
Security Unfiltered
Mastering Cyber Risk: Matthew Alderman on Cybersecurity, Leadership & Building CyberSaint
Join Joe as he reconnects with Matthew Alderman, Chief Product Officer at CyberSaint, in this insightful episode of the podcast! With over 250 episodes under his belt, Joe dives deep with Matthew, a cybersecurity veteran, podcast host, and advisor, to explore:
CyberSaint’s Game-Changing Approach: How CyberSaint uses historical loss data to revolutionize cyber risk quantification, helping CISOs justify budgets with real financial metrics.
Career Insights: Matthew shares his journey, from running startups to advising new ventures, and how he balances multiple roles (CPO, podcast host, advisor, and family man).
Leadership & Communication: Why CISOs need to speak the language of business to earn a seat at the boardroom table.
Practical Tips: Advice on avoiding burnout, building a mentorship network, and leveraging your personal brand in cybersecurity.
Free Cyber Risk Analysis: Visit CyberSaint.io to benchmark your organization’s cyber risk against industry peers.
Connect with Matthew: Find him on LinkedIn Matthew Alderman or X @Maldermania
Listen to Matthew’s Podcast: Check out Business Security Weekly at securityweekly.com/BSW.
Chapters
00:00 Reconnecting and Reflecting on Podcasting Journey
02:19 Balancing Multiple Roles and Responsibilities
05:44 The Importance of Personal Well-being
07:53 Career Goals and Retirement Aspirations
10:31 Integrating Consulting and Podcasting
11:55 The Value of Mentorship in Professional Growth
15:02 Building Trust and Reputation in Networking
16:39 Leveraging Podcasting for Career Opportunities
18:20 Innovations in Cyber Risk Management
23:07 Integrating Risk and Control Data
25:30 The Importance of Risk Quantification
28:33 Communicating Cyber Risk to the Board
30:41 CISO's Role in Business Strategy
33:03 Free Cyber Risk Analysis Offering
36:20 Customizing Risk Models
39:58 Real-Time Risk Monitoring
42:24 Targeting Public Companies for Cyber Risk Solutions
45:14 Closing Thoughts and Future Directions
Subscribe for more cybersecurity insights, leadership tips, and industry trends! Drop your thoughts in the comments below—how do you approach cyber risk in your organization?
Follow the Podcast on Social Media!
YouTube: https://www.youtube.com/@securityunfilteredpodcast
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Speaker 1:How's it going, Matt? It's been a while since you've been on the podcast. I think you might have been one of the first 20 guests that I've had on. Maybe I'm being a little bit generous with that number, maybe the first 10.
Speaker 2:Oh, maybe I don't know.
Speaker 1:Yeah, now I'm all the way at over 250 episodes out there.
Speaker 2:Wow.
Speaker 1:I'm cranking out the content, but I really appreciate you wanting to even come back on.
Speaker 2:Oh, of course. Pleasure. Like, I do a podcast, so I might as well be on the other side every once in a while.
Speaker 1:Yeah, it's interesting when you're on the other side. I'm not quite used to it yet. I don't go on very many other podcasts, but the ones that I do, it's just, it's different.
Speaker 2:Yeah, it's funny, because a lot of people ask me, like, what podcasts do you listen to? I don't listen to podcasts. And it's funny because, being a podcast host, you would think that I'd listen to more podcasts. I don't have time, so I do mine, but I don't really listen to others.
Speaker 1:Yeah, that is. Yeah, that's very accurate, you know, and I never understood it until I started doing it. And now it's like, yeah, I don't really listen to podcasts like that. Maybe I'll put on Joe Rogan, right, if I'm doing the dishes or something like that, you know, to keep me a little bit busy, but listening to other cybersecurity podcasts, or just any other podcasts overall, it's a little bit difficult because, you know, for us, we're not only doing a podcast, we're doing several other things, you know, which has its own challenges. How do you, you know, how do you manage everything that you do? Right, let's maybe cue in the audience to the different roles and different hats that you're wearing on a daily basis.
Speaker 2:Yeah, I wear about three on a daily basis. I have my day job, chief product officer at CyberSaint, building out a risk quantification, what we call cyber risk management, platform. So that's my day job. That's where most of my time is spent. It was funny, I was telling somebody last night, I average like seven meetings a day, half-an-hour to hour-long meetings. But I'm doing right about seven meetings a day, so I'm doing 35 meetings a week for my day job.
