A coffee with… Richard Seiersen, Chief Risk Technology Officer, Qualys
The former CISO-turned-risk technology officer on the importance of empirical data for cyber chiefs and why he likes nothing better than a pint of beer on his UK trips
Before becoming chief risk technology officer at cyber security firm Qualys, Richard Seiersen was chief risk officer at cyber insurance firm Resilience and held CISO roles at cloud communications firm Twilio and at GE Healthcare.
Seiersen co-founded cloud security start-up Soluble, which he sold to security firm Lacework in 2021.
Seiersen has now been at Qualys for just under a year. He has also worked with IANS CISO Faculty, a CISO advice resource, for over seven years, and is focused on helping Qualys customers and CISOs worldwide measure and secure their cyber risk.
At the Qualys Security Conference in San Diego, TI talked with Seiersen about security measurement, his books on cyber, and Qualys’ launch of its ‘Risk Operations Centre’.
How has your career so far informed your new role at Qualys?
Before becoming the Chief Risk Technology Officer here at Qualys, I served as the Chief Risk Officer for a cyber insurance company called Resilience. Even now, I’m still an advisor there and very much involved.
I co-authored a book titled “How to Measure Anything in Cybersecurity Risk.” Despite its lengthy title and noticeable green cover, it’s become one of the more popular books in security from an insurance perspective. In fact, it was required reading for the Society of Actuaries exam prep for two to three years. My role involved explaining complex issues globally and helping drive strategy.
My job now is to be a global explainer of things to help drive strategy. Sumedh [Thakar, Qualys CEO] and I had been in contact, and he saw a big vision in terms of cybersecurity management. He reached out, saying there was a compelling vision here at Qualys that I might find intriguing, which indeed I did.
How do you think that data can help CISOs?
I’ve always been focused on how our domain—the CISO field and more broadly, cybersecurity—could improve through measurable and empirical methods, much like other STEM fields have. By embracing empirical data, we can enhance our ability to make impactful, consistent changes.
I’m not a mathematician; I’m a poet/bard by training, but necessity drove me to delve into measurement after realising existing practices weren’t sufficient for assessing risks adequately. I’ve spent the last decade or so both learning about and educating others in our field on better measurement techniques.
Serendipitously, I’m here now collaborating with the Qualys team to aid businesses in measuring crucial aspects and thinking through approaches to efficiently mitigate risks. This involves applying relevant controls and effectively transferring remaining risks. This effort is particularly exciting because it aligns with what Mulberri [a cyber insurance company working with Qualys] is doing. This firm works with insurance regulators to integrate risk scores produced by Qualys’ enterprise risk management platform into underwriting processes to help companies obtain insurance policies at sensible premiums.
Historically, the insurance market overlooked actual security data, leading to challenges, especially with ransomware. Insurers began evaluating risks with questionnaires and external scans, but these aren’t always effective. Qualys, with Mulberri, is now developing comprehensive internal and external risk evaluations, helping insurers better assess if a company is a good bet.
Through our Risk Operations Centre, we’re providing insurance companies with the insights they need to improve loss ratios and earn bonuses for managing risks effectively.
Would you briefly explain the news around the Risk Operations Centre?
On average, companies have around 70 security solutions dealing with threats, vulnerabilities, identities, and cloud services. Larger companies often have multiple tools meeting these needs, generating vast amounts of data that require normalisation and contextual understanding. Each vendor might have its custom scoring system for assessing risk, compounding complexity.
Our solution aggregates and normalises data across these tools, presenting a unified risk assessment to aid in decision-making.
How should this contribute to CISOs rethinking their strategy?
Security strategy should focus on understanding the market, determining where to play, and figuring out how to win in that space. This means creating efficient operations that support the broader business goals.
What are the big discussions with CISOs, in terms of risk?
One of the major discussions is around AI. Over the past year, it’s been quite common for boards to ask their CISOs about protective measures against AI-related risks. Businesses are heavily investing in AI with the hope that it will enhance scalability and value delivery. From a security perspective, questions about securing AI-driven processes will continue to be a trend.
We’re also seeing ongoing concerns with cloud-native security. Many security professionals struggle with ephemeral assets, like container images, because these assets can appear more like events rather than enduring elements. Figuring out how to manage and secure such dynamic environments remains a significant challenge.
Collaborating effectively with developers and platform engineers is another key area. Security teams need to reduce unnecessary work for these groups, enabling them to focus on creating value.
Lastly, managing financial pressures is crucial. As budgets tighten, organisations must focus on being capital-efficient and align resources towards the risks that truly matter. It’s about optimising efforts to create more value with limited resources.
How do you take your coffee?
I typically drink my coffee black. I use a Moka pot for a strong brew. It’s quite old school, and my wife jokingly calls it “pilot’s coffee.”
You do travel a lot. How do you wind down?
Well, if I’m in the UK, I often wind down by having a pint with friends!