singular approach.
That is not a viable solution.
And going back to having that conversation, let's say, with the CEO, right, it's a recipe for going out of business.
(21:03):
That's how I would open with my answer and then start to break down the reasons and why that is, given what I just described.
Speaker 1 (21:13):
All right, I want to get a little controversial here.
Right, I'm on one side of this fence and I'm in the minority. Talking about using fear.
Some people call it fearmongering.
When talking about risk, largely, I think the cybersecurity community is against fear mongering.
Right, they don't want to go to the business and say the house is on fire, things are falling down.
(21:33):
But here's what I never understood about that. If security is what we do, then the result of not having security is that you're not safe.
So to tell someone, if you do not have a risk management plan, which is the biggest risk of all, if you have no idea of what
(21:54):
your risk is, that's the biggest risk.
Is it not incumbent on the CISO or someone from the risk management world to demonstrate the gravity of not having a risk management program and, ultimately, not having cybersecurity?
Speaker 2 (22:12):
I really hope there aren't any companies out there today in that position.
Speaker 1 (22:16):
Because I'm thinking if I go to a mom and pop shop and they have no risk management or no cybersecurity, not even an MFA?
Speaker 2 (22:23):
Here's what typically is going on, though.
In those situations, mom and pop shop particularly, they have an MSSP or MSP where they're outsourcing all of their technology, right, with the exception of maybe a few machines on site, and they're relying on that MSP, MSSP for their security services.
In addition, they probably are also buying some form of cyber
(22:48):
insurance as well.
Speaker 1 (22:50):
Most companies already have a baseline.
They have something in place, I think.
Speaker 2 (22:55):
I mean, this is a pretty broad statement, but I would like to think that most companies understand the importance, because look, how long have we been talking about cybersecurity as an industry?
And we're still talking about it. Not as an industry, sorry, as a society, right? A long time.
I think it probably started with when people were still on
(23:17):
AOL dial-up.
We had the Norton antivirus.
Speaker 1 (23:21):
Right, again.
I had firewalls.
McAfee came with every computer that you bought from Best Buy.
Speaker 2 (23:26):
Yeah, right.
So, I think part of the favor of every company now is the fact that it's been beat into our heads enough, particularly since the wave of data breaches over the last 10 years, that this is a really important topic.
And if they're a company of any size, particularly with shareholders, board members, there is certainly some level of
(23:51):
credence put into a cybersecurity, cyber risk program.
Now, whether it's mature or not, and how well they're operating it, how much time and investment they put into it, that's where the variable really comes into play.
Now, taking your example, let's say a hardware store, right, certainly they're not going to hire anybody dedicated to
(24:13):
cybersecurity.
They're going to be outsourcing all of those functions and they will add on cyber insurance to the regular general liability and other liability insurance that they carry.
And so that's a totally different business profile than, say, a company that has several hundreds, several hundred
(24:34):
thousands of employees, right?
Speaker 1 (24:37):
So, um, and it sounds like, yeah, context matters, and I love that you talked about maturity, because, you know, I think that maturity has this diminishing return where, the more you invest in maturity, let's say somebody trying to get to a CMMI style level of a five, right, that's their goal,
(24:59):
it's not as worth it to go from a 4.8 to a five as it is to go from a one to a three, right, or one to a two.
So I think that's also maybe a part of this conversation as well.
Maturity is important, but you have to come in with an understanding that the business may already have existing processes in place, and I think that that's the best answer.
(25:20):
The answer you gave to my question is the best argument that I've heard so far, which is you don't want to scare people because the reality is they already have some measure.
After all this time of talking about security, there's some measure of security in every business, even if it's an antivirus that's on endpoints, and so to come in waving the
(25:42):
flag that the house is on fire, trying to get them from a maturity level of four to a five, doesn't make much business sense.
It's cost prohibitive, typically, right. Right, okay.
Well, you haven't convinced me 100%, but I'm slightly more on the side that fear mongering is not good.
(26:03):
But if I'm in the business of security, guess what?
I'm going to make some kind of argument that if you don't implement my product or service, you are less safe today than you may otherwise be tomorrow.
Speaker 2 (26:17):
You know, that's very interesting.
You bring that up, and I think anybody that's been in this industry for a while would argue with you and say that is exactly the problem with the vendor landscape in cybersecurity, because everybody, well, not everybody, too many companies somewhat take that approach.
Yeah, at the end I'll be all.
(26:38):
We have the dashboard of all dashboards.
We have the single pane of glass.
You know, you name the phrase that is used, it's been used.
Speaker 1 (26:45):
If it's used once, it's been used by a thousand. So it's not even so much that the message, whether it's true or not, is that it has been diluted with a lot of falsehoods, false promises and inauthentic services and products.
Okay, you know what, Chad?
You're on a roll.
I think you might be convincing me that that might not be the
(27:06):
way to go.
I'm as close as, if being at 12 o'clock is that you've convinced me, I'm at 11:59.
Speaker 2 (27:16):
So what do I need to do for the last minute?
Speaker 1 (27:18):
You have to convince me that, in order to sell guns to a country, I should not tell them that this will make you much safer.
And if you don't purchase my guns, guess what?
You're going to get attacked by neighboring countries and they're going to obliterate you.
So I think that it's still a part of the conversation.
I think that the problem is trust.
Speaker 2 (27:41):
Yes, yes.
And what do countries do first?
They try diplomacy, conversations, relationship building, policies, so on, right.
Speaker 1 (27:53):
Yeah, wow, wow.
That's incredible.
Actually, I think you might have gotten me to 12 o'clock.
We don't have much more time here and I want to give you a chance to let people know how they can find you, how they can learn more about TrustMAPP and anything else that you want to close with.
Speaker 2 (28:11):
Yeah, thanks for having me on, Josh.
This was a lot of fun.
So, Chad Boeckmann, you can find me on LinkedIn.
My last name is spelled B-O-E-C-K-M-A-N-N.
First name, Chad, and you can look up TrustMAPP at T-R-U-S-T-M-A-P-P.com.
That's Trustmapp.com and we have a contact form there.
(28:33):
A bunch of information to download and review, use cases and so on.
So explore that website, reach out to us with any questions or feedback. Always happy to hear that.
Speaker 1 (28:40):
All right, awesome. Thanks, Chad.
Appreciate you being on the show and being so gracious with your time, and thank you for listening to this episode of Cybernomics.
Check out Bruyning Media at bruyning.com.
That's B-R-U-Y-N-I-N-G.com, and you can find me on LinkedIn as well, Josh Bruyning.
Shoot us an email, send us a comment.
If there's a topic you want us to talk about, we're happy to do
(29:03):
it, and if you'd like to be on the podcast, I would love to talk to you as well.
So with that, Chad, thank you. Thank you.