Speaker 2:My podcast host hat. So Monday is my podcast and my recording day, so I have to make sure everything's ready for Monday. I block out an hour and a half every Monday for the podcast, so the podcast is an hour long and I block out 15 minutes before, 15 minutes after. That way we have buffer time, we get the guests in. So an hour and a half every Monday is dedicated to the podcast, and I block out my Friday afternoons, right after this time frame actually, to make sure all my podcast prep is done. So my prep takes about an hour to an hour and a half a week. I have to do my prep call with my interview host. I have to prepare all my articles for our leadership and communication segment. I do that in about an hour, hour and a half every week, and everything's ready to go record.
Speaker 2:My third hat is kind of my advisory side. Right, I still have the advisory practice, I still advise startups, I still do some angel investment in startups, and so those kind of come and go. They ebb and flow depending on which clients I have at any given time and what they need. So I've been helping a startup that's doing some really interesting stuff around incident response, investigation work, leveraging AI. So I've been helping them kind of get their message together, helping them understand how to communicate what they're doing out to the different buyer personas. So that's kind of my third hat on a regular basis, and that's before I'm a husband, a father, yeah, you know.
Speaker 1:Yeah, light stuff, right? I mean, you're not too busy of a week, right? No, not at all. I'm real quick to say yes to new opportunities and taking on more, and then managing it, I don't want to say it's challenging, but I think the burnout rate will increase as I don't do my own personal things. Right, like if I don't go for a walk, if I don't go work out, if I don't, you know, do my float session, right, it's like I'm slowly burning out. And so it's a fine balance I'm finding over the past couple of years. Right, like any regular listener has heard me talk about burnout every single fall, and I just get to the point where I'm like, hey guys, I'm literally not recording the next two months. I have episodes, they're going out, I'm not doing anything.
Speaker 2:Yeah, well, that's like the husband and father side of it, right? So every Monday night and Thursday night, on a regular basis, we try to play pickleball, my wife and I, right? So we have a group of us here that we try to play with every Monday and Thursday. So that kind of gets us out of the house, gets us going. Every once in a while the wife will grab me and go, come on, we're going for a walk. I got to get up because, as I said, I sit in seven meetings a day. I'm constantly at this desk. Actually, that's the home machine right there, or the work machine, so I'm sitting at that desk a lot during the day. So getting up, moving around, getting some exercise so you don't get burned out are definitely important things to do.
Speaker 1:Yeah, yeah, that's very true, it's. You know, I recently and when I say recently, I mean 30 minutes ago, right, I heard this video of kind of reengaging your brain or changing your why along the way. Right, why you do all of this, right, and I think that that is something that, for myself, has fallen off a bit right, my why when I started was let's get a career going that is successful enough to support a family, right. Let's have a house, right, like all those sorts of things, as I'm sure a lot of people you know go through that and probably are going through that. Right, I mean, that's an admirable goal and whatnot, right. And I've found that I accomplished that, but then I never reset, refocused, and so now I'm taking on more things than I probably should because in my mind, in the back of my head, I'm still trying to achieve that goal that was already achieved. Does that make sense? Did you ever go through something like that?
Speaker 2:Oh, it completely makes sense. Yeah, I mean, my career path has been interesting. Anybody who's followed me knows that every two to three years I do something different, but I've always had this kind of goal in mind. Right, my kids are primarily grown. My youngest is 21. He graduates with his bachelor's from Texas Tech in May. He's got one more year. He's got his master's. He's the last one.
Speaker 2:Right, I'm at a different stage in life. I'm in what I assume to be my retirement house that we built down here in Texas. I'm in a golf course community, and I tell people my vision of retirement is I golf in the morning and I do advisory work in the afternoon. I'm not ready to quite do that yet, but that's my goal, and so the reason I have the advisory practice, the reason I do the podcast, is those are things I love to do and I can do them in retirement. I don't have to work full time if I don't want to. I still do because there's some things I want to finish, but in a few years I'd love just doing the podcast.
