Mastering Cybersecurity Risk Management, with David X Martin

David X Martin is one of the world’s leading authorities on risk management and cybersecurity. Here he discusses the ideas and experiences behind the genesis of his outstanding book, “CyRM: Mastering the Management of Cybersecurity Risk.”

Looking back on it, David X Martin said he started his career in risk management when, as a young Eagle Scout sprawled on his back with a forest fire raging in the near distance, he found himself face-to-face with a venomous snake, coiled to strike. This was years before he would go on to become the founding Enterprise Risk Manager for Citicorp, the largest financial institution in the world, or author his sensational “The Nature of Risk” in 2012 or his most recent (and excellent, and paradigm-shifting) book, “CyRM: Mastering the Management of Cybersecurity.”

But Martin didn’t take a straight and narrow path. His journey to the pinnacle of risk management and cybersecurity began unexpectedly with a forest fire and a chance encounter with a snake.

“I was fighting a forest fire and I came back to base camp, totally exhausted, and I fell backwards and all of a sudden I hear this rattle, and the next thing I know I was about to kiss a rattlesnake,” said the NYU and Fordham Schools of Business Adjunct Professor Martin, whose 40-year career as a senior financial executive has included top positions at PwC, Citicorp and AllianceBernstein, along with multiple board positions and public-private co-chairmanships. “I was scared stiff. Somebody I was working with saw what was happening and had a pickaxe and actually swung the axe and cut the rattlesnake’s head off… That was the genesis for my book, ‘The Nature of Risk.’ Because I was so focused on the forest fire, I didn’t think about the risk of having all these animals leaving the forest.”

Martin is a gifted writer and communicator, and CyRM (CRC press, 2021) is a truly exceptional book, advancing board-facing concepts on risk management and cybersecurity which, chapter by engaging chapter, are by turns practical, thought-provoking, and sometimes perhaps even revolutionary (his concept of Cyberwellness is a game-changer, as we’ll get to at the end of this piece). This is the right book for the right time. It provides a clear and accessible repositioning of cybersecurity as a business strategy, in a narrative full of personal insights and experiences articulated by one of the world’s leading authorities on risk management and information security.

But this article is not so much a review of “CyRM” as it is a thought leadership profile of Martin himself. His own journey up the ranks of risk management and cybersecurity offers lessons that help readers viscerally connect with the messages in his book.

Re-thinking risk

David X Martin sees risk in a way others do not.

After leaving PwC, Martin was working at Citicorp when his CEO asked him to draft a report on risk that was, in itself, quite risky. The CEO was going to “unsheathe his sword and draw a line in the sand” in front of the board on how the bank was now going to manage risk. He tapped Martin to build a case that would sway one of the most powerful boards of one of the world’s most powerful financial institutions.

The meeting went well. Afterward, his boss let out a triumphant war whoop that echoed across the entire New York city-block-sized floor of the building. The next day, Martin was promoted to Enterprise Risk Manager for all Citicorp.

“Basically, the way I looked at risk was a bit different than most in that at the end of the day, banks are really at the mercy of their environment,” said Martin, who augmented his MBA with IT expertise early in his career at PwC, before developing and implementing a comprehensive process of enterprise-wide risk management. “So they really have to understand what the environment is going to be like in the future. You could be the best risk management leader in the world but if the environment is bad, the customer is not going to do well, and you’re not going to do well. So basically, I started really trying to understand the environment in order to manage risk.”

As Enterprise Risk Manager at Citicorp back in the 90s, he recognized that the environment of financial institutions was changing. Digital transformation was, and remains, a massive disruptive force. It opened whole new opportunity horizons for banks like Citicorp. But few perceived the cybersecurity risks also lurking within the uncharted digital frontier.

To better understand them, Martin hired MIT professor, Tsutomo Shimomura to ethically hack Citicorp. This was 25 years ago, when pen testing in the private sector was less common. Shimomura quickly and easily revealed major vulnerabilities and exposed massive potential risks to their call center and credit card lines. The ethical hack opened Martin’s eyes to the fact that cybersecurity, like every other risk, needed to be managed. He was amongst the first to do so.

“I realized how important cybersecurity was with Tsutomo Shimomura because, it’s interesting, you have armies that protect citizens, but armies didn’t cut it anymore because hackers will go right through those lines,” said Martin. “It’s a whole different world. And basically, I thought about it from a risk management perspective. I was brought up in the school of Walter Wriston, who wrote a book called, ‘Risk is a Four-Letter Word,’ and he always said to me, ‘David, there’s nothing wrong with risk as long as you manage it.’ So with ‘CyRM,’ it focuses on the risk management side of cybersecurity.”

Enter CyRM: Cybersecurity Risk Management

After leaving his position as Chief Risk Officer of AllianceBernstein, a major asset management company that managed $850 billion of assets while he was there, Martin embarked on a consulting, teaching and writing career. Pondering everything he’d learned about risk and cybersecurity, he put together a framework for a three-pronged cybersecurity risk management strategy that would help information security leaders and business executives come together for optimal business outcomes:

Risk Management: It needs to apply the tenets of risk management to cybersecurity in order to take a broad view of risks across an organization to inform resource allocation, better manage risks, and enable accountability.
CyberWellness: It needs to encompass not only the firm as a whole, but also every employee who needs to be responsible for the risks they undertake. This requires an active process with cybersecurity—just like physical wellness programs in which the company takes an active approach to promoting employees’ good health.
Cybersecurity as a Business Strategy: Cybersecurity needs to be repositioned for what it really is—a growth enabler, and not just designed to reduce operational risks by eliminating the dangers posed by viruses and hackers. It also needs to enhance product integrity, customer experience, operations regulatory compliance, brand reputation, and investor confidence.

