This discussion focuses on risk within the cyber security domain.
Sramana Mitra: Let’s start by having you introduce yourself as well as RiskRecon.
Kelly White: I’m the CEO and Co-Founder of RiskRecon. RiskRecon is a provider of cyber security risk readings that allows companies to solve a wide range of security challenges. Prior to founding RiskRecon in 2015, I was the CISO of a large top 25 financial institution.
Prior to that, I was a security consultant going all the way back to 1997. I’ve had a very strong practitioner foundation both as a consultant and as a CISO.
Sramana Mitra: Talk about the company.
Kelly White: Our company was founded on what I saw firsthand. That was the massive outsourcing of systems and services that has been driven by the digital transformation brought on by IaaS and SaaS, in which I saw significant outsourcing of the platforms the businesses ran on. That’s one of the macro trends of the industry that has serious implications.
What RiskRecon enables companies to do is gain continuous and deep insight into those systems and services that they’ve outsourced. It’s this capability that RiskRecon provides that’s enabling our customers to gain a better understanding of the risk as it relates to outsourced and third-party relationships, and how to act on that.
Sramana Mitra: Can you double-click down one more level and talk about how you do what you do? You can use use cases or whatever may seem convenient to explain how you do what you do.
Kelly White: At a top level, companies are entering into partnerships with other vendors to fulfill important functions for their business. It could be marketing. It could be research & development or customer relationship management.
In the process of establishing that relationship, companies are commonly transferring sensitive data to that provider to make it work. In doing so, the organization and the customer vendor need to understand if their risk interest is being protected.
The traditional approach for managing that is rooted in having a security standard that might call out things like encryption of sensitive data and patching of software vulnerabilities. The traditional way to understand if your vendor is managing that risk well is to send a questionnaire. The vendor just says yes.
RiskRecon can automatically verify vendor performance to security risk requirements. You aren’t just left to asking your vendor what they do. We can measure the cyber security performance of any company based on what they’re doing on the internet.
To your question on how we do that, every computer system that a company operates is a micro-instantiation of their cyber security risk program. It is in that system where the risk decisions are manifested. All the policies, procedures, people, and technology come together to patch the system, securely configure it, encrypt sensitive data, and build secure software.
Through our analytics, we can discover each of the systems that a company is operating on the internet and analyze the public or pre-authentication information available on those systems to understand the security posture. Are they using https? Are they patching the system? Are they using proper security headers?
By doing that for all the systems that a company operates on the internet, we can get visibility into how well they’re managing cyber security risk.
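The kind of pre-authentication check described above (is the host on HTTPS, does it send the expected security headers, does it disclose a software version an outsider could match against known vulnerabilities) can be illustrated with a small scorer over raw HTTP response headers. This is an added example for this page, not RiskRecon's code or method; the hostnames, the two sample responses and the severity weights are constructed assumptions, and the script runs offline on those embedded samples rather than contacting any host.

```python
"""Score internet-visible security signals from raw HTTP response headers.

Added example, not part of the interview or of RiskRecon's product. The sample
responses, hostnames (.test TLD) and severity labels below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    issue: str
    severity: str  # "high", "medium" or "low" (assumed scale)


def parse_headers(raw: str) -> tuple[int, dict[str, str]]:
    """Parse a status line plus header lines into (status_code, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_host(host: str, http_raw: str, https_raw: str | None) -> list[Finding]:
    """Evaluate what an unauthenticated observer can see on ports 80 and 443."""
    findings: list[Finding] = []

    # Plain HTTP should do nothing but redirect to HTTPS.
    status, http_hdr = parse_headers(http_raw)
    location = http_hdr.get("location", "")
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        findings.append(Finding(host, "plain HTTP served without redirect to HTTPS", "high"))

    if https_raw is None:
        findings.append(Finding(host, "no HTTPS listener", "high"))
        return findings  # nothing else to inspect

    _, hdr = parse_headers(https_raw)

    hsts = hdr.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding(host, "missing Strict-Transport-Security", "medium"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 15552000:  # 180 days, a common minimum
            findings.append(Finding(host, "HSTS max-age shorter than 180 days", "low"))

    csp = hdr.get("content-security-policy", "")
    if not csp:
        findings.append(Finding(host, "missing Content-Security-Policy", "medium"))
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding(host, "missing X-Content-Type-Options: nosniff", "low"))
    if "x-frame-options" not in hdr and "frame-ancestors" not in csp:
        findings.append(Finding(host, "no clickjacking protection (X-Frame-Options or frame-ancestors)", "low"))

    # A version string in Server / X-Powered-By is the patching signal an outsider
    # can observe: it can be matched against the vendor's published advisories.
    for name in ("server", "x-powered-by"):
        value = hdr.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(Finding(host, f"{name} discloses software version: {value}", "medium"))
    return findings


# Constructed sample responses (no real hosts were contacted).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example-good.test/\r\n"
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
)
BAD_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nX-Powered-By: PHP/5.6.40\r\n"
BAD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
)


def demo() -> dict[str, list[Finding]]:
    """Run the assessment over both constructed hosts."""
    return {
        "www.example-good.test": assess_host("www.example-good.test", GOOD_HTTP, GOOD_HTTPS),
        "portal.example-bad.test": assess_host("portal.example-bad.test", BAD_HTTP, BAD_HTTPS),
    }


if __name__ == "__main__":
    for host, findings in demo().items():
        print(f"{host}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.issue}")
```

Running it reports no findings for the first host and seven for the second (missing HTTPS redirect, a 300-second HSTS max-age, no CSP, no nosniff, no clickjacking protection, and two version disclosures). Real assessments of the kind the interview describes do this across every discovered host of a company and feed in a TLS inspection and certificate check as well; this block only covers the header signals the text names.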