Speaker 2:When I ran Security Weekly, Paul and I were doing four podcasts a week each, right? That's all we did, and selling sponsorships and running the company and stuff. But we were doing four podcasts a week, and so one podcast a week's easy. After you've done four a week, it's not that hard once you have your system down. Like I said, it takes me an hour of prep and an hour of recording. I spend two hours a week. Okay, if I can augment that with some other consulting and advisory work, that's a happy little retirement. And in Texas, if you don't golf in the morning, it's too darn hot in the afternoon to do anything else, so why not sit in the air conditioning?
Speaker 1:Right, you know, you describing that makes me think about what I'm working on right now, right. So, you know, I've had this consulting business, and I stray away from calling it a business, right. I've had customers here and there. It's not regular or anything like that, right, and it's purely on the side. And I always wanted something where I could go into, you know, a domain, a discipline, get the expertise from the nine to five, from my own research and whatnot, and turn that around into a consulting business to have something extra, right. Thinking about it from that perspective of even, you know, retirement, I don't see myself retiring into the sunset, not doing anything. What you just described is exactly how I kind of envisioned my own retirement, right, and I'm much farther off from it than you, right, but that's how I view it too, and so now I'm starting to kind of restructure or rework my consulting with my podcast, with blog posts, everything else.
Speaker 1:You're doing too many dispersed things. Right, you need to tie it all in and have a platform. Right, because right now you've got three, four, five different platforms. Right, let's tie it all in. You're doing good work and it all feeds each other. But it's a different way of thinking. You know, and that's probably the thing that I love about cybersecurity the most overall, is that, as an individual, I get to learn this stuff, and the stuff that I learn is intangible. Right, it's not like a company could be like, oh, that's my IP, you know, you can't use that knowledge anywhere else. It's like, well, no, once I know how to secure the cloud, I know how to secure the cloud. That's anyone's cloud. Right, I can take that and I can build something else off of it. That really excites me, that gets me going, you know.
Speaker 2:Yeah, or to help others, actually help them with their startup, right. Because you've built different products. You've seen different things. How do you use that knowledge to help others as they build? Like I said, this company I'm working with, the guys are young. They're babies. They're barely older than my daughter. They might not even be older than my daughter, right, but what they're doing is really cool, but they haven't been there before. How can I bring my leadership and some of the things I've learned and help them build a better product, or how to market that product? And so those skill sets have a tremendous amount of value to others who are trying to build their own company from scratch.
Speaker 1:What am I not thinking about? Because you don't know what you don't know until someone tells you or you live through it right, and in the beginning you really want to kind of limit those giant issues that occur because it takes up so much time and effort and money and whatnot.
Speaker 2:Yeah, I mean Jason Albuquerque, my co-host, talks about it a lot. You need to have that network of mentors. It's not just one mentor, it could be multiple mentors, because each mentor has a different skill set that you might need to tap into at any given time, marketing versus the finance side versus technology, or whatever it may be, and it's important for us, and we are a tight-knit community, to continue to build out that network and your network of mentors. Who do you go to when you run into a problem and you need help? Right? Like, I know who my mentorship group is. If I run into something, I know who I'm going to pick up and call, and they're going to be there, and they're going to be like, hey, here's what I know, here's what I did, you know, hopefully that helps you. And that's why I always try to do the same thing in return.
Speaker 2:Right, when people come to me, I always try to help them. I just had a buddy looking for a new role. He finally wants to get back into the workforce. I took his resume. I sent it to all the recruiters I know. I hope it helps, right? That's what I want to do. I want to help and give back and use my network to help connect other people.
Speaker 1:Yeah, I think that's actually a really powerful thing right there that not a lot of people really understand, right, and you know, right from the very beginning I wanted my name to have some, some power behind it, Right? So when I do make that recommendation, you know there's no questions beyond what I say, right, like there's no questions from that person you know to me. Oh well, can they do this? Are they a good fit? How do they work with all that stuff? It's like my initial statement covers it all, right, the initial statement being you know my name, I'm referring this person to your role. I know you, I know this person, it'll work out well, right, and so I'm very selective, even I wouldn't say very selective, but when I refer someone, it's because I know that they can do it Right, I know that they're a good fit for it.
Speaker 1:You know, and I really try to protect, not necessarily my brand, you know, Security Unfiltered, or anything like that. I just try to protect my own personal brand, right. Like, when Joe says it's this, it truly is this. Like, I don't have to worry about it, you know. Great, that's something I take a lot of pride in, you know.
