Technology no silver bullet when dealing with ever-evolving landscape of cyber risk

by | Apr 19, 2021

Dr. Ann Irvine may be chief data scientist at Resilience, but she’s also the first person in the room to say: technology isn’t going to solve this problem.

“Cyber security is a really big deal for our customers — they’re spending millions and millions of dollars on it and it’s a hard problem that’s changing constantly,” she said. “I’m not going to come up with an algorithm that spits out three very specific technical controls they can implement and walk away. It’s more complicated than that, and it’s foolish to pretend technology can be a silver bullet.”

‘People first, powered by data’ is more than just a tag line at Resilience — it forms the foundation of the company’s approach to what it does. Cyber Meteorology is a holistic framework to analyze and contextualize risk — a risk forecast, if you will — that allows Resilience’s team to think “broadly and deeply” about what’s going on with a company from a cyber security perspective, Irvine explained.

In a world where many other cyber MGAs are “leaning much more heavily into their technology offerings than we are,” Resilience is focused first and foremost on customer service, helping customers be more cyber resilient. Cyber Meteorology is not a technology, though Resilience does have supporting internal systems. Rather, Cyber Meteorology is an approach to risk analysis that relies on data, as well as human expertise, and that includes “not only basic technical security information such as open RDP ports and MFA, but also things like the corporate landscape of a company, the structure of its teams and how its physical offices are distributed, what its security team looks like and their internal processes and plans,” Irvine explained. Their approach emphasizes not only technical controls, but also what a company’s critical systems are, their main threat vectors and system dependencies, and other factors that may make a company complex or unique from a security perspective.

“It’s a way of looking at what really might happen to this company and how much it might cost, and it really goes way beyond ‘can they check these five technical control boxes’,” she said.

And that’s where the differentiator is, Irvine noted. While you want to use it to your advantage, the reality is technology augments expertise, and the goal of her team is to enable this approach to holistic cyber security assessments and overall cyber wellness. From a technology perspective, Irvine is developing systems that enable Resilience’s experts to be more efficient and effective. Resilience wants its underwriters spending their valuable time “asking smart questions and thinking through the complexities of an organization, not doing data entry into some form.”

When a broker or a customer interacts with Resilience, they should feel like their specific and nuanced risks and complexities are understood. This philosophy around cyber risk is applied throughout the lifecycle of Resilience’s interactions with customers. It starts with the underwriters at Resilience Cyber Insurance Solutions, (the wholly owned subsidiary of Resilience) evaluating new submissions and carries through to Resilience’s security team, which works with customers post-bind through a variety of tabletop exercises and consultations. The team even uses this approach as they perform continuous security monitoring and handle claims. Resilience’s goal is, again, to emphasize customer service and “have bespoke conversations that are customized and catered to their specific challenges and risks.”

“Especially targeting the middle market, it’s just complicated,” Irvine said. “We’re working with big, complex companies that demand more than the output of some cookie-cutter risk assessment system.”

One of the elements of the whole philosophy of Cyber Meteorology is to help clients be stronger and safer — the more cyber wellness they have, the better risk they are, and the stronger Resilience’s book of business is. It’s a bit antithetical to the insurance model, Irvine noted, because an insurance company earns “street cred” by paying claims and here’s Resilience trying to help clients prevent a claim in the first place. They’re taking a thoughtful approach, using Cyber Meteorology to look at overall cyber wellness and how it can be improved.

Going forward, with a growing book of business, Resilience is interacting with many organizations across different industries and learning a lot about the nuances of security risk at those individual companies. All the data gathering is helping Irvine and her team improve the technology they’re building to make it more impactful and better able to support this “high-touch model” of Cyber Meteorology.

“We’re using a data-driven approach to learning and we have a feedback loop that’s part of our technology as well as our human approach to all of this,” she said. “I’m excited to put ourselves out there, grow our business, learn and become more efficient and effective in this approach.”