April 8, 2024

Building Cyber Risk Strategy: How Good is Good Enough

Highlights from conversations with Mike Zachman from Zebra Technologies

“Everyone’s on a journey for cyber risk and how they talk about it,” said Mike Zachman, Chief Security Officer (CISO) at Zebra Technologies. A long-time customer of X-Analytics, Mike joined the X-Analytics journey in the early prototype phases of the product. His feedback, dedication, and advocacy of the tool from a customer standpoint have been instrumental in transforming X-Analytics from an early prototype to a fully developed web-based SaaS reporting tool for calculating cyber risk.  

Mike, who is also a member of the Technology Executive Council for CNBC, an alumnus of the FBI’s CISO Academy, and a former CISO for Caterpillar, joined X-Analytics to discuss the challenges for assessing and reporting cyber risk at the board-level. With $5B in annual sales, Zebra products are everywhere but hidden in plain sight. They are not sold in retail stores but their mobile computers, barcode scanners, and RFID printers are used in warehouses and major retail outlets. They are also used by postal carriers and package couriers. When Mike joined Zebra 6 years ago, the company was in the early stages of its cybersecurity journey, adopting the NIST (National Institute of Standards and Technology) CSF (Cyber Security Framework) and CIS’s (Center for Internet Security) risk matrix. As their program developed and grew more mature, they started looking at where their next best investment dollar should go. At the time, NACD (National Association of Corporate Directors), who recommends X-Analytics, was talking to boards about cyber risk quantification. They started to check it out.  

X-Analytics takes the NIST cybersecurity framework to the next level by assigning dollars and percentages to risk. Using a company’s unique financial data, input from NIST and other cybersecurity frameworks, and the latest threat intelligence, X-Analytics' patented platform calculates the risk and ROI of current investments to identify gaps or weaknesses in a cybersecurity solution. These weaknesses are translated into dollar amounts for potential losses. X-Analytics then identifies mitigation strategies to decrease the risk and shows through dollars how the investment would make a cost reduction difference. By aligning the risk factors to the business, X-Analytics helps prioritize which investments will offer the best ROI and protection for the company.

Cyber is no longer dismissed as a pesky IT problem that can be solved with a silver bullet. The implications are vast, costly, and felt across the board room where they need to be discussed and transformed into a cohesive cyber risk strategy aligned with company goals. Mike explained the processes he uses to assess cyber risk and how X-Analytics provides a valuable lens in his toolkit for calculating risk, prioritizing business decisions, and sharing them with the board.  

Triangulation: Art vs. Science

There’s an art to explaining risk—acceptance, mitigation, transfer—but how do you quantify and represent the risk? You need a quantifiable approach to illustrate exposure in dollars and percentages to help paint an impactful picture of risk.  

Mike described the process as triangulation. He uses three primary sources: NIST CSF to measure maturity; CIS’s framework as a risk matrix; and X-Analytics to prioritize investments through a risk quantification model. Each provides a unique lens and point of comparison for quantifying risk and validating results. Together, they help answer the questions: Where should we spend our next dollar of investment? And how good is good enough when it comes to risk?

Why X-Analytics

Mike said, like many companies, he started off using NIST CSF as his roadmap and CIS’s framework as “table stakes,” the minimum amount for getting in the game and starting a cybersecurity toolkit. These are critical for the cyber risk journey. But are they enough? Mike decided in his cyber journey, “we were looking for better ways to decide.” He looked to FAIR (Factor Analysis of Information Risk) as a risk quantification model but found it cumbersome, too hard and heavy. Mike said, “The energy put into it, the juice wasn’t worth the squeeze.”  

When he was introduced to X-Analytics, he was hopeful he would “find a way to take that next step without it being such a burden.” With FAIR, he felt as though he spent too much time defending a number to stakeholders instead of focusing on what really mattered. What should we be doing next? Are we good enough? After exploring X-Analytics, Mike said, even in the early prototype days, he was impressed. He had two concerns, which he felt X-Analytics successfully addressed and answered: How hard is it to get the decision, and how credible is the advice? He said, “I really have to admit it was quite easy.” It was data entry with inputs he had readily available from the NIST cybersecurity framework.  

Mike shared, “I just encourage people to take that step. Try it out. It’s going to be a little unique for everyone. I think you will be impressed that it gives you another lens with which to view your program and communicate your program. [It helps] answer those questions: Are we doing enough? What would you spend your next dollar on? Are we overinvested? It really helps add some credibility to those answers.”  

Early Wins  

After filling out a profile that describes your business in X-Analytics, the tool compiles a cyber risk assessment report within the first hour of use. The models quickly show you where the greatest need for cyber risk investment is and where it may not be needed as much, based on your business' unique needs. Mike said, “We had been overestimating the impact of some of the operational-related risks of cyber and underestimating the impact of some of the data protection elements of our program…That caused us to dig in.”

What Mike found was that the business did not rely on operational continuity as much as they thought it did due to their model and sales distribution channels. They believed business interruption was a big issue that would cause a critical impact. As the X-Analytics profile asked questions, they had to go and get answers. The questions and answers brought to light how much money would be lost by the hour. Mike said, “It’s helped us reprioritize our investments.”

Mike realized they were overinvesting in solutions to prevent business interruption. As a result, they invested more in data protection like tracking data sprawl and less in technology protection like EDR (Endpoint Detection and Response) where there may have been an overinvestment or redundancy of tools. Guided by the results presented in the data, they investigated and further aligned risk to cyber exposure. This started cascading into their messaging to executive leadership and the board.

Taking it to the Next Level

Now that X-Analytics had helped identify cyber risk exposure that was validated by Mike and his team of experts, it was time to share the data with the board. It did not happen all in one meeting. Mike said initially, “I was a little concerned about how credible the results would be. And I knew it had to first pass my own muster... I knew I was going to have to get my peer executives to actually say, Yep, that makes sense. I understand it.” He earned the trust of his colleagues by building trust in the models. He explained how they worked; he gave demonstrations. He walked through what the models were saying and what assumptions were built into them. He listened to questions; the X-Analytics team helped answer them and allay concerns. Mike said that it was an elevated conversation about the methodology and data sources as they reviewed Zebra’s profile input. Through this communication, the company’s profile got cleaner, and he was able to get agreement that the model was relevant for their company.  

Ultimately, Mike said the trust was built from “very good decision support...We were looking for where do we spend that next dollar of investment to get the best risk reduction. It's very clear when it [X-Analytics] provides that information back. It definitely points you [to] where you should be going.”

From that position of trust, subsequent conversations were based upon the models and served as updates. Mike used the example, “I want to talk to you about how our risk profile has changed since I talked to you last. It’s increased significantly because we have a risk quantification model we put confidence in.” When providing these updates, Mike said he shares the shape of the numbers with the board. He doesn’t believe it matters what the exact number is. What’s important is the context, shape, and relationship. He said, “When you say something is riskier than something else, is it twice as risky, 10% risky? Now you can actually put better context around that.”  

Greater Success

Mike added, “I have found that progression to be very powerful in our conversations. I feel that they are a lot more board worthy today than they were six years ago.”  

As for the reception from the board, Mike said, “It’s been welcome. The journey I took was to build support and credibility in what we were doing and what X-Analytics was showing us from the beginning.” Thanks to dedication from customers like Zebra, X-Analytics continues to evolve and grow to show value for the investment.  

Thank you to Mike Zachman from Zebra for taking time to share his journey with us.  

Watch the interview and webinar.