Speaker 2:Yeah, and you should.
Speaker 1:Being able to do that have people trust me like that.
Speaker 2:Yeah, and it takes time to build those relationships, to build that trust, to put you in that position, right, but that's what we should all be doing to better our networks.
Speaker 1:Yeah, and it pays dividends down the line too. When you need something now, you have that established network, you have that established brand and whatnot.
Speaker 2:And we all need it at some point. Joe, trust me, we all do. We all go through the ebbs and the flows, and sometimes we need help in return.
Speaker 1:Yeah, you know, it's fascinating, right. When I was starting this podcast, I mean, literally, I expected five people to tune in. Maybe, you know, five on a good day, right. But, you know, fast forward a couple of years, four years, which is kind of crazy for me to say, because for a while there it was like every year I was reassessing if I was going to keep doing it, right. You know, now I've gotten job opportunities off of it. I've gotten consulting opportunities from it.
Speaker 1:When I, you know, interview at a company, right, the first thing that I'm typically told is, oh, you have a podcast, so that, like, separates you completely from everyone else, right, Like, not only do you have a podcast, you're developing connections as you're doing it.
Speaker 1:You know, like now, like I said, right, I have over 250 episodes going in, and most of those episodes are different people. I mean, you've been on twice, right, but it's not like I'm bringing the same people on all the time. And so now, you know, when I go to companies and they're saying we need an email security solution, I mean, this literally happened pretty recently, right, one of the directors was saying we need an email security solution, this thing isn't working out, who has any recommendations? No one else on the call except for me had a recommendation, and it's not because I necessarily worked with them directly, it's because I know the product, because I talked to the people that built it. You know, it's an interesting door that I never would have expected.
Speaker 2:Yep. Great connections, Great knowledge too. I mean, how many vendors have I interviewed in my career? A lot.
Speaker 1:Yeah, yeah, that's a good point. That's probably like thousands at this point, right? Yeah, well, Matt, you know, tell me about CyberSaint, tell me about what your primary focus is right now, because I was looking at it and it looks interesting. I think you guys are approaching risk management overall from a different angle, and how you came here.
Speaker 2:So the CyberSaint team has been a sponsor on my podcast in the past. So I knew the team. I knew the founder, Padraic O'Reilly, and I kind of always tracked them because they did some really interesting things around automating crosswalks. Then they built some automation capabilities to auto-score controls. So I was always intrigued. Some people know that my first startup was in the GRC space. ControlPath was one of the early governance, risk management, compliance products out there in the industry. I spent two and a half years at Archer trying to fix it. So I have a lot of experience in this space.
Speaker 2:And one of the challenges that the legacy GRC platforms have is they don't have a really good way of handling cyber risk. All the major platforms, OpenPages, Archer, even ServiceNow, they really focused around operational risk, but that doesn't necessarily translate to cyber risk, and so the joke has always been in the industry: big G, little r, big C. Heavy on governance, heavy on compliance, but really light on risk. And Richard Seiersen is a really, really good friend of mine. He wrote the book How to Measure Anything in Cybersecurity Risk with Doug Hubbard, and one day Richard came to me and said we should do a startup together. I said, Richard, the only startup you and I are going to do is if we can solve the risk management problem once and for all, which has to be some sort of quantified risk capability. Richard went off and did some other stuff. He's now at Qualys as their chief trust risk officer or something like that.
Speaker 2:But that stuck with me a little bit in the back of my mind. When I left CyberRisk Alliance after the Security Weekly acquisition, and being on the media side for a couple of years, I got the itch to build something again. So my first kind of foray was to go to Living Security, which was building a human risk management platform. Take the human user side with risk management. Really interesting. Except here was the problem. Risk was just a number between zero and a thousand. What does that mean? Right? Like, if you think about all these risk algorithms that are out there, there's some number between zero and 10, zero and 100, zero and a thousand. Some of them are unbounded. It's meaningless. It's a meaningless metric, and this has been the problem in cyber for a long time: we look at things qualitatively and we multiply random numbers together to come up with a number that really doesn't mean anything. And what do I mean by that?
