
How have perceptions and appetite for risk changed over the past 5 years? In this episode of Security Visionaries we speak to the man who literally co-wrote the book on risk, Jack Freund, Chief Risk Officer at Kovrr, along with a CIO and CISO who has worked for more than one global financial institution, David Fairman CIO & CSO – APAC at Netskope, to try to better understand how cyber risk sits within broader organization risk decisions.

I think we’ve all become much more aware of how interconnected everybody is and that brings with it benefits clearly, and it also brings with it some risks that we need to account for…. I think that’s going to have significant shifts in the way that we assess risk, that we think about identifying risk.

—Jack Freund, Chief Risk Officer at Kovrr

Timestamps

* (0:01): Introduction
* (1:26): Why is it important to understand your organizational risk level?
* (3:15): How many companies actually understand what their risk appetite is?
* (8:00): How have things changed around risk appetite in particular in the last five years?
* (9:56): How does third-party risk fit in?
* (12:16): Do you think as risk potentially becomes more complex it becomes harder to perhaps predict and capture risk?
* (14:18): How have high profile cyber incidents in Australia had an impact on risk conversations?
* (17:07): How important is it that we trust the people in the processes of risk assessment?
* (23:04): How does effective communication of risk and the programs in place to manage risk relate to an organization's actual comfort with the risk they have?
* (27:49): Are there any words risk management folks use that don’t connect with organizations?
* (29:57): Why do some legal teams have discomfort about the very idea of risk assessment and risk quantification?
* (31:43): Are there any material upsides beyond mitigating the risks?
* (34:39): Conclusion


On this episode

Jack Freund
Chief Risk Officer at Kovrr


Jack Freund is a leading voice in Information Risk measurement and management. He is an expert at using risk quantification to implement, mature, and sell information risk and security programs. He has attracted and developed staff to build state of the art risk analysis and decision making programs. Jack has spearheaded strategic shifts in IT Risk by leading his staff in executing multi-million dollar efforts in cooperation with other risk and control groups.


David Fairman
Chief Information & Chief Security Officer APAC


David is a highly experienced professional in the Security & Financial Crime disciplines covering Cyber Security, Fraud and Financial Crime, Intelligence, Business Continuity, Physical Security and Operational Risk. David has worked for, and consulted to, several large financial institutions and Fortune 500 companies, across the UK & EU, North America and APAC. David is a passionate leader in Cyber Security and Financial Crime and has been actively involved in founding several industry alliances and expert groups, holding Board positions, across multiple regions with the aim of making it safer to do business and transact in the digital world.

David has been recognised as one of the Top CISOs to know, is a published author and adjunct professor. A core capability of David’s is his ability to understand the operational risks arising from digital commerce and translate these into strategic actions encompassing technological solutions and organisational capability maturity, in order to transform organisations’ abilities to manage all aspects of cyber and digital risk. David’s current focus is driving collaboration and innovation across the industry to address current and emerging threats prevalent with digital risk and improve the cyber resiliency and literacy in the community.

Emily Wearmouth
Director of International Communications and Content at Netskope


Emily Wearmouth runs Netskope’s communications across EMEA, LATAM, and APAC. Working across public relations, social media, customer references and content creation, Emily keeps busy unearthing stories and telling them in a way that helps customers and prospects understand what Netskope can do for them.


Episode transcript


Emily Wearmouth [00:00:01] Hello and welcome to today's episode of Security Visionaries, a podcast for anyone in the cyber, data or adjacent industries. Today, we're going to be talking about risky business. And I don't mean Tom Cruise's mediocre rom-com. I mean cyber risk. And more specifically, we're going to be discussing risk appetite, risk assessment and risk communication. Now, I know I always tell you I'm excited about my guests, but today those guests include the man who quite literally wrote the book about risk measurement and management, as well as a man who's been responsible for the risk programs at a couple of pretty huge international banks. Let me introduce them. First up, Jack Freund. Over the course of his 25-year career in technology and risk, Jack has become a leading voice in cyber risk measurement and management. He's the coauthor of the award-winning book on risk quantification, Measuring and Managing Information Risk: A FAIR Approach, and holds a doctorate in Information Systems. So welcome, Jack.

Jack Freund [00:00:58] Thank you Emily, happy to be here.

Emily Wearmouth [00:01:00] Alongside Jack, I'm also really pleased that we have David Fairman here to give us his sage perspective. David is an experienced CSO, strategic advisor, investor, and coach. He has extensive experience in the global financial services sector, is known for his innovative thinking, and in 2015 he was named as one of the top ten CISOs to know. So I am very proud, therefore, to know him. Welcome, David.

David Fairman [00:01:23] Emily, thanks very much for having me on the program today.

Emily Wearmouth [00:01:26] Right. I'm going to dive straight in. The first thing I want to ask you both is why is it important to understand not just your organizational risk level, but also your organizational risk appetite or comfort level? Shall we start with you, David?

