An Interview with Wes Spencer, VP Channel Chief, FifthWall Solutions, and Andrew Szokoly, VP of Client Services, Proda Technology
Wes: How did you discover the Cyber Defense Matrix?
Andrew: At IT Nation Secure, June 2022, I bumped into you in a session and from there… well, let’s just say the mindshare thing happened! Then back at home base, Proda, we put our spin on the Cyber Defense Matrix, combining what we were seeing on cyber insurance applications with the tools already in our stack to create the visual aid. Then our technical leadership team got to work adding some newer technologies to address the gaps we saw. We socialized the Matrix with a handful of customers and partners, and we quickly learned that the visual aid was really helpful in helping clients understand what each tool or process is doing to help protect them.
Wes: What is the Cyber Defense Matrix?
Andrew: Security has always been a part of the conversation with our clients, but security conversations can feel overwhelming unless the client wants to dig deeper into the actual technologies. The Cyber Defense Matrix is the perfect solution to illustrate the lifecycle of a security incident because it maps everything out against the different phases in the NIST framework in a way that allows you to see gaps and identifies where things overlap. It serves as a good overall benchmark as to where your business is in its security journey.
Wes: Your approach to innovation is unique. How do you use the Matrix in conversation?
Andrew: We find it easiest to get client buy-in when a toolset seems inexpensive, and most tools are way less expensive than responding to a cyber incident where you start paying for labor rather than automation. Businesses must have their bases covered with best practices like MFA and vulnerability management.
Before, when we would only bring a list of talking points, some clients might have struggled to see how everything worked together. Now, we start the conversation with a review of our Cyber Defense Matrix to help create credibility in our cybersecurity service offering by aligning our tools and processes against NIST best practices.
Wes: It’s natural to have gaps in the Cyber Defense Matrix. Can you explain what that is?
Andrew: There are gaps because some areas of our cyber defense matrix don’t have tools associated with them. Those areas typically are handled by people and processes. We also want clients to know where gaps exist, not because we aren’t doing the right things but because nothing is 100%, and we don’t want to create a false sense of absolute security. As we discuss the matrix, we explain that people are far more expensive than tools. That’s why expenses rise as we slide into Respond and Recover, which occur after a security incident has been detected (Right of Boom). You are now paying your insurance deductible, which covers breach coaches, Incident Response teams, lawyers, etc. We want to avoid that for the client. And this is where their comparatively small investment into Identify, Detect, and Protect is so important.
In other words, it’s cheaper NOT to have a breach. But that means you must make the proper Left of Boom (before an incident) investments. Here’s the truth. A security incident could happen to anyone. And that’s why having the right insurance is so important.
Wes: How do you use cyber insurance to spark client conversations?
Andrew: When our clients come to us with their renewal applications, we start by getting a sense of how complex the application is. As part of our review, we examine a client’s coverage limits to ensure they are adequate. Then we dive into the controls being asked for, ensuring we understand the requirements and talk through solutions to fill security gaps to help improve their risk management program.
Clients understand that to be eligible for cybersecurity insurance, a security minimum must be established. So we can step in, help address any gaps required by insurance, and help the client find the policy and coverages they need to address their cyber risk.
“Stronger cyber tools just make sense, and Proda Technology works relentlessly to safeguard its clients. We educate about risk and preparedness,” Andrew Szokoly.