Speaker 2:As a CISO, I have to work with my executive team to go justify budgets. If I walk into the CFO, the CEO or the board and say we're 79 out of 100 and I need $2 million, what does that mean? 79 to what? What's the $2 million going to do? Move you to an 85? What does that mean? What does 85 out of 100 mean? It's a meaningless metric. However, if you can go to the board and say I need $2 million because I can reduce $10 million in risk, and I can back that up through actual risk quantification, now I'm in a much better position to get the 2 million, because I can write down 10 million in risk.
Speaker 2:So what prompted me to come to CyberSaint was Paddy, the founder, Padraic O'Reilly. He showed me what he was doing with actual historical loss data. So there is a database of actual cyber loss events that has been around for almost 20 years now. If we know anything about insurance and actuarial tables, we also know that that data exists for life insurance and all these other things. And what he figured out, Joe, was how to take the cyber loss database, statistically analyze it and be able to drive risk quantification off of it. And when I saw it I was like, dude, this is a game changer, because we've been talking about how we don't have this data to actually do this, but he found it and he's doing it. Now, Paddy is an ex-economist. He's a quant on the economic side, right, so he's a math guy. But he figured out how to apply those same principles that finance and insurance use into the cyber space. And I'm like, dude, I'm in.
Speaker 2:I know exactly what we need to build, because it's the gap that the old GRCs have: how do you tie risk and compliance together? And whenever you see a change in your controls, how does it impact your risk? So what I've been building in the last year and a half is, basically, we call it a cyber risk management platform. It's tying risk data with control data. So out of the historical loss database, we have 18 risk vectors that we can identify actual historical loss against for every industry. I can use it as a starting point to drive the potential inherent risk of an organization based off of its peers' already sustained losses, and use that as a way to prioritize which controls, based off those risks, I should concentrate on to drive down the most risk. And that's kind of what we've built, this very connected risk and compliance product. And so why is that important?
Speaker 2:There's a lot of CRQ vendors, cyber risk quantification vendors, and they're really good at quantifying risk, but they have no idea about controls or compliance or how that ties into risk.
Speaker 2:They're simply doing risk quantification for the purpose of driving insurance premium policies.
Speaker 2:Okay, so I do the risk quant once, I do it once, once I'm done, because once I have my policy, I don't need you anymore.
Speaker 2:Then you have the continuous control automation vendors that are doing continuous control automation. I won't name names, but they're doing it at scale. Great, but they know nothing about risk. Their risk purview is a list of vulnerabilities. Folks, that is not risk. So what we do is we bring those two together in a very unique way, and so what it allows our clients to do is not only quantify risks. We can actually use those risk quantification capabilities to justify whether I should or shouldn't remediate certain risks, because not only can I quantify the reduction in risk, I can compare that to the cost of the project and I can tell you whether there's a return on security investment or not. That's what I believe CISOs need to have a risk budget conversation with their board and their executive staff. That changes the game, because now they can justify spend based on actual reduction in risk dollars. That's what we're building.
Speaker 1:Wow, that is a completely different way of doing all of risk. I mean, the biggest thing for me, being in the role that I'm in, right, is basically making the argument for what they want, that they're going to be using, you know, and putting those numbers together is so difficult. And, like you said, right, it's on a scale of a thousand. What in the world does 700 mean? To me it sounds like a C, right? Like, I mean, when I hear 700 out of a thousand, it sounds like I'm passing. I mean, I don't know how else to relate that, you know, and that's everything that we've been taught, you know, through all of our education, right? It's, okay, that sounds like 70%, you know, and it has no context.
Speaker 2:No, it does not. Right.
Speaker 1:It has no industry context and even when I try to tie it back and say, hey look, our competitor over here, they got breached this way and it cost them X amount of dollars, it's still loosely tied back somewhat right, like I mean, you kind of need that authoritative source like CyberSaint to go in and actually say, no, like this is the real data. You know, these are the numbers, so that's, that's very fascinating.
Speaker 2:Yeah, and it's so interesting, because what really kind of highlighted this for me is when I was at Living Security, one of our clients, a large client, they were trying to figure out how to put our risk score on a slide with the other risk scores, and it was four different scores of four different ranges, and I went, how can anybody understand this? Like, literally, how can anybody understand why this tool's producing a 700, this one's producing a seven, this one's producing 70? Like, it just didn't make sense to me. Right, because it's all garbage, it's made-up craziness.