David Fairman [00:01:41] Yeah, sure. So risk management is an interesting thing. I like to define risk management as applying your finite resources to your highest areas of risk. What that means is you are never going to address and remediate or eliminate all risk. So I think the risk appetite play, or defining risk appetite and understanding what that looks like for your organization, really helps you to make some of those definitive decisions. Like I say, you're not going to be able to close all or eliminate all risk. You're going to need to make some priority decisions as to how you allocate those finite resources. Understanding what risks your organization is facing, then understanding what your appetite is to experience a loss due to those risk scenarios allows an organization to make more informed decisions, to take action to close out or minimize. And maybe that's the word we want to talk about. Minimize. It's not about necessarily eliminating completely. It's about addressing, taking action to bring those risk loss scenarios within that risk appetite, within that range of what the organization is willing to experience due to a risk scenario or risk loss scenario. So defining that risk appetite improves and ensures much better decision making and allows the organization to operate within some controlled boundaries.

Emily Wearmouth [00:03:15] Jack, what are your thoughts? And I suppose as a supplementary question, how many companies actually understand what their risk appetite is?

Jack Freund [00:03:22] Yeah, it's a great question. And David's right, it really is about prioritization. And I think back to the times, you know, I've spent communicating quantified cyber risk to different organizations, whether I was internal to that organization or, you know, helping other organizations do the same thing and offer the same advice as, you know, it's novel. The first time you display a loss exceedance curve and a distribution of loss potential in terms of quantified risk. But inevitably, maybe in that same meeting, maybe in the next meeting, you're going to get asked the question, you know, so what? So what do I do with this? How do I operationalize this? And that's really where the appetite part of it comes into play. It's a matter of assigning a priority label to the saying that means this is unacceptable and we have to do something about it, a.k.a. allocate scarce resources to bring it back within tolerance, or we monitor it or we accept it. We sort of manage it that way. And that's really what that threshold represents, is that boundary between doing something and not doing something. So it's really valuable. I don't think a lot of firms have really thought through what appetite means in terms of operationalization. I think a lot of firms probably still, you know, say something to the fact a very fluffy kind of we don't accept any high risk scenarios. And, you know, operating in a competitive marketplace, selling products and services is a high risk scenario for any company. So that's not enough really. You have to sort of find another threshold to define how much is enough and how much is not enough.

David Fairman [00:04:59] And so Jack, can I double click on that for a minute? I'd love your take on this because I think you highlight a really good point. You know, a lot of organizations might make some of these very high level statements in terms of risk appetite. So, you know, we will not accept any high, high risks. But what does that actually really mean? How do we make that a little bit more real, a little bit more tangible? I come from a banking background, so the natural categories, I start to think about customer impact, financial impact, regulatory impact. What else would we have the employee impact as an example. So maybe putting some boundaries around that. So anything that impacts more than 10% of customers. Anything that impacts more than 10% of employees. Anything that results in a financial loss or loss of revenue of X amount of dollars. Anything that results in regulatory action in some way, shape or form. So I think defining those sorts of categories that are relevant to your organization really helps make these risk appetite statements real and more usable.

Jack Freund [00:06:08] Yeah, that's great insight. And I agree. I think, you know, you name some of the typical financial services categories. I've always been a fan of the Basel II operational risk categories. I think they're applicable whether you're in finance or not. And I really think sort of connecting the quantified risk to those categories is important. So, for example, if you're thinking about, you know, the operational losses associated with ransomware. And there's a range of possible outcomes and you're trying to decide where on that distribution is an acceptable amount of loss. And you sort of drop a point and sort of, you know, help people manage or they think that is but, you know, let's say you get agreement that there's a line after which you, you know, we don't accept more than a 10% chance of losing $100 million or something like that. You know, once you find that line, then you have to sort of identify what are all the risk triggers that can cause that scenario to happen. And this is where you really connect. It's different, I think, in cyber risk and other operational risk disciplines because there are so many things that could go wrong. So you have, you know, you have these injuries, these entire catalogs full of these varieties of, you know, attack methods and controls and the combination thereof that can trigger these things to happen. And that's why I think the operationalization happens, is we're able to communicate. Okay. So, you know, maturity on these process controls or coverage on these thing based controls which are just, you know, deploying end points and point protections. You know, we're missing all of these things. So improving those gives you the opportunity to reduce the probability of experiencing these losses that we've already determined are unacceptable. I think that's where we sort of translate that is, you know, the sort of connection between one and here's how bad things could be. And then here's a list of things that we need to fix in order to cause that to happen.

Emily Wearmouth [00:08:01] We're having this conversation in 2023, and I know you wrote the book a little while ago, Jack, and I wondered how have things changed in particular in the last five years? You know, we've seen huge economic, geopolitical, societal changes over the last five years, have they had an impact on some of the foundational assumptions that business leaders are basing ris