Risk management and the modern CISO

The incentive structures for IT and business leaders are often at odds. Information security leaders desire 100% reliability because their job performance is traditionally evaluated on reliability. Business leaders, meanwhile, are supposed to grow companies and generate revenue, which requires a cost-benefit approach. No business will grow if no risks are taken. So how is that divide between information security and business bridged towards a common cause?

To begin, the CISO must be reconsidered as a manager of people and business, not only of IT systems.

“I tried to involve the CISO much more in the risk management orbit early on, and I think today, people should partner with CISOs more; they should also be on the executive committee. CISOs need to partner with the businesses to understand what the business requirements are, so they can then create the proper IT systems and security surrounding that.”

Martin developed “CyRM” to approach security as a business problem, not an IT problem. Information security must be aligned with business needs. The pandemic has accelerated the need for this alignment with the global shift to remote work and its pursuant digital cloud transformation. The attack surface has expanded exponentially, as have the volume of breaches, some of which have had devastating effects on companies’ brands and consumer trust.

“Risk is the absence of information. It’s a constant factor. Risk is always there, but you need information on what the risk is to make good decisions.”

There were many unknowns with the mass migration to remote work and the cloud. But companies needed to adapt quickly to a changing business landscape with new processes, products and services. “Going forward, those products and services,” said Martin, “must include a trust component. To grow and thrive securely and sustainably, the CISO must be brought into business decisions so that security is hardwired into everything.

“If companies build trust into their product and asset lines, they will be much more successful than their competitors.

Cybersecurity is a business strategy

Security posture is a competitive advantage in today’s challenging security environment. Today more than ever, the cost of a breach extends beyond the direct theft of funds or IP. Consumers will do their banking—or their shopping, or their healthcare—with a company they can trust will not compromise their data or privacy. In some respects, privacy-and-security-as-a-service contains parallels to the rise of safe workplaces and sustainable and green practices as a way of attracting customers and raising share value, i.e. ESG practices.

Secure growth means allocating thought and resources towards what needs to be protected, and how.

“What you need to figure out is what’s important, what and where are your crown jewels, and how will you create a security budget and focus on what is important. And that, to me, is the first step in applying any sort of risk management to the perspective of cybersecurity.”

Cyberwellness

This brings us to the concept of CyberWellness, which I find truly innovative and maybe revolutionary.

In his book, Martin points out that since the infamous Equifax breach of 2017, considered by many to be the worst in history, breaches have since only accelerated largely owing to increasing email attacks. Email breaches are far and away the largest vector of successful cyberattacks, and as a result, people are often characterized as security liabilities.

Martin turns that thinking on its head with his patented concept of Cyberwellness. Employee health became part of business strategy through HR wellness initiatives when it was proven to be good for business. Healthy employees lose fewer days to sickness or injury; happy employees are more productive; strong business cultures attract and keep top talent. So why, with so much of our personal and professional lives spent online, where the threats are non-stop and our knowledge of those threats is so minimal, are companies not better protecting their employees with cybersecurity awareness?

“People are the first line of defense! I think companies are crazy to think they can go it alone with security, without engaging their employees in a cyberwellness program. The attack surface has multiplied with the pandemic and everyone is working from home. If you can learn to protect yourself at home, you can protect your company at work! It’s not one or the other, it’s all one.”

Ponder that for a moment. Cybersecurity awareness is essentially a form of wellness. This truly dissolves the walls enclosing IT and information security from the rest of an organization. When cybersecurity awareness is treated as wellness, it becomes a wellness benefit that an employee takes home with them and can use to further protect their family and friends. It’s something that they will be more motivated to engage with.

CISOs are seeking awareness tools that transcend the outdated mindset of: “to the hammer, all problems are a nail.” Traditional training programs try to hammer people into place with boring, punitive training, rather than nurture them individually towards enlightenment.

With that in mind, Martin actually himself developed a gamified cybersecurity program. He had spent his career slogging through one punitive and boring cybersecurity training after another, and after researching options for a way to make it more engaging, settled on gamification.

“How do you get people involved? How do you get people interested in cybersecurity? You train them in a way that you grab their attention and they they interact with it, and they want to be the top player.”

Phishing awareness and digital hygiene are not just organizational problems. They affect individuals at work and at home. Educating employees on phishing protects them while ultimately strengthening organizational defenses. Therefore, the previous evolution of organizational health, safety and wellness as an HR priority is a model for how cybersecurity may become cyberwellness in the digital age.

“Cybersecurity cannot be guaranteed but a timely and appropriate reaction can. It’s no so much that we are missing tools ( which we are ). But even more so- we need to treat cybersecurity like a managerial and strategic issue.—not just a technical issue.”