Speaker 2:The only thing that boards, CEOs and CFOs really understand is money. They're all money people. Unless I can put cyber risk in something that they fully understand, I'm never, ever, as a CISO, going to get a full seat at that table, because if I bring vulnerability counts or incident counts or other things to the board, they're going to give you five minutes, you're out, and they're going to have the real big boy conversation with everybody else. That's just reality. And I mean Jason, Ben and I talk about this on the podcast all the time, Joe. That's why we do a leadership and communication segment on the podcast. We're trying to help educate the next set of CISOs to learn how to be more business-focused executives, because cyber is a business risk that has to be managed, and it has to be managed like any other business risk. It's all about money, guys, and so that's why I went to CyberSaint, because I saw such a unique opportunity to do something different that I thought would actually move the needle in the risk conversation.
Speaker 1:Yeah, you said something that is kind of like a mentality switch. Right, because typically, when you think about the experience the CISO has, right, they probably have experience as, you know, a technical engineer. Right, like, they understand technology, they're the top security person at the organization. They are the go-to person for it. Right, they're a leader in the community. They have their different avenues and outlets, like maybe they go on podcasts and whatnot.
Speaker 1:Right, and coming from that background, you're not really geared towards talking to the board in a way that the board understands. You're geared in talking to other technical people in a way that they understand. Right, and that I've only had one CISO that really kind of drew that home to an extent. Right, I mean, like I feel like engineers can be a little hardheaded at times. Right, Because we're so in the weeds, we're so technical, it's hard to break through. But to have that understanding of, hey, the board is looking for this, this is how they view it. They view it as a business. It's a section of our business that they just seem to only throw money into and nothing comes out of it and they're required to do it. And so me going to the board and saying I need another 2 million. They're going to say, well, why do we have to burn another 2 million on you guys? You guys have been fine ever since. We haven't been breached yet. Why do we need to give you more money?
Speaker 2:Right, and why not take that $2 million and go invest it in some new AI capabilities in this product line to grow my revenue? See, that's the battle that CISOs are going up against. They have to justify those dollars, and the justification is, do I spend $2 million on security or do I spend $2 million on AI? Those conversations happen all the time. We've had multiple segments on the podcast that highlight this. I had Sumedh Thakar, the CEO of Qualys, come on because his board asked him, how much are we spending on cyber? Why don't we just buy a bigger cyber insurance policy to cover those losses? He's a security vendor getting asked these questions from his board. Very interesting interview for anybody who wants to listen to it.
Speaker 2:I brought Jess Burn and Jeff Pollard on from Forrester on their Future of the CISO report. Huge, kind of eye-opening, based on the different CISO types. What kind of skill set do you need? And I just put a clip on LinkedIn the other day: if you, as a CISO, want a board seat and you haven't run a P&L, you're not going to get a board seat, because board seats are reserved for people who understand how to run businesses, right, and they made that very clear. Jeff Pollard does a really good talk on this point, but CISOs who want to be board members also have to learn how to run a business. They need to be a founder, they need to run a company, because then they'll have the rest of the skill set the boards are looking for, which is the financial understanding.
Speaker 1:That's interesting that you frame it like that. I never thought about it like that. You know, that really the board is expecting you to run your business line like it's a separate business, you know, under the same entity and whatnot. And all of those people on the board, they're all doing that.
Speaker 1:You know, you think about the product marketing, the sales, all of those people. They're all treating it like a business, and security is the only one that's coming into the conversation that's telling people that they're wrong, right, making things more difficult. They're asking for more money without really having the evidence and the proof. So I mean, that product at CyberSaint, that's going to be invaluable to really any company in any industry.
Speaker 2:Then yes, and because we have a lot of the base data, it helps you quickly benchmark yourself against your peers. We actually give that away for free, by the way. It's funny, we have this thing called the free cyber risk analysis. You can go to the CyberSaint.io website, sign up, four clicks. You put in your primary industry, your secondary industry if you want to (it's optional), your revenue size and your employee size. We'll tell you the top five risks that your industry has faced and we'll tell you which controls are mapped to those risks. We give that away for free so you can see it yourself. It's eye-opening sometimes to see what your peers have been susceptible to, how much actual loss they've incurred just on the top five (that's five out of the 18) and which controls they should focus on. We do that as a way to help educate people on what we're doing and how we're doing it, but it's a great starting point for anybody who wants to try to move away from a qualitative kind of risk-based approach to a quantitative risk-based approach.
