In the first episode of our podcast Risk Grustlers, we unravel the complexities of dealing with cyber risks with Davis Hake, the co-founder of Resilience, a pioneering cyber risk solution company based in New York City.
Davis takes us through the journey of his company Resilience, which is redefining how companies think of the ‘economics’ of risk management with their innovative approach to addressing cyber risk, and the imperative need for a comprehensive understanding of risk management.
Prepare to be enlightened as he delves into the changing insurance landscape, the need for engaging buyers early on and the importance of knowing what works for your business.
Watch the complete podcast here:
Let’s take a look at some important highlights from the illuminating podcast.
Aayush: Why don’t you tell us a little about the journey of Resilience?
Davis: Back in 2016, we kicked off our journey into Resilience. At first, we focused on supplying data to insurance companies. Our big idea was different though – we weren’t keen on just adding another security tool. What we really aimed for was to transform how cybersecurity economics worked. That’s why we got intrigued by the behavior-changing potential of the insurance industry.
Think about insurance for a moment. It’s what makes seatbelts mandatory in cars and prevents massive fires from wiping out cities – all thanks to modern safety and building standards. Cybersecurity lacks something similar. When we delved into what was truly necessary, we saw the intricate risks and threats that abound.
Our goal? Blend analytics with actionable insights to enhance cyber hygiene for companies. And guess what? This model benefits both the companies and the overall business growth when everyone evolves together.
AGC: Insurance costs are going up, and insurance companies are getting more picky about checking how well a company’s security measures are before giving them coverage. What’s causing this change? And how should companies be ready for it?
DH: One of the big things nowadays that companies are really starting to think about is how to handle risks, especially when it comes to cybersecurity. I mean, there are a few ways to go about it. First, you can try to lower the risk by using security measures and controls. Another option is to avoid risky behavior altogether, but let’s face it, in today’s world, almost every business operates online, so you can’t completely avoid cyber risks. And then there’s the idea of transferring the risk, like getting insurance.
But here’s the catch – these strategies don’t work on their own. You can’t just dump all your cyber risk on an insurance company and forget about it, without taking any other precautions. In fact, back in 2019, we saw a real change in the cyber insurance scene. See, before that, insurance was mostly about covering the costs of data breaches and legal battles.
But then something shifted. With the rise of tactics like ransomware attacks, insurance companies started facing huge losses from paying off ransomware demands. Businesses were getting hit hard and had no choice but to pay up, even smaller ones. So, the insurance industry had to change its game. It started focusing more on not just preventing data breaches, but on helping companies become stronger in the face of these threats.
AGC: How does Resilience approach data breaches?
DH: We don’t just step in when something goes wrong. We’re there right from the start, while you’re getting your policy and even when you’re dealing with a claim. Our goal is to work together with you, to share the risk, not just pass it along. We’re like your early warning system, flagging any issues that could lead to a claim.
But it doesn’t stop there. We’re all about education too. We’ll let you know what strategies are most effective in cutting down the costs if something does happen. It’s all about understanding and tackling the unique risks your organization faces. And that’s the key to a solid cyber risk and resilience plan. That’s what we’ve seen really make a difference for our clients these days.
AGC:How should companies approach cyber risk management?
DH: For security leaders, this whole cyber risk thing is a real puzzle. You’re dealing with ever-changing threats from human adversaries, shifting targets and industries they’re after. Then you’ve got your own industry’s regulations, various control frameworks from vendors, and insurance companies throwing their own set of questions at you.
Now, with the FCC zooming in, even senior execs at the board level are asking, “What’s our plan for this risk? How do we measure and manage it? How mature are we?” Here’s the kicker: we need to shift from a compliance-driven risk approach to a risk-driven compliance approach.
Companies need to figure out what’s crucial and impactful for delivering value to their clients. Start from there and build up your security measures, which aren’t just technical controls. It could be governance, incident response planning, training, access management policies – you name it.
Master the basics, make them second nature, and then stack up those different compliance and control frameworks. This way, you can show your board, “Hey, we’re SOC 2 compliant, and we’re on our way to nailing HIPAA compliance.” Our go-to framework for board reporting is the cybersecurity framework.
But here’s the key: if you’re just aiming to pass a SOC 2 audit, you’re kind of missing the bigger picture, you know?
AGC: What experiences led you to come up with Resilience?
DH: When we kicked off in the US government, we landed right at the dawn of our awareness about critical infrastructure and the massive cyber risks it faces. From the get-go, I’ve been all about seeing cybersecurity risk as a big picture. You know, thinking about it from an all-hazards perspective.
So, it’s not just about getting the right cybersecurity tool. It’s a whole process to lock things down, especially after we got clued into the vulnerabilities through incidents like Stuxnet. And guess what? This applies across the board – rail, food, health, education. The pandemic really hammered home how delicate supply chains can be.
But it’s not just about industries; it’s the different types of threats too. Imagine, a communication breakdown can bring a whole business crashing down. Take Colonial Pipeline, for example. Their entire operation got impacted, and bam, down went their business.
This is what fueled our drive when we thought about launching our own company. We didn’t want to just create another gadget. We needed something that could change the game in how we handle cyber risk economics. We aimed to break those silos within a company, connecting the dots and making the whole organization more resilient against cyber risks.
AGC: Can you walk us through your thought process as you embarked on your business venture? Did you nail down the product segment right from the start, or did you have to pivot along the way?