Speaker 1:Yeah, I mean, that's also a fantastic hook to just comment on the product, right? Because as security people, we're very curious. You give us a little crumb, all right, now we want to see the whole slice of bread, right? We want to see the whole thing, and so for me, that would be an immediate okay, well, what else is there? You showed me five. What are the other 13 that I'm missing? Yeah, it's interesting. Now I kind of want to go do it right now after this podcast. That's what I'm doing.
Speaker 2:All right, go ahead, it's free. Sign up. Now watch out, my marketing team might come after you after the fact.
Speaker 1:but right before, I'm used to I'm used to marketing. At this point, you know it's um, yeah, that that is fascinating, and I wonder why no one else really even thought about doing it like this, Because a lot of people don't realize that the data exists.
Speaker 2:If you look at the data source we're using, if you look at it in the raw, it's hard to figure out how to use it. You can't. It's hard to figure out how to use it and this is where Patty's brain really came into the mix which're basically producing two values loss event frequency and loss magnitude, or threat event frequency or single loss expectancy in the NIST 830 model. Right, it's very simple. Once I have those two numbers, I can either do a straight line ALE like 830, which is threat event frequency times, single loss expectancy, or I can take loss event frequency, loss magnitude, drop it into FAIR, run the 10,000 Monte Carlo simulations and produce the risk curves. It's not rocket science, but the hard part was the data source, the statistical analysis that then drives those quants, and so it's a foundation to the platform. We use it to help kickstart a lot of our clients. But then what I built into the platform was all the customization that clients can do themselves. Right, If you have different loss magnitudes, put them in the system. You can build your own risk models. You can create your own heat maps. You want a six by six? Create a six by six. You want a four by four, create a four by four. I don't care.
Speaker 2:But what we do is we balance the old qualitative heat map with a risk quant on the other side of it. They're right side by side in the platform. It just opens your eyes to, all right, I have all these risks that I think are high, but when you see the bubble, the size of the risk in quantified dollars, you instantly know where to focus. It's so evident. And so all that customization is in the platform. And then, with our latest release towards the end of last year, our version four release, I opened up beyond cyber risks, because we had a lot of clients that were like, we love what you do for cyber risk. Can you add enterprise or other types of risk in the platform? Absolutely, so clients can customize their own risk types and categories. They can track other types of risk outside of cyber risk in the platform. And now what we're looking for is, are there similar data sources that we can use to quantify some of those risks?
Speaker 1:Wow, have you ever done a case study of how accurate the numbers are to actual breaches? If you go back in time and let's say you run Equifax's number, I wonder how accurate it would be compared to the numbers of that breach.
Speaker 2:Yeah, so remember, annualized loss expectancy is likelihood times impact. So we have the raw impacts, but we also know the likelihood of that attack, right? So everything in the platform is annualized loss expectancy. Okay, so we know the impact, but in order to keep it consistent, we used ALE as the metric in the platform. So we have that data. I have customers that have run through it and use it to prioritize the remediation, right? So I had a home builder here in the Dallas area use it to look at their posture compared to their peers. The CEO set their target. They use that to drive down their risk. They're going through remediation right now. We have a large public company out of the Seattle area that, after they got breached, the first purchase they made was us, to understand their current risk posture, and they've used it to prioritize all their downstream projects. Now they're enabling automation to automate all those control scores in real time, to just continue to drive that real-time kind of risk quant data in the platform. Great use cases.
Speaker 1:It's probably like a great single pane of glass, not just for the CISO to look at, but maybe even other executives in the C-suite, right? Other board members that say, hey, I want to look at this at 8 a.m. every day. I just want to check it, right? I want to see it.
Speaker 2:See where I am. Let me look at my inherent risk. Let me look at my residual risk. Let me see how I'm trending. Where are my top risks? Are they trending up and down?
Speaker 2:So lots of trending graphs in the platform kind of show you the trend over time. Is ransomware ticking up or is it ticking down? Right, the beauty of the historical loss database is we get monthly updates, right? So every month we're updating that data. So if you synchronize your risks with our industry data set, you're getting real-time updates to those trends as they're coming into the platform, and so we can show those risk trends over time, which kind of helps you, like, is the inherent risk for ransomware going up or going down based off the latest breaches? And by default we use a 10-year look-back period, but you can shorten that down to three years, so you can use just the last three years of historical loss to kind of fine-tune how you want to track those. Lots of fun customization in the platform to support various use cases. But the data is awesome, and that's what hooked me when I saw it.
Speaker 1:Yeah, yeah, that's, I mean, that's what caught my attention right there. You know, when you talked about the data and how you found it, how it wasn't really even being used earlier, you know, which kind of blows my mind, because I've been at companies where they're actively, they have some solution that's comparing them against their competitors, right, and they get some arbitrary score that doesn't even make sense to me, right, and they're pitching it to the board and they're wondering why they never get approved for a solution for the next budget or whatever it might be, right. Do you find that now, I know that this would be valuable in the federal sector, the government side of things. Do you find that a lot of government agencies are coming to you right now and finding the value?
Speaker 2:Not yet. They're so compliance-focused from a CMMC perspective right now. It's just, they're not there.
Speaker 1:That's a maturity thing right.
Speaker 2:I mean, the industries that see the value in this obviously are the financials and the insurers, who have been doing this for a long time. Healthcare, a lot of public companies, and it's not necessarily the Fortune 500. I think our sweet spot is the 3,000 public companies that are not the Fortune 500. And the reason is they don't have highly mature security or risk management programs, but yet need to understand materiality and potential impact of cyber risks in the SEC reporting requirements. That's where I think our sweet spot is, and we're starting to see some of that. But I mean, look, we've got Fortune 500 clients using our platform. But I think we also have a really, really good use case for much, right?
Speaker 1:it's extremely valuable right, because you're you're, you're really capturing this data in a way that hasn't been conceptualized before. You know, like I keep on going back to that point. But this is really, it's fascinating to me because, even like I'm in the space, I'm the one that's preparing the report that the CISO is going to give, and I'm looking at these numbers and I'm saying they're not gonna. No one in that room is going to understand this. No one in that room, right? If I have to explain to the cso, right, and break it down, no one over there is going to understand it. You know, and so that that's where that revolutionary piece is coming from, that I keep on going back to it inadvertently yeah, that's the good and the bad, right?
Speaker 2:yeah, it forces people to think differently. The problem is, people are so used to doing the old way and that they can't wrap their heads around some of that too. So I mean, we take the good with the bad yeah, well, that's kind of the.
Speaker 1:That's probably like the government, the government side, the government impression, you know where. You know you always hear about how, like DARPA and the NSA and CIA, all these intelligence agencies, they're, they're, you know, decades ahead of what's publicly available and things like that, and that's that very true. I've talked to some of those people and you know I brought up something like you know some some like homomorphic encryption to a friend of mine who's in the Navy on the cyber intelligence side of it. He's like, yeah, we've been doing that for about seven years now, so go ahead and catch up, right. And that mentality is completely different. When we're talking about the other side of the house, right, the not-so-innovation, keep-the-lights-on house, right, where they're not interested in doing new things until it's an old thing for everyone else, right, it's a totally different mindset, kind of frustrating, yeah.
Speaker 2:Again, we get the good with the bad mindset Kind of frustrating.
Speaker 1:Yeah, again, we get the good with the bad. Yeah Well, matt, before we end things here, how about you tell my audience where they could find you if they wanted to connect with you and where they could find CyberSaint if they wanted to definitely go, take advantage of that free offering.
Speaker 2:Well, anybody can find me on LinkedIn, Matthew Alderman. I'm one of the early guys, so I don't have a bunch of crazy numbers behind my name. On X, I'm @Maldermania. CyberSaint.io is the website for the company, and the podcast is Business Security Weekly. Go to securityweekly.com/BSW and you'll find all my 380-plus episodes.
Speaker 1:Nice, awesome. Well, thanks, Matt, I really appreciate you coming back on. It was a fantastic conversation.
Speaker 2:Yeah, thanks for having me too.
Speaker 1:Absolutely. Well, thanks everyone. I hope you enjoyed this episode.