DH: At first, we were more focused on what our users wanted rather than what the buyers needed. Back then, we were all about creating super advanced cybersecurity analytics for insurance companies. We had these awesome cyber insurance experts who were like, “Yes, this is exactly what we’ve been waiting for!”
But, when it came to landing those bigger contracts, we hit a roadblock. Turns out, these larger businesses weren’t looking for just another cyber risk rating tool. They wanted something that would genuinely level up their operations. So, we shifted gears. We started looking at how our cyber screen analytics could improve their everyday processes. We aimed at scaling the skills of their top-notch underwriters and even thought about ways to share Social Security benefits.
That’s when things clicked. When we aligned our analytics with their real business needs, we struck gold. Those major contracts started pouring in, and it was like a sign telling us we were onto something big.
AGC: When you were trying to evangelize your early buyers, how did you make them see the problem and the need for your solution?
DH: Coming from a politics background, I was used to making my case and rallying people behind ideas. What I quickly picked up, thanks to some amazing mentors, was that it’s less about talking and more about listening. Empathy is key, understanding the nitty-gritty problems users face every day, and then crafting a solution that seamlessly fits into the bigger business picture.
And let me tell you, soaking in that user love became my mantra. I even got to lead the customer success team for a spell. I vividly remember braving a snowstorm in February to huddle with an underwriting crew out in Connecticut. I dug deep, figuring out their pain points and learning what slowed them down.
Honestly, that’s the beauty of startup life. Engaging with these folks, truly getting a glimpse into their daily grind – it’s like striking gold. I’d come back armed with a notebook full of insights, feeling completely inspired. The best part? In just a few months, you could engineer something that drastically improved their day-to-day world.
AGC: What advice would you give young professionals in terms of how they can break into cybersecurity and even eventually work their way up to being CISOs?
DH:The security field thrives on diversity, both in experience and skill sets. Speaking from personal experience, I came from a political science background and tinkered with computers since I was young. However, I didn’t have formal technical training until I dove into this field. It’s worth noting that in the security realm, you can’t just talk the talk. You’ve got to get your hands dirty – set up network taps, deploy firewalls – it’s crucial hands-on work.
Starting out, I’d recommend diving into courses like ethical hacking, penetration testing, and security concepts. Get hands-on experience with your own computer, setting up these tools.
Certifications are abundant in this field, keeping curious minds engaged. But there’s more to it. There should be a holistic view of risk assessment. It’s about taking those checklists and shaping them to your organization’s unique needs. Then, conveying these insights to non-technical folks is key. Move beyond the fear-driven approach and embrace empowerment.
We need to shift the perception of security from being a mere cost center to a strategic asset. It’s about leveraging security to mitigate risks, enabling growth, launching new products, expanding into new regions – you name it. As security leaders, we must bridge the gap between our vital work and the business’ revenue and operations goals. After all, whether public or private sector, we’re all accountable to citizens, customers, or clients. Ultimately, it’s about delivering value back to them.
AGC: The acronym soup has intensified. Tool fatigue is real. What would you advise mid-market CISOs to focus on?
DH: At Resilience, we work with mid-market companies, seeing two sides of the spectrum. Some are growing close to a billion in revenue, acting like large enterprises. Others hover around 300 to 500 million, facing similar compliance demands, like fintech firms or banks.
Now, whether big or small, our initial advice is universal. Step back, grasp what fuels your business daily. This isn’t just for execs; the entire team needs to sync up.
We link roles, from risk managers to CFOs, connecting expertise without breaking silos. Aligning on driving the company and customer value, we quantify setbacks like major incidents in the next few years, aided by cyber risk modeling.
The beauty? It’s not just for techies. You can discuss these risk probabilities with non-tech execs, reaching up to the boardroom. It’s about understanding your business’ risk tolerance.
Once that clicks, compliance falls into place, tailored to your business – think NYDFS standards for fintech in New York or HIPAA for telehealth, plus California Privacy Act.
And beyond standards, smart practices shine. Encrypting customer data at rest, and practicing data recovery to fight ransomware. By shortening recovery time, you cut ransom risks, keeping operations flowing despite threats.
AGC: How do new founders diving into cybersecurity navigate the landscape? What ideas should they focus on? Which problems should take the lead?
DH: In the security innovation space, a major challenge is often having a cool solution in search of a problem. Instead, trends in IT should guide problem-solving, like shifts to the cloud, evolving threats from AI, and spear phishing.
As a founder, focusing on real problems that impassion you is key, ensuring you stay driven. Budding founders should focus on tangible, real-world issues that ignite their passion.
Our journey as co-founders was a tale of bridging gaps. There was a gap between technology and the pressing needs of businesses to handle cyber risks. And that’s where our idea came into play – the birth of cyber resilience.
When it comes to convincing buyers, especially in the insurance realm, relationships are gold. We took it up a notch, personally meeting industry veterans. It wasn’t just about shaking hands; we were diving headfirst into their world, soaking up their challenges firsthand. This hands-on approach led to a whirlwind of brainstorming, prototyping, and validation.
The industry was craving this freshness. They were stuck in a bit of a legacy tech rut. Our fast-paced problem-solving hit the right notes, bringing us into the spotlight.
It’s important to hunt down those real problems that light you up, and not be afraid to make personal connections.